Richard Diver, Microsoft Premier Field Engineer, returned to Newcastle on the evening of 25th November 2009 to give a tour of some of the SysInternals tools which are available for IT Professionals.
Below are a few notes which I jotted down during the evening:
Process Explorer
ProcExp.exe
Process Explorer can be used as a replacement for Task Manager.
Hide when minimized to always have it available.
CPU History can be viewed by opening the System Information graph.
Allows sorting of Parent/Child processes.
Enough data available to choke a whale.
The target icon can be used to find the process attached to a certain window/application.
Highlighting of processes can be found under Options -> Configure Highlighting.
Process Monitor
ProcMon.exe
Process Monitor is a real-time file, registry and process/thread activity monitor.
When in doubt, use Process Monitor.
Enhancements over Filemon/Regmon include:
- More advanced filtering
- Operation call stacks
- Boot-time logging
- Data mining views
- Process tree to see short lived processes
ProcMon can see associated files or registry settings.
If using ProcMon on another machine, you need to capture data first over a period of time, then bring it back to analyse.
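The remote-capture workflow mentioned above, as an added PowerShell example (not the speaker's or the Sysinternals project's own script): record a trace to a backing file on the machine under investigation for a fixed period, stop it cleanly, then open the saved log on the analysis machine. The tool location, output path and duration are placeholders; the command-line switches are Process Monitor's documented ones.

```powershell
# Added example: unattended Process Monitor capture for later offline analysis.
$procmon = 'C:\Tools\ProcMon.exe'     # assumed location of ProcMon.exe
$trace   = 'C:\Capture\trace.pml'     # assumed output path for the log
$seconds = 120                        # assumed capture window

New-Item -ItemType Directory -Force -Path (Split-Path $trace) | Out-Null

# Start capturing immediately with no GUI prompts. /BackingFile writes events
# to disk instead of RAM, which matters on a box you cannot sit in front of.
Start-Process -FilePath $procmon -ArgumentList @(
    '/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', "`"$trace`""
)

Start-Sleep -Seconds $seconds

# Signal the running instance to stop and flush the log to disk.
Start-Process -FilePath $procmon -ArgumentList '/Terminate' -Wait

# On the analysis machine, open the saved log and filter it there:
#   ProcMon.exe /OpenLog C:\Capture\trace.pml
```

Keep the backing file on a volume other than the one whose activity you are interested in, or exclude ProcMon's own writes with a filter, so the capture does not flood the trace with its own I/O.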
Autoruns
MsConfig.exe == Bad, don't use.
Autoruns.exe is better than MsConfig because it offers far more options to remove or disable start-up entries across many more locations.
Boot execute should be empty.
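A quick way to check the Boot Execute entries outside the Autoruns GUI, added here as an example (not part of the talk or the Sysinternals project): Autoruns reads this category from the Session Manager key's BootExecute value, whose stock Windows content is `autocheck autochk *`, so "empty" in practice means nothing beyond that default entry. The autorunsc.exe path in the comment is an assumed location.

```powershell
# Added example: list Boot Execute entries and flag anything beyond the default.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$boot = (Get-ItemProperty -Path $key -Name BootExecute).BootExecute

# 'autocheck autochk *' is the chkdsk-at-boot entry present on a clean install.
$expected   = 'autocheck autochk *'
$unexpected = @($boot | Where-Object { $_ -and ($_.Trim() -ne $expected) })

if ($unexpected.Count -eq 0) {
    Write-Output 'BootExecute holds only the default autochk entry.'
} else {
    Write-Warning 'Unexpected BootExecute entries found:'
    $unexpected | ForEach-Object { Write-Warning "  $_" }
}

# The same view from the console version of Autoruns (assumed path), exported
# as CSV with signature checks (-s) and file hashes (-h) for diffing against a
# known-good baseline; -a b restricts the output to the Boot Execute category:
#   C:\Tools\autorunsc.exe -accepteula -nobanner -a b -s -h -c > bootexec.csv
```

Exporting the CSV from a freshly built machine and diffing later captures against it turns the "should be empty" rule into a repeatable check rather than a visual inspection.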
Resources
live.sysinternals.com
http://technet.microsoft.com/en-us/sysinternals
Wikipedia Article
SysInternals Forum