SysInternals & PsTools: All The Tools & What They Do

The SysInternals Suite (including PsTools) is a wide—and we mean wiiiiiiide—array of super-useful utilities that not only provide some of the most critical and detailed system information otherwise not generally available, but also a highly granular level of control over the Windows system. The general capabilities of the multitude of tools within this suite fall loosely within the categories of monitoring, troubleshooting, information-gathering, security, optimizations, enhancements, and a lot more.

The wiiiiiiide array of utilities within the SysInternals Suite

If you have ever wondered what a particular tool from within the massive SysInternals Suite is actually supposed to do, we have assembled short and detailed descriptions along with their user interface information (command line / GUI / both) of all of them within this single post — on this single page.

Tip: All the tools here are listed alphabetically for convenience. Additionally, instead of scrolling manually to find a particular tool’s description, you may use the “Find” function by pressing the Ctrl + F keys on this page to search for a tool specifically on a desktop system, or use the “Find in page” menu option within your mobile device browser.

SysInternals Suite Tools List (including PsTools)

AccessChk (Access Check) — Command Line Only

TL;DR: Shows the effective permissions on files, Registry keys, services, processes, kernel objects, and more.

Windows administrators often need to know—to ensure that they’ve created a secure environment—what kind of accesses specific users or groups have to specific resources (files, directories, Registry keys, global objects and Windows services). This tool provides all this information.

AccessEnum (Access Enumerate) — GUI Only

TL;DR: Shows who has what access to directories, files and Registry keys on the system; and is typically used to find inconsistencies with permissions.

Managing permissions for users to have appropriate access to files, directories and Registry keys can be quite difficult. Making it even more difficult, there is no Windows-built-in way to readily and conveniently view user accesses for a particular tree of directories, or keys of the Registry. This tool provides a full view of the file system and Registry security settings within seconds, making it the ideal tool to help find security holes and lock down permissions wheresoever necessary.
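The kind of tree-wide permission review AccessEnum performs can be approximated from PowerShell with Get-Acl. The following is an added example written for this page, not code from Sysinternals or from the original post; the function name Find-WeakDirectoryAcls and the list of “broad” principals are my own choices. It walks a directory tree and reports every Allow entry that grants write, modify or full control to Everyone, BUILTIN\Users or Authenticated Users, which is the usual sign of a permission hole worth locking down.

```powershell
function Find-WeakDirectoryAcls {
    param([Parameter(Mandatory)][string]$Path)

    # Principals that, when granted write access, usually indicate an over-permissive ACL.
    # (Hypothetical list chosen for this example; adjust to your own policy.)
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

    # Any of these right bits present in an ACE means the principal can change content.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl

    Get-ChildItem -LiteralPath $Path -Recurse -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_.FullName
            $acl = Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue
            if (-not $acl) { return }   # skip directories we cannot read the DACL of

            foreach ($ace in $acl.Access) {
                $grantsWrite = ([int]($ace.FileSystemRights -band $writeMask)) -ne 0
                if ($ace.AccessControlType -eq 'Allow' -and
                    $broad -contains $ace.IdentityReference.Value -and
                    $grantsWrite) {
                    [PSCustomObject]@{
                        Directory = $dir
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
}

# Usage: review a tree that should only be writable by administrators.
Find-WeakDirectoryAcls -Path 'C:\Program Files' | Format-Table -AutoSize
```

Note that this reads the DACL entries as written; it does not compute effective access the way AccessChk does, where group memberships and Deny entries are combined. A directory flagged here is a candidate for review, not a confirmed finding.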

ADExplorer (Active Directory Explorer) — GUI Only

TL;DR: Advanced viewer and editor for Active Directory (AD).

This tool allows you to conveniently navigate an Active Directory database, view object properties and attributes, edit permissions, view an object’s schema, and perform complex searches that can be saved and re-run.

Another commendable feature of this tool is the ability to save snapshots of an Active Directory database for offline viewing as though it were a live database. Two snapshots can also be compared against each other to show which objects, attributes, and security permissions differ or changed between them.

ADInsight (Active Directory Insight) — GUI Only

TL;DR: Real-time LDAP monitor to troubleshoot Active Directory client applications.

This tool uses DLL injection techniques to intercept calls that applications make into the “wldap32.dll” library, which is the standard library underlying Active Directory APIs such as LDAP and ADSI. This tool intercepts and interprets all client-side APIs, including those that do not result in transmission to a server.

Without administrator privileges, this tool monitors any process into which it can inject its tracing DLL. With administrative privileges, it would also monitor system processes, including Windows services.

ADRestore (Active Directory Restore) — Command Line Only

TL;DR: Recovers (un-deletes) Server 2003 Active Directory objects.

Deleted objects—called “tombstones”—within Windows Server 2003 could be restored. This tool enumerates deleted objects in a domain, and provides the option to restore them as well.

AutoLogon — GUI Only

TL;DR: Bypasses password screen during logon by automatically logging in for you.

Using this tool, instead of waiting for a user to enter their username and password while on the logon screen, Windows logs the specified user in automatically. Although the credentials are encrypted and stored in the Registry as a Local Security Authority (LSA) secret, a user with administrative privileges could easily retrieve and decrypt them.

While this tool is enabled on the system, if the Shift key is pressed and held before an automatic logon could be performed, then automatic logon is disabled only for that single logon instance.

AutoRuns — Command Line + GUI

TL;DR: Shows what programs are configured to start up automatically when the system boots and you log in, and also shows a full list of Registry and file locations where applications could configure auto-start settings.

This is the most comprehensive auto-start monitoring tool that not only knows of the programs and drivers that are rigged to auto-run on the system via the “Startup” folder and Registry keys (such as Run, RunOnce, and others), but also reports Explorer shell extensions, toolbars, browser helper objects, “winlogon” notifications, auto-start services, and a lot more.

Since all these entries could get overwhelming, this tool also provides a display filter that hides all trusted Microsoft-native start-up images (executables), therefore highlighting only the third-party start-up images.
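A small slice of what AutoRuns covers, the Run and RunOnce keys, can be checked by hand. The following is an added example for this page, not Sysinternals code; the function Get-RunKeyEntries and the helper Get-ImagePathFromCommand are names I made up for it. It lists each auto-start value from the four common Run/RunOnce keys, extracts the image path from the command line, and attaches the Authenticode status of that image so unsigned third-party entries stand out, which mirrors the “hide Microsoft entries” idea described above.

```powershell
function Get-ImagePathFromCommand {
    param([string]$Command)
    # Command lines are either quoted ("C:\dir\app.exe" /arg) or bare (C:\dir\app.exe /arg).
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    $first = ($Command -split '\s+', 2)[0]
    return [Environment]::ExpandEnvironmentVariables($first)
}

function Get-RunKeyEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Get-ItemProperty adds these provider properties; they are not registry values.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $meta) { continue }
            $image  = Get-ImagePathFromCommand ([string]$p.Value)
            $status = 'ImageNotFound'
            if (Test-Path -LiteralPath $image) {
                $status = (Get-AuthenticodeSignature -FilePath $image).Status
            }
            [PSCustomObject]@{
                Key       = $key
                Name      = $p.Name
                Image     = $image
                Signature = $status
                Command   = $p.Value
            }
        }
    }
}

# Usage: show only entries whose image is not validly signed.
Get-RunKeyEntries | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

This covers only the Run/RunOnce keys; services, scheduled tasks, shell extensions, WMI subscriptions and the many other locations AutoRuns enumerates are not touched, which is exactly why the tool exists.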

BgInfo (Background Info) — Command Line + GUI

TL;DR: Fully-configurable program that generates wallpapers that include important information about the system including computer name, IP addresses, network adapters, and more.

This tool can not only write all this user-selected system information onto the Desktop wallpaper, but also the logon screen. Also, since this tool simply writes all this information onto the specified wallpaper and automatically exits, it does not constantly run in the background to consume any further resources or cause any interference with other applications.

BlueScreen — Screensaver

TL;DR: Ultra-realistic Windows Blue Screen of Death (BSoD) screensaver.

This tool not only accurately and authentically simulates the infamous Windows “Blue Screen of Death”, but it also simulates a single fake reboot after the BSoD as well, complete with the Windows boot sequence and loading bar, and even adds a simulated CHKDSK (Disk Check Utility) scan with dummy disk errors following the fake reboot — just like the real deal, but all as a surprisingly uncanny-looking, harmless screensaver prank!

CacheSet — GUI Only

TL;DR: Allows control of the working set size of the system cache; can be used to tune performance.

In addition to allowing manipulation of the working set (physical memory) parameters (such as size) of the system cache, this tool also allows resetting the cache’s working set, setting it up to expand as necessary from a minimal initial size. Also, unlike other tools with similar functionality, changes made with this tool are applied and in effect immediately.

ClockRes (Clock Resolution) — Command Line Only

TL;DR: Shows the minimum, maximum, and current resolution of the system clock timer.

The smallest unit of time by which a clock can accurately advance is called the clock resolution. For example, if the clock resolution is 0.25 seconds (250 milliseconds), the minimum delta (difference between two adjacent values of time) will be 0.25 seconds. In other words, the clock resolution is the minimum increment of time the clock supports, or the finest granularity of the clock.

This tool uses the Windows function named “GetSystemTimeAdjustment” to gather and display this information.

Contig — Command Line Only

TL;DR: Single-file defragmenter that allows you to optimize individual files.

While performing a typical defragmentation, it is difficult to ensure frequently used files are defragmented since they may remain fragmented for various reasons that could be specific to the particular defragmentation algorithm being used. Even if all files have been defragmented, subsequent changes to critical files could cause them to become fragmented. Here’s where this tool steps in.

Being a single-file defragmenter—as opposed to defragmenters that typically defragment the entire disk—this tool attempts to make individually specified files contiguous on the disk so that they occupy as few fragments as possible.

CoreInfo — Command Line Only

TL;DR: Shows processor and cache topology information.

This tool uses the Windows function named “GetLogicalProcessorInformation” to obtain and display processor and cache topology information such as the:

  • Mapping between logical processors and the physical processor
  • NUMA node
  • Socket on which they reside
  • Cache(s) assigned to each logical processor

Ctrl2Cap (Ctrl to Caps Lock) — Driver

TL;DR: Converts the “Caps Lock” key into a “Left Ctrl” key at the kernel-level.

This is a kernel-mode driver that turns the “Caps Lock” key into the “Ctrl” key for UNIX users that have migrated to Windows NT (since they are more accustomed to the “Left Ctrl” key being located where the “Caps Lock” key is on the standard, conventional computer systems).

This keyboard input filtering occurs just above the keyboard class driver. Hence, any keyboard filtering at this level allows conversion and hiding of keys even before Windows “sees” them.

DebugView — Command Line + GUI

TL;DR: Allows viewing and recording of debug output on the local machine or across the Internet (via TCP/IP) without an active debugger.

This tool is capable of recording both kernel-mode (device driver) and Win32 program debug output by intercepting calls made to:

  • DbgPrint (used by device drivers)
  • OutputDebugString (used by Win32 programs)

Due to this direct interception, an active debugger does not need to be attached in order for the debug output to be recorded.

Desktops — GUI Only

This tool allows you to create up to four virtual Desktops, and to use a taskbar tray icon or hotkeys to preview each desktop or easily switch among them.

Disk2VHD (Disk to Virtual Hard Drive) — Command Line + GUI

This tool simplifies the migration of physical systems into virtual machines by creating virtual versions of physical disks to be used within virtual machines.

DiskExt (Disk Extents) — Command Line Only

This tool shows volume disk mappings — what disks the partitions of a volume are located on, and where on the disk the partitions are located.

DiskMon (Disk Monitor) — GUI Only

This tool captures all disk activity, or acts as a green-colored software-level icon in the taskbar tray that serves as a “disk activity LED”.

DiskView — GUI Only

This tool shows a graphical disk map and allows you to determine where a file is “physically” located on the disk.

DU (Disk Usage) — Command Line Only

This tool shows disk usage for a specified directory, by default, in a recursive manner (also including all subdirectories within its calculation) unless specified otherwise within its arguments.

EFSDump (Encrypting File System Dump) — Command Line Only

This tool uses the “QueryUsersOnEncryptedFile” API to show what user accounts have the permissions to access encrypted files within an EFS file system.

FindLinks — Command Line Only

This tool reports the file index and any hard links (alternate file paths on the same volume) that exist for a specified file. Note that as long as at least one file name references a file’s data, the file data remains allocated.

Handle — Command Line Only

TL;DR: Shows what files are open by which processes, and more.

A “handle” is an integer value by which a process refers to a kernel object it has opened (a file, Registry key, mutex, and so on). This tool displays information such as object types and names about the active handles of any process in the system. It is essentially the command-line version of another SysInternals Suite tool called Process Explorer, which is a GUI-based tool with similar capabilities and more.

Hex2Dec (Hexadecimal to Decimal) — Command Line Only

This tool converts hexadecimal numbers to decimal, and decimal numbers to hexadecimal.

Junction — Command Line Only

TL;DR: Creates directory symbolic links — junction points.

Windows 2000 and later support “junction points”, where a directory could be made to serve as a “symbolic link” (an alias) to another directory on the system — sort of like a “shortcut” for directories, but more functionally diverse. Since Windows 2000 does not come with any in-built tools to create junction points, this tool comes in handy.

LDMDump (Logical Disk Manager Dump) — Command Line Only

TL;DR: Dumps the contents of the Logical Disk Manager’s (LDM) on-disk database in Windows 2000 Dynamic disks.

Windows 2000 introduced a new type of disk-partitioning scheme, managed by a component called “Logical Disk Manager” (LDM). Basic disks implement standard DOS-style partition tables, whereas Dynamic disks use LDM partitioning. LDM partitioning offers several advantages over DOS-style partitioning including replication across disks, and on-disk storage of advanced volume configuration.

This tool allows to examine exactly what is stored in a disk’s copy of the system LDM database. It shows the contents of the LDM database private header, table-of-contents, and object database.

ListDLLs (List Dynamic-Link Libraries) — Command Line Only

TL;DR: Lists all the DLLs that are currently loaded and related information.

This tool not only displays all DLLs currently loaded into active processes, but also the full location paths of where they are loaded, their version numbers, and their digital signatures. Hence, it is also used to scan processes for unsigned DLLs.

LiveKD (Live Kernel Debug) — Command Line Only

TL;DR: Examines the live system using Microsoft kernel debuggers.

This tool allows running the “KD” and “WinDbg” Microsoft kernel debuggers—which are part of the “Debugging Tools for Windows” package—locally, on a live system.

LoadOrder — Command Line + GUI

This tool shows the order in which device drivers are loaded on a Windows NT or Windows 2000 system.

LogonSessions — Command Line Only

This tool lists the active logon sessions—and optionally the processes running in those sessions—on a system.

MoveFile — Command Line Only

This tool allows you to schedule file move operations for the next reboot. Specifying an empty destination schedules the file for deletion instead. Hence, it supports both scheduled file move and scheduled delete operations.

NotMyFault — Command Line + GUI

This tool is used to deliberately cause crashes, hangs, and kernel memory leaks on a Windows system for the purpose of studying hardware or driver issues; or even generate a Blue Screen of Death (BSoD) dump for troubleshooting purposes.

NTFSInfo (New Technology File System Info) — Command Line Only

TL;DR: Shows detailed information about NTFS volumes.

The Master File Table (MFT) in NTFS file systems is made up of records that describe the location of every file and directory on the drive — and the MFT itself is a file! To protect the MFT from becoming fragmented, the NTFS file system reserves a portion of the disk around the MFT which is not allocated to other files unless disk space runs low. This portion of the disk around the MFT is called the “MFT Zone”.

This tool dumps information such as:

  • Size and location of the MFT on the disk
  • Size and location of the MFT Zone on the disk
  • Sizes of the NTFS meta-data files
  • Location of where key NTFS files are located on the disk

PageDefrag — Command Line + GUI

This tool defragments paging files and Registry hives.

PendMoves (Pending Moves) — Command Line Only

This tool lists file rename and delete commands that are scheduled to be executed on the next boot.
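The pending operations PendMoves reports (and MoveFile schedules) live in a single REG_MULTI_SZ value, PendingFileRenameOperations, under the Session Manager key. As an added example written for this page (not Sysinternals code; the function name Get-PendingFileOperations is mine), the following reads that value and decodes it into move/delete pairs. Reviewing it is a quick way to spot a file deletion or replacement that has been queued for the next boot.

```powershell
function Get-PendingFileOperations {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $entries = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations `
                    -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $entries) { return }   # nothing scheduled

    # The value is a flat list of (source, destination) pairs. Paths carry the
    # NT prefix "\??\"; an empty destination means "delete the source"; a leading
    # "!" on the destination means "replace an existing file".
    for ($i = 0; ($i + 1) -lt $entries.Count; $i += 2) {
        $source  = $entries[$i]     -replace '^\\\?\?\\', ''
        $rawDest = $entries[$i + 1]
        $replace = $rawDest.StartsWith('!')
        $dest    = $rawDest -replace '^!?\\\?\?\\', ''
        $op      = 'Move'
        if ([string]::IsNullOrEmpty($dest)) { $op = 'Delete' }

        [PSCustomObject]@{
            Operation       = $op
            Source          = $source
            Destination     = $dest
            ReplaceExisting = $replace
        }
    }
}

# Usage: list what will happen at the next boot.
Get-PendingFileOperations | Format-Table -AutoSize
```

Reading this value requires no special privilege; writing it (which is what MoveFile does) requires administrative rights, so an unexpected entry here is worth correlating with whoever had those rights recently.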

PipeList — Command Line Only

TL;DR: Lists named pipes defined in the system.

“Named pipes”, in Windows-based systems, are an extension to the traditional “pipe” concept in UNIX-based systems, and are one of the methods processes use to communicate among themselves (inter-process communication). The device driver that implements these named pipes is a file system driver (NPFS.SYS).

This tool uses the Windows function named “NtQueryDirectoryFile” to obtain a directory listing of the named pipes defined in the system.

PortMon (Port Monitor) — GUI Only

This powerful tool monitors serial and parallel port activity with advanced filtering capabilities, application–port relationships, and even shows a portion of the data being sent and received. All standard serial and parallel IOCTLs are supported.

ProcDump (Processes Dump) — Command Line Only

This tool captures process dumps of otherwise difficult-to-isolate-and-reproduce CPU spikes. It also generally helps monitor and generate process dumps when a process has a hung window or an unhandled exception.

ProcExp (Process Explorer) — Command Line + GUI

A “handle” is an integer value by which a process refers to a kernel object it has opened (a file, Registry key, mutex, and so on).

This tool shows which processes have a given handle, DLL, file, Registry key, or other object open or loaded, and much more.

ProcMon (Process Monitor) — Command Line + GUI

TL;DR: Monitors file system, Registry, process, thread and DLL activity in real-time.

This tool combines the features of two popular legacy Sysinternals Suite tools — FileMon (File Monitor) and RegMon (Registry Monitor), along with several enhancements including comprehensive event properties (such as session IDs and user names), reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more.

These powerful features make this tool particularly useful in system troubleshooting and malware analysis usage scenarios.

PsExec (Execute) — Command Line Only

TL;DR: Executes processes on remote systems.

This is a lightweight remote administration tool that allows you to execute processes on remote systems without the need for any additional client installation on the remote system (such as Telnet or Remote Desktop). It also supports full interactivity for console-based applications, as it effectively redirects input and output to and from these applications.

This tool is also used for executing commands—on a remote system—that otherwise are fundamentally not intended for execution against remote systems (such as ipconfig).

PsFile — Command Line Only

TL;DR: Shows files on the system that are opened on remote systems.

This tool lists shared files that are open remotely, and also allows closing those opened files either by name or by file identifier. It is an upgrade over Windows’ in-built net file command, which also lists all shared files that are open, but lacks support for lengthy location paths and remote system information.

PsGetSID (Get Security Identifier) — Command Line Only

This tool translates Security Identifiers (SIDs) to their corresponding hostnames or usernames and vice versa. It works on Windows’ built-in accounts, domain accounts, and local accounts.

PsInfo — Command Line Only

TL;DR: Shows useful local and remote system information.

This tool, by default, shows information for only the local system. However, if a remote hostname is specified, the tool relies on the “Remote Registry” Windows service being enabled and running on the remote system in order to retrieve this information. Key local and remote system information could be gathered using this tool, such as:

  • Installation type
  • Kernel build
  • Registered organization and owner
  • Number of processors and their types
  • Amount of physical memory
  • Windows install date (and if it is a trial version, then also the expiration date)

PsKill — Command Line Only

TL;DR: Terminates processes on local and remote systems.

Windows’ in-built commands to terminate (or “kill”) running processes are only effective against local system processes.

This process termination tool is effective against local and remote system processes, without the need of any additional client installations on the remote system.

PsList — Command Line Only

This tool shows detailed information regarding processes and threads.

PsLoggedOn — Command Line Only

TL;DR: Shows users logged on on local and remote systems.

Windows’ in-built net session command only lists users consuming resources, and only on the local system. Beyond that, Windows has no in-built tool to list logged on users — neither for local systems, nor for remote ones.

This tool displays both locally and remotely logged on users, using the following methods:

  • To determine who is logged on locally, it scans the keys under the “HKEY_USERS” Registry key (since it considers profiles loaded into the Registry as “logged on”). Then, for every key under “HKEY_USERS” whose name is a user’s SID (Security Identifier), it looks up the username corresponding to that SID and displays it.
  • To determine who is logged on remotely via resource shares, it uses the “NetSessionEnum” API to perform a NetBIOS enumeration.
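The local method just described can be reproduced directly in PowerShell. The following is an added example for this page, not PsLoggedOn’s own code; the function name Get-LocallyLoadedProfiles is mine, and the remote half assumes the SmbShare module (Get-SmbSession, available on Windows 8 / Server 2012 and later, run as administrator) as a stand-in for the NetSessionEnum call the page mentions. It enumerates the HKEY_USERS subkeys that look like user SIDs, translates each SID to an account name, and then lists the SMB sessions open against this host.

```powershell
function Get-LocallyLoadedProfiles {
    # HKEY_USERS holds one subkey per loaded user hive. Subkeys named like
    # S-1-5-21-... are user profiles; .DEFAULT, service SIDs and the *_Classes
    # keys are deliberately skipped by the pattern below.
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object {
            $sidText = $_.PSChildName
            $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
            try {
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = '<unresolved>'   # e.g. a domain SID with no reachable domain controller
            }
            [PSCustomObject]@{ SID = $sidText; Account = $account }
        }
}

function Get-RemoteShareSessions {
    # Who has an SMB session open against this machine (the "logged on via
    # resource shares" view). Requires administrative rights.
    Get-SmbSession -ErrorAction SilentlyContinue |
        Select-Object ClientComputerName, ClientUserName, NumOpens, SecondsExists
}

# Usage:
'--- Locally loaded profiles ---'
Get-LocallyLoadedProfiles | Format-Table -AutoSize
'--- Remote share sessions ---'
Get-RemoteShareSessions | Format-Table -AutoSize
```

A loaded hive is a reasonable proxy for “logged on”, but not a perfect one: a hive can stay loaded after a user logs off if a process keeps it open, and scheduled tasks or services running under a user account load that user’s hive without an interactive session.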

PsLogList — Command Line Only

This tool dumps event log records from local and remote systems.

PsPasswd — Command Line Only

TL;DR: Changes account passwords on local and remote systems.

This is a useful tool for systems administrators that manage local administrative accounts on multiple systems and regularly need to change account passwords, say, as part of standard security practices. It allows changing an account password on local and remote systems using Windows’ password-reset APIs, therefore not insecurely transmitting passwords over the network.

PsPing — Command Line Only

This tool measures network performance metrics (latency and bandwidth) using the concept of pinging.

PsService — Command Line Only

This tool allows you to view and manage services on local and remote systems.

PsShutdown — Command Line Only

This tool is similar to the shutdown command on Windows systems, but additionally supports shutting down, rebooting, logging users off, and locking (equivalent to Ctrl + L) local and remote systems — all without the need for any additional client installation on the remote system.

PsSuspend — Command Line Only

Rather than completely terminating (killing) a process, suspending it allows its operation to be resumed at a later point in time.

This tool suspends and resumes processes on local and remote systems.

RAMMap (Random Access Memory Map) — Command Line + GUI

This is an advanced physical memory usage analysis tool that shows usage information within its several different information tabs, providing useful insight into how the system assigns its physical memory, the amount of file data cached in RAM, the amount of RAM used by the kernel and device drivers, and more.

RDCMan (Remote Desktop Connection Manager) — GUI Only

This tool manages multiple remote desktop connections in a single, convenient place.

RegDelNull (Registry Delete Null) — Command Line Only

This tool scans for and deletes Registry keys that contain embedded null-characters, which are otherwise undeletable by standard Registry-editing tools.

RegJump (Registry Jump) — Command Line Only

This tool directly opens RegEdit (Windows Registry Editor) and jumps to the Registry path specified.

RU (Registry Usage) — Command Line Only

This tool reports the registry space usage for a specified registry key.

SDelete (Secure Delete) — Command Line Only

TL;DR: Department of Defense-compliant secure-delete program that securely overwrites sensitive files and cleans free space of previously deleted files to ensure maximum non-recoverability.

Windows NT and 2000 implement “object reuse protection”. This means that when an application allocates storage space or virtual memory for a file, it is unable to access the data that was previously stored in those resources. This data is inaccessible because the system zero-fills the resources (memory and disk) before granting them to the application.

However, this object reuse protection does not automatically imply that zero-filling would be performed against the space occupied by a file that is deleted. Hence, it becomes possible to use raw disk editors and recovery tools to view and recover data that the operating system has deallocated. Deallocation is simply the state change of storage space from “allocated” (being used) to “unallocated” (free), without actually clearing the data that resides there. This essentially marks the space as “free”, and saves the system the extra overhead involved in explicitly zero-filling that space since not every user requires that level of security.

This tool is used to securely delete existing files and securely erase any file data that may exist in the unallocated portions of the disk. It implements the Department of Defense clearing and sanitizing standard “DOD 5220.22-M” to ensure that the file data is gone forever.

ShareEnum (Share Enumerate) — GUI Only

TL;DR: Scans file shares on a network and shows their security settings to help find and close security holes.

This tool uses NetBIOS enumeration to scan all hosts within the network that is accessible to it, and then shows file shares, print shares, and their security settings. Since only a domain administrator has the ability to view all network resources, this tool is most effective when run from a domain administrator account.

ShellRunAs — Command Line Only

This tool helps launch programs as different user accounts via a convenient shell context-menu entry.

SigCheck (Signature Check) — Command Line Only

This tool dumps file information of a specified file to show the file version number, digital signature information, certificate chains, and an optional status-check of that file on VirusTotal (which performs automated file scanning against over 70 anti-malware engines).

Streams — Command Line Only

TL;DR: Reveals NTFS’ Alternate Data Streams (ADS).

Alternate Data Streams (ADS) are a feature specific to the NTFS file system which, perhaps surprisingly, allows “invisible” data to be stored in a file’s alternate data stream. This could essentially be used to hide one file within another. ADS is not limited to files, and can also apply to directories.

Since there are no in-built tools to scan NTFS files for any streams associated with them, this tool proves itself by not only searching for data hidden within alternate data streams, but also showing their names and sizes.
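Since Windows Vista, PowerShell’s file cmdlets can see alternate streams via the -Stream parameter, which gives a defender a built-in way to do what Streams does. The following is an added example written for this page, not Sysinternals code; the function name Find-AlternateDataStreams is mine. It walks a tree and reports every stream other than the default unnamed data stream, with the stream’s name and size, and then reads the one stream most often seen legitimately (Zone.Identifier, the “mark of the web” left by downloads) so the reader can tell benign from suspicious.

```powershell
function Find-AlternateDataStreams {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            # ':$DATA' is the ordinary, unnamed data stream every file has; anything
            # else is an alternate stream. Directories have no default stream, so
            # every stream found on one is alternate. Single quotes keep the "$" literal.
            Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [PSCustomObject]@{
                        File   = $item.FullName
                        Stream = $_.Stream
                        Length = $_.Length
                    }
                }
        }
}

function Get-ZoneIdentifier {
    param([Parameter(Mandatory)][string]$File)
    # Zone.Identifier is an INI-style stream written by browsers and mail clients;
    # ZoneId=3 means the file came from the Internet zone.
    Get-Content -LiteralPath $File -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
}

# Usage: list alternate streams under the Downloads folder, then inspect one.
$found = Find-AlternateDataStreams -Path "$env:USERPROFILE\Downloads"
$found | Format-Table -AutoSize

$found | Where-Object { $_.Stream -ne 'Zone.Identifier' } |
    ForEach-Object { "Non-standard stream on $($_.File): $($_.Stream) ($($_.Length) bytes)" }
```

Streams named Zone.Identifier with a few dozen bytes are expected on downloaded files. A large stream, a stream whose name imitates a file name, or any alternate stream on a system directory is what deserves a closer look.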

Strings — Command Line Only

In Windows NT and 2000 systems, executables and object files often have embedded ANSI or Unicode strings that are not readily found using standard ASCII string searches.

This tool searches for ANSI and Unicode strings in binary images and displays them.

Sync — Command Line Only

This tool flushes cached data to a specified disk to ensure this data is not lost in the case of a system failure or forced shutdown event.

SysMon (System Monitor) — Command Line Only

TL;DR: Monitors and reports key system activity into the Windows event log.

This tool is a system service and device driver (hence, kernel-level) that persists across system reboots once installed, and then monitors and logs system activity into the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation times.
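Because Sysmon writes to a standard event log (Microsoft-Windows-Sysmon/Operational), its records can be pulled with Get-WinEvent. The following is an added example for this page, not Sysinternals code; the function name Get-SysmonEvents is mine. It queries the three event types the paragraph above names (Event ID 1 process creation, ID 2 file creation time change, ID 3 network connection), parses the EventData fields from each event’s XML, and flattens them into a table a responder can filter. It assumes Sysmon is installed and that the shell runs with rights to read the log.

```powershell
function Get-SysmonEvents {
    param(
        [int[]]$Id = @(1, 2, 3),   # 1 = ProcessCreate, 2 = FileCreateTime, 3 = NetworkConnect
        [int]$MaxEvents = 100
    )

    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = $Id } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Sysmon stores its fields as <Data Name="..."> elements under EventData.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            $detail = switch ($_.Id) {
                1 { $data['CommandLine'] }
                2 { "$($data['TargetFilename']) : $($data['PreviousCreationUtcTime']) -> $($data['CreationUtcTime'])" }
                3 { "$($data['DestinationIp']):$($data['DestinationPort']) ($($data['Protocol']))" }
                default { '' }
            }

            [PSCustomObject]@{
                Time   = $_.TimeCreated
                Id     = $_.Id
                User   = $data['User']
                Image  = $data['Image']
                Detail = $detail
            }
        }
}

# Usage: recent process creations whose image lives outside the Windows and Program Files trees.
Get-SysmonEvents -Id 1 -MaxEvents 500 |
    Where-Object { $_.Image -notmatch '^C:\\(Windows|Program Files)' } |
    Format-Table -AutoSize
```

The field names used here (Image, CommandLine, User, TargetFilename, CreationUtcTime, PreviousCreationUtcTime, DestinationIp, DestinationPort, Protocol) are the standard Sysmon EventData names for these three event IDs; what Sysmon actually records is governed by its configuration file, so an empty result may mean a filter excluded the activity rather than that nothing happened.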

TCPView (Transmission Control Protocol View) — GUI Only

TL;DR: Active socket viewer.

This tool shows detailed listings of all TCP and UDP endpoints (ports) on a system, including the local and remote IP addresses and the state of each TCP connection. Where possible, it also reports the name of the process that owns the endpoint. It presents this data more informatively and more conveniently than the in-built Windows tool “Netstat”.
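The “endpoint plus owning process” view TCPView gives can be rebuilt from the NetTCPIP module cmdlets (Windows 8 / Server 2012 and later). The following is an added example written for this page, not Sysinternals code; the function name Get-EndpointsWithOwner is mine. It joins Get-NetTCPConnection and Get-NetUDPEndpoint output with the process table so each listening or established endpoint is shown with its process name, which is the first thing to check when an unexpected port is open.

```powershell
function Get-EndpointsWithOwner {
    param([string[]]$TcpState = @('Listen', 'Established'))

    # Snapshot the process table once; OwningProcess is a UInt32, so normalise
    # keys to [int] or hashtable lookups will silently miss.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[[int]$_.Id] = $_.ProcessName }
    $nameOf = { param($pid_) if ($procs.ContainsKey([int]$pid_)) { $procs[[int]$pid_] } else { '<unknown>' } }

    Get-NetTCPConnection -State $TcpState -ErrorAction SilentlyContinue | ForEach-Object {
        [PSCustomObject]@{
            Proto   = 'TCP'
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            State   = $_.State
            PID     = $_.OwningProcess
            Process = & $nameOf $_.OwningProcess
        }
    }

    Get-NetUDPEndpoint -ErrorAction SilentlyContinue | ForEach-Object {
        [PSCustomObject]@{
            Proto   = 'UDP'
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = '*:*'
            State   = ''
            PID     = $_.OwningProcess
            Process = & $nameOf $_.OwningProcess
        }
    }
}

# Usage: every listener on the machine, sorted by port, with its owner.
Get-EndpointsWithOwner -TcpState Listen | Sort-Object Proto, { [int]($_.Local -split ':')[-1] } |
    Format-Table -AutoSize
```

Process names alone can be misleading (svchost.exe hosts many services); for a suspicious PID, follow up with the service list or the image path rather than trusting the name.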

VMMap (Virtual Machine Map) — Command Line + GUI

TL;DR: Virtual and physical memory analysis utility for processes.

This tool shows a breakdown of a process’s committed virtual memory and the amount of physical memory (working set) assigned to that virtual memory by the operating system. It shows graphical representations of memory usage, a detailed process memory map, and features powerful filtering capabilities that allow you to identify the sources of process memory usage and the memory costs of applications. Hence, this tool is ideal for developers that want to understand and optimize their application’s memory resource usage.

VolumeID — Command Line Only

TL;DR: Sets Volume ID of FAT or NTFS drives.

Changing the labels of disk volumes is easy and widely known; changing volume IDs, however, is not as straightforward with the in-built Windows disk management tools. This tool proves useful exactly here, as it allows changing these volume IDs for disks using the FAT or NTFS file systems.

WhoIs — Command Line Only

This tool performs registration record lookups for the specified domain name or IP address, and displays the results.

WinObj (Windows Object) — GUI Only

TL;DR: The ultimate Object Manager namespace viewer.

This is a must-have tool for a system administrator concerned about security, or a developer tracking down object-related problems, or someone just curious about the Object Manager namespace.

ZoomIt — GUI Only

TL;DR: Presentation utility for zooming and drawing on the screen.

This tool runs in the taskbar tray and activates with customizable hotkeys to zoom in on an area of the screen, draw on it with multiple colors, and type strings on the screen — all for presentation purposes. It works on all versions of Windows and also utilizes the pen-input feature to draw on Windows-based tablet computers as well.
