Sysinternals Live is a service that enables you to execute Sysinternals tools directly from the Web without hunting for and manually downloading them. Simply enter a tool's Sysinternals Live path into Windows Explorer or a command prompt as https://live.sysinternals.com/<toolname> or \\live.sysinternals.com\tools\<toolname>.
You can view the entire Sysinternals Live tools directory in a browser at
What's New (July 29, 2016)
Sysmon, an advanced background monitor that records process-related activity to the event log for use in intrusion detection and forensics, now includes the ability to log process opens of other processes. This enables detection of hacking tools that read the memory contents of processes like Local Security Authority (Lsass.exe) in order to steal credentials for use in Pass-the-Hash attacks. It also adds a configuration switch that disables checks of Certificate Revocation List (CRL) servers for digital signature validation, preventing Sysmon-initiated network activity.
What's New (July 4, 2016)
- Sysinternals Support for Nano Server
Over 40 of the Sysinternals tools now support Nano Server! You can download the full set by clicking on the Sysinternals Nano Server Suite on the
Sysinternals suite page, and each tool that supports Nano Server reports that on its download page. The Nano versions are also compatible with 64-bit Windows and have “64.exe” as their suffix in the download files. Many of the updated tools include bug fixes as well. Check out the
Channel 9 Defrag Tools episode where Mark and Andrew Mason, Program Manager for Nano Server, describe Nano Server, show how the tools work on Nano Server, and describe how the tools were ported.
What's New (April 28, 2016)
This release of Sysmon, an advanced background monitor that records process-related activity to the event log for use in intrusion detection and forensics, introduces more powerful filtering capabilities, allowing for both include and exclude rules to be specified for specific events types, as well as complex matching on different event fields.
Procdump, a utility for capturing process dump files based on CPU, memory, and other triggers, has improved support for lightweight reflection dumps on Windows 7 and Windows 8, now creates a named event that can be signaled by another process to gracefully terminate it, does more intelligent default path searches for the debugging tools libraries, and makes trigger timing and repeat behaviors consistent across trigger types.
What's New (February 2, 2016)
This update to Sigcheck, a command-line utility that reports detailed information about images, including their signatures and VirusTotal status, as well as certificate stores, now reports all the signatures of images that have multiple signers.
What's New (January 4, 2016)
This update to Sigcheck, a powerful command-line utility that reports image file and signing information, as well as information on certificates, now has an option that will report any certificates installed on the system that do not chain to one of the certificates in the Microsoft certificate trust list (CTL). It also adds the ability to take image information captured from Sigcheck on a system disconnected from the Internet and obtain VirusTotal status from one that’s connected.
This release of Sysmon, a background service that logs security-relevant process and network activity to the Windows event log, now has the option of logging raw disk and volume accesses, operations commonly performed by malicious toolkits to read information by bypassing higher-level security features. Thanks to David Magnotti for the contribution.
Process Explorer v16.1
Process Explorer now includes a column in the handle view that reports the text version of handle access masks, as well as several bug fixes including one that would result in the suspension of .NET threads when viewed via the stack dialog.