[General]
Name=Sysinternals Suite
GroupCount=7
SoftwareCount=87

[Group0]
Name=All Utilities
ShowAll=1

[Group1]
Name=File and Disk Utilities

[Group2]
Name=Networking Utilities

[Group3]
Name=Process Utilities

[Group4]
Name=Security Utilities

[Group5]
Name=System Information Utilities

[Group6]
Name=Miscellaneous Utilities

[Software0]
exe=accesschk.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk
exe64=accesschk64.exe
group=4
Name=AccessChk
ShortDesc=Shows accesses the user or group has to files, Registry keys or Windows services
LongDesc=As a part of ensuring that they've created a secure environment, Windows administrators often need to know what kind of accesses specific users or groups have to resources including files, directories, Registry keys, global objects and Windows services. AccessChk quickly answers these questions with an intuitive interface and output.

[Software1]
exe=AccessEnum.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/accessenum
exe64=
group=4
Name=AccessEnum
ShortDesc=Shows who has what access to directories, files and Registry keys on your systems
LongDesc=While the flexible security model employed by Windows NT-based systems allows full control over security and file permissions, managing permissions so that users have appropriate access to files, directories and Registry keys can be difficult. AccessEnum gives you a full view of your file system and Registry security settings in seconds, making it the ideal tool for helping you find security holes and lock down permissions where necessary.

[Software2]
exe=accvio.exe
help=
exe64=
url=
group=6
Name=Accvio
ShortDesc=
LongDesc=

[Software3]
exe=ADExplorer.exe
help=AdExplorer.chm
url=https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer
exe64=
group=2
Name=ADExplorer
ShortDesc=Advanced Active Directory (AD) viewer and editor
LongDesc=Active Directory Explorer (AD Explorer) is an advanced Active Directory (AD) viewer and editor. You can use AD Explorer to easily navigate an AD database, define favorite locations, view object properties and attributes without having to open dialog boxes, edit permissions, view an object's schema, and execute sophisticated searches that you can save and re-execute. AD Explorer also includes the ability to save snapshots of an AD database for off-line viewing and comparisons. When you load a saved snapshot, you can navigate and explore it as you would a live database. If you have two snapshots of an AD database you can use AD Explorer's comparison functionality to see what objects, attributes and security permissions changed between them.

[Software4]
exe=ADInsight.exe
help=ADInsight.chm
url=https://docs.microsoft.com/en-us/sysinternals/downloads/adinsight
exe64=
group=2
Name=ADInsight
ShortDesc=LDAP (Light-weight Directory Access Protocol) real-time monitoring tool
LongDesc=ADInsight is an LDAP (Light-weight Directory Access Protocol) real-time monitoring tool aimed at troubleshooting Active Directory client applications. Use its detailed tracing of Active Directory client-server communications to solve Windows authentication, Exchange, DNS, and other problems.

[Software5]
exe=adrestore.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/adrestore
exe64=
group=2
Name=ADRestore
ShortDesc=Undeletes Server 2003 Active Directory objects
LongDesc=Windows Server 2003 introduces the ability to restore deleted ("tombstoned") objects. This simple command-line utility enumerates the deleted objects in a domain and gives you the option of restoring each one.

[Software6]
exe=Autologon.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/autologon
exe64=
group=4
Name=Autologon
ShortDesc=Bypasses password screen during logon
LongDesc=Autologon enables you to easily configure Windows' built-in autologon mechanism. Instead of waiting for a user to enter their name and password, Windows uses the credentials you enter with Autologon, which are encrypted in the Registry, to log on the specified user automatically.

[Software7]
exe=Autoruns.exe
help=Autoruns.chm
url=https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
exe64=Autoruns64.exe
group=5
Name=Autoruns
ShortDesc=Shows what programs are configured to run during system bootup or login
LongDesc=This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them. These programs include ones in your startup folder, Run, RunOnce, and other Registry keys. You can configure Autoruns to show other locations, including Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond the MSConfig utility bundled with Windows Me and XP.

[Software8]
exe=AutorunsC.exe
help=Autoruns.chm
url=https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
exe64=AutorunsC64.exe
group=5
Name=Autoruns Command-line
ShortDesc=Shows what programs are configured to run during system bootup or login. Command-line version
LongDesc=This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them. These programs include ones in your startup folder, Run, RunOnce, and other Registry keys. You can configure Autoruns to show other locations, including Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond the MSConfig utility bundled with Windows Me and XP.

[Software9]
exe=Bginfo.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/bginfo
exe64=
group=6
Name=BGInfo
ShortDesc=Displays relevant information about a Windows computer on the desktop background
LongDesc=How many times have you walked up to a system in your office and needed to click through several diagnostic windows to remind yourself of important aspects of its configuration, such as its name, IP address, or operating system version? If you manage multiple computers you probably need BGInfo. It automatically displays relevant information about a Windows computer on the desktop's background, such as the computer name, IP address, service pack version, and more. You can edit any field as well as the font and background colors, and can place it in your startup folder so that it runs every boot, or even configure it to display as the background for the logon screen.

[Software10]
exe=Cacheset.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/cacheset
exe64=
group=1
Name=CacheSet
ShortDesc=Allows you to control the Cache Manager's working set size
LongDesc=CacheSet is an applet that allows you to manipulate the working-set parameters of the system file cache. Unlike CacheMan, CacheSet runs on all versions of NT and will work without modifications on new Service Pack releases. In addition to providing you the ability to control the minimum and maximum working set sizes, it also allows you to reset the Cache's working set, forcing it to grow as necessary from a minimal starting point. Also unlike CacheMan, changes made with CacheSet have an immediate effect on the size of the Cache.

