TechEd 2013: Sysinternals 2013 Update

Since the release of the Windows Sysinternals Administrator's Reference in 2011 new features have been added to the Sysinternals toolkit.

Tools updated for better x64 support: SYSWOW64 folder redirection support for 32-bit processes. A program can call an API to disable the redirection.

  • Autologon
  • RegJumo
  • MoveFile
  • PendMoves

Better Win8 support:

  • Process Explorer
  • Process Monitor
  • ProcDump
  • DebugView
  • LiveKd
  • AccessChk
  • Desktops
  • TcpView
  • RAMMap

Will there be any Sysinternals tools for WinRT?
You cannot run any Win32 desktop apps on RT unless signed by Microsoft. MS is very tight about anything other than Windows team executables running on RT. Windows team will not allow Sysinternals programs to run on WinRT as they (Microsoft) thinks they are unneeded.

Best Practice for Sysinternals application ease of use: Install Sysinternals tools under Program Files and add path variable to Windows. This will aloow you to run all of the tools without needing to specifiy file location.

/e switch alows for tools to run with elevated credentials.

Process Explorer:

  • Heat maps for processes using increasing amount of resources
  • Flags "Immersive Apps" (running in full screen)
  • Create Dump option to create dump based on process architecture
  • Find dialogue shows greater detail in results

Properties dialogue has been beefed up:

  • Autostart location with Explore button.
  • High entropy ASLR flag
  • Security dialog shows app ID SID, application container ID, sortable columns
  • Services tab allows stop start control
  • Threads tabs shows .NET call process of managed apps
  • GPU statistics
  • System Information screen re-skin. Options > Configure Colors allows changing of background back to black.

Process Monitor:

  • Bookmark feature to bookmark any arbitrary event. F6 or Shift+F6 to cycle through bookmarks.
  • Highlighted events. F4 or Shift+F4 to jump through highlighted events.
  • Filter tweaks: right click > Edit Filter > displays filter logic that you can customize
  • Process Start operations show directories where process started from


  • Many new indexed autostart locations for the computer
  • Jump to Image - takes you to the location of the exe that's getting started
  • Active filter now shown in status bar
  • File association for *.ARN files for Explorer shell integration
  • Autorunc now support file hashes (specifically AppLocker hash IDs)
  • Autorunc can now show autorun points for all users on local computer

PSExec v2.0 (not yet released) - can specify unique service and executable name to be created with -r switch.
PsPing (new utility not in book) - Measure network performance to .001 ms resolution, TCP connection latency, rround-trip time, bandwidth stats, histograms. Can ping via specified ports (ignoring ICMP disabled).


  • ASLR now marked

ProcDump (lots of updates!)

  • -e, f, g, l,
  • -i Define procdump as the just in time debugger and dump in a specified directory
  • -cl,ml,pl capture a dump on specified thresholds
  • Can specify service by name
  • Specify more than one filter
  • Order of the parameters have changed to make it easier


  • -m captures a fully-consistent kernel memory snapshot without having to reboot into debug mode.

SigCheck - used for looking at digital signatures on files

  • -i now shows much more detailed information on certificate information (as well as counter timing signatures)
  • Now shows link date in executable unsigned files


  • Will now show Windows 8 as running operating system (currently displays Windows 8 as Windows NT 6.2)


  • Can turn off animated zooming for smaller bandwidth consumption
  • Run ZoomIt when Windows starts checkbox in the settings

Disk Usage (DU)

  • -c -v CSV output list of content in megabytes and paths
  • -ct tabbed delimited format
  • du -ct -v . | clip.exe
    • Clip.exe - Takes whatever comes in through standard input and puts it onto the clipboard.


  • -v intermediate verbose domain registration referrals
  • For a fun test: whois -v microsoft.com (do not do this from a work computer)

RU (new utility, Registry Usage)

RAMMap (utility shows content of physical RAM)

  • command line to save output to file

CoreInfo (report CPU capabilties)

  • lots of changes but didn't go into any

Grab the toolkit and keep track of updates on the official Sysinternals page: http://technet.microsoft.com/en-us/sysinternals/bb545021.aspx


This post is locked
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