Tip of the Day: Sysinternals updates

Last year I did a tip about updates that were done to some of my favorite SysInternals tools.  There have been a number of updates since then.  Some tools have been updated a few times.

Autoruns v11.70:

Autoruns is a utility for enumerating and disabling executables and DLLs configured to activate in dozens of autostart registration points.  This update fixes some minor bugs and adds Authenticode SHA1 and SHA256 hash reporting to Autorunsc output.

Autoruns is a utility for managing autostarting applications, DLLs and services.  This update adds more autostart locations, fixes a bug that could cause a crash when Autorunsc is directed to calculate file hashes, and fixes a bug in Autoruns’ jump-to-image functionality on 64-bit Windows.

This release fixes a bug in version 11.61’s jump-to-image functionality.

This release of Autoruns, a powerful utility for scanning and disabling autostart code, adds a new option to have it show only per-user locations, something that is useful when analyzing the autostarts of different accounts than the one that Autoruns is running under.

Sigcheck 2.02:

Sigcheck is a command-line utility for reporting image version and signature information.  With this update, it now includes support for Authenticode SHA256 hashes, which is the same hash type used to identify images by AppLocker.

This major update to Sigcheck, a command-line file version and digital signature verification utility, adds integration with the VirusTotal antivirus scanner aggregation service. Sigcheck can now check the status of a file against over 40 antivirus engines and launch the associated online VirusTotal report, and even upload files for scanning that have not already been scanned by VirusTotal. This release also reports the machine type of executable images, whether 16-, 32-, or 64-bit.

This release fixes a bug that caused the -u switch to filter results incorrectly.

Process Explorer v16.02:

Process Explorer is a powerful process management utility. This update fixes a bug with copying text from the process properties dialog and adds an option to disable the heatmap display in the process view.

Process Explorer, a Task Manager replacement, now shows WMI providers hosted in Wmiprvse processes (thanks to Mohamed Elghetany for contributions); includes an option that configures it to automatically run when you logon; and introduces a process view column that shows process DPI awareness support on Windows 8.1 systems.

Thanks to collaboration with the team at VirusTotal, this Process Explorer update introduces integration with VirusTotal.com, an online antivirus analysis service. When enabled, Process Explorer sends the hashes of images and files shown in the process and DLL views to VirusTotal and if they have been previously scanned, reports how many antivirus engines identified them as possibly malicious. Hyperlinked results take you to VirusTotal.com report pages and you can even submit files for scanning.

This release fixes a bug that could cause a crash when the VirusTotal column is added to the process view, and another that could cause a crash when verifying digital signatures.

This minor update adds a refresh button to the thread’s stack dialog and ensures that the VirusTotal terms of agreement dialog box remains above the main Process Explorer window.

Process Monitor v3.1:

Process Monitor is a powerful file, registry, process, thread and network monitoring tool.  This update adds a context-menu entry that opens the filter edit dialog with contents prepopulated with the specified row and column value.

This release adds registry create file disposition (create vs. open) and a new switch, /saveapplyfilter, which has Process Monitor apply the current filter to the output file as it saves it.

Disk2vhd v2.01:

This update to Disk2Vhd, a tool for converting physical system disks to VHDs for use by virtual machines, now supports disk sizes of up to 2 TB.

Disk2vhd, a utility for performing physical-to-virtual conversion of Windows systems, adds support for VHDX-formatted VHDs (thanks to Brendan Gruber for contributions), now supports WinRE volumes, can capture removable media, and includes an option to capture live volumes instead of relying on volume shadow copy (VSS).

This update fixes a bug that could result in Disk2vhd crashing when converting to VHDX format and adds a command-line switch, -c, to have Disk2vhd use online copy instead of Volume Shadow Copy.

PsExec v2.11:

This update to PsExec, a command-line utility that enables you to execute programs on remote systems without preinstalling an agent, encrypts all communication between local and remote systems, including the transmission of command information such as the user name and password under which the remote program executes.

This release to PsExec, a command-line remote execution utility, fixes a bug in the implementation of the -s (execute as local system) option on Windows Server 2003.

Strings v2.52:

This release fixes a bug that prevented the previous one from running on Windows XP.

Zoomit v4.5:

Zoomit is a screen zooming and annotation tool for technical presentations. This release introduces better support for zooming in on Windows 8 Windows Store applications.

Bginfo v4.20:

BgInfo, a utility that creates custom desktop backgrounds that display system information, now correctly reports version information for Windows 8.1 and Windows Server 2012 R2.

PsExec v2.0:

PsExec, a popular utility for executing processes on remote systems, introduces a new option, -r, that specifies the name PsExec assigns to its remote service. This can improve performance when multiple users are interacting concurrently with a system, since each will have a dedicated PsExec service.

RAMMap v1.3:

RAMMap, a graphical utility that provides a comprehensive breakdown of physical memory usage by usage type and process, is updated to work on Windows 8.1.

Coreinfo v3.21:

CoreInfo is a command-line tool for reporting processor topology, NUMA performance, and processor features. The v3.21 release adds microcode reporting.

LiveKd v5.31:

LiveKd is a utility for performing live kernel debugging of native systems and virtual machines from the host operating system. This release fixes a debugger help library search bug and fixes a bug in Windows 8/Windows Server 2012 mirror dump support.

PsPing v2.0:

This is a major release to PsPing, a command-line utility that tests network bandwidth and latency. Version 2.0 adds UDP latency and bandwidth testing, support for timed tests, introduces custom histogram support, has an option for automatically opening Windows firewall ports during execution, and includes usability enhancements.

PsPing v2.01:

This minor update improves the usage help text.

Sigcheck v2.03:

This version corrects a bug that caused the output of the -u switch to include signed files, and fixes several other minor bugs.

AccessChk v5.2:

This release of AccessChk, a security command-line utility that reports the effective access and permissions of files, registry keys, processes, and more, adds support for file and printer shares. In addition, it adds filtering options for viewing accesses related to specified accounts and now includes the System Access Control List (SACL) when it dumps security descriptors.

Sigcheck v2.1:

This update to Sigcheck, a command-line utility that shows file version and digital signature information, now reports a file’s entropy (average bits/byte required to encode its data), can dump information about catalog files including the hashes they store, and can list the certificates installed in the per-user and machine certificate store.
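The entropy figure Sigcheck reports is the Shannon entropy of the file's byte distribution, measured in bits per byte. The following is an added example, not Sigcheck's own code, that computes that value and applies a simple triage heuristic: values close to 8 bits/byte usually mean the bulk of the file is compressed, packed or encrypted, which is worth a closer look during incident response, while plain executables and text score noticeably lower. The thresholds in `classify` and the sample inputs are constructed for illustration and are not taken from Sigcheck.

```python
import math
from collections import Counter
from pathlib import Path


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 .. 8.0).

    H = -sum(p(b) * log2(p(b))) over every byte value b present in the data,
    where p(b) is the fraction of bytes equal to b. A file consisting of a
    single repeated byte scores 0.0; a perfectly uniform distribution scores 8.0.
    """
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify(entropy: float) -> str:
    """Map an entropy value to a triage label.

    The cut-offs are constructed, not Sigcheck's; they are a common starting
    point and should be tuned against a baseline of known-good files.
    """
    if entropy >= 7.2:
        return "high (likely packed, compressed or encrypted)"
    if entropy >= 5.0:
        return "medium (typical of native code and mixed binary data)"
    return "low (text, padding or sparse data)"


def file_entropy(path: str) -> float:
    """Compute the entropy of a file on disk, reading it fully into memory."""
    return shannon_entropy(Path(path).read_bytes())


def report(samples: dict[str, bytes]) -> dict[str, tuple[float, str]]:
    """Return {name: (entropy, label)} for a set of named byte strings."""
    return {name: (e := shannon_entropy(blob), classify(e))[0:2]
            for name, blob in samples.items()}


# Constructed sample inputs standing in for files on disk.
SAMPLES = {
    "zeros.bin": bytes(4096),                                   # one repeated byte
    "notes.txt": b"The quick brown fox jumps over the lazy dog. " * 100,
    "uniform.bin": bytes(range(256)) * 16,                      # every byte value equally often
}


if __name__ == "__main__":
    for name, (entropy, label) in report(SAMPLES).items():
        print(f"{name:12s} {entropy:5.2f} bits/byte  {label}")
```

Because `report` works on a dictionary of bytes, the same logic can be pointed at real files with `file_entropy`; comparing results against Sigcheck's column for the same files is a quick way to confirm the two agree before relying on either in a workflow.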

VMMap v3.12:

This release of VMMap, a tool for analyzing process virtual and physical memory usage, fixes a bug affecting queries of files stored on file shares, fixes a bug in copy-to-clipboard of 64-bit addresses, now reports an error when attempting to open stacks on loaded traces, and fixes a bug in the reserved memory working set calculation.