Last active
October 29, 2024 15:18
-
-
Save githubfoam/d4c4f3c956f5dbdd527f330c7fa6ae78 to your computer and use it in GitHub Desktop.
sysinternals cheat sheet
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ------------------------------------------------------------------------------------------ | |
| ------------------------------------------------------------------------------------------ | |
| AccessChk - Lets you see what type of access users and groups have to files, directories, registry keys, etc. | |
| AccessEnum - Full view of your file system and registry security settings. | |
| AdExplorer - Active Directory viewer and editor. | |
| AdInsight - LDAP real-time monitoring tool used to troubleshoot Active Directory applications. | |
| AdRestore - Ability to restore deleted Active Directory objects. | |
| Autologon - Easily configure autologon mechanism. | |
| Autoruns - Displays programs that are configured to run at startup. | |
| BgInfo - Displays relevant information about the computer on the desktop, such as computer name, IP address, etc. | |
| CacheSet - An applet to manipulate the working-set parameters of the system file cache. | |
| ClockRes - Shows the resolution of the system clock. | |
| Contig - Defragments a specified file or files. | |
| Coreinfo - Shows you the mapping between logical processors and the physical processor. | |
| Ctrl2Cap - Kernel-mode device driver that filters the system's keyboard class driver. | |
| DebugView - Monitors debug output on your local system. | |
| Desktops - Allows you to organize up to four virtual desktops. | |
| Disk2vhd - Creates VHD (virtual hard disk) versions of physical disks. | |
| DiskExt - Returns information about what disks the partition of a volume is located on. | |
| DiskMon - Logs and displays all hard disk activity. | |
| DiskView - A graphical map of your hard drive. | |
| DiskUsage (DU) - Reports the disk space usage for a specified directory. | |
| EFSDump - Allows you to see who has access to encrypted files. | |
| FindLinks - Reports the file index and hard links that exist for a specified file. | |
| Handle - Displays information about open handles for any process. | |
| Hex2dec - Converts hex to decimal and vice versa. | |
| Junction - Creates junctions (symbolic links that combine directories from multiple locations). | |
| LDMDump - Let's you examine exactly what is stored in a disks copy of the system. | |
| ListDLLs - Reports the DLLs that are loaded into processes. | |
| LiveKd - Allows you to run the Kd and Windbg kernel debuggers. | |
| LoadOrder - Shows the order in which the system loads device drivers. | |
| LogonSessions - Lists currently active logon sessions. | |
| MoveFile - Dumps the content of the pending rename/delete value. | |
| NTFSInfo - Shows you information about NTFS volumes. | |
| PageDefrag - Shows you have fragmented your paging files and registry hives are. | |
| PendMoves - Dumps the content of the pending rename/delete value. | |
| PipeList - Lists the pipes. | |
| PortMon - Monitors and displays all serial and parallel port activity. | |
| ProcDump - Monitors CPU spikes. | |
| Process Explorer - Shows information about which handles and DLL processes are loaded. | |
| Process Monitor - Shows real-time file system, registry, and process/thread activity. | |
| PsExec - Allows you to execute processes on remote systems. | |
| PsGetSid - Allows you to translate SIDs to their display name and vice versa. | |
| PsInfo - Gathers key information about the local or remote system including kernel build and the amount of memory. | |
| PsPing - Implements ping functionality. | |
| PsKill - Can kill processes on local and remote systems. | |
| PsList - Displays information about processes, memory, and threads. | |
| PsLoggedOn - This shows who is using what resources on a local or remote machine. | |
| PsLogList - Allows you to login to remote systems in situations where security credentials do not permit it. | |
| PsPasswd - Allows you to change an account password on local or remote systems. | |
| PsService - A service viewer and controller for Windows. | |
| PsShutdown - Allows you to logoff the console user or lock the console among other things. | |
| PsSuspend - Allows you to suspend processes on the local or a remote system. | |
| RAMMap - A physical memory usage analysis tool to see how Windows is assigning physical memory. | |
| RegDelNull - Allows you to search for and delete registry keys. | |
| Registry Usage (RU) - Reports the registry space usage. | |
| RegJump - Opens Regedit directly to a specified registry path. | |
| RootkitRevealer - Detects rootkits. | |
| SDelete - Allows you to delete one or more files/directories or to cleanse the free space on a drive. | |
| ShareEnum - Allows you to lock down file shares. | |
| ShellRunas - Allows you to launch programs under different accounts. | |
| SigCheck - Shows file version number, timestamp, and digital signature details. | |
