Windows Sysinternals is a website which offers technical resources and utilities to manage, diagnose, troubleshoot, and monitor a Microsoft Windows environment.[1] Originally, the Sysinternals website (formerly known as ntinternals[2]) was created in 1996 and was operated by the company Winternals Software LP,[1] which was located in Austin, Texas. It was started by software developers Bryce Cogswell and Mark Russinovich.[1] Microsoft acquired Winternals and its assets on July 18, 2006.[3]

The website featured several freeware tools to administer and monitor computers running Microsoft Windows. The software can now be found at Microsoft. The company also sold data recovery utilities and professional editions of their freeware tools.

Winternals Software LP
GenreSoftware development
FounderBryce Cogswell and Mark Russinovich

Winternals Software LP

Winternals Software LP was founded by Bryce Cogswell and Mark Russinovich, who sparked the 2005 Sony BMG CD copy protection scandal in an October 2005 posting to the Sysinternals blog.[4]

On July 18, 2006, Microsoft Corporation acquired the company and its assets. Russinovich explained that Sysinternals will remain active until Microsoft agrees on a method of distributing the tools provided there.[5] However, NT Locksmith, a Windows password recovery utility, was immediately removed. Currently, the Sysinternals website is moved to the Windows Sysinternals website and is a part of Microsoft Docs.[1]

In late 2010, Bryce Cogswell retired from Sysinternals.[6]


Windows Sysinternals supplies users with numerous free utilities, most of which are being actively developed by Mark Russinovich and Bryce Cogswell,[7] such as Process Explorer, an advanced version of Windows Task Manager,[8] Autoruns, which Windows Sysinternals claims is the most advanced manager of startup applications,[9] RootkitRevealer, a rootkit detection utility,[10] Contig, PageDefrag and a total of 65 other utilities.[11] NTFSDOS, which allowed NTFS volumes to be read by Microsoft's MS-DOS operating system, is now discontinued and is no longer available for download.[11] A larger number of these utilities are nowadays bundled by the publishers for the sake of simpler downloading of all, or most, current versions in the so-called Sysinternals Suite.

Previously available for download was the Winternals Administrator Pak which contained ERD Commander 2005, Remote Recover 3.0, NTFSDOS Professional 5.0, Crash Analyzer Wizard, FileRestore 1.0, Filemon Enterprise Edition 2.0, Regmon Enterprise Edition 2.0, AD Explorer Insight for Active Directory 2.0, and TCP Tools.

On May 18, 2010 Sysinternals released its first new utility since its acquisition by Microsoft. Named RAMMap, it is a diagnostic utility similar to the memory tab of Windows Resource monitor, but more advanced. RAMMap runs only on Windows Vista and later.[12]

In November 2018, Microsoft confirmed it is porting Sysinternals tools, including ProcDump and ProcMon, to Linux.[13]

Licensing issue with Best Buy

In April 2006, Geek Squad, a tech support company working in cooperation with Best Buy, was accused of using unlicensed versions of the ERD Commander software. Winternals supplied Best Buy with copies of its software so that Best Buy could evaluate the software while conducting contract negotiations for using it on a permanent basis. When contract talks broke down Best Buy did not notify its Geek Squad Agents to stop using the software and discard all copies. A judge granted a restraining order on April 14, requiring that use of all unlicensed software be stopped, and forcing Best Buy to turn over all copies of Winternals software within 20 days.[14] After settlement, a version of the Winternals software was released to be used by Geek Squad.[15]

