Sysinternals Primer: TechEd 2014 Edition

Feb 12, 2017

Page 1: Sysinternals Primer: TechEd 2014 Edition
Page 2: Sysinternals Primer: TechEd 2014 Edition

TWC: Aaron Margosis, Microsoft Cybersecurity Services

Sysinternals Primer: TechEd 2014 Edition

DCIM-B340

Page 3: Sysinternals Primer: TechEd 2014 Edition

Suite of around 70 systems diagnostics, troubleshooting and management tools

Started in 1996 by Mark Russinovich and Bryce Cogswell
Freeware, lightweight, single-image, xcopy-deployed
Can also execute from Web: \\live.sysinternals.com\tools\<toolname>
3 million downloads/month
Most popular tools: Process Explorer, Autoruns, Process Monitor

Authored and maintained by Mark Russinovich (Technical Fellow in Azure)

Many co-authored by Bryce Cogswell (retired in 2010)
Two tools have key contributors:

ProcDump – Andrew Richards
LiveKd – Ken Johnson

Windows Sysinternals - www.sysinternals.com

Page 4: Sysinternals Primer: TechEd 2014 Edition

The Sysinternals Administrator’s Reference
The official guide to the Sysinternals tools
Covers every tool, every feature, with tips
Written by Mark Russinovich and Aaron Margosis

Full chapters on the major tools
Process Explorer
Process Monitor
Autoruns

Other chapters by tool group
Security, Process, AD, Desktop, …

Case of the Unexplained

Page 5: Sysinternals Primer: TechEd 2014 Edition

MICROSOFT CONFIDENTIAL – INTERNAL ONLY

Page 6: Sysinternals Primer: TechEd 2014 Edition

The Sysinternals Primer Series @ TechEd
TechEd 2010

Process Explorer, Process Monitor, PsExec

TechEd 2011

Autoruns, Disk2Vhd, ProcDump, BgInfo, AccessChk

TechEd 2012

“Gems” (Procmon tricks, nerd-out on TS sessions/winsta/desktops, LogonSessions, DU)

TechEd 2013

What’s New/Updated Since the Book

TechEd 2014

More Cool Stuff You Can Do

Page 7: Sysinternals Primer: TechEd 2014 Edition

More Cool Stuff for 2014…
VirusTotal integration
Output as CSV
New AccessChk features
Export to XML
“App Install Recorder”
And more…

Page 8: Sysinternals Primer: TechEd 2014 Edition

VirusTotal integration

Page 9: Sysinternals Primer: TechEd 2014 Edition

Sysinternals and VirusTotal.com
Scans files with 50+ anti-malware engines
VirusTotal APIs
Hash only or file upload
User must agree to VirusTotal’s terms of service

Process Explorer: inspect running EXE/DLL files
SigCheck: inspect any files on disk

Page 10: Sysinternals Primer: TechEd 2014 Edition

SigCheck and VirusTotal
sigcheck ... [-v[r][s]] [-u] [-vt] <file or directory>

-v   Query VirusTotal for malware based on file hash. Add ‘r’ to open reports for files with non-zero detection. Add ‘s’ to upload file if not previously scanned by VT.
-u   When used with -v, reports files that are unknown or have non-zero detection.
-vt  Accept VT terms of service without opening web page.

Page 11: Sysinternals Primer: TechEd 2014 Edition

Output as CSV

Page 12: Sysinternals Primer: TechEd 2014 Edition

Output as CSV
-c   Comma-separated values
-ct  Tab-delimited CSV
Supported by:

SigCheck
AutorunsC
DU (Disk Usage)
RU (Registry Usage)
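The two slides above (SigCheck's -v/-u/-vt VirusTotal switches and the -c CSV output) combine naturally: run SigCheck once over a directory, redirect the CSV, and sort the rows by their VirusTotal result. The script below is an added example, not code from the deck or from the Sysinternals tools. It assumes that the CSV header SigCheck writes with -c -v contains the columns Path, Verified and VT detection, and that the detection column holds "hits/engines" or Unknown for a hash VirusTotal has never seen; the -accepteula and -s (recurse) switches are real SigCheck options the slide does not list, and the sample rows are constructed and describe no real file.

```python
"""Triage SigCheck CSV output that carries VirusTotal results (added example)."""
import csv
import io
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample of the CSV that `sigcheck -c -v` is assumed to write.
# The column names and the '<hits>/<engines>' detection format are assumptions
# about the tool's output; the rows describe no real file.  The clean row is
# included to show the classification; with -u SigCheck would omit it.
SAMPLE_CSV = (
    "Path,Verified,Date,Publisher,Company,Description,Product,"
    "Product Version,File Version,Machine Type,VT detection,VT link\n"
    "C:\\Tools\\good.exe,Signed,1:00 PM 5/1/2014,Microsoft Corporation,"
    "Microsoft Corporation,Example tool,Example,1.0,1.0,32-bit,0/52,"
    "https://www.virustotal.com/\n"
    "C:\\Tools\\odd.exe,Unsigned,2:00 PM 5/1/2014,n/a,n/a,n/a,n/a,n/a,n/a,"
    "64-bit,3/52,https://www.virustotal.com/\n"
    "C:\\Tools\\new.dll,Unsigned,3:00 PM 5/1/2014,n/a,n/a,n/a,n/a,n/a,n/a,"
    "32-bit,Unknown,\n"
)


def sigcheck_argv(target: str) -> List[str]:
    """Command line built from the switches on the slides: -c (CSV), -v (query
    VirusTotal by hash), -u (report only unknown or non-zero files), -vt (accept
    VT terms).  -accepteula and -s (recurse) are real SigCheck switches that the
    slide does not list."""
    return ["sigcheck.exe", "-accepteula", "-s", "-c", "-v", "-u", "-vt", target]


def parse_detection(value: str) -> Optional[Tuple[int, int]]:
    """'3/52' -> (3, 52); 'Unknown' (never submitted) or unparsable -> None."""
    hits, sep, total = value.strip().partition("/")
    if not sep:
        return None
    try:
        return int(hits), int(total)
    except ValueError:
        return None


def triage(csv_text: str) -> Dict[str, list]:
    """Sort rows into flagged (non-zero detections, worst first), unknown
    (VirusTotal has never seen the hash) and clean."""
    flagged, unknown, clean = [], [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row.get("Path", "")
        det = parse_detection(row.get("VT detection", ""))
        if det is None:
            unknown.append(path)
        elif det[0] > 0:
            flagged.append((path, det[0], det[1], row.get("Verified", "")))
        else:
            clean.append(path)
    flagged.sort(key=lambda r: r[1], reverse=True)
    return {"flagged": flagged, "unknown": unknown, "clean": clean}


def report(result: Dict[str, list]) -> str:
    """One line per file that deserves a look; clean files are not listed."""
    lines = []
    for path, hits, total, verified in result["flagged"]:
        lines.append(f"FLAGGED {hits}/{total} {verified:<9} {path}")
    for path in result["unknown"]:
        lines.append(f"UNKNOWN            {path}")
    return "\n".join(lines)


def load_text(path: str) -> str:
    """Sysinternals tools may write Unicode output: honour a UTF-16 BOM, else UTF-8."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8-sig", errors="replace")


if __name__ == "__main__":
    # Usage: sigcheck.exe -accepteula -s -c -v -u -vt C:\Tools > scan.csv
    #        python triage.py scan.csv      (no argument: uses the sample rows)
    text = load_text(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CSV
    print(report(triage(text)))
```

Unknown files are listed separately rather than ignored: a hash VirusTotal has never seen is exactly the case where the slide's -vs (upload) option, or a manual submission, is the next step, and it should not be lost among clean rows.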

Page 13: Sysinternals Primer: TechEd 2014 Edition

New AccessChk Features

Page 14: Sysinternals Primer: TechEd 2014 Edition

New AccessChk Features
-h   SMB Shares (including admin shares)
-f   Filtering “uninteresting” entities

Page 15: Sysinternals Primer: TechEd 2014 Edition

RpcLocator
RpcSs
RSoPProv
sacsvr
SamSs
SCardSvr
Schedule
SCPolicySvc
seclogon
SENS
SessionEnv
SharedAccess
ShellHWDetection
SNMP
  RW CONTOSO\An_Admin_Group
  RW Everyone
SNMPTRAP

AccessChk -c -w -f %filter% *

Page 16: Sysinternals Primer: TechEd 2014 Edition

SNMP
  DESCRIPTOR FLAGS:
      [SE_DACL_PRESENT]
      [SE_SACL_PRESENT]
  OWNER: NT AUTHORITY\SYSTEM
  [0] ACCESS_ALLOWED_ACE_TYPE: BUILTIN\Administrators
        SERVICE_ALL_ACCESS
  [1] ACCESS_ALLOWED_ACE_TYPE: CONTOSO\An_Admin_Group
        SERVICE_ALL_ACCESS
  [2] ACCESS_ALLOWED_ACE_TYPE: Everyone
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_USER_DEFINED_CONTROL
        READ_CONTROL
  [3] ACCESS_ALLOWED_ACE_TYPE: Everyone
        [OBJECT_INHERIT_ACE]
        [CONTAINER_INHERIT_ACE]
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_USER_DEFINED_CONTROL
        WRITE_DAC
        WRITE_OWNER
  [4] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS

AccessChk -c -l SNMP
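The two AccessChk slides make one point: the -f filter hides the expected entities (SYSTEM, Administrators) so that a service like SNMP, where Everyone holds write access, stands out, and the -l listing shows why that matters (Everyone holds WRITE_DAC and WRITE_OWNER on the service object). The script below is an added example, not part of the deck or of AccessChk, that applies the same filter idea to the detailed -l output: it parses the listing into ACEs and reports only ACEs where a broad principal holds a right that allows taking over or reconfiguring the service. It assumes the layout that accesschk -c -l prints (object name at column 0, a "[n] ACE type: principal" line per ACE, then one right or [flag] per indented line); the sample text is constructed to mirror the SNMP listing on the slide, and the sets of broad principals and dangerous rights are this example's own choices.

```python
"""Flag over-permissive service ACEs in AccessChk -l output (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed to mirror the SNMP listing on the slide; assumed output layout.
SAMPLE_OUTPUT = """\
SNMP
  DESCRIPTOR FLAGS:
      [SE_DACL_PRESENT]
      [SE_SACL_PRESENT]
  OWNER: NT AUTHORITY\\SYSTEM
  [0] ACCESS_ALLOWED_ACE_TYPE: BUILTIN\\Administrators
        SERVICE_ALL_ACCESS
  [1] ACCESS_ALLOWED_ACE_TYPE: CONTOSO\\An_Admin_Group
        SERVICE_ALL_ACCESS
  [2] ACCESS_ALLOWED_ACE_TYPE: Everyone
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_USER_DEFINED_CONTROL
        READ_CONTROL
  [3] ACCESS_ALLOWED_ACE_TYPE: Everyone
        [OBJECT_INHERIT_ACE]
        [CONTAINER_INHERIT_ACE]
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_USER_DEFINED_CONTROL
        WRITE_DAC
        WRITE_OWNER
  [4] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\\SYSTEM
        SERVICE_ALL_ACCESS
"""

# "[n] <ACE type>: <principal>" header of one ACE.
ACE_RE = re.compile(r"^\s*\[\d+\]\s+(\w+):\s+(.+?)\s*$")

# Rights that let the holder reconfigure or take ownership of the service.
# (SERVICE_CHANGE_CONFIG is a standard service right not shown on the slide.)
DANGEROUS_RIGHTS = {"SERVICE_ALL_ACCESS", "SERVICE_CHANGE_CONFIG",
                    "WRITE_DAC", "WRITE_OWNER"}

# Principals whose write access is "interesting"; like accesschk -f, the
# expected entities (SYSTEM, Administrators, admin groups) are left out.
BROAD_PRINCIPALS = {"everyone", "nt authority\\authenticated users",
                    "builtin\\users", "nt authority\\interactive"}


def parse_accesschk_l(text: str) -> Dict[str, List[dict]]:
    """Map each listed object to its ACEs: {type, principal, rights, flags}."""
    objects: Dict[str, List[dict]] = {}
    current = None
    ace = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():            # new object at column 0
            current = raw.strip()
            objects[current] = []
            ace = None
            continue
        m = ACE_RE.match(raw)
        if m and current is not None:       # start of an ACE
            ace = {"type": m.group(1), "principal": m.group(2),
                   "rights": set(), "flags": set()}
            objects[current].append(ace)
            continue
        if ace is None:                     # DESCRIPTOR FLAGS / OWNER lines
            continue
        token = raw.strip()
        if token.startswith("["):           # inheritance flags, e.g. [OBJECT_INHERIT_ACE]
            ace["flags"].add(token.strip("[]"))
        else:                               # one access right per line
            ace["rights"].add(token)
    return objects


def find_weak_aces(objects: Dict[str, List[dict]],
                   broad=BROAD_PRINCIPALS,
                   dangerous=DANGEROUS_RIGHTS) -> List[Tuple[str, str, List[str]]]:
    """Allow-ACEs granting a dangerous right to a broad principal; read-only
    ACEs (like the slide's ACE [2]) are not reported."""
    findings = []
    for name, aces in objects.items():
        for ace in aces:
            if ace["type"] != "ACCESS_ALLOWED_ACE_TYPE":
                continue
            if ace["principal"].lower() not in broad:
                continue
            hit = sorted(ace["rights"] & dangerous)
            if hit:
                findings.append((name, ace["principal"], hit))
    return findings


if __name__ == "__main__":
    # Usage: accesschk -accepteula -c -l SNMP > snmp.txt, then feed that file
    # here; with no argument the constructed sample is used.
    import sys
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    for obj, who, rights in find_weak_aces(parse_accesschk_l(text)):
        print(f"{obj}: {who} holds {', '.join(rights)}")
```

On the sample this prints one line, SNMP: Everyone holds WRITE_DAC, WRITE_OWNER, which is the finding the slide's -f filtered run surfaced as "RW Everyone"; ACE [2], where Everyone holds only query rights, is correctly left out.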

Page 17: Sysinternals Primer: TechEd 2014 Edition

Export to XML

Page 18: Sysinternals Primer: TechEd 2014 Edition

Export to XML “App Install Recorder”

Page 19: Sysinternals Primer: TechEd 2014 Edition

And more!

Page 20: Sysinternals Primer: TechEd 2014 Edition

And more!
Process Explorer
Run At Logon

PsExec 2.11
-r to specify name of service and exe
Encrypts sensitive data on the wire

PsPing 2.0
UDP latency and bandwidth testing
Timed tests
Histogram customization options
Configures necessary firewall rules

Page 21: Sysinternals Primer: TechEd 2014 Edition

And even more!
BgInfo
Supports Windows 8.1

Disk2Vhd 2.01
Support for disks up to 2TB
Support for VHDX-formatted VHDs
Support for WinRE volumes
Can capture removable media
Option to capture live volumes instead of using volume shadow copy

Page 22: Sysinternals Primer: TechEd 2014 Edition

Wrapping up…

Page 23: Sysinternals Primer: TechEd 2014 Edition

Sysinternals Primers @ TechEd
Process Explorer, Process Monitor, and PsExec
http://channel9.msdn.com/Events/TechEd/NorthAmerica/2010/WCL314

Autoruns, Disk2Vhd, ProcDump, BgInfo and AccessChk
http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/WCL312

"Gems"
http://channel9.msdn.com/events/TechEd/Europe/2012/SIA311

What’s new/updated since the book …
http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/ATC-B313

Page 24: Sysinternals Primer: TechEd 2014 Edition

Sysinternals Resources
Sysinternals web site
http://www.Sysinternals.com
http://technet.microsoft.com/sysinternals

Sysinternals blog (announces updates)
http://blogs.technet.com/b/sysinternals

Mark Russinovich’s blog:
http://blogs.technet.com/MarkRussinovich

Windows Sysinternals Administrator’s Reference
http://www.amazon.com/Windows-Sysinternals-Administrators-Reference-Russinovich/dp/073565672X

Page 25: Sysinternals Primer: TechEd 2014 Edition

More Sysinternals Resources
Blog posts and utilities by Aaron Margosis
http://blogs.msdn.com/aaron_margosis
http://blogs.technet.com/fdcc

Andrew Richards’ blog & Defrag Tools on Channel 9
http://blogs.msdn.com/b/andrew_richards/
http://channel9.msdn.com/Shows/Defrag-Tools

Andrew Richards in MSDN Magazine: Writing a Plug-in for Sysinternals ProcDump v4.0
http://msdn.microsoft.com/en-us/magazine/hh580738.aspx

Page 26: Sysinternals Primer: TechEd 2014 Edition

Related content

DCIM-B368 TWC: Malware Hunting with Mark Russinovich and the Sysinternals Tools
WIN-B354 Case of the Unexplained: Troubleshooting with Mark Russinovich
WIN-B412 Hardcore Debugging
WIN-B413 Windows Performance Deep Dive Troubleshooting
DCIM-B359 TWC: Pass-the-Hash: How Attackers Spread and How to Stop Them

Page 27: Sysinternals Primer: TechEd 2014 Edition

Come Visit Us in the Microsoft Solutions Experience!
Look for Datacenter and Infrastructure Management

TechExpo Level 1 Hall CD

For More Information
Windows Server 2012 R2
http://technet.microsoft.com/en-US/evalcenter/dn205286

Microsoft Azure
http://azure.microsoft.com/en-us/

System Center 2012 R2
http://technet.microsoft.com/en-US/evalcenter/dn205295

Azure Pack
http://www.microsoft.com/en-us/server-cloud/products/windows-azure-pack

Page 28: Sysinternals Primer: TechEd 2014 Edition

Resources
Learning
Microsoft Certification & Training Resources
www.microsoft.com/learning

msdn
Resources for Developers
http://microsoft.com/msdn

TechNet
Resources for IT Professionals
http://microsoft.com/technet

Sessions on Demand
http://channel9.msdn.com/Events/TechEd

Page 29: Sysinternals Primer: TechEd 2014 Edition

Complete an evaluation and enter to win!

Page 30: Sysinternals Primer: TechEd 2014 Edition

Evaluate this session

Scan this QR code to evaluate this session.

Page 31: Sysinternals Primer: TechEd 2014 Edition

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.