The hidden treasures of Sysinternals
Posted on 9 Feb 2010 at 15:02
Jon Honeyball has a rummage on Sysinternals and discovers a few very useful applications
Every few months I make a pilgrimage to the Sysinternals website to look at its superb collection of tools. It’s now hosted inside the Microsoft Technet monster since its authors joined Microsoft as employees some while ago, but the value of their site is still as strong as ever and the tools are now guaranteed not to be ignored or left to rust.
So what’s new there? Well, there’s a tool called Disk2vhd, which creates VHDs (virtual hard disks, Microsoft’s VM disk format) from physical drives. You can then use these within Virtual PC or the server-side Hyper-V engine. What’s important about Disk2vhd is that you can even run it on a disk that’s actually in use at the time, which is like pulling yourself up by your own boot laces.
It can do this because it uses the Windows Volume Snapshot technology to take an instant snapshot of the disk on which to do its work, even while the disk continues to be written and read by other programs.
You can even run Disk2vhd on a disk that’s actually in use at the time, which is like pulling yourself up by your own boot laces
A couple of points to note here. Obviously, when you take a virtualised snapshot for the first time within your chosen VM environment, it won’t be running on the original native hardware. Fortunately, Windows does a plug-and-play hunt for new drivers, and should have no problem swapping out the original hardware-specific drivers for the correct ones for the VM environment.
A second gotcha is worth quoting from the site: “Note: do not attach to VHDs on the same system on which you created them if you plan on booting from them. If you do so, Windows will assign the VHD a new disk signature to avoid a collision with the signature of the VHD’s source disk. Windows references disks in the boot configuration database (BCD) by disk signature, so when that happens Windows booted in a VM will fail to locate the boot disk.”
Which should be a salutary reminder that Windows will happily rewrite these signatures for you, but might screw things up in the process.
There’s another Sysinternals tool I’ve used recently called DiskMon, which captures information about every read and write to your hard disk and shows it in a fast-moving list. The reason I needed this tool was that a Windows Vista machine had suddenly started thrashing its disk for no apparent reason.
Task Manager didn’t really show me what was happening and I’d already turned off the Windows Search service, which is the built-in disk indexer engine within Vista. DiskMon wouldn’t run on Vista at first, just returning an error – it turned out I needed to run it as an Administrator to give it elevated privileges. Once I’d done this it was soon obvious which application was chewing away at the disk, and a quick exorcism resulted. It’s times like this when a highly focused tool can help you get to the answer quickly.
Another useful present from Microsoft (it must be Christmas) is a tool that lets you blow ISO images onto any bootable medium such as a USB stick. This permits you to take an ISO image of, for example, Windows 7 and write it to a suitably large USB stick, which you’ll need to do if you want to install it onto a laptop or netbook that has no local CD/DVD drive.
Jon writes: "it was soon obvious which application was chewing away at the disk". Not being Jon it isn't abvious to me at all: the utility doesn't show which process or app is initiating the read/write so how can you tell?
By RBHannam on 9 Feb 2010
Re: RBHannam / DiskMon
I suspect he's confusing DiskMon and FileMon. FileMon shows you the read/writes as well as the application doing the talking with a sophisticated filtering system to narrow down activity.
By eos367 on 9 Feb 2010
I'm with RBHannam, I tried out Diskmon as well, and the only columns of data we have to work with is #, Time, Duration, Disk, Request, Sector, and Length. None of this information really leads to a solution.
By mcdonamw on 9 Feb 2010
Unless they updated the "Windows 7 USB/DVD Download Tool", it only works with Windows 7 ISOs. You can't use any random ISO.
By StealthyC on 9 Feb 2010
You gotta be kidding me
Diskmon has not been updated since November 2006 and is useless. Most of the apps are years old and have *long* been replaced by far better tools.
Bloody clownshoes investigative reporting.
By Cyclic on 10 Feb 2010
Diskmon has LONG been sent to sleep in favour of ProcMon
Process Monitor has been the replacement for Diskmon for ages now (and it is way more powerful and captures file access, registry access, network stuff etc. etc.)
Where did they dig out this article, 1996?
By ripclaw666 on 10 Feb 2010
Tools are Tools
yes they are old and yes they are limited. But I have them none the less and have used them many times here and there.
No different in the special wrench I have in my tool chest, when I need it, its handy to have
By ridn4free on 10 Feb 2010
I would use go for ProcessExplorer. If the application that's chewing away happen to be hidden within generic host process (svchost.exe), you can kill its services one by one until – in accordance to your computer knowledge - either you crash your computer or solve your problem.
By stasi47 on 10 Feb 2010
Links would be nice.
Searching these applications reveals that they have been superseded by more sophisticated software:
By urbanaught on 11 Feb 2010
PMLogAnalyzer Provides many new Functions for ProcMon
see www.winok-msixray.com/procmon.html for full details
a) Automates Capture (can be run directly from PMLogAnalyzer's copy of the PCs StartMenu)
b) Extended Reports Listing Files/Registry Entries read/written by Application
c) CrossReference Report Files/Registry Entries - Event Log Records
Plus many reports on MSIs
a) Listing Files/registry against ProcMon and PC entries
b) Scanning all Installed MSIs to see which MSIs install a particular File/registry entry
By PMLogAnalyzer on 4 Mar 2010
- The importance of load balancing
- Windows Phone App Studio: an easy way to create your first Windows Phone 8 app
- The end of Windows XP support: what it really means for businesses
- Don't rely on Chrome's password vault
- Using Buffer to manage your social media
- Microsoft needs its own Steve Jobs
- Forget credit cards: hackers want your Facebook account
- Can't get fast enough broadband? Here's what to do
- Leap Motion and the battle against UI stagnation
- How to build a really bad network
- How to remove SkyDrive from the Windows 8.1 Explorer
- Switching from iPhone to Android? Switch off iMessage
- Why is Google pumping more money into Firefox?
- Sky Broadband Shield review
- Samsung Galaxy S4: how to double your battery life
- Motorola Moto G review: first look
- IBM Watson meets Willy Wonka
- Google’s support policies shove users towards Chrome
- Lenovo Yoga Tablet review: first look
- Michael Dell's reasons to be cheerful
- Microsoft patches TIFF flaw in next Patch Tuesday
- Microsoft expands encryption over NSA spying "threat"
- UK Cloud Awards 2014: nominations now open
- BlackBerry says "we're still alive" as sales hit new low
- Has HP turned a corner?
- Adobe admits it's struggling to notify hack victims
- Microsoft rolls out Office 365 admin app for mobile
- Office 2013 Service Pack 1 to arrive early next year
- Backup the best defence against CryptoLocker
- UK SMBs can now buy ads on Twitter