[Software11]
exe=Clockres.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/clockres
exe64=Clockres64.exe
group=5
Name=ClockRes
ShortDesc=Views resolution of the system clock
LongDesc=Ever wondered what the resolution of the system clock was, or perhaps the maximum timer resolution that your application could obtain? The answer lies in a simple function named GetSystemTimeAdjustment, and the ClockRes applet performs the function and shows you the result.

[Software12]
exe=Contig.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/contig
exe64=Contig64.exe
group=1
Name=Contig
ShortDesc=Optimizes individual files or creates new files that are contiguous
LongDesc=Contig is a single-file defragmenter that attempts to make files contiguous on disk. It's perfect for quickly optimizing files that are continuously becoming fragmented, or that you want to ensure are in as few fragments as possible. Contig can be used to defrag an existing file, or to create a new file of a specified size and name, optimizing its placement on disk. Contig uses standard Windows defragmentation APIs so it won't cause disk corruption, even if you terminate it while it's running.

[Software13]
exe=Coreinfo.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/coreinfo
exe64=Coreinfo64a.exe
group=5
Name=Coreinfo
ShortDesc=Shows CPU caps and memory topology
LongDesc=Coreinfo is a command-line utility that shows you the mapping between logical processors and the physical processor, NUMA node, and socket on which they reside, as well as the caches assigned to each logical processor. It uses the Windows GetLogicalProcessorInformation function to obtain this information and prints it to the screen, representing a mapping to a logical processor with an asterisk, e.g. '*'. Coreinfo is useful for gaining insight into the processor and cache topology of your system.

[Software14]
exe=CpuStres.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/cpustres
exe64=CpuStres64.exe
group=6
Name=CPU Stress
ShortDesc=Cpustres is a utility that can be used to simulate CPU activity by running up to 64 threads in a tight loop.
LongDesc=Cpustres is a utility that can be used to simulate CPU activity by running up to 64 threads in a tight loop. Each thread can be started, paused or stopped independently and can be configured with the following parameters: Activity Level; this can be Low, Medium, Busy or Maximum, which controls how long the thread sleeps between cycles. Setting this value to Maximum causes the thread to run continuously. Priority; this controls the thread priority.

[Software15]
exe=ctrl2cap.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/ctrl2cap
exe64=
group=6
Name=Ctrl2Cap
ShortDesc=Kernel-mode driver that demonstrates keyboard input filtering just above the keyboard class driver in order to turn caps-locks into control keys
LongDesc=Ctrl2Cap is a kernel-mode device driver that filters the system's keyboard class driver in order to convert caps-lock characters into control characters. Install Ctrl2Cap by running the command "ctrl2cap /install" from the directory into which you've unzipped the Ctrl2Cap files. To uninstall, type "ctrl2cap /uninstall".

[Software16]
exe=Dbgview.exe
help=Dbgview.chm
url=https://docs.microsoft.com/en-us/sysinternals/downloads/debugview
exe64=
group=6
Name=DebugView
ShortDesc=Monitors debug output on your local system or any computer on the network
LongDesc=DebugView is an application that lets you monitor debug output on your local system, or any computer on the network that you can reach via TCP/IP. It is capable of displaying both kernel-mode and Win32 debug output, so you don't need a debugger to catch the debug output your applications or device drivers generate, nor do you need to modify your applications or drivers to use non-standard debug output APIs.

[Software17]
exe=Desktops.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/desktops
exe64=
group=6
Name=Desktops
ShortDesc=Organizes your applications on up to four virtual desktops
LongDesc=Desktops allows you to organize your applications on up to four virtual desktops. Read email on one, browse the web on the second, and do work in your productivity software on the third, without the clutter of the windows you're not using. After you configure hotkeys for switching desktops, you can create and switch desktops either by clicking on the tray icon to open a desktop preview and switching window, or by using the hotkeys.

[Software18]
exe=Disk2vhd.exe
help=Disk2vhd.chm
url=https://docs.microsoft.com/en-us/sysinternals/downloads/disk2vhd
exe64=Disk2vhd64.exe
group=1
Name=Disk2vhd
ShortDesc=Simplifies migration of physical systems into virtual machines (p2v)
LongDesc=Disk2vhd is a utility that creates VHD (Virtual Hard Disk - Microsoft's Virtual Machine disk format) versions of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V virtual machines (VMs).

[Software19]
exe=diskext.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/diskext
exe64=diskext64.exe
group=1
Name=DiskExt
ShortDesc=Displays volume disk-mappings
LongDesc=DiskExt demonstrates the use of the IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS command that returns information about what disks the partitions of a volume are located on (multipartition volumes can reside on multiple disks) and where on the disk the partitions are located.

[Software20]
exe=Diskmon.exe
help=Diskmon.hlp
url=https://docs.microsoft.com/en-us/sysinternals/downloads/diskmon
exe64=
group=1
Name=DiskMon
ShortDesc=Captures all hard disk activity
LongDesc=DiskMon is an application that logs and displays all hard disk activity on a Windows system. You can also minimize DiskMon to your system tray where it acts as a disk light, presenting a green icon when there is disk-read activity and a red icon when there is disk-write activity.

[Software21]
exe=DiskView.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/diskview
exe64=DiskView64a.exe
group=1
Name=DiskView
ShortDesc=Views disk usage by directory
LongDesc=DiskView shows you a graphical map of your disk, allowing you to determine where a file is located or, by clicking on a cluster, to see which file occupies it. Double-click to get more information about a file to which a cluster is allocated.

