Some Windows Server admins who grapple with security issues or access control might not know that they have a comprehensive...
set of free tools just a mouse click away.
The Sysinternals tools -- a collection of more than 70 utilities for diagnostic, troubleshooting and monitoring purposes from Microsoft -- have been around since 1996.
Mark Russinovich, CTO of Microsoft Azure, still has a hand in updating the tools he produced more than two decades ago to ensure they work with the latest Windows OSes and to add new features and capabilities, such as enhanced malware detection.
This year saw quite a few updates to the Sysinternals tools collection. Here's a rundown of what additional functionality was added that could help untangle a few issues in your data center.
ProcDump, currently at version 9.0, checks running applications for CPU spikes and, if found, provides a dump to help the administrator determine the origin of the spike. As a secondary feature, ProcDump also generates crash dump data for hung applications.
Microsoft's recent improvements to ProcDump should benefit Windows Server admins who need to troubleshoot application performance on a server. The most significant change is ProcDump now features triggers to start the dump process. ProcDump is a command-line utility, and prior to the current release, the administrator ran ProcDump on an as-needed basis. Starting with version 9.0, ProcDump can be set up to watch for a problematic condition, such as a stuck application, and perform a dump automatically. This helps collect relevant data when problems occur, as opposed to gathering data minutes or even hours after an issue happens.
The Sysmon (System Monitor) tool runs in the background to check and record system activity to the Windows event log. Sysmon is normally used to detect malware, but it also assists with other types of security incident management.
While the Windows OS also logs system activity, Sysmon gathers even more detail. Sysmon collects very granular information about network connections, process creations and any changes that are made to a file's creation time.
Microsoft put in quite a bit of work on Sysmon in 2017. Version 6.0, released in February, added the option to show event schema and monitor itself for configuration changes. This version also introduced support for named pipes and a feature to display registry entries in its native format.
A few months after it released Sysmon 6.0, Microsoft put out version 6.1 in September to correct several bugs and add support for monitoring Windows Management Instrumentation event filters and event consumers for enhanced malware detection capabilities. Microsoft also added an autostart option to the tool.
Version 6.2, released in November, lets the user alter the names of the Sysmon service and driver to avoid detection from malware.
Windows servers have a tendency to evolve over time. As OS and application updates take place, they can leave behind remnants of the previous version. Although Autoruns is not designed to check systems for OS or application leftovers, it detects anything configured to run automatically when the system boots. In essence, Autoruns reveals anything from legitimate system processes to processes that are still running but are no longer needed. Admins can also use Autoruns to detect malware.
In September 2017, Microsoft published version 13.80 of Autoruns. While it was largely a bug fix release, Microsoft did add a few new capabilities. For example, the latest version of Autoruns performs asynchronous file saves and displays names for drivers and services.
The AccessChk command-line tool validates the level of access users or groups have to specific network resources.
Windows Server has multiple ways to approve access to a particular resource; sometimes, a user gets excessive, cumulative or even contradictory permissions as a result. AccessChk tests access permissions through its examination of files, folders, registry keys and Windows services.
In February 2017, Microsoft updated AccessChk to report on process trust access control and token security attributes. Microsoft further tweaked the utility in September 2017 with a cache for improved handling of multiple object enumeration.
One of the more recent additions to the utilities lineup is Sysinternals Live, which offers web-based versions of some of the Sysinternals tools. The advantage to Sysinternals Live is it provides the most current version of the tools directly from Microsoft without the need to download or install the utilities.