This content is part of the Essential Guide: IT admin's guide to the Sysinternals suite

The very best Sysinternals tools for Windows server security

Admins can save themselves a lot of aggravation by taking advantage of Microsoft's free Sysinternals toolset. Here are some of the top security utilities available.

I'm often surprised by the lack of Windows server administration tools that are used in some enterprises. Many administrators I work with just use the built-in tools that ship with Windows Server -- something I liken to going through life without experiencing the exhilaration of a powerful and great-handling sports car.

This is likely a side-effect of the "always putting out fires" mode of operation common among IT professionals, but that doesn't mean there isn't anything that can (or should) be done about it.

There are many options out there designed to help simplify and enhance your Windows server administration tasks. In particular, one of my all-time favorite toolsets is Windows Sysinternals. It's free and ever so handy when it comes to keeping your Windows servers secure. You can download any or all Sysinternals utilities directly from the following links:


Microsoft's Sysinternals toolset is broken down into six distinct categories, as shown in Figure 1.

Figure 1. A breakdown of the Sysinternals toolset
A breakdown of the Sysinternals toolset

The tools you'll likely use most often for Windows server administration fall into two categories: 1) File and Disk and 2) Process. Specifically, the tools I've found to be most beneficial from a security perspective are:


  • AccessChk and AccessEnum for enumerating user rights and privileges

  • AdExplorer for viewing and editing Active Directory objects

  • LogonSessions for viewing active logon sessions and associated processes

  • Process Explorer for analyzing and killing live/hung Windows processes

  • Process Monitor for monitoring real-time file, registry, etc. thread activity

  • PsLoggedOn for viewing users logged onto local and remote sessions

  • TCPView for determining which programs are using specific TCP and UDP connections

  • VMMap for analyzing virtual and physical memory utilization of suspect processes

If you're like me and need a way to centralize all Sysinternals applications into one interface, check out the third-party freeware tool Windows System Control Center. It not only pulls the Sysinternals GUI and command-line tools into one cohesive environment, but also allows you to check for the latest Sysinternals updates (a huge plus) as shown in the figure below.

Figure 2. The Windows System Control Center interface (click to enlarge)
The Windows System Control Center interface

As much as I love the Sysinternals security utilities, they're not going to be everything to everyone. That being said, they sure do provide a heck of an improvement over the traditional -- and common -- toolsets I see in use today.

If you like digging deeper into the innards of Windows beyond the tools that ship with the OS, the Microsoft Sysinternals toolset is a must-have. You'll not only be able to do more with your Windows servers, but just as importantly, they will help you learn more about how to keep them secure.

About the author:
Kevin Beaver (CISSP), is an information security consultant, expert witness, as well as a seminar leader and keynote speaker with Atlanta-based Principle Logic, LLC. Kevin can be reached at

Dig Deeper on Windows Server troubleshooting