The hidden treasures of Sysinternals
Posted on 9 Feb 2010 at 15:02
Jon Honeyball has a rummage on Sysinternals and discovers a few very useful applications
Every few months I make a pilgrimage to the Sysinternals website to look at its superb collection of tools. It’s now hosted inside the Microsoft Technet monster since its authors joined Microsoft as employees some while ago, but the value of their site is still as strong as ever and the tools are now guaranteed not to be ignored or left to rust.
So what’s new there? Well, there’s a tool called Disk2vhd, which creates VHDs (virtual hard disks, Microsoft’s VM disk format) from physical drives. You can then use these within Virtual PC or the server-side Hyper-V engine. What’s important about Disk2vhd is that you can even run it on a disk that’s actually in use at the time, which is like pulling yourself up by your own boot laces.
It can do this because it uses the Windows Volume Snapshot technology to take an instant snapshot of the disk on which to do its work, even while the disk continues to be written and read by other programs.
You can even run Disk2vhd on a disk that’s actually in use at the time, which is like pulling yourself up by your own boot laces
A couple of points to note here. Obviously, when you take a virtualised snapshot for the first time within your chosen VM environment, it won’t be running on the original native hardware. Fortunately, Windows does a plug-and-play hunt for new drivers, and should have no problem swapping out the original hardware-specific drivers for the correct ones for the VM environment.
A second gotcha is worth quoting from the site: “Note: do not attach to VHDs on the same system on which you created them if you plan on booting from them. If you do so, Windows will assign the VHD a new disk signature to avoid a collision with the signature of the VHD’s source disk. Windows references disks in the boot configuration database (BCD) by disk signature, so when that happens Windows booted in a VM will fail to locate the boot disk.”
Which should be a salutary reminder that Windows will happily rewrite these signatures for you, but might screw things up in the process.
There’s another Sysinternals tool I’ve used recently called DiskMon, which captures information about every read and write to your hard disk and shows it in a fast-moving list. The reason I needed this tool was that a Windows Vista machine had suddenly started thrashing its disk for no apparent reason.
Task Manager didn’t really show me what was happening and I’d already turned off the Windows Search service, which is the built-in disk indexer engine within Vista. DiskMon wouldn’t run on Vista at first, just returning an error – it turned out I needed to run it as an Administrator to give it elevated privileges. Once I’d done this it was soon obvious which application was chewing away at the disk, and a quick exorcism resulted. It’s times like this when a highly focused tool can help you get to the answer quickly.
Another useful present from Microsoft (it must be Christmas) is a tool that lets you blow ISO images onto any bootable medium such as a USB stick. This permits you to take an ISO image of, for example, Windows 7 and write it to a suitably large USB stick, which you’ll need to do if you want to install it onto a laptop or netbook that has no local CD/DVD drive.
Jon writes: "it was soon obvious which application was chewing away at the disk". Not being Jon it isn't abvious to me at all: the utility doesn't show which process or app is initiating the read/write so how can you tell?
By RBHannam on 9 Feb 2010
Re: RBHannam / DiskMon
I suspect he's confusing DiskMon and FileMon. FileMon shows you the read/writes as well as the application doing the talking with a sophisticated filtering system to narrow down activity.
By eos367 on 9 Feb 2010
I'm with RBHannam, I tried out Diskmon as well, and the only columns of data we have to work with is #, Time, Duration, Disk, Request, Sector, and Length. None of this information really leads to a solution.
By mcdonamw on 9 Feb 2010
Unless they updated the "Windows 7 USB/DVD Download Tool", it only works with Windows 7 ISOs. You can't use any random ISO.
By StealthyC on 9 Feb 2010
You gotta be kidding me
Diskmon has not been updated since November 2006 and is useless. Most of the apps are years old and have *long* been replaced by far better tools.
Bloody clownshoes investigative reporting.
By Cyclic on 10 Feb 2010
Diskmon has LONG been sent to sleep in favour of ProcMon
Process Monitor has been the replacement for Diskmon for ages now (and it is way more powerful and captures file access, registry access, network stuff etc. etc.)
Where did they dig out this article, 1996?
By ripclaw666 on 10 Feb 2010
Tools are Tools
yes they are old and yes they are limited. But I have them none the less and have used them many times here and there.
No different in the special wrench I have in my tool chest, when I need it, its handy to have
By ridn4free on 10 Feb 2010
I would use go for ProcessExplorer. If the application that's chewing away happen to be hidden within generic host process (svchost.exe), you can kill its services one by one until – in accordance to your computer knowledge - either you crash your computer or solve your problem.
By stasi47 on 10 Feb 2010
Links would be nice.
Searching these applications reveals that they have been superseded by more sophisticated software:
By urbanaught on 11 Feb 2010
PMLogAnalyzer Provides many new Functions for ProcMon
see www.winok-msixray.com/procmon.html for full details
a) Automates Capture (can be run directly from PMLogAnalyzer's copy of the PCs StartMenu)
b) Extended Reports Listing Files/Registry Entries read/written by Application
c) CrossReference Report Files/Registry Entries - Event Log Records
Plus many reports on MSIs
a) Listing Files/registry against ProcMon and PC entries
b) Scanning all Installed MSIs to see which MSIs install a particular File/registry entry
By PMLogAnalyzer on 4 Mar 2010
- How to sell more ebooks on Amazon
- 10 ways to make your business more secure
- Top five VoIP mistakes
- How to add in-app purchasing to an iPhone, Android or Windows app
- Remote-control ransomware: TeamViewer and software hardball
- Why laptops with serial ports matter to the Internet of Things
- Make your mobile battery last longer
- Small steps into handling Big Data
- Nexus 5: does it really run stock Android?
- How to get broadband to a garden office
- How to check your identity hasn’t been sold to the hackers
- Tim Cook: this is how much TV has changed since the 70s
- Westminster wins the .London battle
- 20 years of PC Pro: from deep pan pizza to virtualisation
- Five reasons why the Apple Watch leaves me cold
- Apple Watch, iPhone 6 and 6 Plus: Tim Cook's Apple back with a bang?
- BT Home Hub 5: how to get maximum speed
- 20 years of PC Pro: one-star reviews (including "the worst tablet we've ever seen")
- 20 years of PC Pro: our best covers
- Why we've closed the PC Pro forums
- Is Peter Pan panto tickets email genuine? Oh no, it isn't
- Intel triples Xeon E5 chip performance, adds DDR4
- Patch Tuesday targets critical IE flaw
- Microsoft refuses to hand over customer emails
- Microsoft yanks Windows 8.1 update after crash reports
- Microsoft backtracks on blocking out-of-date Java
- Gartner: time to start planning your Windows 7 upgrade
- Still on IE8? You've got 18 months to upgrade
- Who's buying Chromebooks? American schools
- Microsoft targets Windows in next Patch Tuesday