| Streams - Allows you to see which NTFS files have alternate streams associated with them. | |
| Strings - Searches files for a specified string. | |
| Sync - Allows you to flush all file system data to disk. | |
| TCPView - Shows detailed listings of all TCP and UDP endpoints on your system. | |
| VMMap - A process virtual and physical memory analysis tool. | |
| VolumeID - Allows you to change the IDs of FAT and NTFS disks. | |
| WhoIs - Performs a registration record for the specified domain name or IP address. | |
| WinObj - Displays information of the NT Object Manager's name space. | |
| ZoomIt - A screen zoom and annotation tool for technical presentations. | |
| ------------------------------------------------------------------------------------------ | |
| # Using PsTools to Control Other PCs from the Command Line | |
| PsExec – executes processes on a remote computer | |
| psexec \\computername -u User -p Password ipconfig | |
| psexec \\computername ipconfig | |
| psexec \\computername <options> xxx.exe <arguments> | |
| PsExec.exe \\computer net stop servicename && net start servicename | |
| psexec \\computername cmd #get command prompt | |
| psexec \\computername powershell #get command prompt | |
| psexec \\remotecomputername msiexec /x /q pathtotheMSIfile #uninstall the program | |
| psexec \\[computername or IP] -h cmd /c "c:\program files (x86)\uninstall.exe /silent" #'-h' switch for running an elevated session | |
| #Run PowerShell scripts on remote PC | |
| PsExec.exe \\<SERVER FQDN> -u <DOMAIN\USER> -p <PASSWORD> /accepteula cmd /c "powershell -noninteractive -command gci c:\" | |
| #-i option to launch process on remote in interactive mode | |
| PSExec \\RPC001 -i -u myID -p myPWD PowerShell C:\script\StartPS.ps1 par1 par2 | |
| #script in the location (c:\temp_ below on each remote server. servers.txt contains a list of IP addresses (one per line). | |
| psexec @servers.txt -u <username> cmd /c "powershell -noninteractive -file C:\temp\script.ps1" | |
| psexec \\server cmd /c "echo . | powershell script.ps1" | |
| $computerName = 'REMOTECOMPUTER' | |
| #calling the winrm.cmd batch file on a remote computer running as the SYSTEM account. | |
| #the output from that command isn’t needed, it’s silenced with 2>&1> $null | |
| psexec "\\$Computername" -s c:\windows\system32\winrm.cmd quickconfig -quiet 2&>&1> $null | |
| ------------------------------------------------------------------------------------------ | |
| psinfo \\IP | |
| ------------------------------------------------------------------------------------------ | |
| PsService.exe \\computer query servicename #the status of the service | |
| PsService.exe \\computer config servicename #view the configuration | |
| PsService.exe \\computer restart servicename | |
| PsService.exe \\computer stop servicename | |
| ------------------------------------------------------------------------------------------ | |
| SysinternalsSuite> .\PsLoggedon.exe \\pc1 -l #find user logged on a remote pc | |
| ------------------------------------------------------------------------------------------ | |
| psloglist \\workstation64 -h 24 application #List everything in the application event log on \\workstation64 from the last 24 hours | |
| PsLogList Security | More | |
| psloglist -s -x security | |
| PsLogList -i 861 Security | More #security log events with an event code of 861 | |
| psloglist -f ew #see only errors and warnings,The -f argument takes a string of letters that represent the starting letter of the event types | |
| psloglist -o "windows update agent","ntservicepack" #dump event-log records generated by the Windows Update Agent and NtServicePack sources, | |
| PsLoglist -i 861 -s -t , Security > EventListing.txt | |
| psloglist file -c #clear an event log after extracting its contents | |
| psloglist -s > events.csv start events.csv #redirect CSV-formatted PsLoglist output to a file,open that file in Excel | |
| #processing logs that contain commas in text, use the -t switch to specify a different delimiter character | |
| #the tab character is a CSV delimiter,PsLoglist to use that character | |
| psloglist -s -t \t > events.csv | |
| #aggregate event-log data from multiple computers | |
| #List the computer names (with or without the double-backslash prefix) on separate lines in a text file | |
| #append the name of that file to the @ switch | |
| psloglist @computers.txt application | |
| ------------------------------------------------------------------------------------------ | |
| #Process Explorer - Shows information about which handles and DLL processes are loaded. | |
| procexp64-Flash plug-in process-properties-Permissions #Unknown Account has permissions | |
| procexp64-Flash plug-in process-properties-Strings #ASCII strings embedded in this process,any comments the developers left | |
| ------------------------------------------------------------------------------------------ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment