The Schwartz Report


3 Top Tips for Sysinternals Tools

Aaron Margosis (@AaronMargosis), a self-described "Windows nerd" and an 18-year Microsoft veteran who is now a principal consultant for the company's Global Cybersecurity Practice, is one of the leading experts on Sysinternals, the set of free Windows management and troubleshooting utilities. In addition to working with key customers on various security issues, Margosis focuses on his core expertise of Windows security, least privilege, app compatibility and configuring locked-down environments, according to his bio. He also collaborated with Microsoft's Mark Russinovich on the recently updated book Troubleshooting with the Windows Sysinternals Tools, 2nd Edition (Microsoft Press).

During Margosis' presentation at this week's annual TechMentor conference in Redmond, Wash., titled "The Sysinternals Tools Can Make You Better at Your Job," he gave a deep dive into several of the more popular tools, including Autoruns, Process Monitor and Desktops. "These are valuable, lightweight tools that aren't available anywhere else," Margosis said.

Autoruns for Troubleshooting
During his presentation, Margosis showed how to use Autoruns to review everything configured to start automatically: services, drivers, scheduled tasks, logon entries and the other autostart locations. By default it hides entries that are part of Windows (the Hide Windows Entries option), and a second option, Hide Microsoft Entries, also removes other Microsoft-signed code, so troubleshooting starts from third-party entries. "The pink items are potentially suspicious," he explained. Autoruns can also verify code signatures, so you can confirm that an entry is digitally signed by its vendor, and it can check questionable entries against VirusTotal, a Web service that scans submitted files with more than 60 antivirus engines. The VirusTotal check sends file hashes; uploading unknown files is a separate option, and it hands a copy of the binary to a third party, which matters on machines that run in-house or sensitive software. "You can submit files and ask it what it thinks of this program," he said. "You can also click on links and get details."

To narrow the list to the items worth looking at, enable Hide VirusTotal Clean Entries, which leaves only the unknowns and the entries flagged by one or more antivirus engines. "So, what do you do when you find something in there you don't want on your computer?" he asked, segueing into another demo. "Right-click on the entry to go to where that item is configured, or right-click and go to the image," he said. "This goes to the actual file in Windows Explorer. Then you can right-click to delete the entry completely. When you delete it, there's no way to get it back. That might cause damage you can't undo."
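The same triage can be scripted with autorunsc.exe, the console version of Autoruns, which is useful when you want a listing you can keep and diff rather than a one-off look in the GUI. The following PowerShell is an added example, not code from the talk or the article; the install path, the output location and the CSV column names (Entry Location, Entry, Image Path, Signer, VT detection, VT permalink, as written by autorunsc's -c output) are assumptions to check against your version of the tool, and the VirusTotal switches need outbound access to virustotal.com.

```powershell
# Added example (not from the talk or the article): scripted Autoruns triage
# with autorunsc.exe, filtered in PowerShell.
# Assumptions: the install path in $Autorunsc, outbound access to VirusTotal,
# and the CSV column names used below, taken from autorunsc's -c output.
#
# Switches, from autorunsc's option list:
#   -a *       every autostart category       -c         CSV output
#   -s         verify digital signatures      -h         show file hashes
#   -m         hide Microsoft-signed entries (the GUI's Hide Microsoft Entries)
#   -v -vt     query VirusTotal by hash and accept its terms of service;
#              -v sends hashes only, whereas -vs would upload unknown files,
#              which hands a copy of the binary to a third party
#   -nobanner  suppress the banner so the first line is the CSV header
# (-u would make the tool itself keep only unknown or flagged entries, the
#  command-line equivalent of Hide VirusTotal Clean Entries; the filtering is
#  done here in PowerShell instead so the full listing survives for diffing.)

$Autorunsc = 'C:\Tools\Sysinternals\autorunsc.exe'            # assumed path
$Csv       = Join-Path $env:TEMP "autoruns-$(Get-Date -Format yyyyMMdd-HHmm).csv"

# Redirect through cmd.exe so the tool's own output encoding reaches the file
# untouched; Import-Csv honours the byte-order mark if one is written.
cmd.exe /c "`"$Autorunsc`" -accepteula -nobanner -a * -c -s -h -m -v -vt > `"$Csv`""
$rows = Import-Csv -Path $Csv

# With -s, autorunsc prefixes the signer with "(Verified)" or "(Not verified)".
# Treat anything not verified, or anything VirusTotal did not report clean
# ("0/<engines>"), as an item to look at; a hit on a signed file still counts.
$suspect = $rows | Where-Object {
    $_.Signer -notlike '(Verified)*' -or $_.'VT detection' -notmatch '^0/'
}

# Numeric sort key: detection count first, unknown-to-VirusTotal entries last.
$byDetections = {
    if ($_.'VT detection' -match '^(\d+)/') { [int]$matches[1] } else { -1 }
}

# One line per suspect entry, in the order you would work through them:
# where it is configured (so you can disable it there), what it launches,
# who signed it, and the VirusTotal verdict with a link to the report.
$suspect |
    Sort-Object -Property $byDetections -Descending |
    Select-Object 'Entry Location', 'Entry', 'Image Path', 'Signer',
                  'VT detection', 'VT permalink' |
    Format-Table -AutoSize

# The full CSV stays on disk; diffing it against a run from a known-good
# build of the same image shows exactly which autostart entries changed.
"Full listing saved to $Csv ($($rows.Count) entries, $($suspect.Count) to review)"
```

The script only reports; disabling or removing an entry is still done in the Autoruns GUI (or at the location the Entry Location column points to), which keeps the "uncheck, don't delete" choice in human hands.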

The safer thing to do is simply uncheck the questionable entry. "That will disable the thing from running, but don't delete it." Margosis then turned to Process Monitor to work through a problem he had recently hit in Office, where the white theme he had chosen occasionally reverted to the default colorful one. "The next thing I want to show you is something I was just working on last week. The 'colorful' theme is the new default for Office. It kept switching back to 'white'. The tool I decided to use for this is the Process Monitor."

Process Monitor
Process Monitor is the tool for tracking system activity in real time: it captures file system, registry, process and thread, and network events as they happen, with a call stack for each one. "This is the tool I want to use to determine what is setting the colorful theme back in place," he said. "By default, all that data is stored in the virtual memory of Process Monitor. So, there are a few different ways to run a trace for a long time."

One is backing files: instead of holding events in virtual memory, Process Monitor writes them to a file on disk and keeps appending to it. Another is history depth, which keeps only a set number of the most recent events and drops the older ones. Drop filtered events is the third: events that do not pass the current filter are discarded at capture time rather than kept in the log, so the trace stays small, at the cost that you cannot widen the filter afterwards to see what was thrown away. "And that's what I used," said Margosis. "I set the filter only looking for specific actions. I'm going to look for things happening in Excel and writing to the registry."

Margosis said he ran his trace for six hours, captured 21 events and did not bog down the system at all. "I was able to nail down exactly what happened," he said. "It was actually [a bug within] Office itself."
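A trace like the one described above can be run unattended from the command line, which is how you would leave it in place for six hours on a user's machine. The PowerShell below is an added example, not code from the talk or the article. It assumes the paths shown and a filter file exported from the Process Monitor GUI (Filter > Export Filter...) that keeps only Excel's RegSetValue operations, with Drop Filtered Events switched on before exporting; the switches used (/AcceptEula, /Quiet, /Minimized, /LoadConfig, /BackingFile, /Terminate, /OpenLog, /SaveAs, /SaveApplyFilter) are Process Monitor's documented command-line options.

```powershell
# Added example (not from the talk or the article): an unattended, long-running
# Process Monitor trace that stays lightweight the way the talk describes,
# with a backing file instead of virtual memory and a filter that drops
# everything except the events of interest.
# Assumptions: the paths below, and a filter exported from the GUI to $Filter
# that keeps only
#   Process Name is EXCEL.EXE  and  Operation is RegSetValue
# with Filter > Drop Filtered Events switched on before exporting.

$Procmon = 'C:\Tools\Sysinternals\procmon.exe'      # assumed install path
$Filter  = 'C:\Traces\excel-regsetvalue.pmc'        # assumed exported filter
$Pml     = 'C:\Traces\excel-theme.pml'
$Csv     = 'C:\Traces\excel-theme.csv'
$Hours   = 6                                        # the talk's trace length

New-Item -ItemType Directory -Force -Path (Split-Path $Pml) | Out-Null

# Start capturing, minimised and without the filter dialog, with events
# written straight to the backing file so memory use stays flat however
# long the trace runs.
Start-Process -FilePath $Procmon -ArgumentList @(
    '/AcceptEula', '/Quiet', '/Minimized',
    '/LoadConfig', "`"$Filter`"",
    '/BackingFile', "`"$Pml`""
)

Start-Sleep -Seconds ($Hours * 3600)

# /Terminate tells the running instance to stop and flush its log; then wait
# for every Procmon process (procmon.exe spawns Procmon64.exe on x64) to exit.
Start-Process -FilePath $Procmon -ArgumentList '/Terminate' -Wait
Get-Process -Name 'Procmon*' -ErrorAction SilentlyContinue | Wait-Process

# Convert the PML to CSV with the same filter applied, so the export holds
# only the kept events. Because filtered events were dropped at capture time,
# the PML cannot be widened later; widen the filter and re-trace instead.
Start-Process -FilePath $Procmon -Wait -ArgumentList @(
    '/AcceptEula', '/Quiet',
    '/LoadConfig', "`"$Filter`"",
    '/OpenLog', "`"$Pml`"",
    '/SaveAs', "`"$Csv`"",
    '/SaveApplyFilter'
)

# Tally the registry values Excel wrote. The CSV columns are Process
# Monitor's default ones (Time of Day, Process Name, PID, Operation, Path,
# Result, Detail); the path written just before each revert is the culprit.
Import-Csv -Path $Csv |
    Where-Object { $_.Operation -eq 'RegSetValue' } |
    Group-Object -Property 'Process Name', 'Path' |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name |
    Format-Table -AutoSize
```

Keeping the raw .pml alongside the CSV is worthwhile: opening it in the GUI gives the stack trace for each event, which is what tells you whether the write came from Office's own code or from an add-in loaded into the process.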

Desktops
Margosis wrapped up his presentation with a demo of the Sysinternals Desktops tool. Within a window station, Windows can host one or more desktops. Every window belongs to the desktop it was created on; windows on the same desktop can exchange messages, while windows on different desktops cannot, which is the same isolation Windows relies on when it shows a UAC prompt on its own secure desktop. Desktops creates up to four desktops and lets you switch between them with hotkeys. The theory is that you could have work on three of them and soccer on the fourth. Because the tool uses real Windows desktop objects rather than hiding and showing windows on a single desktop, the operating system itself keeps each window on the right desktop. "The Desktop tool takes care of all that," he said. "And it will not lose track of which should be hidden or shown." One caveat from the tool's documentation: there is no way to close a desktop once it has been created; it lasts until you log off.

The Sysinternals tools are one part of keeping Windows secure. At the next TechMentor conference, which takes place as a track in the annual Live! 360 event Nov. 13-17 in Orlando, MVP Sami Laiho will give an all-day workshop on securing Windows workstations, servers and domains.

Posted by Lafe Low on 08/11/2017 at 8:00 AM
