If you've even a modicum of experience with more than a few versions of Microsoft Windows, you've probably heard of Sysinternals and know the name Mark Russinovich. Microsoft acquired Sysinternals in 2006, and today Mark Russinovich is a technical fellow in the Cloud and Enterprise division. While he spends most of his time focusing on the Azure platform, he remains involved with the development of the tools his company created.
At Microsoft events like TechEd, Russinovich presentations on Sysinternals tools are often standing room. Russinovich's blog contains a long list of articles documenting how different system problems, including security issues, were analyzed using Sysinternals tools. It's worth taking time to browse his blog and watch recorded sessions from TechEd.
The Sysinternals website provides links to a wide range of tools categorized into functional areas. Some tools overlap different categories and make it possible to perform both system maintenance and security tasks. You'll also find links to webcasts and other training materials to help get you up to speed on the entire suite of tools. If you really want to dig deep, you'll want to take a look at the Windows Sysinternals Administrator's Reference book.
Sysinternals Process Explorer, Process Monitor
All Sysinternals tools are free to download and provide information you can use to do your own sleuthing. Many experienced system administrators keep either a USB key or a CD with the entire suite of Sysinternal tools at the ready. The two most popular tools, Process Explorer and Process Monitor, provide deep insight into the inner workings of Microsoft Windows.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
Process Explorer is currently at version 16.03 and has been around in one form or another since the days of Windows NT. Process Explorer is the tool to use for identifying files, DLLs, registry keys and other objects attached to a running process. It will also show the owner of each running process.
Process Monitor is one of those tools you wish you'd known about a long time ago. It provides a real-time view of all file system, Windows Registry and process activity for each running process. The biggest problem most people have with using Process Monitor is the sheer amount of information it produces. Figure 1 shows a screenshot of the Process Monitor screen with information gathered over a few seconds.
The real power behind Process Monitor comes from the summary tools and filtering feature. A Process Activity Summary screen available from the Tools menu presents a visual picture of all active processes with graphs of file, network and registry activity. From this single screen it's easy to spot problem applications and then use the filtering tool to dive deeper into the process to determine exactly what's going on.
Sysmon is one of the newest tools added to the Sysinternals suite. It's available for download from the Microsoft Technet site. Sysmon runs as a Windows service, loading very early in the boot process in an effort to catch any malicious code that might attempt to take control of the machine. It logs three specific events including process creation, the changing of a file creation time by a process and establishing of a network connection. All occurrences of these events get written to the Windows event log which is accessible remotely if necessary.
Filtering and searching through event logs can be a tedious process, but with a little practice it is possible to become proficient at identifying problems. Understanding how certain types of malware behave helps when it comes to security sleuthing. Many of these programs make a copy of the initial executable in an attempt to hide its identity. Sysmon logs these types of actions and uses the SHA1 hashing algorithm to identify the signature of these rogue programs.
Sysmon also monitors network activity to help identify attacks which initiate connections outside the host system. The biggest benefit to using a tool such as Sysmon over other tools like Process Monitor is the use of the Windows event log to store all pertinent information. This removes the need to run an additional program and makes it possible to remotely access the logs for further analysis.
Bottom Line on Sysinternals
The biggest takeaway here is the fact that all Sysinternals tools are free. All that's required is to download and install them. While they might take a bit of usage and study to understand exactly how they work, you won't find any better tools that do what they do. If you are a system administrator and don't know about these tools, it's high time you did.
Paul Ferrill has been writing in the IT trade press for over 25 years. He's written hundreds of articles for publications like Datamation, Federal Computer Week, InfoWorld, Network Computing, Network World and PC Magazine and is the author of two books. He is a regular contributor to ServerWatch.com and several other QuinStreet Enterprise properties.