[Software22]
exe=du.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/du
exe64=du64.exe
group=1
Name=DiskUsage
ShortDesc=Reports disk space usage for the specified directory
LongDesc=Du (disk usage) reports the disk space usage for the directory you specify. By default it recurses directories to show the total size of a directory and its subdirectories.

[Software23]
exe=efsdump.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/efsdump
exe64=
group=1
Name=EFSDump
ShortDesc=Views encrypted files information
LongDesc=Windows 2000 introduces the Encrypting File System (EFS) so that users can protect their sensitive data. Several new APIs make their debut to support this facility, including one, QueryUsersOnEncryptedFile, that lets you see who has access to encrypted files. This applet uses the API to show you what accounts are authorized to access encrypted files.

[Software24]
exe=Filemon.exe
help=Filemon.hlp
url=
exe64=Filemon64a.exe
group=6
Name=FileMon
ShortDesc=This monitoring tool lets you see all file system activity in real-time
LongDesc=FileMon monitors and displays file system activity on a system in real-time. Its advanced capabilities make it a powerful tool for exploring the way Windows works, seeing how applications use the files and DLLs, or tracking down problems in system or application file configurations. Filemon's timestamping feature will show you precisely when every open, read, write or delete happens, and its status column tells you the outcome. FileMon is so easy to use that you'll be an expert within minutes. It begins monitoring when you start it, and its output window can be saved to a file for off-line viewing. It has full search capability, and if you find that you're getting information overload, simply set up one or more filters.

[Software25]
exe=FindLinks.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/findlinks
exe64=FindLinks64.exe
group=1
Name=FindLinks
ShortDesc=File index and any hard links reporter
LongDesc=FindLinks reports the file index and any hard links (alternate file paths on the same volume) that exist for the specified file. A file's data remains allocated so long as it has at least one file name referencing it.

[Software26]
exe=handle.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/handle
exe64=handle64.exe
group=3
Name=Handle
ShortDesc=Shows what files are open by which processes
LongDesc=Handle is a utility that displays information about open handles for any process in the system. You can use it to see the programs that have a file open, or to see the object types and names of all the handles of a program.

[Software27]
exe=hex2dec.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/hex2dec
exe64=hex2dec64.exe
group=6
Name=Hex2dec
ShortDesc=Converts a hexadecimal number to decimal and vice versa
LongDesc=Tired of running Calc every time you want to convert a hexadecimal number to decimal? Now you can convert hex to decimal and vice versa with this simple command-line utility.

[Software28]
exe=Hostname.exe
help=
url=
exe64=
group=3
Name=Hostname
ShortDesc=Convert IP address to hostname, and vice versa
LongDesc=Hostname is a very simple utility that takes either an IP address (e.g. 123.456.7.8), or a host name (e.g. ftp.ntinternals.com), and performs a translation into its inverse form. For example, if you pass Hostname an IP address, you'll get back a host name, and if you pass it a host name it will give you the corresponding IP address.

[Software29]
exe=junction.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/junction
exe64=junction64.exe
group=1
Name=Junction
ShortDesc=Creates NTFS symbolic links
LongDesc=Windows 2000 and higher supports directory symbolic links, where a directory serves as a symbolic link to another directory on the computer. For example, if the directory D:\SYMLINK specified C:\WINNT\SYSTEM32 as its target, then an application accessing D:\SYMLINK\DRIVERS would in reality be accessing C:\WINNT\SYSTEM32\DRIVERS. Directory symbolic links are known as NTFS junctions in Windows. Unfortunately, Windows comes with no tools for creating junctions; you have to purchase the Win2K Resource Kit, which comes with the linkd program for creating junctions. Junction not only allows you to create NTFS junctions, it allows you to see if files or directories are actually reparse points. Reparse points are the mechanism on which NTFS junctions are based, and they are used by Windows' Remote Storage Service (RSS), as well as volume mount points.

[Software30]
exe=ldmdump.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/ldmdump
exe64=
group=1
Name=LDMDump
ShortDesc=Dumps contents of Logical Disk Manager on-disk database
LongDesc=Windows 2000 introduces a new type of disk partitioning scheme that is managed by a component called the Logical Disk Manager (LDM). LDMDump is a utility that lets you examine exactly what is stored in a disk's copy of the system LDM database. LDMDump shows you the contents of the LDM database private header, table-of-contents, and object database (where partition, component and volume definitions are stored), and then summarizes its findings with partition table and volume listings.

[Software31]
exe=Listdlls.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/listdlls
exe64=Listdlls64.exe
group=3
Name=ListDLLs
ShortDesc=Lists all the DLLs that are currently loaded, including where they are loaded and their version numbers
LongDesc=Unlike tlist, however, ListDLLs is able to show you the full path names of loaded modules - not just their base names. In addition, ListDLLs will flag loaded DLLs that have different version numbers than their corresponding on-disk files (which occurs when the file is updated after a program loads the DLL), and can tell you which DLLs were relocated because they are not loaded at their base address.

[Software32]
exe=livekd.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/livekd
exe64=livekd64.exe
group=5
Name=LiveKd
ShortDesc=Uses Microsoft kernel debuggers to examine a live system
LongDesc=LiveKd allows you to run the Kd and Windbg Microsoft kernel debuggers, which are part of the Debugging Tools for Windows package, locally on a live system. Execute all the debugger commands that work on crash dump files to look deep inside the system. See the Debugging Tools for Windows documentation and our book for information on how to explore a system with the kernel debuggers. While the latest versions of Windbg and Kd have a similar capability on Windows XP and Server 2003, LiveKD enables more functionality, such as viewing thread stacks with the !thread command, than Windbg and Kd's own live kernel debugging facility.

