Windows Sysinternals is a suite of more than 70 freeware utilities that was initially developed by Mark Russinovich and Bryce Cogswell that is used to monitor, manage and troubleshoot the Windows operating system, and which Microsoft now owns and hosts on its TechNet site.
These utilities are executable files that do not require installation to run. Administrators can access the utilities from TechNet -- either as a single suite download or individually -- or run them directly from the Sysinternals Live service. Certain applications that have no troubleshooting features are not included in the Sysinternals suite download, such as BlueScreen, which emulates the blue screen of death and can be used as a screensaver.
Cogswell retired from Microsoft in 2010, but Russinovich -- currently CTO of the Microsoft Azure cloud platform -- continues to update the utilities and develop new additions to the Sysinternals suite.
Some utilities no longer exist as stand-alone applications after their functionality moved to other Sysinternals applications. For example, the features in RegMon and FileMon were absorbed into the Process Monitor tool.
History of Sysinternals
Russinovich and Cogswell started a site named NT Internals in 1996 that hosted the Sysinternals freeware utilities and related articles. They released their first free application, named NTFSDOS, which enabled an MS-DOS machine to read NTFS volumes.
Next, the duo sold commercial versions of their security and recovery utilities for the Windows platform at a company named Winternals Software.
In 1998, the NT Internals site was renamed to Sysinternals after Microsoft's legal department noted the similarity to the name of the Windows NT operating system and requested the change.
In 2006, Microsoft acquired Winternals and Sysinternals.
The Sysinternals site divides the utilities into six main categories: file and disk, networking, process, security, system information and miscellaneous.
- File and disk: This section hosts utilities that monitor file usage and disk status. One of the more popular applications in this section is Process Monitor, which displays real-time activity in the file system, registry and processes.
- Networking: This area features applications to troubleshoot and monitor connections on desktop and server systems. Two of the more popular tools in this section are TCPView, which checks TCP and UDP endpoints, and PsTools, which is a set of command-line utilities that can help administrators monitor and manage remote systems.
- Process: This section holds utilities to monitor and troubleshoot running applications. A popular application here is Process Explorer, which monitors the files and directories that a particular process has open.
- Security: This area features security-based utilities, including Autoruns, which shows the applications that start automatically when the system boots.
- System information: This category hosts applications that display general information about a workstation or server.
- Miscellaneous: Utilities in this section do not fit in other categories, and have limited diagnostic or troubleshooting capabilities. One of the more popular downloads in this area is BgInfo, which creates a background image that shows key features of the system's configuration, such as the IP address and computer name.
Sysinternals for Nano Server
Microsoft also released Sysinternals tools to manage Nano Server, its minimal server deployment option for Windows Server 2016. Because Nano Server does not run 32-bit applications or have a GUI, Russinovich and other Microsoft engineers developed 64-bit versions of more than 40 Sysinternals applications that are compatible with this compact version of the Windows Server OS.
The utilities written for Nano Server, which have 64 at the end of the file name, will also work with other 64-bit versions of Windows.
RootkitRevealer uncovers hidden tools
In 2005, Sysinternals received widespread exposure when Russinovich wrote a blog that explained how he found a rootkit on one of his computers as he tested the RootkitRevealer Sysinternals application. The utility -- since discontinued -- produced a report of all the files and registry entries hidden from the system's APIs.
RootkitRevealer detected a rootkit that originated from a Sony BMG audio CD, which installed a Digital rights management component that changed the operating system to prevent a user from copying the CD.
Bowing to public pressure after the blog's release, Sony BMG recalled products with the rootkit and released an uninstaller to remove it. The company also settled class-action lawsuits related to the rootkit with the Federal Trade Commission, several states and the Electronic Frontier Foundation.
Additional reference guide available
Russinovich also co-authored a companion book for the utilities called Troubleshooting with the Windows Sysinternals Tools that gives further details about the history behind the applications and examples on how to use them.