Volume 5, Number 2

Copyright (C) 2003 Mark Russinovich

June 23, 2003 - In this issue:


- Filemon v6.06, Regmon v6.06
- PsPassword v1.01
- PsLoglist v2.3
- AccessEnum v1.0
- Process Explorer v6.03

- PsExec Part of Deloader Worm
- Using PsTools to Cause Problems
- Microsoft documents NtQuerySystemInformation (sort of)

- Summer Video Special
- Microsoft TechEd Europe
- Next public Windows Internals class

The Sysinternals Newsletter is sponsored by Winternals Software, on the Web
at http://www.winternals.com. Winternals Software is the leading developer
and provider of advanced systems tools for Windows NT/2K/XP.

Winternals is pleased to announce the release of Administrator's Pak 4.0
with a comprehensive update of our flagship product, ERD Commander 2003.
New features in ERD Commander 2003 include: FileRestore, for recovering
deleted files; ability to use Windows XP System Restore Points to roll back
systems; Disk Commander, for master boot record (MBR) repairs and salvaging
data even from
deleted volumes; and a "System Compare" diagnostic tool to compare
system and configuration files on a dead system to working systems. To
request a trial version, please visit http://www.winternals.com/sn


Hello everyone,

Welcome to the Sysinternals newsletter. The newsletter currently has 36,000

I finally did it. I switched from Internet Explorer to Mozilla
(http://www.mozilla.org). Bryce Cogswell (my Sysinternals and Winternals
cofounder) has been using Mozilla for a couple of years now and he's
periodically updated me about all the cool features it has that IE doesn't.
Most obviously, instead of opening new pages in separate windows you can
have them open in tabbed pages of the same browser window. If you have
multiple pages you want the browser to open when you launch it, just make a
group of tabs your startup group.

Whereas IE has a global setting for remembering web page passwords, Mozilla
lets you specify web pages for which you want it to remember passwords and
you can use the password manager to remove remembered passwords at any time.
Add in a built-in download manager, integrated e-mail client (which I don't
use), multiple profiles, a built-in chat program, integration with popular
search engines, and the distance between Mozilla and IE starts to look

However, Mozilla really shines when it comes to annoying web sites. It
includes a built-in popup manager where you can configure popup filtering on
a site-by-site basis if you desire. It has a cookie manager you use to block
cookies, also by site if you want, and to view the cookies that have been
dropped on your system. You can also configure Mozilla's behavior when it
comes to images. Most sites that have obnoxious banners pull the graphic
files from external sponsor sites and you can configure Mozilla to ignore
external images, again, site-by-site if you want. Finally, a nice visual
touch is Mozilla's skinning support, with numerous skins freely available.

I'm sure this sounds like a sales pitch, but its not. Its more a commentary
on what lack of competition does to a product segment. Why doesn't IE have
features like cookie management and popup blocking that consumers have to
spend money for when Mozilla includes those features and more for free? Why
did IE change so little between version 5 and 6 and why hasn't it been
updated in two years? The vast majority of consumers uses whatever software
they have on their computers and don't read open-source newsgroups or visit
Slashdot.org and so they are unaware that better, freely available
alternatives exist. Microsoft and Netscape made browsers free in their
competition to dominate the web server application market so there's no
financial benefit in Microsoft improving IE - they don't lose any money when
a power user like me switches to Mozilla.

You can see the same effect even in Microsoft's add-on software. I used to
use Eudora as my e-mail client, but about two years ago switched to Outlook.
It seemed like everyone was using Outlook and I wanted to take advantage of
its calendaring feature. I immediately found a number of small annoyances.
For instance, you can configure Eudora to leave e-mail over a certain size
on the server, which is helpful when you're dialed in at 25 Kb in a hotel
room. Outlook has a similar feature, but Eudora downloads the first few
lines of message text so that you see what the e-mail is about and use that
information to decide whether or not to suffer a long download. Outlook

I could go on, but you've got my message by now and can probably add a list
of your own anecdotes. The bottom line is that competition is good for the
computer consumer. Maybe IE "Longhorn" will blow Mozilla away?

Please pass the newsletter to friends you think might be interested in its




Filemon and Regmon have jumped a two full version numbers in less than six
months. This latest major update brings enhancements that make them easier
to use and their display more informative.