[Software33]
exe=LoadOrd.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/loadorder
exe64=LoadOrd64.exe
group=5
Name=LoadOrder
ShortDesc=Shows order in which devices are loaded on Windows system
LongDesc=This applet shows you the order that a Windows NT or Windows 2000 system loads device drivers. Note that on Windows 2000 plug-and-play drivers may actually load in a different order than the one calculated, because plug-and-play drivers are loaded on demand during device detection and enumeration.

[Software34]
exe=LoadOrdC.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/loadorder
exe64=LoadOrdC64.exe
group=5
Name=LoadOrder Command-line
ShortDesc=Shows order in which devices are loaded on Windows system. Command-line version
LongDesc=This applet shows you the order that a Windows NT or Windows 2000 system loads device drivers. Note that on Windows 2000 plug-and-play drivers may actually load in a different order than the one calculated, because plug-and-play drivers are loaded on demand during device detection and enumeration.

[Software35]
exe=logonsessions.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/logonsessions
exe64=logonsessions64.exe
group=4
Name=LogonSessions
ShortDesc=Lists active logon sessions
LongDesc=If you think that when you log on to a system there's only one active logon session, this utility will surprise you. It lists the currently active logon sessions and, if you specify the -p option, the processes running in each session.

[Software36]
exe=movefile.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/movefile
exe64=movefile64.exe
group=1
Name=MoveFile
ShortDesc=Schedules file rename and delete commands for the next reboot
LongDesc=There are several applications, such as service packs and hotfixes, that must replace a file that's in use and are unable to. Windows therefore provides the MoveFileEx API to rename or delete a file and allows the caller to specify that they want the operation to take place the next time the system boots, before the files are referenced.

[Software37]
exe=NewSID.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/newsid
exe64=
group=4
Name=NewSID
ShortDesc=Learn about the computer SID problem everybody has been talking about and get a free computer SID changer, NewSID
LongDesc=NewSID is a program we developed that changes a computer's SID. It is free and is a Win32 program, meaning that it can easily be run on systems that have been previously cloned.

[Software38]
exe=notmyfault.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/notmyfault
exe64=notmyfault64.exe
group=6
Name=NotMyFault
ShortDesc=Notmyfault is a tool that you can use to crash, hang, and cause kernel memory leaks on your Windows system
LongDesc=Notmyfault is a tool that you can use to crash, hang, and cause kernel memory leaks on your Windows system. It's useful for learning how to identify and diagnose device driver and hardware problems, and you can also use it to generate blue screen dump files on misbehaving systems. Chapter 7 in Windows Internals uses Notmyfault to demonstrate pool leak troubleshooting and Chapter 14 uses it for crash analysis examples.

[Software39]
exe=notmyfaultc.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/notmyfault
exe64=notmyfaultc64.exe
group=6
Name=NotMyFault Command-line
ShortDesc=Notmyfault is a tool that you can use to crash, hang, and cause kernel memory leaks on your Windows system. Command-line version
LongDesc=Notmyfault is a tool that you can use to crash, hang, and cause kernel memory leaks on your Windows system. It's useful for learning how to identify and diagnose device driver and hardware problems, and you can also use it to generate blue screen dump files on misbehaving systems. Chapter 7 in Windows Internals uses Notmyfault to demonstrate pool leak troubleshooting and Chapter 14 uses it for crash analysis examples.

[Software40]
exe=ntfsinfo.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/ntfsinfo
exe64=ntfsinfo64.exe
group=1
Name=NTFSInfo
ShortDesc=Views detailed information about NTFS volumes
LongDesc=NTFSInfo is a little applet that shows you information about NTFS volumes. Its dump includes the size of a drive's allocation units, where key NTFS files are located, and the sizes of the NTFS metadata files on the volume.

[Software41]
exe=pagedfrg.exe
help=pagedfrg.hlp
url=https://docs.microsoft.com/en-us/sysinternals/downloads/pagedefrag
exe64=
group=1
Name=PageDefrag
ShortDesc=Defragments paging files and Registry hives
LongDesc=One of the limitations of the Windows NT/2000 defragmentation interface is that it is not possible to defragment files that are open for exclusive access. Thus, standard defragmentation programs can neither show you how fragmented your paging files or Registry hives are, nor defragment them. Paging and Registry file fragmentation can be one of the leading causes of performance degradation related to file fragmentation in a system. PageDefrag uses advanced techniques to provide you what commercial defragmenters cannot: the ability for you to see how fragmented your paging files and Registry hives are, and to defragment them. In addition, it defragments event log files and Windows 2000/XP hibernation files (where system memory is saved when you hibernate a laptop).

[Software42]
exe=pendmoves.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/movefile
exe64=pendmoves64.exe
group=1
Name=PendMoves
ShortDesc=Shows what files are scheduled for delete or rename the next time the system boots
LongDesc=There are several applications, such as service packs and hotfixes, that must replace a file that's in use and are unable to. Windows therefore provides the MoveFileEx API to rename or delete a file and allows the caller to specify that they want the operation to take place the next time the system boots, before the files are referenced. Session Manager performs this task by reading the registered rename and delete commands from the HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations value.

[Software43]
exe=PHYSMEM.EXE
help=
url=
exe64=
group=6
Name=PhysMem
ShortDesc=
LongDesc=

[Software44]
exe=pipelist.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/pipelist
exe64=pipelist64.exe
group=5
Name=PipeList
ShortDesc=Displays the named pipes on your system
LongDesc=Did you know that the device driver that implements named pipes is actually a file system driver? In fact, the driver's name is NPFS.SYS, for "Named Pipe File System". What you might also find surprising is that it's possible to obtain a directory listing of the named pipes defined on a system.

