Hands-on Windows Internals and Advanced Troubleshooting: 2006
Join Mark Russinovich and Dave Solomon for a 5-day hands-on seminar that takes you deep inside Windows with the Windows kernel debugger and Sysinternals tools like Process Explorer, Filemon and Regmon.
TechEd On-Demand Webcast: Windows Hang and Crash Dump Analysis
Watch the recording of Mark's top-rated TechEd session in this free webcast from Microsoft TechNet. Learn to analyze Microsoft Windows crash dumps, diagnose the cause, pinpoint a solution, and resolve the problem. Intended for system administrators, this webcast explains how system crashes occur and what happens when you reboot a crashed system. Mark leads you through the crash dump analysis process step by step, introducing the latest tools from Microsoft and handy tricks for isolating the cause of a crash.
Process Explorer v10.2
This release targets Windows Vista with new integrity level and virtualized columns as well as a signed driver for 64-bit Vista for x64 processors.
This ZoomIt update now bounds the drawing cursor so that you can't lose track of it off the screen, and it includes new context menu entries and mouse behaviors so that it's fully controllable with just a mouse.
Autoruns now includes an autostart location that's used by malware to hijack the desktop background.
Apple Hi-Res Screen Dump
Mark's first magazine article, one he published in Compute! in 1985 that describes a program he wrote to dump Apple ][ hi-resolution screen contents to Epson printers, is now online!
The Sysinternals Video Library
We're pleased to announce The Sysinternals Video Library, a set of six DVDs that cover essential Windows troubleshooting topics. Each video is personally presented by Mark Russinovich and David Solomon. The complete set is available for pre-order at a discounted price and the first video, Tour of the Sysinternals Tools, is free for download.
RootkitRevealer Top 100 Products of 2006
RootkitRevealer has earned a spot in PC World's top 100 products of the year (it might be #100, but it's still in)! We're honored to be in the company of products like the Xbox 360 and the iPod.
London Seminar Registration Reopened!
We've found a larger venue and so have reopened registration for our upcoming Windows Internals and Advanced Troubleshooting seminar in London June 26-30. Sign up now before we sell out again!
AccessChk now has an option to dump security descriptors and also has support for showing and filtering Vista object Integrity Levels.
This Handle update includes an option for not prompting on handle closes and also reports the sharing flags configured for open files.
Process Explorer v10.11
Through support from HP, Process Explorer is now available on 64-bit Windows for Itanium-based systems to support increased market demand. In addition, this release adds I/O counter columns and process statistics, system-wide and per-process I/O history graphs, memory and I/O minigraphs, service permissions editing, and support for Vista process cycle counters.
This new security utility shows you what access a user or group you specify has to files, Registry keys, or Windows services.
As a result of more field testing, ZoomIt now includes a break timer hotkey and tweaks to its drawing behavior.
This DebugView release adds support for Windows Vista and fixes a buffer overflow that could occur when the option to force carriage returns is off.
PsService now includes an option to dump service security descriptors.
ZoomIt is a presentation tool that lets you zoom the screen and move around, draw on a zoomed image, and display a fullscreen break countdown timer. Mark wrote it specifically for use during his presentations.
This new Autoruns release adds scanning of LSA security, notification, and authentication providers as well as Explorer protocol handlers and extensions.
The Sysinternals Newsletter
Another issue of the Sysinternals newsletter has gone out to update you on what's going on at Sysinternals.
Mark to Speak at Microsoft TechEd 2006
Mark is copresenting a preconference tutorial on advanced malware cleaning at TechEd US in Boston on June 12. In addition, he's delivering breakout sessions on topics including Vista kernel changes, troubleshooting with Filemon and Regmon, analyzing Windows crashes and hangs, Vista security changes, and advanced malware cleaning techniques.
Process Explorer v10.06
This major Process Explorer update has an extensive list of new features and enhancements aimed at usability and malware hunting. Just some of the examples include Runas and Run As Limited User commands, process restart, column sets, enhanced process tooltips for service-hosting and Rundll32 processes, working set breakdown columns, and DLL image verification and packed-image detection.
This new RootkitRevealer release includes more sophisticated rootkit counter-measures, scanning of all Registry hives including user profiles, and numerous bug fixes.
In response to the use of such keys by malware, RegDelNull can now unlock and delete keys that not only have embedded nulls, but that also have security permissions that make them otherwise inaccessible.
Sigcheck, a powerful command-line file version information and signature verification tool, now includes a new flag that has it only show a file's version number.
