Sysinternals Live is a service that enables you to execute Sysinternals tools directly from the Web without hunting for and manually downloading them. Simply enter a tool's Sysinternals Live path into Windows Explorer or a command prompt as https://live.sysinternals.com/<toolname> or \\live.sysinternals.com\tools\<toolname>.
You can view the entire Sysinternals Live tools directory in a browser at
What's New (April 28, 2016)
This release of Sysmon, an advanced background monitor that records process-related activity to the event log for use in intrusion detection and forensics, introduces more powerful filtering capabilities, allowing for both include and exclude rules to be specified for specific events types, as well as complex matching on different event fields.
Procdump, a utility for capturing process dump files based on CPU, memory, and other triggers, has improved support for lightweight reflection dumps on Windows 7 and Windows 8, now creates a named event that can be signaled by another process to gracefully terminate it, does more intelligent default path searches for the debugging tools libraries, and makes trigger timing and repeat behaviors consistent across trigger types.
What's New (February 2, 2016)
This update to Sigcheck, a command-line utility that reports detailed information about images, including their signatures and VirusTotal status, as well as certificate stores, now reports all the signatures of images that have multiple signers.
What's New (January 4, 2016)
This update to Sigcheck, a powerful command-line utility that reports image file and signing information, as well as information on certificates, now has an option that will report any certificates installed on the system that do not chain to one of the certificates in the Microsoft certificate trust list (CTL). It also adds the ability to take image information captured from Sigcheck on a system disconnected from the Internet and obtain VirusTotal status from one that’s connected.
This release of Sysmon, a background service that logs security-relevant process and network activity to the Windows event log, now has the option of logging raw disk and volume accesses, operations commonly performed by malicious toolkits to read information by bypassing higher-level security features. Thanks to David Magnotti for the contribution.
Process Explorer v16.1
Process Explorer now includes a column in the handle view that reports the text version of handle access masks, as well as several bug fixes including one that would result in the suspension of .NET threads when viewed via the stack dialog.
What's New (October 26, 2015)
This update to Autoruns, the most comprehensive autostart viewer and manager available for Windows, now shows 32-bit Office addins and font drivers, and enables resubmission of known images to Virus Total for a new scan.
Sigcheck, a command-line utility for displaying detailed file version information, image signing status, catalog and certificate store contents, includes updated Windows 10 certificate OIDs, support for checking corresponding MUI (internationalization strings) files for more accurate version data, and now shows the version company name as well as signature publisher for signed files.