[Software45]
exe=Portmon.exe
help=Portmon.hlp
url=https://docs.microsoft.com/en-us/sysinternals/downloads/portmon
exe64=
group=3
Name=Portmon
ShortDesc=Monitors serial and parallel port activity
LongDesc=Portmon is a utility that monitors and displays all serial and parallel port activity on a system. It has advanced filtering and search capabilities that make it a powerful tool for exploring the way Windows works, seeing how applications use ports, or tracking down problems in system or application configurations.

[Software46]
exe=procdump.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
exe64=procdump64.exe
group=3
Name=ProcDump
ShortDesc=Captures process dumps to isolate and reproduce CPU spikes
LongDesc=ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. ProcDump also includes hung window monitoring (using the same definition of a window hang that Windows and Task Manager use), unhandled exception monitoring and can generate dumps based on the values of system performance counters. It also can serve as a general process dump utility that you can embed in other scripts.

[Software47]
exe=Procexp.exe
help=Procexp.chm
url=https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer
exe64=Procexp64.exe
group=3
Name=ProcessExplorer
ShortDesc=Finds out what files, registry keys and other objects processes have open, which DLLs they have loaded, and more
LongDesc=Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded. The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work.

[Software48]
exe=ProcFeatures.exe
help=
url=https://docs.microsoft.com/en-us/sysinternals/downloads/procfeatures
exe64=
group=5
Name=ProcFeatures
ShortDesc=This applet reports processor and Windows support for Physical Address Extensions and No Execute buffer overflow protection
LongDesc=ProcessorFeatures is a no-frills applet that uses the Windows IsProcessorFeaturePresent API to determine if the processor and Windows support various features such as No-Execute pages, Physical Address Extensions (PAE), and a real-time cycle counter. Its primary purpose is to identify systems running the PAE version of the kernel and that support no-execute buffer overflow protection.

[Software49]
exe=Procmon.exe
help=Procmon.chm
url=https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
exe64=Procmon64.exe
group=3
Name=ProcessMonitor
ShortDesc=Monitors file system, Registry, process, thread and DLL activity in real-time
LongDesc=Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.

[Software50]
exe=PsExec.exe
help=PsTools.chm
url=https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
exe64=PsExec64.exe
group=3
Name=PsExec
ShortDesc=Executes processes remotely
LongDesc=PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems.

[Software51]
exe=PsFile.exe
help=PsTools.chm
url=https://docs.microsoft.com/en-us/sysinternals/downloads/psfile
exe64=PsFile64.exe
group=2
Name=PsFile
ShortDesc=Shows what files are opened remotely
LongDesc=PsFile is a command-line utility that shows a list of files on a system that are opened remotely, and it also allows you to close opened files either by name or by a file identifier.

[Software52]
exe=PsGetSid.exe
help=PsTools.chm
url=https://docs.microsoft.com/en-us/sysinternals/downloads/psgetsid
exe64=PsGetSid64.exe
group=4
Name=PsGetSid
ShortDesc=Displays the SID of a computer or a user
LongDesc=PsGetsid allows you to translate SIDs to their display name and vice versa. It works on builtin accounts, domain accounts, and local accounts.

[Software53]
exe=PsInfo.exe
help=PsTools.chm
url=https://docs.microsoft.com/en-us/sysinternals/downloads/psinfo
exe64=PsInfo64.exe
group=5
Name=PsInfo
ShortDesc=Obtains information about system
LongDesc=PsInfo is a command-line tool that gathers key information about the local or remote Windows NT/2000 system, including the type of installation, kernel build, registered organization and owner, number of processors and their type, amount of physical memory, the install date of the system, and if it's a trial version, the expiration date.

[Software54]
exe=PsKill.exe
help=PsTools.chm
url=https://docs.microsoft.com/en-us/sysinternals/downloads/pskill
exe64=PsKill64.exe
group=3
Name=PsKill
ShortDesc=Terminates local or remote processes
LongDesc=Windows NT/2000 does not come with a command-line 'kill' utility. You can get one in the Windows NT or Win2K Resource Kit, but the kit's utility can only terminate processes on the local computer. PsKill is a kill utility that not only does what the Resource Kit's version does, but can also kill processes on remote systems. You don't even have to install a client on the target computer to use PsKill to terminate a remote process.