When you run the new versions you immediately see that process icons display
in the process column, providing you a visual cue as to what application is
associated with the I/O you see. If you want detailed information about a
process, including its version information, full path and command-line,
right click on a line having that process' I/O and select Process

In some cases you might not see an appropriate icon for a process and get an
error dialog when you try to view its properties. This results when a
process starts and exits before the user interface has a chance to access
the process and get its path.

When you open the context menu you'll also see entries that allow you to add
the process or the path to the Include or Exclude filter. If you choose to
apply a new filter you get a new prompt that asks if you want to apply the
new filter to the collected output. That enables you to quickly trim the
output to just the information you're interested in, without resorting to
saving the output and loading it into a spreadsheet for post-processing.

Another enhancement is the ability to load saved log files back into the
display. This capability, when coupled with the new filtering features and
highlighting, make the tools versatile at post-mortem problem analysis.

Download Filemon v6.06 at
Download Regmon v6.06 at

This latest addition to the PsTools suite brings the total count of the
number of bundled command-line, remotely-capable administrative tools that
make up the suite to 12. Many systems administrators, including the ones at
Winternals, the company I co-founded, periodically change the local
administrative passwords of the client machines they manage. There's no
built-in way to remotely change local passwords, which is PsPassword's
purpose. You can use it to change local (or domain) passwords on a remote
computer. Adding it to a script or batch file that executes it against a
list of computers makes it an ideal mass-password changing utility.

Download PsPassword v1.01 at
Download the entire PsTools suite at

PsLoglist is one of the many Sysinternals tools for which I receive frequent
feature requests. Version 2.3's enhancements all reflect user input. The
area with the most improvement is filtering. PsLoglist has new switches that
allow you to limit the event records displayed to only those that match a
specified event ID or that have a specified event source, like IIS for
example. In past versions the event-type filter only accepted one event
type, but now it permits you to enter multiple types. For instance, to see
all errors and warnings you would use a command-line like the following:
"psloglist -t f w".

Download PsLoglist v2.3 at
Download the entire PsTools suite at

The rich permissions model employed by NTFS provides tremendous flexibility.
With that flexibility comes the potential for complexity and misconfigured
security. Unfortunately, there are no built-in tools that make managing
security across directories and files easy. While the cacls command-line
utility has the right idea, the fact that it's a command-line tool makes its
output difficult to parse. That's where AccessEnum comes in. AccessEnum
provides you an easy-to-understand view of the file and directory
permissions for entire directory trees. With AccessEnum you can easily spot
permissions problems.

When you run AccessEnum you specify a directory and AccessEnum will show you
what users have what access to that directory, if applicable, the files and
directories under that directory. By default, AccessEnum only lists a
directory if the permissions on the directory differ from that of its parent
directory, and it only shows files if the file's permissions are more lax
than that of its parent directory. If you want you can use the Options
dialog to have AccessEnum display files if their permissions differ from its
parent directory.

Download AccessEnum v1.0 at

Process Explorer is a process viewer and control utility that picks up where
Task Manager leaves off. Among its extensive list of capabilities, Process
Explorer shows you the process creation tree, displays handles that
processes have open, lists DLLs (and other memory mapped files) that
processes have loaded, and enables you to search for the process or
processes that have a particular file opened.

The most significant enhancements in version 6.0 relate to view columns. Up
until this version there was no column configurability, so I carefully chose
what columns to show in order to maximize the limited space available. That
limited the data you could see without opening a properties dialog to that
which I considered most universally useful.

Now, just like with Task Manager, you can use the View|Select Columns menu
item to choose what columns you want to see in each of the three views,
process, handle and DLL. You can also drag columns to reorder them. Besides
enabling you to customize the display to your liking, there are lots more
column selections. For example, the Process View supports the column
selections that Task Manager does as well as other useful ones like process
image path, command-line, version number, and company name.

In previous versions Process Explorer refreshed its display synchronously,
meaning that there could be periods of time where the user interface would
become unresponsive, especially when you had handle view active and selected
process with thousands of handles. Version 6.0 introduces asynchronous
updates of all three views, making the user interface always responsive and
Process Explorer seem snappier.

A powerful feature I pioneered with an earlier version of Process Explorer
is difference highlighting, where new items in the display highlight in
green and deleted items in red. I've extended the feature so that in version
6.0, unless you've paused the display, the refresh highlighting lasts for 4
seconds, making it easier to spot changes (in paused mode the highlighting
remains until the next manual update).

