Skip to navigation
Real World Computing
USB stick

The hidden treasures of Sysinternals

Posted on 9 Feb 2010 at 15:02

Jon Honeyball has a rummage on Sysinternals and discovers a few very useful applications

Every few months I make a pilgrimage to the Sysinternals website to look at its superb collection of tools. It’s now hosted inside the Microsoft Technet monster since its authors joined Microsoft as employees some while ago, but the value of their site is still as strong as ever and the tools are now guaranteed not to be ignored or left to rust.

So what’s new there? Well, there’s a tool called Disk2vhd, which creates VHDs (virtual hard disks, Microsoft’s VM disk format) from physical drives. You can then use these within Virtual PC or the server-side Hyper-V engine. What’s important about Disk2vhd is that you can even run it on a disk that’s actually in use at the time, which is like pulling yourself up by your own boot laces.

It can do this because it uses the Windows Volume Snapshot technology to take an instant snapshot of the disk on which to do its work, even while the disk continues to be written and read by other programs.

You can even run Disk2vhd on a disk that’s actually in use at the time, which is like pulling yourself up by your own boot laces

A couple of points to note here. Obviously, when you take a virtualised snapshot for the first time within your chosen VM environment, it won’t be running on the original native hardware. Fortunately, Windows does a plug-and-play hunt for new drivers, and should have no problem swapping out the original hardware-specific drivers for the correct ones for the VM environment.

A second gotcha is worth quoting from the site: “Note: do not attach to VHDs on the same system on which you created them if you plan on booting from them. If you do so, Windows will assign the VHD a new disk signature to avoid a collision with the signature of the VHD’s source disk. Windows references disks in the boot configuration database (BCD) by disk signature, so when that happens Windows booted in a VM will fail to locate the boot disk.”

Which should be a salutary reminder that Windows will happily rewrite these signatures for you, but might screw things up in the process.

There’s another Sysinternals tool I’ve used recently called DiskMon, which captures information about every read and write to your hard disk and shows it in a fast-moving list. The reason I needed this tool was that a Windows Vista machine had suddenly started thrashing its disk for no apparent reason.

Task Manager didn’t really show me what was happening and I’d already turned off the Windows Search service, which is the built-in disk indexer engine within Vista. DiskMon wouldn’t run on Vista at first, just returning an error – it turned out I needed to run it as an Administrator to give it elevated privileges. Once I’d done this it was soon obvious which application was chewing away at the disk, and a quick exorcism resulted. It’s times like this when a highly focused tool can help you get to the answer quickly.

Another useful present from Microsoft (it must be Christmas) is a tool that lets you blow ISO images onto any bootable medium such as a USB stick. This permits you to take an ISO image of, for example, Windows 7 and write it to a suitably large USB stick, which you’ll need to do if you want to install it onto a laptop or netbook that has no local CD/DVD drive.

Download a year of Jon Honeyball's Advanced Windows columns by heading to our Free Downloads site

Subscribe to PC Pro magazine. We'll give you 3 issues for £1 plus a free gift - click here
User comments


Jon writes: "it was soon obvious which application was chewing away at the disk". Not being Jon it isn't abvious to me at all: the utility doesn't show which process or app is initiating the read/write so how can you tell?

By RBHannam on 9 Feb 2010

Re: RBHannam / DiskMon

I suspect he's confusing DiskMon and FileMon. FileMon shows you the read/writes as well as the application doing the talking with a sophisticated filtering system to narrow down activity.

By eos367 on 9 Feb 2010

I'm with RBHannam, I tried out Diskmon as well, and the only columns of data we have to work with is #, Time, Duration, Disk, Request, Sector, and Length. None of this information really leads to a solution.

By mcdonamw on 9 Feb 2010

Unless they updated the "Windows 7 USB/DVD Download Tool", it only works with Windows 7 ISOs. You can't use any random ISO.

By StealthyC on 9 Feb 2010

You gotta be kidding me

Diskmon has not been updated since November 2006 and is useless. Most of the apps are years old and have *long* been replaced by far better tools.

Bloody clownshoes investigative reporting.

By Cyclic on 10 Feb 2010

Diskmon has LONG been sent to sleep in favour of ProcMon

Process Monitor has been the replacement for Diskmon for ages now (and it is way more powerful and captures file access, registry access, network stuff etc. etc.)
Where did they dig out this article, 1996?

By ripclaw666 on 10 Feb 2010

Tools are Tools

yes they are old and yes they are limited. But I have them none the less and have used them many times here and there.
No different in the special wrench I have in my tool chest, when I need it, its handy to have

By ridn4free on 10 Feb 2010


I would use go for ProcessExplorer. If the application that's chewing away happen to be hidden within generic host process (svchost.exe), you can kill its services one by one until – in accordance to your computer knowledge - either you crash your computer or solve your problem.

By stasi47 on 10 Feb 2010

Links would be nice.

Searching these applications reveals that they have been superseded by more sophisticated software:

By urbanaught on 11 Feb 2010


PMLogAnalyzer Provides many new Functions for ProcMon

see for full details
a) Automates Capture (can be run directly from PMLogAnalyzer's copy of the PCs StartMenu)
b) Extended Reports Listing Files/Registry Entries read/written by Application
c) CrossReference Report Files/Registry Entries - Event Log Records
Plus many reports on MSIs
a) Listing Files/registry against ProcMon and PC entries
b) Scanning all Installed MSIs to see which MSIs install a particular File/registry entry

By PMLogAnalyzer on 4 Mar 2010

Leave a comment

You need to Login or Register to comment.



Latest Real World Computing
Latest Blog Posts Subscribe to our RSS Feeds
Latest News Stories Subscribe to our RSS Feeds
Latest ReviewsSubscribe to our RSS Feeds


Sponsored Links

Your email:

Your password:

remember me


Hitwise Top 10 Website 2010

PCPro-Computing in the Real World Printed from

Register to receive our regular email newsletter at

The newsletter contains links to our latest PC news, product reviews, features and how-to guides, plus special offers and competitions.