Here are my notes on the Sysinternals Suite from the point of view of a security analyst or engineer. Many of these tools are used frequently by sysadmins and malicious actors alike, so I recommend that security professionals familiarize themselves with them.
This page may be updated.
Direct link to the newest zip containing everything: https://download.sysinternals.com/files/SysinternalsSuite.zip
Download with PowerShell
Invoke-WebRequest -Uri "https://download.sysinternals.com/files/SysinternalsSuite.zip" -OutFile SysinternalsSuite.zip
Expand-Archive -Path SysinternalsSuite.zip -DestinationPath C:\Sysinternals
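The same download extended with the check a practitioner wants before running anything from the archive. This is an added example, not part of the original page: it fetches and expands the suite from the URL above, then verifies the Authenticode signature on every extracted executable so that a substituted or tampered binary is noticed. The destination path and the name of the signer check are my assumptions.

```powershell
# Added example: download the suite, expand it, and verify that every PE file
# carries a valid Authenticode signature from Microsoft before any of it is run.
$Url  = 'https://download.sysinternals.com/files/SysinternalsSuite.zip'
$Zip  = Join-Path $env:TEMP 'SysinternalsSuite.zip'
$Dest = 'C:\Sysinternals'   # assumed install location

Invoke-WebRequest -Uri $Url -OutFile $Zip
Expand-Archive -Path $Zip -DestinationPath $Dest -Force

function Test-SysinternalsSignatures {
    # Return one record per .exe/.dll/.sys under $Path with its signature state.
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll, *.sys |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File   = $_.Name
                Status = $sig.Status                    # Valid, NotSigned, HashMismatch, ...
                Signer = $sig.SignerCertificate.Subject # $null when the file is unsigned
            }
        }
}

$results = Test-SysinternalsSignatures -Path $Dest

# Anything that is not Valid, or whose signer is not Microsoft, must not be run.
$suspect = $results | Where-Object {
    $_.Status -ne 'Valid' -or $_.Signer -notmatch 'CN=Microsoft Corporation'
}
if ($suspect) {
    $suspect | Format-Table -AutoSize
    throw "Unexpected signature state on $($suspect.Count) file(s); do not run them."
}
"All $($results.Count) binaries carry a valid Microsoft signature."

# Every Sysinternals tool prompts for EULA acceptance on first use; pass
# -accepteula when scripting them, e.g. & "$Dest\sigcheck64.exe" -accepteula -nobanner ...
```

Get-AuthenticodeSignature checks the embedded signature and its chain against the local trust store; a Status of NotSigned or HashMismatch on a freshly downloaded binary means the archive should be discarded, not investigated in place.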
Installing Individual Tools
Each tool also has its own download page on the Sysinternals site, where the tools are listed individually with a short description.
Microsoft Win32 API Documentation
Win32 API documentation is useful for developing your own tools and reverse engineering malware.
Although all of the Sysinternals tools are useful, these are the ones I see and use most consistently in a security context. They are in no particular order.
Many of these tools are used regularly by malicious actors, despite their intended use cases being legitimate, so establishing a baseline of how they are used within your environment is valuable. A detection or forensic artifact indicating the use of a Sysinternals tool is neither malicious nor benign on its own. For example, a detection for PsExec being used to spawn a shell as SYSTEM may very well be a true positive; it is just as often a systems administrator going about their day-to-day work.
AccessChk – Show the accesses the specified user or group has to files, Registry keys, or services.
AccessEnum – Shows who has what access to directories, files and Registry keys. Use it to find holes in your permissions.
Process Monitor – Monitor file system, Registry, process, thread and DLL activity in real-time. This is useful for dynamic malware analysis.
MoveFile – Schedule file rename and delete commands for the next reboot. This can be useful for cleaning stubborn or in-use malware files.
PsTools – The PsTools suite includes command-line utilities for listing the processes running on local or remote computers, running processes remotely, rebooting computers, dumping event logs, and more.
PsExec – Execute processes remotely. Commonly used by sysadmins and attackers alike; the -s switch runs the process as SYSTEM (psexec -s -i cmd.exe gives a local SYSTEM shell), which makes it a favourite for both elevation and lateral movement.
PsFile – See what files are opened remotely.
PsKill – Terminate local or remote processes.
PsGetSid – Displays the SID of a computer or a user.
PsLoggedOn – Show users logged on to a system.
PsLogList – Dump event log records.
PsList – Show information about processes and threads.
PsService – View and control services.
PsSuspend – Suspend and resume processes.
PsPasswd – Change passwords.
SDelete – Securely overwrites files and free space.
ShareEnum – Scan file shares on your network and view their security settings to close security holes.
Sigcheck – Dump file version information and verify that images on your system are digitally signed.
From Sigcheck documentation:
One way to use the tool is to check for unsigned files in your \Windows\System32 directories with this command:
sigcheck -u -e c:\windows\system32
You should investigate the purpose of any files that are not signed.
Sigcheck can also be configured to check samples for hits on VirusTotal.
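The same System32 triage driven from PowerShell, as an added example that is not from the original page or from Sigcheck's own documentation. Sigcheck's -c switch emits CSV, which ConvertFrom-Csv turns into objects that can be filtered and joined with other data; the column names used here (Path, Verified, Publisher, SHA256) are what I understand -c to produce and should be checked against one real run on your host, the tool path is assumed, and the sample CSV is constructed so the function can be exercised offline.

```powershell
# Added example: run sigcheck in CSV mode and keep only the images worth a
# second look (anything whose Authenticode chain did not verify).
function Get-UnsignedImages {
    param(
        [string]$Directory = 'C:\Windows\System32',
        [string]$Sigcheck  = 'C:\Sysinternals\sigcheck64.exe',   # assumed path
        [string[]]$SampleCsv                                     # offline input
    )
    if ($SampleCsv) {
        $rows = $SampleCsv | ConvertFrom-Csv
    } else {
        # -e: executable images only  -h: hashes  -s: recurse  -c: CSV output
        # -nobanner keeps the CSV header as the first line of output.
        $rows = & $Sigcheck -accepteula -nobanner -c -e -h -s $Directory | ConvertFrom-Csv
    }
    # 'Verified' reads 'Signed' for a valid chain; everything else (assumed to be
    # 'Unsigned' or an explicit error string) goes to the analyst with its hash.
    $rows | Where-Object { $_.Verified -ne 'Signed' } |
        Select-Object Path, Verified, Publisher, SHA256
}

# Constructed sample in the shape of sigcheck -c -h output (placeholder hashes).
$sample = @'
"Path","Verified","Date","Publisher","Company","Description","Product","SHA256"
"c:\windows\system32\notepad.exe","Signed","1:00 AM 1/1/2024","Microsoft Windows","Microsoft Corporation","Notepad","Microsoft Windows","0000000000000000000000000000000000000000000000000000000000000001"
"c:\windows\system32\helper.exe","Unsigned","n/a","n/a","n/a","n/a","n/a","0000000000000000000000000000000000000000000000000000000000000002"
'@ -split "`r?`n"

Get-UnsignedImages -SampleCsv $sample | Format-Table -AutoSize
# Only helper.exe is listed. Against a live host, omit -SampleCsv to scan System32.
```

Adding -vt to the sigcheck call appends VirusTotal columns for each file, which is the configuration mentioned above; the hash column lets an analyst look a file up without resubmitting it.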
Streams – Enumerate NTFS alternate data streams (ADS).
Malware can hide in ADS. Windows' Mark of the Web mechanism is the benign case: browsers and email clients write a Zone.Identifier stream recording where a file came from (ZoneId=3 means the Internet zone), which is why SmartScreen and Office treat such files with suspicion.
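PowerShell's file cmdlets understand alternate data streams natively, so the enumeration Streams does can be scripted without the tool. This added example (not from the original page) builds a constructed test file carrying a Mark-of-the-Web stream and a second, hidden stream of the kind malware uses, enumerates both, reads the zone metadata, and removes only the hidden stream. File name and stream contents are my own.

```powershell
# Added example: enumerate, read and remove NTFS alternate data streams with
# PowerShell's built-in -Stream support (Windows only).
$file = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -Path $file -Value 'visible content'

# Constructed: what a browser writes as Mark of the Web (ZoneId 3 = Internet),
# plus a second named stream of the kind used to stash a payload out of sight.
Set-Content -Path $file -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"
Set-Content -Path $file -Stream 'hidden.bin' -Value 'payload would live here'

function Get-AlternateStreams {
    # List every named stream on a file. ':$DATA' is the ordinary, unnamed data
    # stream that every file has; anything else is an ADS.
    param([string]$Path)
    Get-Item -Path $Path -Stream * |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [pscustomobject]@{
                File       = $_.FileName
                Stream     = $_.Stream
                Length     = $_.Length
                # Zone.Identifier is expected metadata; any other named stream deserves a look.
                Suspicious = ($_.Stream -ne 'Zone.Identifier')
            }
        }
}

Get-AlternateStreams -Path $file | Format-Table -AutoSize

# Read the MotW metadata: ZoneId=3 says the file was downloaded from the Internet zone.
Get-Content -Path $file -Stream 'Zone.Identifier'

# Remove just the hidden stream, leaving the file and its MotW intact.
Remove-Item -Path $file -Stream 'hidden.bin'
# Unblock-File is the supported way to drop Zone.Identifier specifically.
Unblock-File -Path $file
Get-Item -Path $file -Stream * | Select-Object Stream, Length   # only :$DATA remains
```

The equivalent with the Sysinternals tool is streams -s over a directory to enumerate and streams -d on a file to delete its streams; the difference is that streams -d removes every named stream, including Zone.Identifier, whereas the cmdlets let you pick.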
AD Explorer – GUI Active Directory (AD) viewer and editor.
TCPView – GUI viewer of active TCP and UDP endpoints and the processes that own them; Tcpvcon, which ships with it, is the command-line equivalent.
Whois – See who owns an Internet address. This is similar to the whois utility found on Linux, macOS, and others.
Autoruns – See what programs are configured to start automatically when your system boots and you log in. Autoruns also shows you the full list of Registry and file locations where applications can configure auto-start settings.
Autoruns can be used to find persistence placed by malware or an attacker.
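Persistence hunting with Autoruns works best as a diff: snapshot the auto-start entries when a host is known good, then compare later runs against it. This added example (not from the original page) does that with the console version, autorunsc. The tool path is assumed, the column names (Entry Location, Entry, Image Path, Signer, SHA-256) are what I understand autorunsc -c -h -s to emit and should be confirmed against a real run, and both CSV snapshots are constructed.

```powershell
# Added example: compare an Autoruns baseline with a fresh snapshot and report
# entries that are new or whose image hash changed since the baseline.
function Export-AutorunsSnapshot {
    param(
        [string]$OutFile,
        [string]$Autorunsc = 'C:\Sysinternals\autorunsc64.exe'   # assumed path
    )
    # -a *: all categories  -c: CSV  -h: hashes  -s: verify signatures
    & $Autorunsc -accepteula -nobanner -a * -c -h -s | Set-Content -Path $OutFile
}

function Get-EntryKey {
    # Identity of an auto-start entry: where it is registered and what it launches.
    param([object]$Row)
    "$($Row.'Entry Location')|$($Row.Entry)|$($Row.'Image Path')"
}

function Compare-AutorunsSnapshot {
    param([string[]]$Baseline, [string[]]$Current)
    $oldByKey = @{}
    foreach ($row in ($Baseline | ConvertFrom-Csv)) { $oldByKey[(Get-EntryKey $row)] = $row }
    foreach ($row in ($Current | ConvertFrom-Csv)) {
        $k = Get-EntryKey $row
        $change = if (-not $oldByKey.ContainsKey($k))            { 'New entry' }
                  elseif ($oldByKey[$k].'SHA-256' -ne $row.'SHA-256') { 'Image hash changed' }
                  else                                            { $null }
        if ($change) {
            [pscustomobject]@{
                Change   = $change
                Location = $row.'Entry Location'
                Entry    = $row.Entry
                Image    = $row.'Image Path'
                Signer   = $row.Signer    # '(Verified) ...' or '(Not verified) ...'
            }
        }
    }
}

# Constructed snapshots in the shape of autorunsc CSV output (placeholder hashes).
$baseline = @'
"Entry Location","Entry","Enabled","Category","Signer","Image Path","SHA-256"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SecurityHealth","enabled","Logon","(Verified) Microsoft Windows","c:\windows\system32\securityhealthsystray.exe","0000000000000000000000000000000000000000000000000000000000000001"
'@ -split "`r?`n"

$current = @'
"Entry Location","Entry","Enabled","Category","Signer","Image Path","SHA-256"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SecurityHealth","enabled","Logon","(Verified) Microsoft Windows","c:\windows\system32\securityhealthsystray.exe","0000000000000000000000000000000000000000000000000000000000000001"
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","Updater","enabled","Logon","(Not verified) Contoso","c:\users\jdoe\appdata\roaming\updater.exe","0000000000000000000000000000000000000000000000000000000000000002"
'@ -split "`r?`n"

Compare-AutorunsSnapshot -Baseline $baseline -Current $current | Format-Table -AutoSize
# Reports the unverified HKCU Run entry as 'New entry'. On a live host:
#   Export-AutorunsSnapshot -OutFile C:\baseline\autoruns.csv    (once, when known good)
#   Compare-AutorunsSnapshot -Baseline (Get-Content C:\baseline\autoruns.csv) -Current (Get-Content .\now.csv)
```

Keying on location, entry name and image path rather than on the hash alone means a legitimate update shows up as a hash change on a known entry, while a brand-new Run key or scheduled task shows up as a new entry; the Signer column then tells you whether to escalate.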
Handle – Enumerate what files are open by which processes, and much more. Also lets you close handles opened by an arbitrary process.
ListDLLs – List all the DLLs that are currently loaded, including where they are loaded and their version numbers.
Process Explorer – Find out what files, registry keys and other objects processes have open, which DLLs they have loaded, and more.
Process Explorer can be set to replace Task Manager (Options > Replace Task Manager), so the Ctrl+Shift+Esc shortcut launches it instead; many analysts do the same with Process Hacker.
Rootkit Revealer – An older rootkit detection utility that compares the Registry and file system as seen through the Windows API with the raw on-disk data to find discrepancies. It targets 32-bit Windows XP and Server 2003 and does not run on modern 64-bit systems.
ShellRunas – Launch programs as a different user via a convenient shell context-menu entry.
LogonSessions – List active logon sessions and, optionally, the processes running in each.
Sysmon – Monitors and reports key system activity via the Windows event log. This tool is very powerful and can easily have a book’s worth of material written about its usage.
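The baseline point from the introduction, applied to PsExec with Sysmon as the data source. This is an added example, not from the original page: it takes Sysmon event ID 1 (process create) records, keeps the processes whose parent is PsExec's service stub PSEXESVC.exe, and classifies each against a list of accounts expected to use PsExec. The field names (Image, ParentImage, User, CommandLine) are Sysmon's own event-data fields; the host names, the expected-user list and the sample events are constructed.

```powershell
# Added example: triage PsExec-spawned processes from Sysmon event ID 1 against
# a baseline of accounts that are expected to drive PsExec.
function ConvertFrom-SysmonEvent {
    # Flatten one Get-WinEvent record into an object with a property per EventData field.
    param([Parameter(ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    process {
        $xml = [xml]$Record.ToXml()
        $o = [ordered]@{ TimeCreated = $Record.TimeCreated; Computer = $Record.MachineName }
        foreach ($d in $xml.Event.EventData.Data) { $o[$d.Name] = $d.'#text' }
        [pscustomobject]$o
    }
}

function Find-PsExecActivity {
    param(
        [object[]]$Events,
        [string[]]$ExpectedUsers    # accounts that legitimately use PsExec (constructed baseline)
    )
    # PSEXESVC.exe is the parent of whatever PsExec launched on the target.
    # Caveat: psexec -r renames the service and its binary, so also watch for
    # unexpected service installs (event 7045 in the System log).
    foreach ($e in $Events | Where-Object { $_.ParentImage -match '\\PSEXESVC\.exe$' }) {
        $isShell  = $e.Image -match '\\(cmd|powershell|pwsh)\.exe$'
        $isSystem = $e.User -eq 'NT AUTHORITY\SYSTEM'
        # With psexec -s the child runs as SYSTEM and this event no longer names
        # the initiating account; correlate with the 4624 logon / 7045 service
        # events at the same time to find out who drove it.
        $verdict = if ($isShell -and $isSystem)                { 'SYSTEM shell via PsExec: review' }
                   elseif ($ExpectedUsers -notcontains $e.User) { 'PsExec by unexpected account: review' }
                   else                                         { 'Baseline' }
        [pscustomobject]@{
            Time = $e.TimeCreated; Host = $e.Computer; User = $e.User
            Image = $e.Image; CommandLine = $e.CommandLine; Verdict = $verdict
        }
    }
}

# Constructed sample events in the flattened shape ConvertFrom-SysmonEvent produces.
$sampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2024-03-04 08:15:22'; Computer = 'WS-0142'; User = 'CORP\svc-deploy'
                       Image = 'C:\Windows\System32\msiexec.exe'; ParentImage = 'C:\Windows\PSEXESVC.exe'
                       CommandLine = 'msiexec.exe /i \\files\pkg\agent.msi /qn' }
    [pscustomobject]@{ TimeCreated = '2024-03-04 23:41:09'; Computer = 'WS-0142'; User = 'NT AUTHORITY\SYSTEM'
                       Image = 'C:\Windows\System32\cmd.exe'; ParentImage = 'C:\Windows\PSEXESVC.exe'
                       CommandLine = 'cmd.exe' }
    [pscustomobject]@{ TimeCreated = '2024-03-05 02:03:55'; Computer = 'WS-0142'; User = 'CORP\jdoe'
                       Image = 'C:\Windows\System32\whoami.exe'; ParentImage = 'C:\Windows\PSEXESVC.exe'
                       CommandLine = 'whoami /all' }
    [pscustomobject]@{ TimeCreated = '2024-03-05 09:00:01'; Computer = 'WS-0142'; User = 'CORP\jdoe'
                       Image = 'C:\Windows\System32\notepad.exe'; ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'notepad.exe' }   # not PsExec, ignored
)

Find-PsExecActivity -Events $sampleEvents -ExpectedUsers 'CORP\svc-deploy' | Format-Table -AutoSize
# Three rows: the deployment is Baseline, the late-night SYSTEM cmd.exe and jdoe's whoami are flagged.
# Live host: feed recent Sysmon process-create events through the same function.
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents 5000 |
#       ConvertFrom-SysmonEvent | ForEach-Object { $_ } | Set-Variable live
#   Find-PsExecActivity -Events $live -ExpectedUsers 'CORP\svc-deploy'
```

The point is the verdict column, not the match: the same event is Baseline for the deployment account and a finding for anyone else, which is exactly the triage the introduction describes for tools that are neither malicious nor benign on their own.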