Knowing what services are running within a process is one of the
capabilities of Process Explorer's process view. You can choose to highlight
service-hosting processes by selecting Options|Highlight Services. If you
view the properties of a service-hosting process there's an additional tab
entitled Services that shows you the list of services running in the
process, including their service and display names. Now, on Win2K and
higher, Process Explorer also shows you the description of a service you
select in the service list if the service's developer provided one. This
additional information makes identifying services easier with Process
Explorer than any other tool (such as Tlist /s or the new tasklist /svc
command in XP and 2003).

Some more minor improvements include the fact that when you save, Process
Explorer now saves the contents of both the process view and the bottom view
(handle or DLL), instead of just the bottom view. There's also now a
minimize-to-tray option so that you can keep Process Explorer handy.

Download Process Explorer v6.03 at

Here's the latest installment of Sysinternals references in Microsoft
Knowledge Base (KB) articles released since the last newsletter. This brings
to 41 the total number of KB references to Sysinternals.

ACC2002: Error Message: ActiveX Component Can't Create Object

FIX: Slow Performance When the Browser Capabilities Evaluator Is Removed
from the Cache

HOW TO: Troubleshoot Site Deployment Issues in Microsoft Content Management
Server 2002

PSVR2002: "There Is No Information to Display in This View" Error Message
When You Try to Access a Project View


PsExec, a tool that allows you to execute processes on remote systems to
which you have administrator access, has made its way into several worms,
most notably, Deloader (http://www.f-secure.com/v-descs/deloader.shtml ),
which hit the internet this spring. I've gotten a number of e-mails from
users not familiar with Sysinternals that, because they saw my name in the
banner that PsExec displays when it executes, accuse me of trying to hack
their systems.

It's unfortunate that people have chosen to use Sysinternals software
maliciously, but there's not much I can do about it. An important fact to
remember is that a user cannot use any of the tools to affect a remote
system unless the account they're running in has administrative privilege on
the remote system. Given such privileges, they can do whatever damage they
want to the remote system, without using any tools: a "rmdir /s
\\remotesystem\admin$" will wipe out the SystemRoot directory of a remote

As for remote process execution, if they weren't using PsExec they'd use
other tools. In fact, Windows Management Instrumentation, which is built
into Windows 2000 and higher, and available as an add-on to NT 4 and Windows
9x, has a remote-process execution interface that provides a subset of
PsExec's functionality.

Most tools Bryce and I post on Sysinternals are primarily intended for
systems administration and troubleshooting. A notable exception is the
Sysinternals Bluescreen Screen Saver
(http://www.sysinternals.com/ntw2k/freeware/bluescreensaver), which depicts
an authentic-looking blue screen of death and reboot sequence specific to
the version of Windows NT on which you run it (it even runs on Windows 9x).
You might not have realized, though, that some of the other tools on the
site can be used to have fun with coworkers in your office.

There are three tools in particular that make tormenting officemates easy:
PsExec, PsKill and PsSuspend. You can use them to remotely manipulate
computers as long as your account has administrative access to the remote
system or you have access to an account that does.

PsExec lets you launch applications on a remote system, so an easy way to
baffle someone is to launch random programs on their console. To execute
Solitaire on their machine you'd use a line like this:

psexec \\remotesystem -i sol.exe

The "-i" switch has PsExec launch the process on the console instead of
launching it on the hidden services desktop. PsExec will exit when the user
closes the Solitaire process. If you want to launch multiple instances to
overwhelm the user, use the "-d" switch so that PsExec exits without waiting
for the processes to exit.

What's even more devious is launching the Bluescreen Screen Saver on their
system to make them think that their system has crashed. Use this
command-line to do so:

psexec \\remotesystem -i -c "sysinternals bluescreen.scr" /s

The "-c" switch copies the specified file to the remote system.

If you want to cause more problems, use PsKill to terminate processes on
their system. A good one is Explorer, which everyone has running, which will
restart automatically, and which randomly crashes during usual operation
(for me, anyway).

Finally, if you really want to mess with someone use PsSuspend to suspend
random processes on their system for short periods of time. Again, they
might think its just normal abnormal Windows behavior, but you'll know

Download PsExec, PsKill and PsSuspend from

The other day I was pursuing April 2003's MSDN Library and ran across a
documentation page for NtQuerySystemInformation. NtQuerySystemInformation is
part of the "native" API that sits under much of the Win32 API and that is
used almost exclusively by system processes that are part of the operating
system (you can read about the native API at
http://www.sysinternals.com/ntw2k/info/ntdll.shtml ). Some Sysinternals
tools make use of the APIs to gain access to functionality not exposed by
Win32, but that functionality is related only to obtaining process and
thread information.