[Software55]
exe=PsList.exe
help=PsTools.chm
url=https://docs.microsoft.com/en-us/sysinternals/downloads/pslist
exe64=PsList64.exe
group=3
Name=PsList
ShortDesc=Shows information about processes and threads
LongDesc=PsList shows information about processes on local or remote systems. Like Windows NT/2K's built-in PerfMon monitoring tool, PsList uses the Windows NT/2K performance counters to obtain the information it displays.
587 588 [Software56] 589 exe=PsLoggedOn.exe 590 help=PsTools.chm 591 url=https://docs.microsoft.com/en-us/sysinternals/downloads/psloggedon 592 exe64=PsLoggedOn64.exe 593 group=4 594 Name=PsLoggedOn 595 ShortDesc=Shows users logged on to a system 596 LongDesc=You can determine who is using resources on your local computer with the "net" command ("net session"), however, there is no built-in way to determine who is using the resources of a remote computer. In addition, NT comes with no tools to see who is logged onto a computer, either locally or remotely. PsLoggedOn is an applet that displays both the locally logged on users and users logged on via resources for either the local computer, or a remote one. If you specify a user name instead of a computer, PsLoggedOn searches the computers in the network neighborhood and tells you if the user is currently logged on. 597 598 [Software57] 599 exe=PsLogList.exe 600 help=PsTools.chm 601 url=https://docs.microsoft.com/en-us/sysinternals/downloads/psloglist 602 exe64=PsLogList64.exe 603 group=4 604 Name=PsLogList 605 ShortDesc=Dumps event log records 606 LongDesc=The Resource Kit comes with a utility, elogdump, that lets you dump the contents of an Event Log on the local or a remote computer. PsLogList is a clone of elogdump except that PsLogList lets you login to remote systems in situations your current set of security credentials would not permit access to the Event Log, and PsLogList retrieves message strings from the computer on which the event log you view resides. 607 608 [Software58] 609 exe=PsPasswd.exe 610 help=PsTools.chm 611 url=https://docs.microsoft.com/en-us/sysinternals/downloads/pspasswd 612 exe64=PsPasswd64.exe 613 group=4 614 Name=PsPasswd 615 ShortDesc=Local and remote password changer 616 LongDesc=Systems administrators that manage local administrative accounts on multiple computers regularly need to change the account password as part of standard security practices. 
PsPasswd is a tool that lets you change an account password on the local or remote systems, enabling administrators to create batch files that run PsPasswd against the computers they manage in order to perform a mass change of the administrator password. 617 618 [Software59] 619 exe=PsPing.exe 620 help=PsTools.chm 621 url=https://docs.microsoft.com/en-us/sysinternals/downloads/psping 622 exe64=PsPing64.exe 623 group=2 624 Name=PsPing 625 ShortDesc=PsPing is a command-line utility for measuring network performance 626 LongDesc=PsPing is a command-line utility for measuring network performance. In addition to standard ICMP ping functionality, it can report the latency of connecting to TCP ports, the latency of TCP round-trip communication between systems, and the TCP bandwidth available to a connection between systems. Besides obtaining min, max, and average values in 0.01ms resolution, you can also use PsPing to generate histograms of the results that are easy to import into spreadsheets. 627 628 [Software60] 629 exe=PsService.exe 630 help=PsTools.chm 631 url=https://docs.microsoft.com/en-us/sysinternals/downloads/psservice 632 group=3 633 exe64=PsService64.exe 634 Name=PsService 635 ShortDesc=Views and controls services 636 LongDesc=PsService is a service viewer and controller for Windows. Like the SC utility that's included in the Windows NT and Windows 2000 Resource Kits, PsService displays the status, configuration, and dependencies of a service, and allows you to start, stop, pause, resume and restart them. Unlike the SC utility, PsService enables you to logon to a remote system using a different account, for cases when the account from which you run it doesn't have required permissions on the remote system. PsService includes a unique service-search capability, which identifies active instances of a service on your network. You would use the search feature if you wanted to locate systems running DHCP servers, for instance. 
637 638 [Software61] 639 exe=PsShutdown.exe 640 help=PsTools.chm 641 url=https://docs.microsoft.com/en-us/sysinternals/downloads/psshutdown 642 exe64= 643 group=4 644 Name=PsShutdown 645 ShortDesc=Shutdowns, logoffs and power manages local and remote systems 646 LongDesc=PsShutdown is a command-line utility similar to the shutdown utility from the Windows 2000 Resource Kit, but with the ability to do much more. In addition to supporting the same options for shutting down or rebooting the local or a remote computer, PsShutdown can logoff the console user or lock the console (locking requires Windows 2000 or higher). PsShutdown requires no manual installation of client software. 647 648 [Software62] 649 exe=PsSuspend.exe 650 help=PsTools.chm 651 url=https://docs.microsoft.com/en-us/sysinternals/downloads/pssuspend 652 exe64=PsSuspend64.exe 653 group=3 654 Name=PsSuspend 655 ShortDesc=Suspends and resumes processes 656 LongDesc=PsSuspend lets you suspend processes on the local or a remote system, which is desirable in cases where a process is consuming a resource (e.g. network, CPU or disk) that you want to allow different processes to use. Rather than kill the process that's consuming the resource, suspending permits you to let it continue operation at some later point in time. 657 658 [Software63] 659 exe=PsUptime.exe 660 help= 661 url= 662 exe64= 663 group=5 664 Name=PsUptime 665 ShortDesc= 666 LongDesc= 667 668 [Software64] 669 exe=RAMMap.exe 670 help= 671 url=https://docs.microsoft.com/en-us/sysinternals/downloads/rammap 672 exe64=RAMMap64a.exe 673 group=5 674 Name=RAMMap 675 ShortDesc=Advanced physical memory usage analysis utility 676 LongDesc=RAMMap is an advanced physical memory usage analysis utility for Windows Vista and higher. Use RAMMap to gain understanding of the way Windows manages memory, to analyze application memory usage, or to answer specific questions about how RAM is being allocated. 