See also


  1. ^ a b c d "Windows Sysinternals". Microsoft Docs. Microsoft Corporation. August 12, 2009. Retrieved August 15, 2009.
  2. ^ Mark Russinovich (May 9, 2011). Podnutz Episode #64 - Mark Russinovich Talks Tech (Flash) (Podcast). Podnutz. Event occurs at 0:02:01. Retrieved June 18, 2011. ...that's when Sysinternals started, originally called ntinternals...
  3. ^ "Microsoft Acquires Winternals Software". Company Press Releases. Winternals Software. July 18, 2006. Retrieved March 14, 2007.
  4. ^ Mark Russinovich (October 31, 2005). "Sony, Rootkits and Digital Rights Management Gone Too Far". Sysinternals Blog. Retrieved December 18, 2006.
  5. ^ Mark Russinovich (July 18, 2006). "On My Way to Microsoft!". Sysinternals Blog. Retrieved December 18, 2006.
  6. ^ "Mark Russinovich Discusses Windows Azure", Windows IT Pro. Retrieved on April 16, 2011.
  7. ^ "What is new (August 5, 2009)". Windows Sysinternals. Microsoft Corporation. August 15, 2009. Retrieved August 15, 2009.
  8. ^ "Process Explorer v11.33". Windows Sysinternals. Microsoft Corporation. February 4, 2009. Retrieved August 15, 2009.
  9. ^ "Autoruns for Windows v9.53". Windows Sysinternals. Microsoft Corporation. August 12, 2009. Retrieved August 15, 2009.
  10. ^ "RootkitRevealer v1.71". Windows Sysinternals. Microsoft Corporation. November 1, 2006. Retrieved August 15, 2009.
  11. ^ a b "Sysinternals Utilities Index". Windows Sysinternals. Microsoft Corporation. August 12, 2009. Retrieved August 15, 2009.
  12. ^ Russinovich, Mark; Cogswell, Bryce (May 18, 2011). "RAMMap v1.11". Windows Sysinternals. Microsoft. Retrieved June 12, 2011.
  13. ^ Cimpanu, Catalin (November 5, 2018). "Microsoft working on porting Sysinternals to Linux". ZDNet. CBS Interactive. Retrieved November 5, 2018.
  14. ^ "Best Buy's Geek Squad Accused of Pirating Software", FOX News. Retrieved on December 16, 2006.
  15. ^ "Winternals & Best Buy/Geek Squad Settle Federal Lawsuit", Winternals press release. Retrieved on December 16, 2006. Archived March 14, 2007, at the Wayback Machine

External links

Contig (defragmentation utility)

Contig is a command line defragmentation utility for Windows currently owned by Microsoft subsidiary SysInternals.

Extended Copy Protection

Extended Copy Protection (XCP) is a software package developed by the British company First 4 Internet (which on 20 November 2006, changed its name to Fortium Technologies Ltd) and sold as a copy protection or digital rights management (DRM) scheme for Compact Discs. It was used on some CDs distributed by Sony BMG and sparked the 2005 Sony BMG CD copy protection scandal; in that context it is also known as the Sony rootkit.

Security researchers, beginning with Mark Russinovich in October 2005, have described the program as functionally identical to a rootkit: a computer program used by computer intruders to conceal unauthorised activities on a computer system. Russinovich broke the story on his Sysinternals blog, where it gained attention from the media and other researchers. This ultimately led to a civil lawsuit and criminal investigations, which forced Sony to discontinue use of the system.

While Sony eventually recalled the CDs that contained the XCP system, the web-based uninstaller was investigated by noted security researchers Ed Felten and Alex Halderman, who stated that the ActiveX component used for removing the software exposed users to far more significant security risks, including arbitrary code execution from websites on the internet.

List of Microsoft software

Microsoft Corporation is a leading developer of PC software. It is best known for its Windows operating system, the Microsoft Office family of productivity software plus services, and the Visual Studio IDE. The company also publishes books (through Microsoft Press) and video games (through Microsoft Studios), and produces its own line of hardware. The following is a list of the notable Microsoft software applications.

List of rogue security software

The following is a partial list of rogue security software, most of which can be grouped into families. These are functionally identical versions of the same program repackaged as successive new products by the same vendor.

