Name: NIRAV PAREKH

Branch: M.TECH-CYBER SECURITY AND INCIDENT RESPONSE (SEM-I)

Sysinternals Suit
What is Sysinternals Suit and what does it contain?

The Sysinternals utilities offer a powerful, convenient way to knock out all kinds of Windows
tasks.
Sysinternals has been around for quite some time and was acquired by Microsoft in 2006.
These are great little tools for getting some heavy-hitting Windows things done and
sometimes done better than when using the built-in tools for a task. The entire suite of
products is available free for download.
Windows Sysinternals is a part of the Microsoft TechNet website which offers technical
resources and utilities to manage, diagnose, troubleshoot, and monitor a Microsoft
Windows environment.Originally, the Sysinternals website (formerly known as ntinternals)
was created in 1996 and was operated by the company Winternals Software LP.
Here below is the screenshot of the different utilities in the Sysinternal suit.

Figure 1

Name: NIRAV PAREKH

Branch: M.TECH-CYBER SECURITY AND INCIDENT RESPONSE (SEM-I)

Understanding the Sysinternal Suit in detail:

1. Accesschk:
Accesschk is a console program. It shows which user has permissions to use the
applications. Which users are using the different services or having the access on the
services also it gives the details of the registry used by the different users and is
permissions. What are the global objects available and who can access them. Below
screenshot shows the files that has integrity level.

Figure 2

2. Accessenum:
While the flexible security model employed by Windows NT-based systems allows full
control over security and file permissions, managing permissions so that users have
appropriate access to files, directories and Registry keys can be difficult. There's no builtin way to quickly view user accesses to a tree of directories or keys. AccessEnum gives
ii

Name: NIRAV PAREKH

Branch: M.TECH-CYBER SECURITY AND INCIDENT RESPONSE (SEM-I)

you a full view of your file system and Registry security settings in seconds, making it
the ideal tool for helping you for security holes and lock down permissions where
necessary. Below is the screenshot of its usage.

Figure 3

3. Autoruns:
Simply run Autoruns and it shows you the currently configured auto-start applications as
well as the full list of Registry and file system locations available for auto-start
configuration. Autostart locations displayed by Autoruns include logon entries, Explorer
add-ons, Internet Explorer add-ons including Browser Helper Objects (BHOs), Appinit
DLLs, image hijacks, boot execute images, Winlogon notification DLLs, Windows
Services and Winsock Layered Service Providers. Switch tabs to view autostarts from
different categories.

iii

Name: NIRAV PAREKH

Branch: M.TECH-CYBER SECURITY AND INCIDENT RESPONSE (SEM-I)

Figure 4

4. Bginfo:
When you run BGInfo it shows you the appearance and content of its default desktop
background. If left untouched it will automatically apply these settings and exit after its
10 second count-down timer expires.
Selecting any button or menu item will disable the timer, allowing you to customize the
layout and content of the background information. By placing BGInfo in
your Startup folder, you can ensure that the system information being displayed is up to
date each time you boot. Once you've settled on the information to be displayed, use the
command-line option /timer:0 to update the display without showing the dialog box.

iv

Name: NIRAV PAREKH

Branch: M.TECH-CYBER SECURITY AND INCIDENT RESPONSE (SEM-I)

Figure 5

5. Clockres:
Ever wondered what the resolution of the system clock was, or perhaps the maximum
timer resolution that your application could obtain? The answer lies in a simple function
named GetSystemTimeAdjustment, and the ClockRes applet performs the function and
shows you the result. See " Inside Windows NT High Resolution Timers" for information
on increasing the resolution.