RAMMap’s refresh feature enables you to update the display and it includes support for saving and loading memory snapshots. 677 678 [Software65] 679 exe=RegDelNull.exe 680 help= 681 url=https://docs.microsoft.com/en-us/sysinternals/downloads/regdelnull 682 exe64=RegDelNull64.exe 683 group=6 684 Name=RegDelNull 685 ShortDesc=Scans for and deletes Registry keys that contain embedded null-characters 686 LongDesc=This command-line utility searches for and allows you to delete Registry keys that contain embedded-null characters and that are otherwise undeleteable using standard Registry-editing tools. Note: deleting Registry keys may cause the applications they are associated with to fail. 687 688 [Software66] 689 exe=Reghide.exe 690 help= 691 url=https://docs.microsoft.com/en-us/sysinternals/downloads/reghide 692 exe64= 693 group=6 694 Name=RegHide 695 ShortDesc=Creates a key called "HKEY_LOCAL_MACHINE\Software\Sysinternals\Can't touch me!\0" using the Native API, and inside this key it creates a value 696 LongDesc= 697 698 [Software67] 699 exe=regjump.exe 700 help= 701 url=https://docs.microsoft.com/en-us/sysinternals/downloads/regjump 702 exe64= 703 group=6 704 Name=RegJump 705 ShortDesc=Jumps to the specified registry path in Regedit 706 LongDesc=This little command-line applet takes a registry path and makes Regedit open to that path. It accepts root keys in standard (e.g. HKEY_LOCAL_MACHINE) and abbreviated form (e.g. HKLM). 707 708 [Software68] 709 exe=Regmon.exe 710 help=Regmon.hlp 711 url= 712 exe64=Regmon64a.exe 713 group=6 714 Name=RegMon 715 ShortDesc=This monitoring tool lets you see all Registry activity in real-time 716 LongDesc=Regmon is a Registry monitoring utility that will show you which applications are accessing your Registry, which keys they are accessing, and the Registry data that they are reading and writing - all in real-time. 
This advanced utility takes you one step beyond what static Registry tools can do, to let you see and understand exactly how programs use the Registry. With static tools you might be able to see what Registry values and keys changed. With Regmon you'll see how the values and keys changed.. 717 718 [Software69] 719 exe=RootkitRevealer.exe 720 help=RootkitRevealer.chm 721 url=https://docs.microsoft.com/en-us/sysinternals/downloads/rootkit-revealer 722 exe64= 723 group=4 724 Name=RootkitRevealer 725 ShortDesc=Scans your system for rootkit-based malware 726 LongDesc=RootkitRevealer is an advanced rootkit detection utility. It runs on Windows XP (32-bit) and Windows Server 2003 (32-bit), and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects many persistent rootkits including AFX, Vanquish and HackerDefender (note: RootkitRevealer is not intended to detect rootkits like Fu that don't attempt to hide their files or registry keys). If you use it to identify the presence of a rootkit please let us know! 727 728 [Software70] 729 exe=ru.exe 730 help= 731 url=https://docs.microsoft.com/en-us/sysinternals/downloads/ru 732 exe64=ru64.exe 733 group=6 734 Name=RegistryUsage 735 ShortDesc=Registry usage reports the registry space usage for the registry key you specify 736 LongDesc=Ru (registry usage) reports the registry space usage for the registry key you specify. By default it recurses subkeys to show the total size of a key and its subkeys. 737 738 [Software71] 739 exe=sdelete.exe 740 help= 741 url=https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete 742 exe64=sdelete64.exe 743 group=1 744 Name=SDelete 745 ShortDesc=Securely overwrites files and cleanses free space of previously deleted files 746 LongDesc=The only way to ensure that deleted files, as well as files that you encrypt with EFS, are safe from recovery is to use a secure delete application. 
Secure delete applications overwrite a deleted file's on-disk data using techiques that are shown to make disk data unrecoverable, even using recovery technology that can read patterns in magnetic media that reveal weakly deleted files. You can use SDelete both to securely delete existing files, as well as to securely erase any file data that exists in the unallocated portions of a disk (including files that you have already deleted or encrypted). 747 748 [Software72] 749 exe=ShareEnum.exe 750 help= 751 url=https://docs.microsoft.com/en-us/sysinternals/downloads/shareenum 752 exe64= 753 group=2 754 Name=ShareEnum 755 ShortDesc=Scans file shares on network and views their security settings 756 LongDesc=An aspect of Windows NT/2000/XP network security that's often overlooked is file shares. A common security flaw occurs when users define file shares with lax security, allowing unauthorized users to see sensitive files. There are no built-in tools to list shares viewable on a network and their security settings, but ShareEnum fills the void and allows you to lock down file shares in your network. 757 758 [Software73] 759 exe=ShellRunas.exe 760 help= 761 url=https://docs.microsoft.com/en-us/sysinternals/downloads/shellrunas 762 exe64= 763 group=3 764 Name=ShellRunas 765 ShortDesc=Launches programs as a different user via a convenient shell context-menu entry 766 LongDesc=The command-line Runas utility is handy for launching programs under different accounts, but it’s not convenient if you’re a heavy Explorer user. ShellRunas provides functionality similar to that of Runas to launch programs as a different user via a convenient shell context-menu entry. 
