The hidden treasures of Sysinternals
Posted on 9 Feb 2010 at 15:02
Jon Honeyball has a rummage on Sysinternals and discovers a few very useful applications
Every few months I make a pilgrimage to the Sysinternals website to look at its superb collection of tools. It’s now hosted inside the Microsoft Technet monster since its authors joined Microsoft as employees some while ago, but the value of their site is still as strong as ever and the tools are now guaranteed not to be ignored or left to rust.
So what’s new there? Well, there’s a tool called Disk2vhd, which creates VHDs (virtual hard disks, Microsoft’s VM disk format) from physical drives. You can then use these within Virtual PC or the server-side Hyper-V engine. What’s important about Disk2vhd is that you can even run it on a disk that’s actually in use at the time, which is like pulling yourself up by your own boot laces.
It can do this because it uses the Windows Volume Snapshot technology to take an instant snapshot of the disk on which to do its work, even while the disk continues to be written and read by other programs.
You can even run Disk2vhd on a disk that’s actually in use at the time, which is like pulling yourself up by your own boot laces
A couple of points to note here. Obviously, when you take a virtualised snapshot for the first time within your chosen VM environment, it won’t be running on the original native hardware. Fortunately, Windows does a plug-and-play hunt for new drivers, and should have no problem swapping out the original hardware-specific drivers for the correct ones for the VM environment.
A second gotcha is worth quoting from the site: “Note: do not attach to VHDs on the same system on which you created them if you plan on booting from them. If you do so, Windows will assign the VHD a new disk signature to avoid a collision with the signature of the VHD’s source disk. Windows references disks in the boot configuration database (BCD) by disk signature, so when that happens Windows booted in a VM will fail to locate the boot disk.”
Which should be a salutary reminder that Windows will happily rewrite these signatures for you, but might screw things up in the process.
There’s another Sysinternals tool I’ve used recently called DiskMon, which captures information about every read and write to your hard disk and shows it in a fast-moving list. The reason I needed this tool was that a Windows Vista machine had suddenly started thrashing its disk for no apparent reason.
Task Manager didn’t really show me what was happening and I’d already turned off the Windows Search service, which is the built-in disk indexer engine within Vista. DiskMon wouldn’t run on Vista at first, just returning an error – it turned out I needed to run it as an Administrator to give it elevated privileges. Once I’d done this it was soon obvious which application was chewing away at the disk, and a quick exorcism resulted. It’s times like this when a highly focused tool can help you get to the answer quickly.
Another useful present from Microsoft (it must be Christmas) is a tool that lets you blow ISO images onto any bootable medium such as a USB stick. This permits you to take an ISO image of, for example, Windows 7 and write it to a suitably large USB stick, which you’ll need to do if you want to install it onto a laptop or netbook that has no local CD/DVD drive.
Jon writes: "it was soon obvious which application was chewing away at the disk". Not being Jon it isn't abvious to me at all: the utility doesn't show which process or app is initiating the read/write so how can you tell?
By RBHannam on 9 Feb 2010
Re: RBHannam / DiskMon
I suspect he's confusing DiskMon and FileMon. FileMon shows you the read/writes as well as the application doing the talking with a sophisticated filtering system to narrow down activity.
By eos367 on 9 Feb 2010
I'm with RBHannam, I tried out Diskmon as well, and the only columns of data we have to work with is #, Time, Duration, Disk, Request, Sector, and Length. None of this information really leads to a solution.
By mcdonamw on 9 Feb 2010
Unless they updated the "Windows 7 USB/DVD Download Tool", it only works with Windows 7 ISOs. You can't use any random ISO.
By StealthyC on 9 Feb 2010
You gotta be kidding me
Diskmon has not been updated since November 2006 and is useless. Most of the apps are years old and have *long* been replaced by far better tools.
Bloody clownshoes investigative reporting.
By Cyclic on 10 Feb 2010
Diskmon has LONG been sent to sleep in favour of ProcMon
Process Monitor has been the replacement for Diskmon for ages now (and it is way more powerful and captures file access, registry access, network stuff etc. etc.)
Where did they dig out this article, 1996?
By ripclaw666 on 10 Feb 2010
Tools are Tools
yes they are old and yes they are limited. But I have them none the less and have used them many times here and there.
No different in the special wrench I have in my tool chest, when I need it, its handy to have
By ridn4free on 10 Feb 2010
I would use go for ProcessExplorer. If the application that's chewing away happen to be hidden within generic host process (svchost.exe), you can kill its services one by one until – in accordance to your computer knowledge - either you crash your computer or solve your problem.
By stasi47 on 10 Feb 2010
Links would be nice.
Searching these applications reveals that they have been superseded by more sophisticated software:
By urbanaught on 11 Feb 2010
PMLogAnalyzer Provides many new Functions for ProcMon
see www.winok-msixray.com/procmon.html for full details
a) Automates Capture (can be run directly from PMLogAnalyzer's copy of the PCs StartMenu)
b) Extended Reports Listing Files/Registry Entries read/written by Application
c) CrossReference Report Files/Registry Entries - Event Log Records
Plus many reports on MSIs
a) Listing Files/registry against ProcMon and PC entries
b) Scanning all Installed MSIs to see which MSIs install a particular File/registry entry
By PMLogAnalyzer on 4 Mar 2010
- The ICO's shame-faced u-turn on cookies
- Start8 and ModernMix: making Windows 8 work on a desktop
- How to boost your mobile reception
- How to fix Facebook: Social Fixer
- Taking the stress out of WordPress updates
- Where to download free web fonts
- Turn your tablet into a Sky+ remote control
- How to measure the success of a new IT system
- Three years on: the state of the tablet market
- Windows 8: what works and what doesn't
- Is it worth upgrading a media centre to Windows 8?
- Flickr redesign: is it enough to tempt photographers back?
- Hands on with the new Google Maps
- Nokia Lumia 925 review: first look
- Why I won't subscribe to Creative Cloud
- GoPro camera strapped to a remote-control helicopter: the ultimate boy's toy
- Acer Iconia A1 review: first look
- Acer Aspire P3 review: first look
- Acer Aspire R7 review: first look
- How we produce the PC Pro podcast
- BBC admits £100 million IT project was a "waste"
- IBM's Watson answers customers' questions
- New CEO reorganises Intel to target "new devices"
- Dell profits slide 79% amid buyout talks
- Forget cloud subscriptions: users prefer standard licences
- McAfee: cloud storage could help spread viruses
- Analysts question Windows 8 as UK PC shipments slump
- Google pools storage across Gmail and Drive
- Ofcom accused of killing off VoIP competition
- ShoreTel dock turns iPhones and iPads into desk phones