Figure 6

Name: NIRAV PAREKH

Branch: M.TECH-CYBER SECURITY AND INCIDENT RESPONSE (SEM-I)

6. Contig:
Contig is a utility that defragments a specified file or files. Use it to optimize execution of
your frequently used files. Contig is a single-file defragmenter that attempts to make files
contiguous on disk. Its perfect for quickly optimizing files that are continuously
becoming fragmented, or that you want to ensure are in as few fragments as possible.
Usage:
Contig.exe [-a] [-s] [-q] [-v] [existing file]
or Contig.exe [-f] [-q] [-v] [drive:]
or Contig.exe [-v] [-l] -n [new file] [new file length]

Figure 7

7. Coreinfo:
Coreinfo is a command-line utility that shows you the mapping between logical
processors and the physical processor, NUMA node, and socket on which they reside, as
vi

Name: NIRAV PAREKH

Branch: M.TECH-CYBER SECURITY AND INCIDENT RESPONSE (SEM-I)
well as the caches assigned to each logical processorCoreinfo is useful for gaining
insight into the processor and cache topology of your system.

Figure 8

8. Disk2vhd:
Disk2vhd is a utility that creates VHD (Virtual Hard Disk - Microsoft's Virtual Machine
disk format) versions of physical disks for use in Microsoft Virtual PC or Microsoft
Hyper-V virtual machines (VMs). The difference between Disk2vhd and other physicalto-virtual tools is that you can run Disk2vhd on a system thats online. Disk2vhd uses
Windows' Volume Snapshot capability, introduced in Windows XP, to create consistent
point-in-time snapshots of the volumes you want to include in a conversion. You can
even have Disk2vhd create the VHDs on local volumes, even ones being converted
(though performance is better when the VHD is on a disk different than ones being
converted). It will create one VHD for each disk on which selected volumes reside. It
preserves the partitioning information of the disk, but only copies the data contents for

vii

Name: NIRAV PAREKH

Branch: M.TECH-CYBER SECURITY AND INCIDENT RESPONSE (SEM-I)

volumes on the disk that are selected. This enables you to capture just system volumes
and exclude data volumes.

Figure 9

9. Diskext:
DiskExt demonstrates returns information about what disks the partitions of a volume are
located on and where on the disk the partitions are located. Information regarding the SID
of the disk partition offsets and length of the partition.

viii

Name: NIRAV PAREKH

Branch: M.TECH-CYBER SECURITY AND INCIDENT RESPONSE (SEM-I)

Figure 10

10. Hex2Dec:
You can convert hex to decimal and vice versa with this simple command-line utility.
Usage: hex2dec [hex|decimal]
Include x or 0x as the prefix of the number to specify a hexadecimal value.
e.g. To translate 1233 decimal to hexadecimal: hex2dec 1233
e.g. To translate 0x1233 decimal to hexadecimal: hex2dec 0x1233

ix

Name: NIRAV PAREKH

Branch: M.TECH-CYBER SECURITY AND INCIDENT RESPONSE (SEM-I)

Figure 11

11. Junction:
Junction not only allows you to create NTFS junctions, it allows you to see if files or
directories are actually reparse points. Reparse points are the mechanism on which NTFS
junctions are based, and they are used by Windows' Remote Storage Service (RSS), as
well as volume mount points. For example, if the directory E:\test\1.txt specified D:\test
as its target, then an application accessing E:\test\1.txt would in reality be accessing
D:\test. Directory symbolic links are known as NTFS junctions in Windows.

Figure 12

Name: NIRAV PAREKH

Branch: M.TECH-CYBER SECURITY AND INCIDENT RESPONSE (SEM-I)

12. Diskview:
DiskView shows you a graphical map of your disk, allowing you to determine where a
file is located or, by clicking on a cluster, seeing which file occupies it. Double-click to
get more information about a file to which a cluster is allocated.

Figure 13

13. ListDLLs:
ListDLLs is a utility that reports the DLLs loaded into processes. You can use it to list all
DLLs loaded into all processes, into a specific process, or to list the processes that have a
particular DLL loaded. ListDLLs can also display full version information for DLLs,
including their digital signature, and can be used to scan processes for unsigned DLLs.

xi

Name: NIRAV PAREKH

Branch: M.TECH-CYBER SECURITY AND INCIDENT RESPONSE (SEM-I)

Usage
listdlls [-r] [-v | -u] [processname|pid]
listdlls [-r] [-v] [-d dllname]

Figure 14

xii