I was therefore surprised to find NtQuerySystemInformation and my first
thought was that Microsoft had decided to expose some of the useful
functionality provided by the API. Reading the documentation convinced me
otherwise. All of the described uses of the API are provided by well-defined
Win32 APIs that the documentation strongly encourages you to use instead,
starting with the statement at the top of the function description that
reads: "NtQuerySystemInformation is an internal Windows function that
retrieves various kinds of system information. Because this function may
change in future versions of Windows, use the alternate functions listed

In fact, some of the uses show in the documentation are totally useless. For
instance, the desription of the API's SYSTEM_PERFORMANCE_INFORMATION variant
states that you get back a data structure that, instead of being able use
the same way Windows uses it, you should treat as a random layout of bytes
and that you might use as a random number. It then goes on to say that you
really shouldn't generate random numbers with the API, but instead call the
documented Win32 function CryptGenRandom. The bottom line is that there's
really no use they document that isn't more reliably and easily provided by

Curiosity piqued, I noted that the include file they list as containing the
information required to use the API is winternl.h in the SDK. Doing a search
in MSDN documentation for that file reveals more of the same: documentation
for a handful of native APIs with equally useless uses or functionality
better accessed through Win32. The header file itself reveals nothing not
documented in the SDK.

So what are these useless APIs doing in MSDN and the SDK? My guess it that
its part of Microsoft's compliance with the DOJ consent decree where
Microsoft is "documenting" more of the internal APIs that are used by some
its applications. Here's a line from the documentation for NtOpenFile that
implies that its there for nothing more than legal purposes: "The NtOpenFile
documentation is provided for the sake of full API coverage."

Because of the lack of any useful information and the fact that I'm fairly
certain that whatever Microsoft applications that use the
SYSTEM_PERFORMANCE_INFORMATION class of the NtQuerySystemInformation API
don't use it to just get a random number, I'm left wondering if the
documentation of the winternl.h functions is really in compliance with
whatever legal directive lead to their inclusion in the SDK.

If you're interested in the full documentation of NtQuerySystemInformation
and the other native APIs, get a copy of "Inside Windows NT/2000 Native API
(http://www.amazon.com/exec/obidos/ASIN/1578701996/103-8560745-7945431 )


BUY: Inside Windows 2000
GET: XP/Server 2003 Update FREE

Now you can own the ultimate internals training package at great savings.
For a limited time, when you buy the very popular video INSIDE Windows 2000
at the already discounted internet price, you will get the XP/Server 2003
UPDATE absolutely FREE. That's almost 35% off the retail price.

Both of these outstanding learning tools are used by Microsoft worldwide for
their corporate training. According to Rob Short, Vice President Core
Technologies at Microsoft, "These videos drill into the core of the
platform, capture its technical essence and present it in a powerful
interactive video format."

Check out the product details or download a video sample at www.solsem.com.
Don't wait too long. Take advantage of this limited time offer now!

Dave Solomon (http://www.solsem.com) and I taught a one-day pre-conference
tutorial at TechEd US in Dallas two weeks ago with lab exercises that
highlighted the use of Sysinternals tools and a one hour, fifteen minute
breakout session that covered a small subset of the same material. Both were
top-rated sessions. If you live in Europe you might be interested to know
we're doing even more at TechEd Europe next week.

TechEd Europe is being held in Barcelona from June 30 through July 4. Dave
and I are listed again as "top speakers"
(http://www.microsoft.com/europe/teched/Speakers.asp) and are jointly
teaching a one-day pre-conference tutorial
(http://www.microsoft.com/europe/teched/PreConfWinInt.asp) on
troubleshooting Windows process, memory, and crash problems (without labs),
and four other sessions that include: A Tour of Sysinternals Tools,
Troubleshooting with Sysinternals Tools, Windows Crash Dump Analysis, and
Windows XP and Server 2003 Kernel Changes.

You can find complete descriptions and registration information at
We hope to see you in Spain!

Our next 3 day public Windows Internals & Advanced Troubleshooting class is
planned for September in New York City (and if you can't wait, last minute
registrations are still possible for our London class which starts this week
on June 25!). Stay tuned to www.sysinternals.com for dates and registration

Thank you for reading the Sysinternals Newsletter.

Skip to main content