The Microsoft Sysinternals Suite is a collection of free Windows utilities developed by Mark Russinovich and Bryce Cogswell, now maintained by Microsoft. These tools expose deep system internals that Windows’ built-in utilities hide or simplify to the point of uselessness. Whether you’re debugging a performance problem, hunting malware, or understanding what your system is actually doing, Sysinternals tools are essential. This guide covers the tools you’ll use most.
Getting Sysinternals
Download the complete suite as a ZIP from: https://docs.microsoft.com/sysinternals/downloads/sysinternals-suite
Or run tools directly from Microsoft’s live server without downloading:
\\live.sysinternals.com\tools\procexp.exe
You can also install via winget:
winget install Microsoft.Sysinternals.ProcessExplorer
winget install Microsoft.Sysinternals.Autoruns
Process Explorer — The Superior Task Manager
Process Explorer (procexp64.exe) is what Task Manager should be. It shows every process in a hierarchical tree, displays the DLLs and handles each process has open, and color-codes processes for instant visual triage.
Color Coding
| Color | Meaning |
|---|---|
| Purple | Packed/compressed executables |
| Red | Process is exiting |
| Green | Newly created process |
| Blue | Process run by your user |
| Pink | Services |
| Cyan | Immersive/Metro apps |
Purple processes warrant investigation — they may be packed malware or legitimate installers that haven’t extracted yet.
Checking Process Legitimacy
Right-click any process → Properties → Image tab. Check:
- Path — is it running from a legitimate directory? Malware often runs from AppData\Temp or Downloads
- Verified Signer — is the binary signed by a trusted publisher?
- VirusTotal — right-click a process → Check VirusTotal.com to instantly submit the hash
Finding DLL Usage
View → Lower Pane → DLLs shows all loaded DLLs for a selected process. This is useful for finding DLL injection and verifying that a program isn’t loading unexpected libraries.
Replacing Task Manager
Options → Replace Task Manager. Now pressing Ctrl+Shift+Esc opens Process Explorer instead of the default Task Manager. Highly recommended.
Autoruns — Complete Startup and Persistence Control
Autoruns (autoruns64.exe) shows everything that runs automatically when Windows starts or when you log in — it’s dramatically more comprehensive than Task Manager’s Startup tab.
What Autoruns Covers
Autoruns checks over 60 different persistence locations, including:
- Registry Run keys (HKLM and HKCU)
- Scheduled Tasks
- Services
- Browser extensions and toolbars
- DLL hijacking paths
- Boot execute entries
- WMI subscriptions
- Explorer shell extensions
Hunting Malware with Autoruns
Most malware persists via one of these locations. Autoruns’ killer feature is VirusTotal integration:
Options → Scan Options → Check VirusTotal.com → Scan
Autoruns submits every startup entry’s hash to VirusTotal and flags anything with detections in red. False positives are rare — a red-flagged entry almost certainly deserves investigation.
Disabling vs. Deleting Entries
Uncheck a startup entry to disable it without deleting. If your system runs fine after disabling it, right-click → Delete to permanently remove it. This is safer than editing the registry manually.
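The same VirusTotal-and-signer triage described above can be run non-interactively with the command-line version of Autoruns (autorunsc64.exe). This is an added example, not part of the original guide; it assumes autorunsc64.exe is on your PATH and that the VirusTotal terms have been accepted (-vt), and the column names are those of autorunsc's CSV output.

```powershell
# Added example (not from the original guide): scan every persistence location with
# autorunsc64.exe, verifying signatures (-s) and querying VirusTotal (-v -vt), then
# list the entries that deserve a look: VT detections or no verified signer.
# Assumes autorunsc64.exe is in $env:PATH and an elevated shell.

$out = Join-Path $env:TEMP 'autoruns.csv'

# Redirect through cmd so the file keeps autorunsc's own encoding (and BOM);
# Import-Csv then detects it correctly.  -a * = all entry types, -c = CSV,
# -h = hashes, -s = verify signatures, -v = query VirusTotal, -vt = accept VT terms.
cmd /c "autorunsc64.exe -accepteula -nobanner -a * -c -h -s -v -vt > `"$out`""

$entries = Import-Csv $out

# "VT detection" is "<hits>|<engines>", e.g. "0|73"; empty if the hash was not checked.
$flagged = $entries | Where-Object {
    $hits = 0
    if ($_.'VT detection' -match '^(\d+)\|') { $hits = [int]$matches[1] }
    ($hits -gt 0) -or ($_.Signer -notlike '(Verified)*')
}

$flagged |
    Select-Object 'Entry Location', Entry, 'Image Path', Signer, 'VT detection' |
    Sort-Object 'VT detection' -Descending |
    Format-Table -AutoSize

"{0} of {1} autostart entries flagged" -f @($flagged).Count, @($entries).Count
```

Unsigned entries are common on a developer machine, so treat the signer check as a prioritisation aid and the VT column as the strong signal, exactly as the GUI's red highlighting does.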
Process Monitor — Real-Time File and Registry Tracing
Process Monitor (procmon64.exe) captures every file system access, registry read/write, network event, and process/thread creation in real time. It’s the definitive tool for understanding what a program is actually doing.
Filtering
The raw output is overwhelming. Use Filter (Ctrl+L) to focus:
- Process Name is chrome.exe — watch only Chrome
- Operation is RegSetValue — watch only registry writes
- Path contains AppData\Temp — watch suspicious paths
Finding Configuration Files
Running Process Monitor while launching an application and filtering by that application’s name shows you exactly which files and registry keys it reads. This is invaluable for troubleshooting crashes or finding undocumented config file locations.
Diagnosing “Access Denied” Errors
Filter to Result is ACCESS DENIED to quickly identify permission problems that are silently failing in an application.
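The three filters above, plus the ACCESS DENIED check, can also be applied to a trace captured without the GUI. This is an added example, not part of the original guide; it assumes procmon64.exe is on your PATH, an elevated shell (Procmon loads a kernel driver), and uses notepad.exe as a stand-in for the application you are tracing.

```powershell
# Added example (not from the original guide): capture a Process Monitor trace
# headlessly, convert it to CSV, and apply the guide's filters offline.
# Assumes procmon64.exe is in $env:PATH; $target is a placeholder process name.

$target  = 'notepad.exe'
$pml     = Join-Path $env:TEMP 'trace.pml'
$csvPath = Join-Path $env:TEMP 'trace.csv'

# Record for 30 seconds into a backing file with no filter prompt, then stop.
& procmon64.exe /AcceptEula /Quiet /Minimized /BackingFile $pml /Runtime 30

# Convert the binary log to CSV; Procmon exits once the export is written.
& procmon64.exe /AcceptEula /OpenLog $pml /SaveAs $csvPath

# CSV columns: Time of Day, Process Name, PID, Operation, Path, Result, Detail
$events   = Import-Csv $csvPath
$byTarget = @($events | Where-Object { $_.'Process Name' -eq $target })   # "Process Name is ..."

# "Result is ACCESS DENIED": permission failures the application swallows silently
$denied = @($byTarget | Where-Object { $_.Result -eq 'ACCESS DENIED' })

# "Operation is RegSetValue": every registry value the application writes
$regWrites = @($byTarget | Where-Object { $_.Operation -eq 'RegSetValue' })

# "Path contains AppData\Temp": on disk this is AppData\Local\Temp
$tempIO = @($byTarget | Where-Object { $_.Path -like '*\AppData\Local\Temp\*' })

"{0} events from {1}: {2} access denied, {3} registry writes, {4} under AppData\Local\Temp" -f `
    $byTarget.Count, $target, $denied.Count, $regWrites.Count, $tempIO.Count

$denied | Select-Object 'Time of Day', Operation, Path | Format-Table -AutoSize
```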
TCPView — Real-Time Network Connections
TCPView (tcpview64.exe) is a live view of all TCP and UDP connections, similar to netstat -ano but with real-time updates and process names:
- Green rows — newly established connections
- Red rows — connections being closed
- Double-click any connection to see full process details
TCPView is the fastest way to answer “what is connecting to the internet right now?” Sort by Remote Address to spot unexpected outbound connections from system processes.
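The legitimacy checks from the Process Explorer section (path and verified signer) and TCPView's "what is connecting right now?" view can be combined in one script. This is an added example, not part of the original guide; it assumes Windows 8 or later (Get-NetTCPConnection) and an elevated shell so that every process's image path is readable.

```powershell
# Added example (not from the original guide): list established TCP connections with
# the owning process's image path and Authenticode signer, flagging the two conditions
# the guide calls out: images under AppData\Temp or Downloads, and unverified signers.
# Assumes an elevated PowerShell 5.1+ session on Windows 8 or later.

$suspiciousRoots = @(
    (Join-Path $env:LOCALAPPDATA 'Temp'),
    (Join-Path $env:USERPROFILE 'Downloads')
)

# Build a PID -> process map once instead of calling Get-Process per connection
$procByPid = @{}
Get-Process | ForEach-Object { $procByPid[$_.Id] = $_ }

$rows = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$)' } |   # skip loopback
    ForEach-Object {
        $proc = $procByPid[[int]$_.OwningProcess]
        $path = $proc.Path           # $null if the process exited or access is denied
        $signer = 'n/a'
        if ($path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $signer = if ($sig.Status -eq 'Valid') { "(Verified) $($sig.SignerCertificate.Subject)" }
                      else { "(Not verified) $($sig.Status)" }
        }
        $flags = @()
        if ($path -and ($suspiciousRoots | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') })) {
            $flags += 'suspicious-path'
        }
        if ($signer -notlike '(Verified)*') { $flags += 'unverified-signer' }
        [pscustomobject]@{
            Process = $proc.ProcessName
            PID     = $_.OwningProcess
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            Signer  = $signer
            Flags   = ($flags -join ',')
        }
    }

# Same triage as TCPView sorted by Remote Address, with flagged rows first
$rows | Sort-Object @{ Expression = { $_.Flags -eq '' } }, Remote |
    Format-Table Process, PID, Remote, Signer, Flags -AutoSize
```

A connection from a process with no readable path is itself worth noting: re-run the script elevated before concluding anything about it.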
RAMMap — Physical Memory Analysis
RAMMap analyzes how Windows allocates physical RAM across categories:
- Process Private — application memory
- Mapped File — file-backed memory (DLLs, data files)
- Standby — recently used, available for reuse
- Modified — dirty pages waiting to be written to disk
If your system feels slow despite having available RAM, RAMMap often reveals that most RAM is in Standby. Use Empty → Empty Standby List to flush it and see if performance improves. Chronically high Standby in specific categories can identify memory leak culprits.
ProcDump — Creating Process Dumps for Debugging
ProcDump creates memory dumps of processes for later analysis:
# Dump a process by name
procdump -ma chrome.exe chrome_dump.dmp
# Auto-dump on a sustained CPU spike (not a crash; see the flag explanation below)
procdump -ma -c 90 -s 5 -n 3 notepad.exe
# Dump LSASS (for authorized pentesting)
procdump -accepteula -ma lsass.exe lsass.dmp
The -c 90 -s 5 -n 3 flags mean: capture a dump when CPU usage exceeds 90% for 5 seconds, up to 3 times. This is perfect for catching intermittent hangs.
Strings — Extract Text from Binaries
The strings command-line tool extracts printable ASCII and Unicode strings from any file:
strings.exe suspicious.exe > output.txt
This can reveal hardcoded URLs, registry keys, error messages, and other useful artifacts without running the binary or disassembling it.
WhoIs — IP/Domain Lookup
A simple command-line WHOIS client:
whois.exe example.com
whois.exe 8.8.8.8
Useful for quickly looking up the owner of an IP address found in TCPView.
Keeping Sysinternals tools in a folder in your PATH means they’re always one command away. They’re the first thing any experienced Windows troubleshooter reaches for, and spending a few hours learning them will pay dividends for years.