Richard Diver, Microsoft Premier Field Engineer, returned to Newcastle on the evening of 25th November 2009 to give a tour of some of the SysInternals tools which are available for IT Professionals.

Process Explorer

ProcExp.exe

Process Explorer can be used as a replacement for Task Manager.

Enable Hide When Minimized so it stays in the notification area and is always available.

CPU History can be viewed by opening the System Information graph.

Displays processes in a parent/child tree rather than a flat list.

Enough data available to choke a whale.

The target icon can be used to find the process attached to a certain window/application.

Highlighting of processes can be found under Options -> Configure Highlighting.

Process Monitor

ProcMon.exe

Process Monitor is a real-time file, registry, process and thread activity monitor.

When in doubt, use Process Monitor.

Enhancements over Filemon/Regmon include:

  • More advanced filtering
  • Operation call stacks
  • Boot-time logging
  • Data mining views
  • Process tree to see short lived processes

ProcMon shows which files and registry settings a process is touching.

If using ProcMon on another machine, you need to capture data first over a period of time, then bring it back to analyse.
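An unattended capture-then-analyse run of the kind described above, as an added example that is not from the talk. It assumes Procmon.exe has been copied to C:\Tools on the other machine and output goes to C:\Captures; the switches used are those in the Procmon command-line reference (/AcceptEula, /Quiet, /Minimized, /BackingFile, /Terminate, /OpenLog, /SaveAs) and the CSV column names are Procmon's defaults.

```powershell
# Added example: capture Process Monitor activity on a remote/lab machine for a
# fixed window, stop the capture, convert it to CSV and triage it before copying
# the files back for full analysis.
# Assumed paths: Procmon.exe in C:\Tools, output in C:\Captures.
param(
    [string]$ProcmonPath = 'C:\Tools\Procmon.exe',   # assumed location
    [string]$OutDir      = 'C:\Captures',            # assumed location
    [int]   $Seconds     = 120                        # length of the capture window
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$pml   = Join-Path $OutDir "procmon-${env:COMPUTERNAME}-$stamp.pml"
$csv   = [IO.Path]::ChangeExtension($pml, '.csv')

# 1. Start capturing to a backing file instead of memory so a long run does not
#    exhaust RAM. /Quiet suppresses the filter dialog, /Minimized keeps it out of
#    the way of the user reproducing the problem.
Start-Process -FilePath $ProcmonPath -ArgumentList @(
    '/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', "`"$pml`""
)

# 2. Reproduce the problem during this window.
Start-Sleep -Seconds $Seconds

# 3. Tell the running instance to stop and flush the log, and wait for it to exit.
Start-Process -FilePath $ProcmonPath -ArgumentList '/Terminate' -Wait

# 4. Convert the .pml to CSV so it can be analysed without the GUI. Keep the .pml
#    as well: it retains the call stacks and process tree that the CSV does not.
Start-Process -FilePath $ProcmonPath -ArgumentList @(
    '/OpenLog', "`"$pml`"", '/SaveAs', "`"$csv`""
) -Wait

# 5. Quick triage before copying the files back: the noisiest processes, and any
#    ACCESS DENIED / NAME NOT FOUND results, which are often the first clue.
$events = Import-Csv $csv
$events | Group-Object 'Process Name' | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
$events | Where-Object { $_.Result -in 'ACCESS DENIED', 'NAME NOT FOUND' } |
    Select-Object -First 20 'Time of Day', 'Process Name', Operation, Path, Result
```

Copy both the .pml and the .csv back; open the .pml in Process Monitor on the analysis machine to use its filtering and call-stack views.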

Autoruns

MsConfig.exe == Bad, don’t use.

Autoruns.exe is better than MsConfig because it offers far more options for removing or disabling start-up entries across a number of autostart locations.

The Boot Execute tab should be empty.

Resources