767 768 [Software74] 769 exe=sigcheck.exe 770 help= 771 url=https://docs.microsoft.com/en-us/sysinternals/downloads/sigcheck 772 exe64=sigcheck64.exe 773 group=1 774 Name=Sigcheck 775 ShortDesc=Dumps file version information and verify that image is digitally signed 776 LongDesc=Verify that images are digitally signed and dump version information with this simple command-line utility. 777 778 [Software75] 779 exe=streams.exe 780 help= 781 url=https://docs.microsoft.com/en-us/sysinternals/downloads/streams 782 exe64=streams64.exe 783 group=1 784 Name=Streams 785 ShortDesc=Reveals NTFS alternate streams 786 LongDesc=The NTFS file system provides applications the ability to create alternate data streams of information. Streams will examine the files and directories (note that directories can also have alternate data streams) you specify and inform you of the name and sizes of any named streams it encounters within those files. 787 788 [Software76] 789 exe=strings.exe 790 help= 791 url=https://docs.microsoft.com/en-us/sysinternals/downloads/strings 792 exe64=strings64.exe 793 group=6 794 Name=Strings 795 ShortDesc=Searches for ANSI and UNICODE strings in binary images 796 LongDesc=Working on NT and Win2K means that executables and object files will many times have embedded UNICODE strings that you cannot easily see with a standard ASCII strings or grep programs. Strings just scans the file you pass it for UNICODE (or ASCII) strings of a default length of 3 or more UNICODE (or ASCII) characters. 797 798 [Software77] 799 exe=sync.exe 800 help= 801 url=https://docs.microsoft.com/en-us/sysinternals/downloads/sync 802 exe64=sync64.exe 803 group=1 804 Name=Sync 805 ShortDesc=Flushes cached data to disk 806 LongDesc=Sync directs the operating system to flush all file system data to disk in order to insure that it is stable and won't be lost in case of a system failure. Otherwise, any modified data present in the cache would be lost. 
807 808 [Software78] 809 exe=Sysmon.exe 810 help= 811 url=https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon 812 exe64=Sysmon64.exe 813 group=4 814 Name=SystemMonitor 815 ShortDesc=Monitors and reports key system activity via the Windows event log 816 LongDesc=System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network. Note that Sysmon does not provide analysis of the events it generates, nor does it attempt to protect or hide itself from attackers. 817 818 [Software79] 819 exe=tcpvcon.exe 820 help= 821 url=https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview 822 exe64= 823 group=2 824 Name=TCPView Command-line 825 ShortDesc=Active sockets command-line viewer 826 LongDesc=TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. On Windows Server 2008, Vista, and XP, TCPView also reports the name of the process that owns the endpoint. TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality. 
827 828 [Software80] 829 exe=Tcpview.exe 830 help=Tcpview.chm 831 url=https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview 832 exe64= 833 group=2 834 Name=TCPView 835 ShortDesc=Active sockets viewer 836 LongDesc=TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. On Windows Server 2008, Vista, and XP, TCPView also reports the name of the process that owns the endpoint. TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality. 837 838 [Software81] 839 exe=Tokenmon.exe 840 help=Tokenmon.hlp 841 url= 842 exe64= 843 group=3 844 Name=TokenMon 845 ShortDesc=Watch security-related activity, including logon, logoff, privilege usage, and impersonation with this monitoring tool 846 LongDesc=Tokenmon is a application that monitors and displays a variety of security-related activity taking place on a system. Tokenmon gets its name from the fact that Windows NT/2000 stores a process' security information, including the user account context in which the process executes, in an object called a token. 847 848 [Software82] 849 exe=Vmmap.exe 850 help=Vmmap.chm 851 url=https://docs.microsoft.com/en-us/sysinternals/downloads/vmmap 852 exe64=Vmmap64a.exe 853 group=5 854 Name=VMMap 855 ShortDesc=Process virtual and physical memory analysis utility 856 LongDesc=VMMap is a process virtual and physical memory analysis utility. It shows a breakdown of a process's committed virtual memory types as well as the amount of physical memory (working set) assigned by the operating system to those types. Besides graphical representations of memory usage, VMMap also shows summary information and a detailed process memory map. 
Powerful filtering and refresh capabilities allow you to identify the sources of process memory usage and the memory cost of application features. 857 858 [Software83] 859 exe=Volumeid.exe 860 help= 861 url=https://docs.microsoft.com/en-us/sysinternals/downloads/volumeid 862 exe64=Volumeid64.exe 863 group=1 864 Name=VolumeID 865 ShortDesc=Sets Volume ID of FAT or NTFS drives 866 LongDesc=While WinNT/2K and Windows 9x's built-in Label utility lets you change the labels of disk volumes, it does not provide any means for changing volume ids. This utiltity, VolumeID, allows you to change the ids of FAT and NTFS disks (floppies or hard drives). 867 868 [Software84] 869 exe=whois.exe 870 help= 871 url=https://docs.microsoft.com/en-us/sysinternals/downloads/whois 872 exe64=whois64.exe 873 group=2 874 Name=Whois 875 ShortDesc=Shows who owns an Internet address 876 LongDesc=Whois performs the registration record for the domain name or IP address that you specify. 877 878 [Software85] 879 exe=Winobj.exe 880 help= 881 url=https://docs.microsoft.com/en-us/sysinternals/downloads/winobj 882 exe64= 883 group=5 884 Name=WinObj 885 ShortDesc=Object Manager namespace viewer 886 LongDesc=WinObj is a 32-bit Windows NT program that uses the native Windows NT API (provided by NTDLL.DLL) to access and display information on the NT Object Manager's namespace. Winobj may seem similar to the Microsoft SDK's program of the same name, but the SDK version suffers from numerous significant bugs that prevent it from displaying accurate information (e.g. its handle and reference counting information are totally broken). In addition, our WinObj understands many more object types. Finally, Version 2.0 of our WinObj has user-interface enhancements, knows how to open device objects, and will let you view and change object security information using native NT security editors. 
887 888 [Software86] 889 exe=ZoomIt.exe 890 help= 891 url=https://docs.microsoft.com/en-us/sysinternals/downloads/zoomit 892 exe64=ZoomIt64.exe 893 group=6 894 Name=ZoomIt 895 ShortDesc=Presentation utility for zooming and drawing on the screen 896 LongDesc=ZoomIt is screen zoom and annotation tool for technical presentations that include application demonstrations. ZoomIt runs unobtrusively in the tray and activates with customizable hotkeys to zoom in on an area of the screen, move around while zoomed, and draw on the zoomed image.