Sysinternals Primer: TechEd 2014 Edition
Transcript of Sysinternals Primer: TechEd 2014 Edition
![Page 1: Sysinternals Primer: TechEd 2014 Edition](https://reader030.fdocuments.in/reader030/viewer/2022020314/58a01ffd1a28abdb378b53e5/html5/thumbnails/1.jpg)
![Page 2: Sysinternals Primer: TechEd 2014 Edition](https://reader030.fdocuments.in/reader030/viewer/2022020314/58a01ffd1a28abdb378b53e5/html5/thumbnails/2.jpg)
TWC: Aaron Margosis, Microsoft Cybersecurity Services
Sysinternals Primer: TechEd 2014 Edition
DCIM-B340
![Page 3: Sysinternals Primer: TechEd 2014 Edition](https://reader030.fdocuments.in/reader030/viewer/2022020314/58a01ffd1a28abdb378b53e5/html5/thumbnails/3.jpg)
Suite of around 70 systems diagnostics, troubleshooting and management tools
Started in 1996 by Mark Russinovich and Bryce Cogswell
Freeware, lightweight, single-image, xcopy-deployed
Can also execute from Web: \\live.sysinternals.com\tools\<toolname>
3 million downloads/month
Most popular tools: Process Explorer, Autoruns, Process Monitor
Authored and maintained by Mark Russinovich (Technical Fellow in Azure)
Many co-authored by Bryce Cogswell (retired in 2010)
Two tools have key contributors:
ProcDump – Andrew Richards
LiveKd – Ken Johnson
Windows Sysinternals - www.sysinternals.com
![Page 4: Sysinternals Primer: TechEd 2014 Edition](https://reader030.fdocuments.in/reader030/viewer/2022020314/58a01ffd1a28abdb378b53e5/html5/thumbnails/4.jpg)
The Sysinternals Administrator’s Reference
The official guide to the Sysinternals tools
Covers every tool, every feature, with tips
Written by Mark Russinovich and Aaron Margosis
Full chapters on the major tools: Process Explorer, Process Monitor, Autoruns
Other chapters by tool group: Security, Process, AD, Desktop, …
Case of the Unexplained
![Page 5: Sysinternals Primer: TechEd 2014 Edition](https://reader030.fdocuments.in/reader030/viewer/2022020314/58a01ffd1a28abdb378b53e5/html5/thumbnails/5.jpg)
![Page 6: Sysinternals Primer: TechEd 2014 Edition](https://reader030.fdocuments.in/reader030/viewer/2022020314/58a01ffd1a28abdb378b53e5/html5/thumbnails/6.jpg)
The Sysinternals Primer Series @ TechEd
TechEd 2010: Process Explorer, Process Monitor, PsExec
TechEd 2011: Autoruns, Disk2Vhd, ProcDump, BgInfo, AccessChk
TechEd 2012: “Gems” (Procmon tricks, nerd-out on TS sessions/winsta/desktops, LogonSessions, DU)
TechEd 2013: What’s New/Updated Since the Book
TechEd 2014: More Cool Stuff You Can Do
![Page 7: Sysinternals Primer: TechEd 2014 Edition](https://reader030.fdocuments.in/reader030/viewer/2022020314/58a01ffd1a28abdb378b53e5/html5/thumbnails/7.jpg)
More Cool Stuff for 2014…
VirusTotal integration
Output as CSV
New AccessChk features
Export to XML
“App Install Recorder”
And more…
![Page 8: Sysinternals Primer: TechEd 2014 Edition](https://reader030.fdocuments.in/reader030/viewer/2022020314/58a01ffd1a28abdb378b53e5/html5/thumbnails/8.jpg)
VirusTotal integration
![Page 9: Sysinternals Primer: TechEd 2014 Edition](https://reader030.fdocuments.in/reader030/viewer/2022020314/58a01ffd1a28abdb378b53e5/html5/thumbnails/9.jpg)
Sysinternals and VirusTotal.com
Scans files with 50+ anti-malware engines
VirusTotal APIs: hash only or file upload
User must agree to VirusTotal’s terms of service
Process Explorer: inspect running EXE/DLL files
SigCheck: inspect any files on disk
![Page 10: Sysinternals Primer: TechEd 2014 Edition](https://reader030.fdocuments.in/reader030/viewer/2022020314/58a01ffd1a28abdb378b53e5/html5/thumbnails/10.jpg)
SigCheck and VirusTotal
sigcheck ... [-v[r][s]] [-u] [-vt] <file or directory>
-v   Query VirusTotal for malware based on file hash. Add ‘r’ to open reports for files with non-zero detection. Add ‘s’ to upload file if not previously scanned by VT.
-u   When used with -v, reports files that are unknown or have non-zero detection.
-vt  Accept VT terms of service without opening web page.
![Page 11: Sysinternals Primer: TechEd 2014 Edition](https://reader030.fdocuments.in/reader030/viewer/2022020314/58a01ffd1a28abdb378b53e5/html5/thumbnails/11.jpg)
Output as CSV
![Page 12: Sysinternals Primer: TechEd 2014 Edition](https://reader030.fdocuments.in/reader030/viewer/2022020314/58a01ffd1a28abdb378b53e5/html5/thumbnails/12.jpg)
Output as CSV
-c   Comma-separated values
-ct  Tab-delimited CSV
Supported by: SigCheck, AutorunsC, DU (Disk Usage), RU (Registry Usage)
![Page 13: Sysinternals Primer: TechEd 2014 Edition](https://reader030.fdocuments.in/reader030/viewer/2022020314/58a01ffd1a28abdb378b53e5/html5/thumbnails/13.jpg)
New AccessChk Features
![Page 14: Sysinternals Primer: TechEd 2014 Edition](https://reader030.fdocuments.in/reader030/viewer/2022020314/58a01ffd1a28abdb378b53e5/html5/thumbnails/14.jpg)
New AccessChk Features
-h   SMB shares (including admin shares)
-f   Filtering “uninteresting” entities
![Page 15: Sysinternals Primer: TechEd 2014 Edition](https://reader030.fdocuments.in/reader030/viewer/2022020314/58a01ffd1a28abdb378b53e5/html5/thumbnails/15.jpg)
RpcLocator
RpcSs
RSoPProv
sacsvr
SamSs
SCardSvr
Schedule
SCPolicySvc
seclogon
SENS
SessionEnv
SharedAccess
ShellHWDetection
SNMP
  RW CONTOSO\An_Admin_Group
  RW Everyone
SNMPTRAP
AccessChk -c -w -f %filter% *
![Page 16: Sysinternals Primer: TechEd 2014 Edition](https://reader030.fdocuments.in/reader030/viewer/2022020314/58a01ffd1a28abdb378b53e5/html5/thumbnails/16.jpg)
SNMP
  DESCRIPTOR FLAGS: [SE_DACL_PRESENT] [SE_SACL_PRESENT]
  OWNER: NT AUTHORITY\SYSTEM
  [0] ACCESS_ALLOWED_ACE_TYPE: BUILTIN\Administrators
        SERVICE_ALL_ACCESS
  [1] ACCESS_ALLOWED_ACE_TYPE: CONTOSO\An_Admin_Group
        SERVICE_ALL_ACCESS
  [2] ACCESS_ALLOWED_ACE_TYPE: Everyone
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_USER_DEFINED_CONTROL
        READ_CONTROL
  [3] ACCESS_ALLOWED_ACE_TYPE: Everyone [OBJECT_INHERIT_ACE] [CONTAINER_INHERIT_ACE]
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_USER_DEFINED_CONTROL
        WRITE_DAC
        WRITE_OWNER
  [4] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
AccessChk -c -l SNMP
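The SNMP listing above is the kind of finding the -w/-f filtering is meant to surface: Everyone holds WRITE_DAC and WRITE_OWNER on the service. As an added example (not code from the deck or from Sysinternals), the Python below parses an `accesschk -c -l` listing and flags allow ACEs that give a broad principal write-class service rights; the sample text is the slide's SNMP output reflowed one ACE header per line, and that exact layout is an assumption.

```python
import re
# Constructed sample: the `accesschk -c -l SNMP` listing from the slide, reflowed
# as one ACE header per line with its rights indented below (layout assumed).
SAMPLE = r"""SNMP
  DESCRIPTOR FLAGS: [SE_DACL_PRESENT] [SE_SACL_PRESENT]
  OWNER: NT AUTHORITY\SYSTEM
  [0] ACCESS_ALLOWED_ACE_TYPE: BUILTIN\Administrators
        SERVICE_ALL_ACCESS
  [1] ACCESS_ALLOWED_ACE_TYPE: CONTOSO\An_Admin_Group
        SERVICE_ALL_ACCESS
  [2] ACCESS_ALLOWED_ACE_TYPE: Everyone
        SERVICE_QUERY_STATUS SERVICE_QUERY_CONFIG SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS SERVICE_USER_DEFINED_CONTROL READ_CONTROL
  [3] ACCESS_ALLOWED_ACE_TYPE: Everyone [OBJECT_INHERIT_ACE] [CONTAINER_INHERIT_ACE]
        SERVICE_QUERY_STATUS SERVICE_QUERY_CONFIG SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS SERVICE_USER_DEFINED_CONTROL WRITE_DAC WRITE_OWNER
  [4] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
"""
# Rights that let the holder reconfigure, re-ACL or take over the service (not just query it).
WRITE_RIGHTS = {"SERVICE_ALL_ACCESS", "SERVICE_CHANGE_CONFIG", "WRITE_DAC",
                "WRITE_OWNER", "DELETE", "GENERIC_WRITE", "GENERIC_ALL"}
# Broad principals that should hold only query-class rights on a service.
BROAD_PRINCIPALS = {"everyone", r"nt authority\authenticated users",
                    r"builtin\users", r"nt authority\interactive"}
ACE_RE = re.compile(r"^\s*\[(\d+)\]\s+(ACCESS_\w+_ACE_TYPE):\s+(.+?)((?:\s+\[[A-Z_]+\])*)\s*$")
RIGHTS_RE = re.compile(r"^\s+([A-Z][A-Z_ ]*)$")  # an indented line holding only right names

def parse_aces(text):
    """Return [(index, ace_type, principal, inherit_flags, rights)] for one service listing."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            flags = re.findall(r"\[([A-Z_]+)\]", m.group(4))
            aces.append((int(m.group(1)), m.group(2), m.group(3), flags, set()))
            continue
        r = RIGHTS_RE.match(line.rstrip())
        if r and aces:
            aces[-1][4].update(r.group(1).split())
    return aces

def find_weak_aces(text):
    """Allow ACEs granting a broad principal write-class rights, as [(principal, [rights])]."""
    findings = []
    for _, ace_type, principal, _, rights in parse_aces(text):
        risky = rights & WRITE_RIGHTS
        if ace_type == "ACCESS_ALLOWED_ACE_TYPE" and principal.lower() in BROAD_PRINCIPALS and risky:
            findings.append((principal, sorted(risky)))
    return findings
```

Run over the sample it reports only ACE [3]: Everyone with WRITE_DAC and WRITE_OWNER, while ACE [2] (query rights plus READ_CONTROL) is correctly left alone.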
![Page 17: Sysinternals Primer: TechEd 2014 Edition](https://reader030.fdocuments.in/reader030/viewer/2022020314/58a01ffd1a28abdb378b53e5/html5/thumbnails/17.jpg)
Export to XML
![Page 18: Sysinternals Primer: TechEd 2014 Edition](https://reader030.fdocuments.in/reader030/viewer/2022020314/58a01ffd1a28abdb378b53e5/html5/thumbnails/18.jpg)
Export to XML
“App Install Recorder”
![Page 19: Sysinternals Primer: TechEd 2014 Edition](https://reader030.fdocuments.in/reader030/viewer/2022020314/58a01ffd1a28abdb378b53e5/html5/thumbnails/19.jpg)
And more!
![Page 20: Sysinternals Primer: TechEd 2014 Edition](https://reader030.fdocuments.in/reader030/viewer/2022020314/58a01ffd1a28abdb378b53e5/html5/thumbnails/20.jpg)
And more!
Process Explorer
Run At Logon
PsExec 2.11
-r to specify name of service and exe
Encrypts sensitive data on the wire
PsPing 2.0
UDP latency and bandwidth testing
Timed tests
Histogram customization options
Configures necessary firewall rules
![Page 21: Sysinternals Primer: TechEd 2014 Edition](https://reader030.fdocuments.in/reader030/viewer/2022020314/58a01ffd1a28abdb378b53e5/html5/thumbnails/21.jpg)
And even more!
BgInfo
Supports Windows 8.1
Disk2Vhd 2.01
Support for disks up to 2TB
Support for VHDX-formatted VHDs
Support for WinRE volumes
Can capture removable media
Option to capture live volumes instead of using volume shadow copy
![Page 22: Sysinternals Primer: TechEd 2014 Edition](https://reader030.fdocuments.in/reader030/viewer/2022020314/58a01ffd1a28abdb378b53e5/html5/thumbnails/22.jpg)
Wrapping up…
![Page 23: Sysinternals Primer: TechEd 2014 Edition](https://reader030.fdocuments.in/reader030/viewer/2022020314/58a01ffd1a28abdb378b53e5/html5/thumbnails/23.jpg)
Sysinternals Primers @ TechEd
Process Explorer, Process Monitor, and PsExec: http://channel9.msdn.com/Events/TechEd/NorthAmerica/2010/WCL314
Autoruns, Disk2Vhd, ProcDump, BgInfo and AccessChk: http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/WCL312
"Gems": http://channel9.msdn.com/events/TechEd/Europe/2012/SIA311
What’s new/updated since the book …: http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/ATC-B313
![Page 24: Sysinternals Primer: TechEd 2014 Edition](https://reader030.fdocuments.in/reader030/viewer/2022020314/58a01ffd1a28abdb378b53e5/html5/thumbnails/24.jpg)
Sysinternals Resources
Sysinternals web site: http://www.Sysinternals.com, http://technet.microsoft.com/sysinternals
Sysinternals blog (announces updates): http://blogs.technet.com/b/sysinternals
Mark Russinovich’s blog: http://blogs.technet.com/MarkRussinovich
Windows Sysinternals Administrator’s Reference: http://www.amazon.com/Windows-Sysinternals-Administrators-Reference-Russinovich/dp/073565672X
![Page 25: Sysinternals Primer: TechEd 2014 Edition](https://reader030.fdocuments.in/reader030/viewer/2022020314/58a01ffd1a28abdb378b53e5/html5/thumbnails/25.jpg)
More Sysinternals Resources
Blog posts and utilities by Aaron Margosis: http://blogs.msdn.com/aaron_margosis, http://blogs.technet.com/fdcc
Andrew Richards’ blog & Defrag Tools on Channel 9: http://blogs.msdn.com/b/andrew_richards/, http://channel9.msdn.com/Shows/Defrag-Tools
Andrew Richards in MSDN Magazine: Writing a Plug-in for Sysinternals ProcDump v4.0: http://msdn.microsoft.com/en-us/magazine/hh580738.aspx
![Page 26: Sysinternals Primer: TechEd 2014 Edition](https://reader030.fdocuments.in/reader030/viewer/2022020314/58a01ffd1a28abdb378b53e5/html5/thumbnails/26.jpg)
Related content
DCIM-B368 TWC: Malware Hunting with Mark Russinovich and the Sysinternals Tools
WIN-B354 Case of the Unexplained: Troubleshooting with Mark Russinovich
WIN-B412 Hardcore Debugging
WIN-B413 Windows Performance Deep Dive Troubleshooting
DCIM-B359 TWC: Pass-the-Hash: How Attackers Spread and How to Stop Them
![Page 27: Sysinternals Primer: TechEd 2014 Edition](https://reader030.fdocuments.in/reader030/viewer/2022020314/58a01ffd1a28abdb378b53e5/html5/thumbnails/27.jpg)
Come Visit Us in the Microsoft Solutions Experience!
Look for Datacenter and Infrastructure Management
TechExpo Level 1 Hall CD
For More Information
Windows Server 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205286
Microsoft Azure: http://azure.microsoft.com/en-us/
System Center 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205295
Azure Pack: http://www.microsoft.com/en-us/server-cloud/products/windows-azure-pack
![Page 28: Sysinternals Primer: TechEd 2014 Edition](https://reader030.fdocuments.in/reader030/viewer/2022020314/58a01ffd1a28abdb378b53e5/html5/thumbnails/28.jpg)
Resources
Learning: Microsoft Certification & Training Resources: www.microsoft.com/learning
msdn: Resources for Developers: http://microsoft.com/msdn
TechNet: Resources for IT Professionals: http://microsoft.com/technet
Sessions on Demand: http://channel9.msdn.com/Events/TechEd
![Page 29: Sysinternals Primer: TechEd 2014 Edition](https://reader030.fdocuments.in/reader030/viewer/2022020314/58a01ffd1a28abdb378b53e5/html5/thumbnails/29.jpg)
Complete an evaluation and enter to win!
![Page 30: Sysinternals Primer: TechEd 2014 Edition](https://reader030.fdocuments.in/reader030/viewer/2022020314/58a01ffd1a28abdb378b53e5/html5/thumbnails/30.jpg)
Evaluate this session
Scan this QR code to evaluate this session.
![Page 31: Sysinternals Primer: TechEd 2014 Edition](https://reader030.fdocuments.in/reader030/viewer/2022020314/58a01ffd1a28abdb378b53e5/html5/thumbnails/31.jpg)
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.