360 Security

ANG Antivirus (knock-off of AVG Anti-virus)


Antivirus 360

Antivirus 2008

Antivirus 2009

Antivirus 2010 (also known as Anti-virus-1),

AntiVirus Gold or AntivirusGT

Antivirus Master

Antivirus Pro 2009

Antivirus Pro 2010

Antivirus Pro 2017

Antivirus System PRO

Antivirus XP 2008

Antivirus XP 2010

AV Antivirus Suite

AVG Antivirus 2011 (fake version)

AV Security Essentials

AV Security Suite


BestsellerAntivirus, Browser Defender

ByteDefender also known as ByteDefender Security 2010 (Knock-off of the legitimate BitDefender Antivirus software)



Cloud Protection


Control Center

Cyber Security, Core Security

Data Protection

Defense Center


Desktop Security 2010

Disc Antivirus Professional

Disk Doctor

Doctor Antivirus

Dr Guard


EasySpywareCleaner, EasyFix Tools

Eco AntiVirus

Errorsafe, Error Expert

Essential Cleaner

Flu Shot 4 (probably the earliest well-known instance of rogue security software)

Green Antivirus 2009

Hard Drive Diagnostic


HDD Plus

HDD Rescue

Home Security Solutions



Internet Antivirus, InstallShield(aka Internet Antivirus Pro, distributed by

Internet Antivirus 2011

Internet Defender 2011

Internet Security 2010,

Internet Security 2011

Internet Security 2012

Internet Security Essentials

Internet Security Guard

Live PC Care

Live Security Platinum

Live Security Suite

Mac Defender

Mac Protector





Malware Defense

Malware Protection Center

Memory Fixer

MS AntiSpyware 2009 (not to be confused with Microsoft AntiSpyware, now Windows Defender)

MS Antivirus Microsoft Anti Malware (not to be confused with Microsoft Antivirus or Microsoft Security Essentials)

MS Removal Tool

Microsoft Security Essentials (fake version)

My Security Engine

My Security Shield

My Security Wall

MxOne Antivirus


Netcom3 Cleaner

Paladin Antivirus

PAL Spyware Remover

PC Antispy

PC Clean Pro

PC Privacy Cleaner

PCPrivacy Tools



Perfect Defender 2009, Perfect Optimizer

PersonalAntiSpy Free

Personal Antivirus

Personal Internet Security 2011

Personal Security

Personal Shield Pro

PC Antispyware

PC Defender Antivirus

PC Optimizer Pro


Privacy CenterSecurity Shield

Security Solution 2011

Security Suite Platinum

Security Tool

Security Tool

Security Toolbar 7.1

Security Essentials 2010 (not to be confused with Microsoft Security Essentials)





SpyEraser (Video demonstration)


SpyHeal (a.k.a. SpyHeals & VirusHeal)




SpySheriff (a.k.a. PestTrap, BraveSentry, SpyTrooper)


SpywareBot (Spybot - Search & Destroy knockoff, Now known as SpywareSTOP).

Spyware Cleaner or Spyware B1aster exploits name SpywareBlaster (should not be confused with the JavaCool app of the same name)

SpywareGuard 2008 (not to be confused with SpywareGuard by Javacool Software)


Spyware Protect 2009


SpywareSheriff (often confused with SpySheriff)

Spyware Stormer, Spyware X-terminator


Spyware Striker Pro


Super AV


Sysinternals Antivirus

System Antivirus 2008

TheSpyBot (Spybot - Search & Destroy knockoff)



Total Secure 2009

Total Win 7 Security

Total Win Vista Security

Total Win XP Security


Ultra Defragger



Virus Locker


VirusProtectPro (a.k.a. AntiVirGear)

Vista Antivirus 2008

Vista Home Security 2011

Vista Internet Security 2012

Vista Security 2011

Vista Security 2012

Vista Smart Security 2010

Volcano Security Suite

Win7 Antispyware 2011

Win Antispyware Center

Win 7 Home Security 2011

WinAntiVirus Pro 2006





Windows Police Pro

Winpc Antivirus

Winpc Defender


WinWeb Security 2008

Wireshark Antivirus


XP AntiMalware

XP AntiSpyware 2009

XP AntiSpyware 2010

XP AntiSpyware 2012

XP Antivirus 2010

XP Antivirus 2012

XP Antivirus Pro 2010

XP Defender Pro

XP Home Security 2011

XP Internet Security 2010

Your PC Protector

RegClean Pro

Mark Russinovich

Mark Eugene Russinovich (born c. 1966) is a Spanish-born American software engineer who serves as CTO of Microsoft Azure. He was a cofounder of software producers Winternals before it was acquired by Microsoft in 2006.

