One of the biggest problems for systems administrators is that they are constantly firefighting, solving problems that need an immediate response, and therefore dedicating less time to more important tasks like improving their IT infrastructure. In fact, there are studies that show that technicians spend around 80% of their time solving recurring problems, whilst just 20% of their time is dedicated to operations, improvements, etc. Here at Jotelulu, we have been thinking about how we can help sysadmins optimise their time, and we have decided that one way might be to present some of the most useful tools for Windows system administrators.
Today, we will take a look at some of the tools provided by Microsoft that are not included in Windows. These tools for system administrators can be downloaded from the Microsoft knowledge base, currently called “Microsoft Docs”, where there are lots of manuals, documents, tutorials and even tools.
The tools that we will look at today are found in “Microsoft SysInternals”, a suite of tools and aids for systems technicians created by Mark Russinovich in 1996.
Image 1: Contents of the SysInternals suite
Since we don’t have time to analyse all of them, we are going to look at 5 tools that tend to be quite useful on a daily basis. In fact, they are probably the best ones available in the entire SysInternals suite, at least we think so anyway.
The tools for system administrators that we have selected are:
- Process Explorer
- Process Monitor
- PsTools
- AccessChk
- TCPView
Process Explorer
Process Explorer is a really great tool for troubleshooting. It allows you to carry out an exhaustive analysis of system performance, finding problems that could be affecting performance, as well as helping to detect malware or viruses.
It shows all the processes running on the system, their process tree and dependencies and how much CPU and memory they are using. It also allows you to see which commands are used to start each process, the file path of the executable file and the system services linked to the process.
Just like the Task Manager, Process Explorer allows you to see resource statistics but also provides the name of the provider that created the process and a description of what it does.
Image 2: Process Explorer on Windows 10
Process Monitor
Process Monitor is the perfect complement for Process Explorer and is designed to monitor and obtain additional information about each system process to provide a clearer idea of what it does.
It allows you to see the registry keys for each program and, therefore, where its settings are stored and which are modified each time a change is made. You can also see which processes access different resources such as file systems, the local network, the internet, etc.
What makes this such a powerful and effective tool is the ability to apply filters, helping you to search for more detailed information about any process and what it is doing on the system.
Image: Process Monitor on Windows 10 and the details for a process
PsTools
PsTools is not a single application but a set of command-line utilities with a shared purpose and background: they let you work with processes in a way similar to Unix System V, in other words, using process snapshots.
There is a PowerShell equivalent for each of them, so many administrators might say that these tools are obsolete or no longer necessary. However, it is much simpler to use these commands than to achieve the same result through PowerShell, and they work exactly the same on any version of Windows.
The tools included in this pack are:
- PsExec: Allows you to run processes remotely.
- PsFile: Shows files opened remotely.
- PsGetSid: Shows the device or system SID.
- PsInfo: Shows basic but important system information.
- PsKill: Allows you to end running processes.
- PsList: Shows lists of detailed information about running processes.
- PsLoggedOn: Shows who is connected to the system and whether they are connected locally or through shared resources.
- PsLogList: Allows you to perform an event log dump.
- PsPasswd: Allows you to change passwords.
- PsPing: Measures network performance.
- PsService: Allows you to see and monitor system services.
- PsShutdown: Allows you to force a system shutdown or restart, which can be very useful when the system becomes overloaded.
- PsSuspend: Allows you to suspend a process.
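As an added example (not part of the original post or of the PsTools package), the following PowerShell script chains three of the tools above into a read-only triage pass over a single host: the process tree from PsList, the logon sessions from PsLoggedOn, and recent Security-log logon events from PsLogList saved to a CSV-style file. It assumes the PsTools folder is on PATH; the host name SERVER01 and the output folder are placeholders.

```powershell
# Added example, not from the original post or from the PsTools package.
# Read-only triage of one host with PsList, PsLoggedOn and PsLogList.
# Assumes the PsTools directory is on PATH. $Computer and $OutDir are placeholders.
param(
    [string]$Computer = 'SERVER01',        # placeholder host name
    [int]$Hours       = 24,                # event-log look-back window in hours
    [string]$OutDir   = "$env:TEMP\triage" # placeholder output folder
)

$target = "\\$Computer"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'

# 1. Process tree (-t): the same parent/child view Process Explorer shows,
#    but scriptable and usable against a remote machine.
Write-Host "== Process tree on $Computer =="
pslist -accepteula $target -t | Tee-Object -FilePath "$OutDir\$Computer-pslist-$stamp.txt"

# 2. Who is logged on, locally or through shared resources.
Write-Host "== Logon sessions on $Computer =="
psloggedon -accepteula $target | Tee-Object -FilePath "$OutDir\$Computer-psloggedon-$stamp.txt"

# 3. Security-log records from the last $Hours hours, one comma-delimited
#    record per line (-s), limited to successful logons (event ID 4624) and
#    logons with explicit credentials (event ID 4648).
Write-Host "== Logon events on $Computer (last $Hours h) =="
psloglist -accepteula $target -s -h $Hours -i 4624,4648 Security |
    Out-File -FilePath "$OutDir\$Computer-security-logons-$stamp.csv"

Write-Host "Triage output written to $OutDir"
```

Run it as an account with administrative rights on the target; every step only reads state, so it is safe to repeat during an incident and the saved files give you a timestamped record to compare against a later run.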
Image: PsList running on Windows 10
AccessChk
AccessChk allows you to check access permissions for users and user groups. You can review access to resources like files, directories, printers, Windows services, global objects or even registry keys.
It is really very simple to use. Just enter the name of a user or user group and a path, and the command will audit that account's effective permissions on the object and display them.
The AccessChk page itself provides numerous examples that can be easily applied to your own system.
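The following PowerShell script is an added example, not code from the original post or from Sysinternals. It runs AccessChk with a user group and a path, as described above, keeps only the objects that group can write to, and compares the result with a saved baseline so that anything newly writable stands out. It assumes accesschk.exe is on PATH; the group, path and baseline file are placeholders, and the "RW path" / "W path" line format it parses is the one AccessChk prints when a principal is given.

```powershell
# Added example, not from the original post or from Sysinternals.
# Audit what a principal can write to under a path and diff against a baseline.
# Assumes accesschk.exe is on PATH; $Principal, $Path and $Baseline are placeholders.
param(
    [string]$Principal = 'Users',
    [string]$Path      = 'C:\Windows\System32',
    [string]$Baseline  = "$env:ProgramData\accesschk-baseline.txt"
)

# -w : report only objects the principal can write to
# -s : recurse into subdirectories
# -u : suppress access-denied errors
# -q : omit the banner
$lines = accesschk -accepteula -w -s -u -q $Principal $Path 2>$null

# Each reported line looks like "RW C:\...\file" or "W  C:\...\file";
# keep only the path part (assumed output format).
$writable = foreach ($line in $lines) {
    if ($line -match '^\s*R?W\s+(.+)$') { $Matches[1].Trim() }
}
$writable = @($writable | Sort-Object -Unique)

if (-not (Test-Path $Baseline)) {
    # First run: record the current state as the baseline.
    $writable | Set-Content -Path $Baseline
    Write-Host "Baseline written to $Baseline ($($writable.Count) writable object(s) for '$Principal')."
    return
}

$known = @(Get-Content -Path $Baseline)
$new   = @($writable | Where-Object { $_ -notin $known })

if ($new.Count -gt 0) {
    Write-Warning "$($new.Count) object(s) under $Path newly writable by '$Principal':"
    $new
} else {
    Write-Host "No new writable objects for '$Principal' under $Path."
}
```

Run it once on a freshly configured system to capture the baseline, then on a schedule: a non-empty warning means a file, directory or other object under the path has acquired write permissions for the group since the baseline was taken, which is exactly the kind of permission drift AccessChk is meant to catch.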
Image: Checking access permissions for a user to “C:\windows\system32” with AccessChk
TCPView
TCPView is a program that allows you to see a list of all TCP and UDP connections, including local and remote connections, and the status of each one. These are the same details that you can see using “netstat” but, here, they are displayed in a slightly more user-friendly way and with a little more detail.
The download also includes “Tcpvcon”, a command-line version that lets you extract the same information and pass it on through pipes or command-line parameters. It can be really useful when used in combination with other commands and programs.
“TCPView” performs an initial scan and lists the endpoints for both TCP and UDP, showing those that are active. It also resolves IP addresses through DNS to obtain the name of the remote host and the service in use.
It also allows you to close established TCP/IP connections, which can be very useful if you suspect a security breach or some other incident. And finally, you can also save the results window to study it in detail later on.
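Because Tcpvcon can emit CSV, its output is easy to post-process. The script below is an added example, not code from the original post or from Sysinternals: it runs Tcpvcon in CSV mode, keeps only established TCP connections whose remote end is outside private address space, and groups them by owning process, which is a quick first look when you suspect an incident. It assumes tcpvcon.exe is on PATH and that the CSV columns are Protocol, Process, PID, State, Local and Remote (an assumption about the output format; check one line of your own output and adjust the header if it differs).

```powershell
# Added example, not from the original post or from Sysinternals.
# List established TCP connections to non-private addresses, grouped by process.
# Assumes tcpvcon.exe is on PATH and the CSV column order below (assumption).

# -c : CSV output, -a : all endpoints (not only established), -n : no DNS lookups
$raw = tcpvcon -accepteula -a -c -n 2>$null

# Keep only data lines (the tool prints a banner first) and parse them.
$rows = $raw |
    Where-Object { $_ -match '^(TCP|UDP)' } |
    ConvertFrom-Csv -Header Protocol,Process,PID,State,Local,Remote

function Test-PrivateEndpoint {
    # Returns $true for loopback, RFC 1918, link-local, unspecified or wildcard
    # endpoints. Endpoint strings look like "192.168.1.10:443" or "[::1]:135".
    param([string]$Endpoint)
    $addr = ($Endpoint -replace ':\d+$', '') -replace '^\[|\]$', ''
    return $addr -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|0\.0\.0\.0$|::1$|::$|fe80:|\*)'
}

$external = $rows |
    Where-Object {
        $_.Protocol -like 'TCP*' -and
        $_.State -eq 'ESTABLISHED' -and
        -not (Test-PrivateEndpoint $_.Remote)
    }

if (-not $external) {
    Write-Host 'No established TCP connections to non-private addresses.'
    return
}

# One heading per process, then its connections, so an unexpected binary
# talking to the outside world is visible at a glance.
$external | Group-Object Process, PID | Sort-Object Count -Descending | ForEach-Object {
    $first = $_.Group[0]
    Write-Host ("{0} (PID {1}): {2} external connection(s)" -f $first.Process, $first.PID, $_.Count)
    $_.Group | ForEach-Object { "    $($_.Local) -> $($_.Remote)" }
}
```

The script only reports; closing a connection you decide is unwanted is still done from the TCPView window, as described above, and the process name and PID in the report tell you which entry to look for.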
Image: Running TCPView on Windows 10
That’s all the useful tools for system administrators that we will cover today, but we will be back soon with more!
We hope that this information has been useful for you and helps you manage your Microsoft systems, whether they are servers or client devices.
See you soon!