Sysinternals: the Swiss Army knife for Windows Server
2025-10-13
Introduction
Sysinternals is a collection of free utilities from Microsoft, created by Mark Russinovich and Bryce Cogswell.
It helps system administrators access low-level information about Windows Server: processes, the file system, network connections, and autostart.
The suite includes more than 60 tools and is the de facto standard for troubleshooting and diagnostics.
Key features
- CPU, disk and memory performance diagnostics.
- Troubleshooting application crashes and errors.
- Security monitoring and analysis of suspicious processes.
- Remote administration via PsTools.
- Work with Active Directory and services.
Key utilities
| Utility | Purpose | Interface |
|---|---|---|
| Process Explorer | Advanced Task Manager; shows process relationships, loaded DLLs and handles. | GUI |
| Process Monitor (ProcMon) | Monitors file, registry and network operations. | GUI |
| PsTools | Remote management suite (PsExec, PsList, PsKill). | CLI |
| Autoruns | View and manage program and service autostart entries. | GUI |
| TCPView | Monitor all TCP/UDP connections and associated processes. | GUI |
| Sysmon | Logs security events and system changes. | CLI |
Practical scenarios
- Slow system boot — use Autoruns to disable unnecessary autostart items.
- “File in use” error — Handle or Process Explorer will show which process holds the file.
- High CPU load — PsList or Process Explorer can help find the source.
- Suspicious network activity — TCPView will show who is establishing connections.
- Security auditing — configure Sysmon and analyze logs in the Event Viewer.
Automation with PsTools
Sysinternals is great for automation. With PsExec you can run PowerShell scripts or CMD commands on dozens of servers at once.
For example, to restart the Windows Update service:
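An added PowerShell example (not from the original article) of the kind of PsExec automation described above: it restarts the Windows Update service on a list of servers and records a per-host result. It assumes PsExec.exe is on the PATH, the current account is a local administrator on each target, and the hostnames in `$servers` are placeholders.

```powershell
# Added example: restart the Windows Update service (wuauserv) on several servers
# with PsExec and log the outcome for each host.
# Assumptions: PsExec.exe is on PATH, the current user is a local admin on every
# target, and the hostnames below are placeholders for your own servers.
$servers = @('SRV-APP01', 'SRV-APP02', 'SRV-DB01')   # placeholder hostnames
$log     = Join-Path $env:TEMP ("psexec-wuauserv-{0}.log" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))

foreach ($srv in $servers) {
    # -accepteula suppresses the licence prompt, -n 10 gives up on unreachable hosts
    # after 10 seconds, -s runs the remote command as LocalSystem. PsExec returns the
    # exit code of the remote process, so a failed Restart-Service (which PowerShell
    # turns into a non-zero exit) is visible in $LASTEXITCODE on this side.
    & psexec.exe "\\$srv" -accepteula -n 10 -s powershell.exe -NoProfile -Command `
        "Restart-Service -Name wuauserv -ErrorAction Stop"
    $code   = $LASTEXITCODE
    $status = if ($code -eq 0) { 'OK' } else { "FAILED (exit $code)" }

    # Append one line per host so the run can be reviewed or fed to a ticket later.
    "{0} {1} {2}" -f (Get-Date -Format 's'), $srv, $status |
        Tee-Object -FilePath $log -Append
}

Write-Host "Results written to $log"
```

Each run installs the temporary PSEXESVC service on the target, which shows up in the target's System log as a service-installation event (ID 7045); that same event is what defenders watch to spot PsExec use that was not scheduled.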