Windows Sysinternals

The Sysinternals web site was created in 1996 by Mark Russinovich to host his advanced system utilities and technical information. Whether you’re an IT Pro or a developer, you’ll find Sysinternals utilities to help you manage, troubleshoot and diagnose your Windows systems and applications.


Sysinternals Live

Sysinternals Live is a service that enables you to execute Sysinternals tools directly from the Web without hunting for and manually downloading them. Simply enter a tool's Sysinternals Live path into Windows Explorer or a command prompt as https://live.sysinternals.com/<toolname> or \\live.sysinternals.com\tools\<toolname>.

You can view the entire Sysinternals Live tools directory in a browser at https://live.sysinternals.com.

What's New

What's New (July 4, 2016)

  • Sysinternals Support for Nano Server
    Over 40 of the Sysinternals tools now support Nano Server! You can download the full set by clicking on the Sysinternals Nano Server Suite on the Sysinternals suite page, and each tool that supports Nano Server reports that on its download page. The Nano versions are also compatible with 64-bit Windows and have “64.exe” as their suffix in the download files. Many of the updated tools include bug fixes as well. Check out the Channel 9 Defrag Tools episode where Mark and Andrew Mason, Program Manager for Nano Server, describe Nano Server, show how the tools work on Nano Server, and describe how the tools were ported.

What's New (April 28, 2016)

  • Sysmon v4.0
    This release of Sysmon, an advanced background monitor that records process-related activity to the event log for use in intrusion detection and forensics, introduces more powerful filtering capabilities, allowing for both include and exclude rules to be specified for specific event types, as well as complex matching on different event fields.
  • Procdump v8.0
    Procdump, a utility for capturing process dump files based on CPU, memory, and other triggers, has improved support for lightweight reflection dumps on Windows 7 and Windows 8, now creates a named event that can be signaled by another process to gracefully terminate it, does more intelligent default path searches for the debugging tools libraries, and makes trigger timing and repeat behaviors consistent across trigger types.

What's New (February 2, 2016)

  • Sigcheck v2.5
    This update to Sigcheck, a command-line utility that reports detailed information about images, including their signatures and VirusTotal status, as well as certificate stores, now reports all the signatures of images that have multiple signers.

What's New (January 4, 2016)

  • Sigcheck v2.4
    This update to Sigcheck, a powerful command-line utility that reports image file and signing information, as well as information on certificates, now has an option that will report any certificates installed on the system that do not chain to one of the certificates in the Microsoft certificate trust list (CTL). It also adds the ability to take image information captured from Sigcheck on a system disconnected from the Internet and obtain VirusTotal status from one that’s connected.
  • Sysmon v3.2
    This release of Sysmon, a background service that logs security-relevant process and network activity to the Windows event log, now has the option of logging raw disk and volume accesses, operations commonly performed by malicious toolkits to read information by bypassing higher-level security features. Thanks to David Magnotti for the contribution.
  • Process Explorer v16.1
    Process Explorer now includes a column in the handle view that reports the text version of handle access masks, as well as several bug fixes including one that would result in the suspension of .NET threads when viewed via the stack dialog.