Multimedia Class Scheduler Service

Multimedia Class Scheduler Service (MMCSS) is a Windows service that allows multimedia applications to get prioritized access to CPU for time-sensitive processing (such as multimedia applications) as well as prioritized disc access to ensure that the process is not starved of data to process. The MMCSS service monitors the CPU load and dynamically adjusts priority so that the application can use as much CPU time as possible without denying CPU to lower priority applications. MMCSS uses heuristics to determine the relative priority required for the task the thread is performing and dynamically adjusts priority based on that. A thread must invoke MMCSS explicitly to use its services by calling the AvSetMmMaxThreadCharacteristics() or AvSetMmThreadCharacteristics() APIs.

MMCSS is used by the multimedia applications in Windows Vista, including Windows Media Player and Windows Media Center to provide glitch-free audio playback.

NTFS junction point

An NTFS junction point is a symbolic link to a directory that acts as an alias of that directory. This feature of the NTFS file system offers benefits over a Windows shell shortcut (.lnk) file, such as allowing access to files within the directory via Windows Explorer, the Command Prompt, etc.

Unlike NTFS symbolic links, junction points can only link to an absolute path and only to a local volume; junction points from a local volume to a remote share are unsupported.Junction points are a type of NTFS reparse point, internally represented as a mount point. They were introduced with NTFS 3.0, the default file system for Windows 2000. The Windows 2000 and Windows 2003 Resource Kits include a program called linkd, to create junction points; Mark Russinovich of Winternals released a tool called junction which provided more complete functionality. Windows XP includes "fsutil"; Masatoshi Kimura released a filter driver for the soft/symbolic link functionality existing in Windows XP's NTFS version, to be accessible to the end user. Windows Vista, Windows Server 2008, and later operating systems include an mklink command-line utility for creating junction points.


PageDefrag is a program, developed by Sysinternals (now distributed by Microsoft), for Microsoft Windows that runs at start-up to defragment the virtual memory page file, the registry files and the Event Viewer's logs (files such as AppEvent.Evt, SysEvent.Evt, SecEvent.Evt and so on).

Defragmenting these files may improve performance. Since PageDefrag only affects a few files, it takes a relatively short time to run when compared to entire-disk defragmenters such as Windows Defrag, so long as the page file is not fragmented. If the page file is fragmented, PageDefrag can take as long or longer than Windows Defrag.

PageDefrag does not defragment the contents of the registry files, only the placement of these files on the hard drive. Other utilities such as NTREGOPT can optimize the registry files.

PageDefrag runs on Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003. Though the website erroneously says "runs on Windows XP (32-bit) and higher (32-bit), Windows Server 2003 (32-bit) and higher (32-bit)", the tool cannot defragment the pagefile on Windows Vista, Windows 7, or Server 2008; it is able to defragment registry hives on these versions. Workarounds for higher versions of Windows, including 64-bit versions, include using a BartPE disk or booting from a Windows install CD and using the provided command line interface.

Process Explorer

Process Explorer is a freeware task manager and system monitor for Microsoft Windows created by SysInternals, which has been acquired by Microsoft and re-branded as Windows Sysinternals. It provides the functionality of Windows Task Manager along with a rich set of features for collecting information about processes running on the user's system. It can be used as the first step in debugging software or system problems.

