We’re at the end of our SysInternals series, and it’s time to wrap everything up by talking about all the little utilities that we didn’t cover through the first nine lessons. There are definitely a lot of tools in this kit.
We’ve learned how to use Process Explorer to troubleshoot unruly processes on the system, and Process Monitor to see what they are doing under the hood. We’ve learned about Autoruns, one of the most powerful tools to deal with malware infections, and PsTools to control other PCs from the command line.
Today we’re going to cover the remaining utilities in the kit, which can be used for all sorts of purposes, ranging from viewing network connections to seeing effective permissions on file system objects.
But first, we’ll walk through a hypothetical example scenario to see how you might use a number of the tools together to solve a problem and do some research on what is going on.
Which Tool Should You Use?
There isn’t always just one tool for the job — it’s much better to use them all together. Here’s an example scenario to give you an idea of how you might tackle the investigation, although it’s worth noting that there are any number of ways to figure out what’s going on. This is just a quick example to help illustrate, and is by no means an exact list of steps to follow.
Scenario: System is Running Slow, Suspected Malware
The first thing you should do is open up Process Explorer and see what processes are using up resources on the system. Once you’ve identified the process, you should use the built-in tools in Process Explorer to verify what the process actually is, make sure it’s legitimate, and optionally scan that process for viruses using the built-in VirusTotal integration.
Note: if you really think there might be malware, it’s often helpful to unplug or disable internet access on that machine while troubleshooting, although you might want to do VirusTotal lookups first. Otherwise that malware might download more malware, or transmit more of your information.
If the process is completely legitimate, kill or restart the offending process, and cross your fingers that it was a fluke. If you don’t want that process to start anymore, you can either uninstall it, or use Autoruns to stop the process from loading at startup.
If that doesn’t solve the problem, it might be time to pull out Process Monitor and analyze the processes that you’ve already identified and figure out what they are trying to access. This can give you clues into what is actually going on — maybe the process is trying to access a registry key or file that doesn’t exist or it doesn’t have access to, or maybe it is just trying to hijack all of your files and do lots of sketchy things like accessing information that it probably shouldn’t, or scanning your whole drive for no good reason.
In addition, if you suspect that the application is connecting to something that it shouldn’t, which is very common in the case of spyware, you’d pull out the TCPView utility to verify whether that is the case.
At this point you might have determined that the process is malware or at crapware. Either way you don’t want it. You can run through the uninstall process if they are listed in Control Panel’s Uninstall Programs list, but many times they aren’t listed, or don’t clean up properly. This is when you pull out Autoruns and find every place that the application has hooked into the startup, and nuke them from there, and then nuke all of the files.
Running a full virus scan of your system is also helpful, but lets be honest… most crapware and spyware gets installed despite anti-virus applications being installed. In our experience, most anti-virus will happily report “all clear” while your PC can barely operate because of spyware and crapware.
This utility is a great way to see what applications on your computer are connecting to what services over the network. You can see most of this information on the command prompt using netstat, or buried in the Process Explorer / Monitor interface, but it’s much easier to just pop open TCPView and see what is connecting to what.
The colors in the list are pretty simple and similar to the other utilities — bright green means that the connection just showed up, red means the connection is closing, and yellow means the connection changed.
You can also look at the process properties, end the process, close the connection, or pull up a Whois report. It’s simple, functional, and very useful.
Note: When you first load TCPView, you might see a ton of connections from [System Process] to all sorts of internet addresses, but this usually isn’t a problem. If all of the connections are in the TIME_WAIT state, that means that the connection is being closed, and there isn’t a process to assign the connection to, so they should up as assigned to PID 0 since there’s no PID to assign it to.
This usually happens when you load up TCPView after having connected to a bunch of things, but it should go away after all the connections close and you keep TCPView open.
Shows information on the system CPU and all of the features. Ever wondered if your CPU is 64-bit or if it supports hardware-based virtualization? You can see all that and much, much more with the coreinfo utility. This can be really useful if you want to see whether an older computer can run the 64-bit version of Windows or not.
This utility does the same thing that Process Explorer does — you can quickly search to find out which process has an open handle that is blocking access to a resource, or from deleting a resource. The syntax is pretty simple:
And if you want to close the handle, you can use the hexadecimal handle code (with -c) in the list combined with the process ID (the -p switch) to close it.
handle -c <hex> -p <PID>
It’s probably a lot easier to use Process Explorer for this task.
Just like Process Explorer, this utility lists out the DLLs that are loaded as part of a process. It’s a lot easier to use Process Explorer, of course.
This utility analyzes your physical memory usage, with loads of different ways to visualize the memory, including by physical pages, where you can see the location in RAM that each executable is loaded into.
Strings Finds Human-Readable Text in Apps and DLLs
If you see a weird URL as a string in some software package, it is time to worry. How would you see that weird string? Using the strings utility from the command prompt (or using the function in Process Explorer instead).