Sysinternals Live is a service that enables you to execute Sysinternals tools directly from the Web without hunting for and manually downloading them. Simply enter a tool's Sysinternals Live path into Windows Explorer or a command prompt as https://live.sysinternals.com/<toolname> or \\live.sysinternals.com\tools\<toolname>.
You can view the entire Sysinternals Live tools directory in a browser at
What's New (November 28, 2016)
Announcing a new book, Troubleshooting with the Windows Sysinternals Tools
Become a Windows troubleshooting master and get the most out of the Sysinternals tools. Completely updated and expanded, this book by Sysinternals co-creator Mark Russinovich and Windows expert Aaron Margosis covers all the tools, with full chapters on the major tools like Process Explorer, Process Monitor, and Autoruns, and has 45 “case of the unexplained…” examples of the tools solving real-world problems.
What's New (November 18, 2016)
This major update to Sysmon, a background monitor that records activity to the event log for use in security incident detection and forensics, introduces file create and registry modification logging. These event types make it possible to configure filters that capture updates to critical system configuration as well as changes to autostart entry points used by malware.
Process Explorer v16.20
This release of Process Explorer, a powerful process management and diagnostic utility, adds reporting of process Control Flow Guard (CFG) status and dynamically updates to reflect changes to process Data Execution Prevention (DEP) configuration.
Procdump, a command-line utility that generates process dumps on demand or based on triggers that include memory, CPU, exception and performance counter thresholds, adds a -kill option that terminates a process after its dump completes rather than allowing an exception to pass to Windows Error Reporting (WER), and a -wer switch to copy dumps to the WER queue.
LiveKd, a tool that enables interactive kernel debugger analysis of a live system or virtual machine, includes a batch-mode option designed for scripted analysis that omits the prompt to re-execute LiveKd after a debugger session terminates.
What's New (August 29, 2016)
Autologon, a utility that configures Windows to automatically log on a specified user account after booting, now validates the entered credentials before accepting them.
What's New (July 29, 2016)
Sysmon, an advanced background monitor that records process-related activity to the event log for use in intrusion detection and forensics, now includes the ability to log process opens of other processes. This enables detection of hacking tools that read the memory contents of processes like Local Security Authority (Lsass.exe) in order to steal credentials for use in Pass-the-Hash attacks. It also adds a configuration switch that disables checks of Certificate Revocation List (CRL) servers for digital signature validation, preventing Sysmon-initiated network activity.
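The following Python is an added example, not part of the Sysinternals page or tools: it filters Sysmon process-access events (Event ID 10) for opens of Lsass.exe that request memory-read rights. The sample events, the allowlist entry and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PROCESS_VM_READ = 0x0010  # access right required to read another process's memory
# Hypothetical allowlist of expected readers; build yours from a host baseline.
ALLOWED_SOURCES = {r"c:\windows\system32\wbem\wmiprvse.exe"}

# Constructed events, trimmed to the fields this check uses.
TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    "<System><EventID>{eid}</EventID></System><EventData>"
    '<Data Name="SourceImage">{src}</Data>'
    '<Data Name="TargetImage">{dst}</Data>'
    '<Data Name="GrantedAccess">{acc}</Data></EventData></Event>'
)
LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLES = [
    TEMPLATE.format(eid=10, src=r"C:\Users\test\tool.exe", dst=LSASS, acc="0x1010"),
    TEMPLATE.format(eid=10, src=r"C:\Windows\System32\Taskmgr.exe", dst=LSASS, acc="0x1000"),
    TEMPLATE.format(eid=10, src=r"C:\Windows\System32\wbem\WmiPrvSE.exe", dst=LSASS, acc="0x1410"),
    TEMPLATE.format(eid=10, src=r"C:\Users\test\tool.exe", dst=r"C:\Windows\notepad.exe", acc="0x1010"),
]

def parse_event(xml_text):
    """Return (event_id, {field name: value}) for one event-log XML record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, data

def is_lsass_memory_read(xml_text):
    """True when a non-allowlisted process opened lsass.exe with PROCESS_VM_READ."""
    event_id, data = parse_event(xml_text)
    if event_id != 10:  # only ProcessAccess events are relevant
        return False
    if not data.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    if data.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return False
    try:
        access = int(data.get("GrantedAccess", "0"), 16)
    except ValueError:
        return True  # unparseable mask on an lsass open: surface it for review
    return bool(access & PROCESS_VM_READ)

def flagged_sources(events):
    """List the SourceImage of every event that the check flags."""
    return [parse_event(x)[1]["SourceImage"] for x in events if is_lsass_memory_read(x)]
```

An allowlist keyed only on image path can be satisfied by anything running from that path, so pair it with signature or hash checks where the event source provides them.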
What's New (July 4, 2016)
- Sysinternals Support for Nano Server
Over 40 of the Sysinternals tools now support Nano Server! You can download the full set by clicking on the Sysinternals Nano Server Suite on the Sysinternals suite page, and each tool that supports Nano Server reports that on its download page. The Nano versions are also compatible with 64-bit Windows and have “64.exe” as their suffix in the download files. Many of the updated tools include bug fixes as well. Check out the Channel 9 Defrag Tools episode where Mark and Andrew Mason, Program Manager for Nano Server, describe Nano Server, show how the tools work on Nano Server, and describe how the tools were ported.