Process Explorer can be used to track down problems. For example, it provides a means to list or search for named resources that are held by a process or all processes. This can be used to track down what is holding a file open and preventing its use by another program. As another example, it can show the command lines used to start a program, allowing otherwise identical processes to be distinguished. Like Task Manager, it can show a process that is maxing out the CPU, but unlike Task Manager it can show which thread (with the callstack) is using the CPU – information that is not even available under a debugger.

Process Monitor

Process Monitor is a free tool from Windows Sysinternals, part of the Microsoft TechNet website. The tool monitors and displays in real-time all file system activity on a Microsoft Windows operating system. It combines two older tools, FileMon and RegMon and is used in system administration, computer forensics, and application debugging.

Process Monitor monitors and records all actions attempted against the Microsoft Windows Registry. Process Monitor can be used to detect failed attempts to read and write registry keys. It also allows for filtering on specific keys, processes, process IDs, and values. In addition it shows how applications use files and DLLs, detects some critical errors in system files and more.


RootkitRevealer is a proprietary freeware tool for rootkit detection on Microsoft Windows by Bryce Cogswell and Mark Russinovich. It runs on Windows XP and Windows Server 2003 (32-bit-versions only). Its output lists Windows Registry and file system API discrepancies that may indicate the presence of a rootkit. It is the same tool that triggered the Sony BMG copy protection rootkit scandal.RootkitRevealer is no longer being developed.


In computing, runas is a command in the Microsoft Windows line of operating systems that allows a user to run specific tools and programs under a different username to the one that was used to logon to a computer interactively. It is similar to the Unix commands sudo and su, but the Unix commands generally require prior configuration by the system administrator to work for a particular user and/or command.

Security Identifier

In the context of the Microsoft Windows NT line of operating systems, a Security Identifier (commonly abbreviated SID) is a unique, immutable identifier of a user, user group, or other security principal. A security principal has a single SID for life (in a given domain), and all properties of the principal, including its name, are associated with the SID. This design allows a principal to be renamed (for example, from "Jane Smith" to "Jane Jones") without affecting the security attributes of objects that refer to the principal.


Sysprep is Microsoft's System Preparation Tool for Microsoft Windows operating system deployment.


In computing, tasklist is a command available in Microsoft Windows and in the AROS shell.It is equivalent to the ps command in Unix and Unix-like operating systems and can also be compared with the Windows task manager (taskmgr).

Windows NT 4.0, Windows 98 Resource Kit, and the Windows 2000 Support Tools include the similar tlist command. Additionally, Microsoft provides the similar PsList command as part of Windows Sysinternals.

Virtual desktop

In computing, a virtual desktop is a term used with respect to user interfaces, usually within the WIMP paradigm, to describe ways in which the virtual space of a computer's desktop environment is expanded beyond the physical limits of the screen's display area through the use of software. This compensates for a limited desktop area and can also be helpful in reducing clutter. There are two major approaches to expanding the virtual area of the screen. Switchable virtual desktops allow the user to make virtual copies of their desktop view-port and switch between them, with open windows existing on single virtual desktops. Another approach is to expand the size of a single virtual screen beyond the size of the physical viewing device. Typically, scrolling/panning a subsection of the virtual desktop into view is used to navigate an oversized virtual desktop.


WinExe is a software that allows administrator users to execute commands remotely on WindowsNT/2000/XP/2003/Vista/2003/2008 systems from GNU/Linux.

WinExe is distributed as pre-built RPM packages, source code is available as well.

WinExe is analogous to the Sysinternals tool PsExec.

Windows NT 3.5

Windows NT 3.5 is an operating system developed by Microsoft, released on September 21, 1994. It is the second release of Windows NT.One of the primary goals during Windows NT 3.5 development was to improve the operating system's performance. As a result, the project was codenamed "Daytona", after the Daytona International Speedway in Daytona Beach, Florida.. Like many other older Windows versions before 1996, Microsoft stopped supporting Windows NT 3.5 on December 31, 2001. Support for Windows NT 3.51 Workstation also ended in that date


This page is based on a Wikipedia article written by authors (here).
Text is available under the CC BY-SA 3.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.