This PsExec update includes a new -l switch for use by administrative accounts to run processes with limited-user account privileges. Run a low-rights Internet Explorer before IE 7 comes out simply by creating a shortcut to launch it with the switch.
The Sony rootkit story Mark broke on Halloween in his blog has taken a major step forward.
Austin American-Statesman Profiles Mark
The major Austin daily ran a feature on Mark in the business section yesterday.
This update fixes several bugs and adds on-demand signature verification for individual items.
This version runs from Windows XP remote desktop sessions, includes a number of bug fixes, and reduces the number of false-positive discrepancies.
Inside Sony's Rootkit
Mark dives into the technical details of Sony's rootkit implementation in the December issue of Virus Bulletin, the magazine for professional anti-malware researchers (subscription required).
This version of Autoruns adds enumeration of kernel-mode drivers, yet another attack vector being used by malware.
Use this new applet to find and delete Registry keys that are "undeleteable" by standard Registry-editing utilities because they have embedded null characters in their names.
Four Sysinternals Tools Picked as Pricelessware 2006
Filemon, Regmon, Process Explorer and Autoruns have been picked as the "best of the best" by alt.comp.freeware newsgroup participants.
Sony, Rootkits and Digital Rights Management Gone Too Far
Mark's recent blog entry on his discovery and analysis of a Sony rootkit on one of his computers is getting a lot of attention, including from Slashdot and The Register.
Another Autoruns update adds print monitor DLLs and Explorer column handlers - both of which have been used by real malware - and dramatically improves scan times when image verification is selected.
This version adds support for NTFS volumes with cluster sizes larger than 4 KB.
This applet reports processor and Windows support for Physical Address Extensions and No Execute buffer overflow protection.
What do Mark and Bryce have on their new iPod nanos?
Winternals is running a special deal on the Administrator's Pak that includes a free iPod nano.
This Autoruns update supports arbitrary-length Registry and file system paths, adds a find capability to search through configured items, introduces a comparison feature to compare current autostarts with a previously saved version so that you can easily identify new additions, and knows about yet more autostart locations, including the Winlogon boot verification Registry value and Shell open hijacks.
Mark's Interview with SearchWin2000.com
In this interview Mark talks about Sysinternals, the most popular tools, and gives a brief introduction to an exciting upcoming tool.
Diskview, a utility that lets you look at the cluster allocations of a volume, now shows a summary of a file's fragments when you double-click on any of the file's clusters and the Show Next button navigates to the next fragment of a selected file.
DebugView is a developer tool that captures user-mode and kernel-mode debug output. After many user requests for the feature, DebugView now has an option to create a new log file and clear the display each day.
AccessEnum is a powerful security utility that makes it easy to spot misconfigured file and Registry security descriptors. Version 1.3 includes bug fixes, Windows XP theming, and a new file format that's compatible with Excel importing.
LiveKd, a utility that allows you to view the local system as if it were a crash dump using the standard Microsoft kernel debuggers, now supports x64 versions of Windows and includes some minor bug fixes.
This minor update has clearer error messages for when an account lacks the privileges required to run Regmon or when Regmon is already running, and it consolidates the 32-bit and 64-bit (x64) versions into a single binary.
Windows Internals Sample Chapter
If you haven't bought a copy of Windows Internals and wonder what you might be missing check out the posted sample chapter, "Chapter 4: Management Mechanisms", which covers the Registry, Services, and WMI.
Process Explorer v9.25
This release shows a real-time CPU graph in its tray icon, adds CPU graph and I/O delta columns to the process view, reports 32-bit loaded DLLs for 32-bit processes on 64-bit Windows systems, and lets you view and edit process security descriptors. It also supports Windows Vista.
Several PsTools have updates in this release: PsShutdown includes a -v switch for specifying the duration the notification dialog displays, or for omitting the dialog altogether; PsLoglist has a time formatting fix for its CSV output; PsInfo now shows full hotfix information, including IE hotfixes; and PsExec now works like Runas when you run commands on the local system, allowing you to run it from a non-administrator account and script the password entry.
Power Tools: BgInfo
Check out Mark's Power Tools column in the August issue of Windows and IT Pro Magazine for tips on getting the most out of BgInfo (subscription required for access to the article).
This minor update has clearer error messages for when an account lacks the privileges required to run Filemon or when Filemon is already running, and it consolidates the 32-bit and 64-bit (x64) versions into a single binary.