Windows Sysinternals is a website which offers technical resources and utilities to manage, diagnose, troubleshoot, and monitor a Microsoft Windows environment. Originally, the Sysinternals website (formerly known as ntinternals) was created in 1996 and was operated by the company Winternals Software LP, which was located in Austin, Texas. It was started by software developers Bryce Cogswell and Mark Russinovich. Microsoft acquired Winternals and its assets on July 18, 2006.
The website featured several freeware tools to administer and monitor computers running Microsoft Windows. The software can now be found at Microsoft. The company also sold data recovery utilities and professional editions of their freeware tools.
Winternals Software LP
Founder: Bryce Cogswell and Mark Russinovich
On July 18, 2006, Microsoft Corporation acquired the company and its assets. Russinovich explained that the Sysinternals site would remain active until Microsoft settled on a method of distributing the tools it provided. However, NT Locksmith, a Windows password recovery utility, was removed immediately. The Sysinternals website has since moved to the Windows Sysinternals site, which is part of Microsoft Docs.
In late 2010, Bryce Cogswell retired from Sysinternals.
Windows Sysinternals supplies users with numerous free utilities, most of which have been actively developed by Mark Russinovich and Bryce Cogswell. Notable ones include Process Explorer, an advanced version of Windows Task Manager; Autoruns, which Windows Sysinternals claims is the most advanced manager of startup applications; RootkitRevealer, a rootkit detection utility; Contig; PageDefrag; and a total of 65 other utilities. NTFSDOS, which allowed NTFS volumes to be read from Microsoft's MS-DOS operating system, has been discontinued and is no longer available for download. Most of these utilities are now bundled by the publisher, for simpler downloading of all or most current versions, in the so-called Sysinternals Suite.
Previously available for download was the Winternals Administrator Pak which contained ERD Commander 2005, Remote Recover 3.0, NTFSDOS Professional 5.0, Crash Analyzer Wizard, FileRestore 1.0, Filemon Enterprise Edition 2.0, Regmon Enterprise Edition 2.0, AD Explorer Insight for Active Directory 2.0, and TCP Tools.
On May 18, 2010, Sysinternals released its first new utility since its acquisition by Microsoft. Named RAMMap, it is a diagnostic utility similar to the Memory tab of Windows Resource Monitor, but more advanced. RAMMap runs only on Windows Vista and later.
In April 2006, Geek Squad, a tech support company working in cooperation with Best Buy, was accused of using unlicensed versions of the ERD Commander software. Winternals supplied Best Buy with copies of its software so that Best Buy could evaluate the software while conducting contract negotiations for using it on a permanent basis. When contract talks broke down Best Buy did not notify its Geek Squad Agents to stop using the software and discard all copies. A judge granted a restraining order on April 14, requiring that use of all unlicensed software be stopped, and forcing Best Buy to turn over all copies of Winternals software within 20 days. After settlement, a version of the Winternals software was released to be used by Geek Squad.
...that's when Sysinternals started, originally called ntinternals...
Contig is a command-line defragmentation utility for Windows, now published by Microsoft as part of Windows Sysinternals.
Extended Copy Protection
Extended Copy Protection (XCP) is a software package developed by the British company First 4 Internet (which on 20 November 2006, changed its name to Fortium Technologies Ltd) and sold as a copy protection or digital rights management (DRM) scheme for Compact Discs. It was used on some CDs distributed by Sony BMG and sparked the 2005 Sony BMG CD copy protection scandal; in that context it is also known as the Sony rootkit.
Security researchers, beginning with Mark Russinovich in October 2005, have described the program as functionally identical to a rootkit: a computer program used by computer intruders to conceal unauthorised activities on a computer system. Russinovich broke the story on his Sysinternals blog, where it gained attention from the media and other researchers. This ultimately led to a civil lawsuit and criminal investigations, which forced Sony to discontinue use of the system.
While Sony eventually recalled the CDs that contained the XCP system, the web-based uninstaller was investigated by noted security researchers Ed Felten and Alex Halderman, who stated that the ActiveX component used for removing the software exposed users to far more significant security risks, including arbitrary code execution from websites on the internet.
List of Microsoft software
Microsoft Corporation is a leading developer of PC software. It is best known for its Windows operating system, the Microsoft Office family of productivity software plus services, and the Visual Studio IDE. The company also publishes books (through Microsoft Press) and video games (through Microsoft Studios), and produces its own line of hardware. The following is a list of the notable Microsoft software applications.
List of rogue security software
The following is a partial list of rogue security software, most of which can be grouped into families. These are functionally identical versions of the same program repackaged as successive new products by the same vendor.
ANG Antivirus (knock-off of AVG Anti-virus)
Antivirus 2010 (also known as Anti-virus-1),
AntiVirus Gold or AntivirusGT
Antivirus Pro 2009
Antivirus Pro 2010
Antivirus Pro 2017
Antivirus System PRO
Antivirus XP 2008
Antivirus XP 2010
AV Antivirus Suite
AVG Antivirus 2011 (fake version)
AV Security Essentials
AV Security Suite
BestsellerAntivirus, Browser Defender
ByteDefender also known as ByteDefender Security 2010 (Knock-off of the legitimate BitDefender Antivirus software)
Cyber Security, Core Security
Desktop Security 2010
Disc Antivirus Professional
EasySpywareCleaner, EasyFix Tools
Errorsafe, Error Expert
Flu Shot 4 (probably the earliest well-known instance of rogue security software)
Green Antivirus 2009
Hard Drive Diagnostic
Home Security Solutions
Internet Antivirus, InstallShield (aka Internet Antivirus Pro, distributed by plus4scan.com)
Internet Antivirus 2011
Internet Defender 2011
Internet Security 2010,
Internet Security 2011
Internet Security 2012
Internet Security Essentials
Internet Security Guard
Live PC Care
Live Security Platinum
Live Security Suite
Malware Protection Center
MS AntiSpyware 2009 (not to be confused with Microsoft AntiSpyware, now Windows Defender)
MS Antivirus Microsoft Anti Malware (not to be confused with Microsoft Antivirus or Microsoft Security Essentials)
MS Removal Tool
Microsoft Security Essentials (fake version)
My Security Engine
My Security Shield
My Security Wall
PAL Spyware Remover
PC Clean Pro
PC Privacy Cleaner
Perfect Defender 2009, Perfect Optimizer
Personal Internet Security 2011
Personal Shield Pro
PC Defender Antivirus
PC Optimizer Pro
Privacy Center
Security Shield
Security Solution 2011
Security Suite Platinum
Security Toolbar 7.1
Security Essentials 2010 (not to be confused with Microsoft Security Essentials)
SpyEraser (Video demonstration)
SpyHeal (a.k.a. SpyHeals & VirusHeal)
SpySheriff (a.k.a. PestTrap, BraveSentry, SpyTrooper)
SpywareBot (Spybot - Search & Destroy knockoff, Now known as SpywareSTOP).
Spyware Cleaner or Spyware B1aster (trades on the name of the legitimate SpywareBlaster; not to be confused with the Javacool Software application of that name)
SpywareGuard 2008 (not to be confused with SpywareGuard by Javacool Software)
Spyware Protect 2009
SpywareSheriff (often confused with SpySheriff)
Spyware Stormer, Spyware X-terminator
Spyware Striker Pro
System Antivirus 2008
TheSpyBot (Spybot - Search & Destroy knockoff)
Total Secure 2009
Total Win 7 Security
Total Win Vista Security
Total Win XP Security
VirusProtectPro (a.k.a. AntiVirGear)
Vista Antivirus 2008
Vista Home Security 2011
Vista Internet Security 2012
Vista Security 2011
Vista Security 2012
Vista Smart Security 2010
Volcano Security Suite
Win7 Antispyware 2011
Win Antispyware Center
Win 7 Home Security 2011
WinAntiVirus Pro 2006
Windows Police Pro
WinWeb Security 2008
XP AntiSpyware 2009
XP AntiSpyware 2010
XP AntiSpyware 2012
XP Antivirus 2010
XP Antivirus 2012
XP Antivirus Pro 2010
XP Defender Pro
XP Home Security 2011
XP Internet Security 2010
Your PC Protector
RegClean Pro
Mark Russinovich
Mark Eugene Russinovich (born c. 1966) is a Spanish-born American software engineer who serves as CTO of Microsoft Azure. He was a cofounder of the software producer Winternals before it was acquired by Microsoft in 2006.
Multimedia Class Scheduler Service
Multimedia Class Scheduler Service (MMCSS) is a Windows service that allows multimedia applications to get prioritized access to the CPU for time-sensitive processing, as well as prioritized disk access, to ensure that the process is not starved of data to process. The MMCSS service monitors the CPU load and dynamically adjusts priority so that the application can use as much CPU time as possible without denying CPU to lower-priority applications. MMCSS uses heuristics to determine the relative priority required for the task the thread is performing and dynamically adjusts priority based on that. A thread must invoke MMCSS explicitly to use its services by calling the AvSetMmMaxThreadCharacteristics() or AvSetMmThreadCharacteristics() APIs.
MMCSS is used by the multimedia applications in Windows Vista, including Windows Media Player and Windows Media Center, to provide glitch-free audio playback.
NTFS junction point
An NTFS junction point is a symbolic link to a directory that acts as an alias of that directory. This feature of the NTFS file system offers benefits over a Windows shell shortcut (.lnk) file, such as allowing access to files within the directory via Windows Explorer, the Command Prompt, etc.
Unlike NTFS symbolic links, junction points can only link to an absolute path and only to a local volume; junction points from a local volume to a remote share are unsupported. Junction points are a type of NTFS reparse point, internally represented as a mount point. They were introduced with NTFS 3.0, the default file system for Windows 2000. The Windows 2000 and Windows 2003 Resource Kits include a program called linkd to create junction points; Mark Russinovich of Winternals released a tool called junction, which provided more complete functionality. Windows XP includes fsutil; Masatoshi Kimura released a filter driver that made the soft/symbolic link functionality already present in Windows XP's NTFS version accessible to the end user. Windows Vista, Windows Server 2008, and later operating systems include an mklink command-line utility for creating junction points.
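To make the difference between a junction and a symbolic link concrete at the on-disk level, here is an added example (my own code, not from the article or from any Sysinternals or Microsoft tool) that builds and parses the reparse-point data both kinds store. It follows the documented REPARSE_DATA_BUFFER layout: a common header (ReparseTag, ReparseDataLength, Reserved), four offset/length fields for the substitute and print names, a Flags field that only symbolic links have, and a UTF-16LE path buffer. The sample paths are constructed; the check that a junction's substitute name must be an absolute `\??\` NT path is an assumption made here to mirror the rule stated above.

```python
"""Build and parse NTFS reparse-point data for junctions and symbolic links.

Added example, not code from the article or from any Sysinternals tool. It
follows the documented REPARSE_DATA_BUFFER layout: a common header
(ReparseTag u32, ReparseDataLength u16, Reserved u16), then the four u16
name offset/length fields, a u32 Flags field for symbolic links only, and a
UTF-16LE PathBuffer. The sample paths below are constructed.
"""
import struct

IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003   # junction
IO_REPARSE_TAG_SYMLINK = 0xA000000C
SYMLINK_FLAG_RELATIVE = 0x1
NT_PREFIX = "\\??\\"                      # NT object-manager path prefix


def build_reparse_buffer(tag, substitute_name, print_name, flags=0):
    """Serialise a reparse buffer the way mklink /J and mklink /D store them."""
    if tag == IO_REPARSE_TAG_MOUNT_POINT:
        # Assumption mirroring the article: a junction's substitute name is an
        # absolute NT path on a local volume (\??\C:\...); relative targets are
        # only expressible by symbolic links.
        if not substitute_name.startswith(NT_PREFIX):
            raise ValueError("junction target must be an absolute \\??\\ path")
    elif tag != IO_REPARSE_TAG_SYMLINK:
        raise ValueError("unsupported reparse tag 0x%08X" % tag)
    sub = substitute_name.encode("utf-16-le")
    prn = print_name.encode("utf-16-le")
    # Both names are NUL-terminated in PathBuffer; the lengths exclude the NUL.
    path_buffer = sub + b"\x00\x00" + prn + b"\x00\x00"
    names = struct.pack("<HHHH", 0, len(sub), len(sub) + 2, len(prn))
    if tag == IO_REPARSE_TAG_SYMLINK:
        names += struct.pack("<I", flags)
    body = names + path_buffer
    return struct.pack("<IHH", tag, len(body), 0) + body


def parse_reparse_buffer(buf):
    """Decode a reparse buffer into its kind, target names and relative flag."""
    tag, data_len, _reserved = struct.unpack_from("<IHH", buf, 0)
    body = buf[8:8 + data_len]
    sub_off, sub_len, prn_off, prn_len = struct.unpack_from("<HHHH", body, 0)
    flags, path_start = 0, 8
    if tag == IO_REPARSE_TAG_SYMLINK:
        (flags,) = struct.unpack_from("<I", body, 8)
        path_start = 12
    elif tag != IO_REPARSE_TAG_MOUNT_POINT:
        raise ValueError("unsupported reparse tag 0x%08X" % tag)
    path = body[path_start:]
    return {
        "kind": "junction" if tag == IO_REPARSE_TAG_MOUNT_POINT else "symlink",
        "substitute_name": path[sub_off:sub_off + sub_len].decode("utf-16-le"),
        "print_name": path[prn_off:prn_off + prn_len].decode("utf-16-le"),
        "relative": bool(flags & SYMLINK_FLAG_RELATIVE),
    }


def junction_target(buf):
    """Return the Win32 path a junction resolves to (strips the \\??\\ prefix)."""
    info = parse_reparse_buffer(buf)
    if info["kind"] != "junction":
        raise ValueError("not a junction")
    return info["substitute_name"][len(NT_PREFIX):]


# Constructed sample: what `mklink /J C:\Links\Shared C:\Data\Shared` stores.
SAMPLE_JUNCTION = build_reparse_buffer(
    IO_REPARSE_TAG_MOUNT_POINT, r"\??\C:\Data\Shared", r"C:\Data\Shared")
# Constructed sample: a relative directory symlink, which a junction cannot express.
SAMPLE_SYMLINK = build_reparse_buffer(
    IO_REPARSE_TAG_SYMLINK, r"..\Data\Shared", r"..\Data\Shared",
    flags=SYMLINK_FLAG_RELATIVE)

if __name__ == "__main__":
    print(parse_reparse_buffer(SAMPLE_JUNCTION))
    print(parse_reparse_buffer(SAMPLE_SYMLINK))
```

On a live system the same bytes come back from `fsutil reparsepoint query <dir>` or from DeviceIoControl with FSCTL_GET_REPARSE_POINT; the parser above can be pointed at that output to tell a junction from a symbolic link without trusting the link's display name.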
PageDefrag
PageDefrag is a program, developed by Sysinternals (now distributed by Microsoft), for Microsoft Windows that runs at start-up to defragment the virtual memory page file, the registry files and the Event Viewer's logs (files such as AppEvent.Evt, SysEvent.Evt, SecEvent.Evt and so on).
Defragmenting these files may improve performance. Since PageDefrag only affects a few files, it takes a relatively short time to run when compared to entire-disk defragmenters such as Windows Defrag, so long as the page file is not fragmented. If the page file is fragmented, PageDefrag can take as long or longer than Windows Defrag.
PageDefrag does not defragment the contents of the registry files, only the placement of these files on the hard drive. Other utilities such as NTREGOPT can optimize the registry files.
PageDefrag runs on Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003. Though the website erroneously says "runs on Windows XP (32-bit) and higher (32-bit), Windows Server 2003 (32-bit) and higher (32-bit)", the tool cannot defragment the pagefile on Windows Vista, Windows 7, or Server 2008; it is able to defragment registry hives on these versions. Workarounds for higher versions of Windows, including 64-bit versions, include using a BartPE disk or booting from a Windows install CD and using the provided command line interface.
Process Explorer
Process Explorer is a freeware task manager and system monitor for Microsoft Windows created by SysInternals, which has been acquired by Microsoft and re-branded as Windows Sysinternals. It provides the functionality of Windows Task Manager along with a rich set of features for collecting information about processes running on the user's system. It can be used as the first step in debugging software or system problems.
Process Explorer can be used to track down problems. For example, it provides a means to list or search for named resources that are held by a process or all processes. This can be used to track down what is holding a file open and preventing its use by another program. As another example, it can show the command lines used to start a program, allowing otherwise identical processes to be distinguished. Like Task Manager, it can show a process that is maxing out the CPU, but unlike Task Manager it can show which thread (with the callstack) is using the CPU – information that is not even available under a debugger.
Process Monitor
Process Monitor is a free tool from Windows Sysinternals, part of the Microsoft TechNet website. The tool monitors and displays in real time file system, registry, and process/thread activity on a Microsoft Windows operating system. It combines two older tools, FileMon and RegMon, and is used in system administration, computer forensics, and application debugging.
Process Monitor monitors and records all actions attempted against the Microsoft Windows Registry. It can be used to detect failed attempts to read and write registry keys, and it allows filtering on specific keys, processes, process IDs, and values. In addition it shows how applications use files and DLLs, detects some critical errors in system files, and more.
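The failed-access filtering described above is usually done interactively in the Process Monitor window, but the same triage can be scripted over an export. The following is an added example (my own code, not part of Process Monitor or the article) that reads a Procmon CSV export and reproduces a Result/Process/Path filter for registry and file failures. It assumes the export was written with File > Save in CSV format using Procmon's default columns ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"); the rows in SAMPLE_CSV are constructed, not a real capture.

```python
"""Triage a Process Monitor CSV export for failed registry and file accesses.

Added example, not part of Process Monitor. It assumes the CSV was written
with File > Save (CSV format) and Procmon's default columns: "Time of Day",
"Process Name","PID","Operation","Path","Result","Detail". The rows in
SAMPLE_CSV are constructed for illustration, not a real capture.
"""
import csv
import io
from collections import Counter

# Constructed sample export (raw string, so the backslashes are literal).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","app.exe","4120","RegOpenKey","HKLM\SOFTWARE\Vendor\App","SUCCESS","Desired Access: Read"
"10:01:02.1234890 AM","app.exe","4120","RegQueryValue","HKLM\SOFTWARE\Vendor\App\PluginDir","NAME NOT FOUND","Length: 144"
"10:01:02.1235000 AM","app.exe","4120","RegSetValue","HKLM\SOFTWARE\Vendor\App\LastRun","ACCESS DENIED","Type: REG_SZ, Length: 40"
"10:01:02.1236000 AM","app.exe","4120","CreateFile","C:\Program Files\Vendor\plugin.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.1237000 AM","svchost.exe","900","RegQueryValue","HKLM\SYSTEM\CurrentControlSet\Services\Foo\Start","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"10:01:02.1238000 AM","app.exe","4120","RegQueryValue","HKCU\Software\Vendor\App\PluginDir","NAME NOT FOUND","Length: 144"
'''

# Result strings Procmon reports for the failures worth triaging first.
FAILURE_RESULTS = {"NAME NOT FOUND", "PATH NOT FOUND", "ACCESS DENIED"}


def parse_procmon_csv(text):
    """Return the export as a list of dicts keyed by Procmon's column names."""
    return list(csv.DictReader(io.StringIO(text)))


def is_registry_op(row):
    """Procmon names every registry operation Reg* (RegOpenKey, RegQueryValue, ...)."""
    return row["Operation"].startswith("Reg")


def failed_accesses(rows, registry_only=False, process=None, path_prefix=None):
    """Filter rows the way a Procmon filter on Result, Process Name and Path would."""
    out = []
    for row in rows:
        if row["Result"] not in FAILURE_RESULTS:
            continue
        if registry_only and not is_registry_op(row):
            continue
        if process and row["Process Name"].lower() != process.lower():
            continue
        if path_prefix and not row["Path"].lower().startswith(path_prefix.lower()):
            continue
        out.append(row)
    return out


def summarize(rows):
    """Count failures by (process, operation, result) as a triage overview."""
    return Counter((r["Process Name"], r["Operation"], r["Result"]) for r in rows)


if __name__ == "__main__":
    rows = parse_procmon_csv(SAMPLE_CSV)
    for r in failed_accesses(rows):
        print(r["Process Name"], r["PID"], r["Operation"], r["Path"], r["Result"])
    print(summarize(failed_accesses(rows)))
```

NAME NOT FOUND results against paths a process later loads from (the missing PluginDir value and plugin.dll in the sample) are the lines worth reading first when investigating an application that misbehaves, or when looking for locations a lower-privileged user could plant a file or value in.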
RootkitRevealer
RootkitRevealer is a proprietary freeware tool for rootkit detection on Microsoft Windows by Bryce Cogswell and Mark Russinovich. It runs on Windows XP and Windows Server 2003 (32-bit versions only). Its output lists discrepancies between the Windows Registry and file system as seen through the Windows API and as read directly from the raw hive and volume data; such discrepancies may indicate the presence of a rootkit. It is the same tool that triggered the Sony BMG copy protection rootkit scandal. RootkitRevealer is no longer being developed.
Runas
In computing, runas is a command in the Microsoft Windows line of operating systems that allows a user to run specific tools and programs under a different user name from the one used to log on to the computer interactively. It is similar to the Unix commands sudo and su, but the Unix commands generally require prior configuration by the system administrator to work for a particular user and/or command.
Security Identifier
In the context of the Microsoft Windows NT line of operating systems, a Security Identifier (commonly abbreviated SID) is a unique, immutable identifier of a user, user group, or other security principal. A security principal has a single SID for life (in a given domain), and all properties of the principal, including its name, are associated with the SID. This design allows a principal to be renamed (for example, from "Jane Smith" to "Jane Jones") without affecting the security attributes of objects that refer to the principal.
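An added example (my own code, not from the article or from Microsoft) that encodes and decodes SIDs following the documented binary layout: Revision (1 byte), SubAuthorityCount (1 byte), a 6-byte big-endian IdentifierAuthority, then the 32-bit little-endian sub-authorities. It also shows the practical consequence of the immutability described above: the built-in Administrator account keeps RID 500 no matter what it is renamed to, so a check on the SID is more reliable than one on the name. The sample SIDs are constructed.

```python
"""Encode and decode Windows Security Identifiers (SIDs).

Added example, not from the article or from Microsoft code. It follows the
documented binary SID layout: Revision (1 byte), SubAuthorityCount (1 byte),
IdentifierAuthority (6 bytes, big-endian), then SubAuthorityCount 32-bit
little-endian sub-authorities. The sample SIDs below are constructed.
"""
import struct

MAX_SUB_AUTHORITIES = 15
# Constructed sample bytes for the well-known "Everyone" SID, S-1-1-0.
EVERYONE_SID_BYTES = bytes.fromhex("01 01 00 00 00 00 00 01 00 00 00 00")


def sid_from_bytes(data):
    """Convert a binary SID (e.g. from a token or ACL) to its S-1-... string."""
    if len(data) < 8:
        raise ValueError("SID shorter than the 8-byte header")
    revision, count = data[0], data[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if count > MAX_SUB_AUTHORITIES or len(data) != 8 + 4 * count:
        raise ValueError("SubAuthorityCount does not match buffer length")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_to_bytes(sid):
    """Inverse of sid_from_bytes; validates the textual form strictly."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S" or parts[1] != "1":
        raise ValueError("malformed SID %r" % sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if (len(subs) > MAX_SUB_AUTHORITIES or authority >= 1 << 48
            or any(s >= 1 << 32 for s in subs)):
        raise ValueError("SID field out of range: %r" % sid)
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_domain_rid(sid):
    """Split an account SID into (issuing domain/machine SID, relative ID)."""
    parts = sid.split("-")
    if len(parts) < 5:
        raise ValueError("SID has no RID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


def is_builtin_administrator(sid):
    """True for the built-in Administrator account of any domain or machine.

    The RID is fixed at 500 for the account's lifetime, so it keeps this SID
    even after being renamed; this is the property the article describes.
    """
    domain, rid = split_domain_rid(sid)
    return domain.startswith("S-1-5-21-") and rid == 500


if __name__ == "__main__":
    renamed_admin = "S-1-5-21-1004336348-1177238915-682003330-500"  # constructed
    print(sid_from_bytes(EVERYONE_SID_BYTES))
    print(sid_to_bytes(renamed_admin).hex())
    print(is_builtin_administrator(renamed_admin))
```

The same round trip is what tools perform when they show an ACL entry or a token group as a name: the stored data is always the SID, and the name is looked up from it at display time.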
Sysprep
Sysprep is Microsoft's System Preparation Tool for Microsoft Windows operating system deployment.
Tasklist
In computing, tasklist is a command available in Microsoft Windows and in the AROS shell. It is equivalent to the ps command in Unix and Unix-like operating systems and can also be compared with the Windows task manager (taskmgr).
Windows NT 4.0, the Windows 98 Resource Kit, and the Windows 2000 Support Tools include the similar tlist command. Additionally, Microsoft provides the similar PsList command as part of Windows Sysinternals.
Virtual desktop
In computing, a virtual desktop is a term used with respect to user interfaces, usually within the WIMP paradigm, to describe ways in which the virtual space of a computer's desktop environment is expanded beyond the physical limits of the screen's display area through the use of software. This compensates for a limited desktop area and can also be helpful in reducing clutter. There are two major approaches to expanding the virtual area of the screen. Switchable virtual desktops allow the user to make virtual copies of their desktop view-port and switch between them, with open windows existing on single virtual desktops. Another approach is to expand the size of a single virtual screen beyond the size of the physical viewing device. Typically, scrolling/panning a subsection of the virtual desktop into view is used to navigate an oversized virtual desktop.
WinExe
WinExe is software that allows administrative users to execute commands remotely on Windows NT/2000/XP/2003/Vista/2008 systems from GNU/Linux.
WinExe is distributed as pre-built RPM packages, source code is available as well.
WinExe is analogous to the Sysinternals tool PsExec.
Windows NT 3.5
Windows NT 3.5 is an operating system developed by Microsoft, released on September 21, 1994. It is the second release of Windows NT. One of the primary goals during Windows NT 3.5 development was to improve the operating system's performance. As a result, the project was codenamed "Daytona", after the Daytona International Speedway in Daytona Beach, Florida. Like many other older Windows versions before 1996, Microsoft stopped supporting Windows NT 3.5 on December 31, 2001. Support for Windows NT 3.51 Workstation also ended on that date.