How to Use Sysinternals for Cyber Security

Sysinternals is a free suite of utilities for Windows that helps you manage, troubleshoot, and diagnose Windows systems and applications. While it is not limited to security-related tools, it has been growing in popularity among security professionals as a more convenient option than clumsy command-line interfaces.

You can complete almost any administrative task, from monitoring or starting processes to seeing which files and registry keys your applications access. While we’ll focus on security utilities, its tools span:

  • File and Disk Utilities
  • Network Utilities
  • Process Utilities
  • System Utilities, and more

It was developed by software engineer and cybersecurity enthusiast Mark Russinovich and purchased by Microsoft in 2006, which offers it as a freely downloadable utility for Windows. You can get it here from the official Microsoft TechNet blog.

Used correctly, it can be a great tool to augment your proactive cybersecurity procedures.

LIFARS is an industry leader that develops proactive strategies and tactics against evolving cybersecurity threats. Our services such as comprehensive gap assessment, red-teaming, penetration testing, threat hunting and vulnerability assessment reveal a company’s vulnerabilities.

With the launch of Sysinternals Live, you can run any of its tools from a browser or from the command line simply by using the path live.sysinternals.com/. This way, you can run these diagnostic tools without downloading or installing them first.

The combination of versatility and ease of use has made it a staple for administrators as well as SecOps professionals the world over. With new Windows flaws and exploits still being discovered regularly, and Windows being the most widely used computing platform, any utility that helps you harden your Windows systems’ defenses is a welcome addition.

How to Use Sysinternals?

First things first: Sysinternals includes some heavy-duty utilities that shouldn’t be used casually if you don’t know what you’re doing. Sysinternals needs and uses full administrator rights to delve into every aspect of your Windows system, including the registry.

Using the tool is as easy as downloading the .zip file (either the entire suite, sub-suites of modules, or specific modules) from Microsoft, extracting the files, and then running specific tools with admin privileges. Here is a screengrab of the unzipped folder:

[Screenshot: the unzipped Sysinternals folder]

Even the security-related utilities alone are too extensive to cover here. However, here are some of the most important tools you should be aware of and learn to use:

Process Monitor: Think of Process Monitor as an extremely powerful and advanced version of Task Manager. It not only shows you which processes are active but also records events such as registry access, file writes, and network connections. It also provides an in-depth process tree similar to Process Explorer, so that you can see exactly what each process is up to.
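Process Monitor is usually driven from its GUI, but it can also be scripted for a quick, repeatable capture. The script below is an added example, not code from the original post or from Sysinternals: it records a short trace headless, converts it to CSV, and summarises which processes wrote to autostart Registry keys or dropped executable files under user profiles. The tool location ($ToolsDir), the capture length, and the CSV column names ("Process Name", "Operation", "Path", "Result") are assumptions; the latter are Procmon's default export headers.

```powershell
# Added example (not part of the original post): record a short Process Monitor
# trace without the GUI, convert it to CSV and summarise which processes wrote
# to autostart Registry keys or dropped executable files under user profiles.
# Assumes procmon.exe is in $ToolsDir (the Sysinternals Live share
# \\live.sysinternals.com\tools works too). Run from an elevated PowerShell
# session, since Procmon loads a kernel driver to capture events.
param(
    [string]$ToolsDir = 'C:\Sysinternals',            # assumption: where the suite was extracted
    [int]$Seconds     = 60,                            # length of the capture
    [string]$WorkDir  = "$env:TEMP\procmon-triage"
)
$procmon = Join-Path $ToolsDir 'procmon.exe'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$pml = Join-Path $WorkDir 'trace.pml'
$csv = Join-Path $WorkDir 'trace.csv'

# 1. Start capturing to a backing file, minimised and without dialogs.
$capture = Start-Process -FilePath $procmon -PassThru -ArgumentList @(
    '/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', "`"$pml`""
)
Start-Sleep -Seconds $Seconds

# 2. Ask the running instance to stop, then wait until it has flushed and exited.
Start-Process -FilePath $procmon -ArgumentList '/Terminate' -Wait
Wait-Process -Id $capture.Id -ErrorAction SilentlyContinue

# 3. Convert the binary PML log to CSV; the output format follows the extension.
Start-Process -FilePath $procmon -Wait -ArgumentList @(
    '/AcceptEula', '/Quiet', '/OpenLog', "`"$pml`"", '/SaveAs', "`"$csv`""
)

# 4. Triage. Column names are Procmon's default CSV headers (assumption).
$events = Import-Csv -Path $csv
$writes = $events | Where-Object {
    $_.Result -eq 'SUCCESS' -and
    $_.Operation -in @('RegSetValue', 'RegCreateKey', 'WriteFile')
}
$flagged = $writes | Where-Object {
    ($_.Path -match '\\CurrentVersion\\Run(Once)?\\') -or
    ($_.Path -match '^[A-Z]:\\Users\\[^\\]+\\' -and $_.Path -match '\.(exe|dll|scr|ps1|vbs|js)$')
}

$flagged |
    Group-Object 'Process Name', 'Operation' |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
"Events: $($events.Count); write operations: $($writes.Count); flagged: $($flagged.Count); CSV: $csv"
```

The backing file keeps the capture off the page file, and converting with /OpenLog and /SaveAs means the same CSV can be loaded later into any tooling you already use for log review, while the PML stays available for the full Procmon GUI if something in the summary needs a closer look.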

RootkitRevealer: Sysinternals partly achieved fame for helping discover the rootkit that Sony hid on its music CDs. RootkitRevealer runs on Windows XP (32-bit) and Windows Server 2003 (32-bit). Its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit, such as AFX, Vanquish, and HackerDefender.

AccessChk: This tool shows you what access the user or group you specify has to files, Registry keys, or Windows services. You can either search for objects or groups of objects to see which users/groups have what type of access to them, or go the other way around and search for the rights and privileges of specific users/groups.

AccessEnum: This tool provides a list view of who has read, write and deny access to objects. You can use it to enumerate user rights and privileges and ensure that users only have the intended access to specific objects.
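The check both tools support, "do low-privileged users have only the access they should", is easy to automate with the command-line AccessChk. The script below is an added example, not code from the original post or from Sysinternals: it asks accesschk.exe which files, services and service Registry keys the Users, Authenticated Users and Everyone groups can write to, and prints each hit as a finding to review. The tool location ($ToolsDir), the audited principals and the directory roots are assumptions you can change; the flags used (-u, -w, -s, -q, -c, -k, -accepteula) are AccessChk's documented switches.

```powershell
# Added example (not part of the original post): audit which objects
# low-privileged principals can write to, using accesschk.exe. Write access
# for Users, Authenticated Users or Everyone to program directories, to
# service objects or to service configuration keys is something a hardened
# host should not have, so every line this prints is a finding to review.
# Assumes accesschk.exe is in $ToolsDir; run from an elevated session so
# accesschk can read every object's security descriptor.
param(
    [string]$ToolsDir = 'C:\Sysinternals',                                    # assumption
    [string[]]$Principals = @('Users', 'Authenticated Users', 'Everyone'),    # assumption
    [string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemRoot\System32")
)
$accesschk = Join-Path $ToolsDir 'accesschk.exe'

function ConvertFrom-AccessChkLine {
    param([string]$Principal, [string]$Kind)
    # With -w accesschk prints one object per line, prefixed "W " or "RW ";
    # turn each into a record and drop anything else (blank lines, notes).
    process {
        if ($_ -match '^\s*R?W\s+(.+?)\s*$') {
            [pscustomobject]@{ Principal = $Principal; Kind = $Kind; Object = $Matches[1] }
        }
    }
}

$findings = foreach ($p in $Principals) {
    # Files and directories: -u suppress errors, -w write access only,
    # -q omit banner, -s recurse into subdirectories.
    foreach ($root in ($Roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        & $accesschk -accepteula -uwqs $p $root 2>$null |
            ConvertFrom-AccessChkLine -Principal $p -Kind 'File'
    }
    # Services: -c says the name is a Windows service; '*' covers all of them.
    & $accesschk -accepteula -uwcq $p '*' 2>$null |
        ConvertFrom-AccessChkLine -Principal $p -Kind 'Service'
    # Service configuration keys: -k says the name is a Registry key.
    & $accesschk -accepteula -uwkqs $p 'HKLM\SYSTEM\CurrentControlSet\Services' 2>$null |
        ConvertFrom-AccessChkLine -Principal $p -Kind 'RegKey'
}

if (-not $findings) {
    'No write access for the audited principals found under the selected roots, services or service keys.'
} else {
    $findings | Sort-Object Kind, Principal, Object -Unique | Format-Table -AutoSize
}
```

Run it once on a freshly built machine to get a baseline, then again after software installs: a new line for a service or a directory under Program Files usually means an installer granted a broader ACL than it needed, which is exactly what AccessEnum's "ensure users only have the intended access" use case is about.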

TCPView: This tool is useful when you see unusual amounts of incoming or outgoing traffic but aren’t sure where the packets are coming from or going to. TCPView can drill down into specific TCP/UDP connections, acting almost as a GUI alternative to the command-line tool netstat.

While these will already help you gain greater visibility and exercise better control over your systems, they are only the tip of the iceberg. Other useful security utilities include:

Autoruns: View all programs that are configured to start automatically when your system boots.

SDelete: Securely overwrite your sensitive files and cleanse your free space of previously deleted files.

Sigcheck: Dump file version information and verify that images on your system are digitally signed.
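Autoruns and Sigcheck both ship with console versions (autorunsc.exe and sigcheck.exe) that make the two checks above scriptable: list every autostart entry and flag the ones that are not signed by a verified publisher, and find executables on disk that carry no digital signature at all. The script below is an added example, not code from the original post or from Sysinternals. The tool location ($ToolsDir), the scan directory, and the CSV column names ("Enabled", "Signer", "Image Path", "Verified") are assumptions; the column names are the tools' default CSV headers. The raw-byte capture helper is there because both tools write CSV to standard output and the text encoding they emit has varied between versions.

```powershell
# Added example (not part of the original post): a persistence and code-signing
# triage using the console tools autorunsc.exe and sigcheck.exe. Assumes both
# are in $ToolsDir (the Sysinternals Live share \\live.sysinternals.com\tools
# also works). Run from an elevated PowerShell session for a complete view.
param(
    [string]$ToolsDir = 'C:\Sysinternals',                  # assumption: extracted suite
    [string]$OutDir   = "$env:TEMP\sysinternals-triage",
    [string]$ScanDir  = "$env:SystemRoot\System32"          # where Sigcheck looks for unsigned images
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Invoke-ToolToFile {
    param([string]$Exe, [string[]]$Arguments, [string]$OutFile)
    # Copy the tool's stdout to a file as raw bytes. Keeping the bytes (and any
    # byte-order mark) intact lets Import-Csv decode whatever encoding the tool used.
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName = $Exe
    $psi.Arguments = ($Arguments | ForEach-Object { if ($_ -match '\s') { "`"$_`"" } else { $_ } }) -join ' '
    $psi.UseShellExecute = $false
    $psi.RedirectStandardOutput = $true
    $proc = [System.Diagnostics.Process]::Start($psi)
    $fs = [System.IO.File]::Create($OutFile)
    try { $proc.StandardOutput.BaseStream.CopyTo($fs) } finally { $fs.Dispose() }
    $proc.WaitForExit()
}

# --- Autoruns: all autostart categories (-a *), CSV (-c), verify signatures (-s),
#     hide Microsoft-signed entries (-m), include file hashes (-h).
$autorunsCsv = Join-Path $OutDir 'autoruns.csv'
Invoke-ToolToFile (Join-Path $ToolsDir 'autorunsc.exe') `
    @('-accepteula', '-nobanner', '-a', '*', '-c', '-s', '-m', '-h') $autorunsCsv
$autoruns = Import-Csv -Path $autorunsCsv

# Column names below are Autoruns' default CSV headers (assumption). An enabled
# entry whose signer is not "(Verified) ..." or whose image lives in a
# user-writable location is worth a closer look.
$suspectAutoruns = $autoruns | Where-Object {
    $_.Enabled -eq 'enabled' -and (
        $_.Signer -notmatch '^\(Verified\)' -or
        $_.'Image Path' -match '\\(Temp|Downloads|Public|ProgramData)\\'
    )
}

# --- Sigcheck: executables only (-e), recurse (-s), unsigned only (-u),
#     CSV (-c), hashes (-h). Scanning System32 recursively takes a few minutes.
$sigcheckCsv = Join-Path $OutDir 'sigcheck.csv'
Invoke-ToolToFile (Join-Path $ToolsDir 'sigcheck.exe') `
    @('-accepteula', '-nobanner', '-e', '-s', '-u', '-c', '-h', $ScanDir) $sigcheckCsv
$unsigned = Import-Csv -Path $sigcheckCsv | Where-Object { $_.Verified -ne 'Signed' }

# --- Report
"Autostart entries: $($autoruns.Count); flagged: $($suspectAutoruns.Count)"
$suspectAutoruns | Select-Object 'Entry Location', Entry, Signer, 'Image Path' | Format-Table -AutoSize
"Unsigned executables under ${ScanDir}: $($unsigned.Count)"
$unsigned | Select-Object Path, Verified | Format-Table -AutoSize
"Raw CSVs kept in $OutDir for later comparison"
```

Keeping the two CSV files per run gives you a baseline to diff against: a new autostart entry or a newly unsigned binary in System32 on a machine that was clean last week is a far stronger signal than either list read on its own.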

So, hopefully, you now have a better idea of how to use Sysinternals for cybersecurity. This suite has wide-ranging utilities that can help you with everything from assessing the security of your systems, through threat hunting, to forensic investigation after an incident has occurred. Thanks to its GUI and ease of use, it is an easy set of tools to incorporate into your daily security practices.

Sources:

Windows Sysinternals