The hidden treasures of Sysinternals
Posted on 9 Feb 2010 at 15:02
Jon Honeyball has a rummage on Sysinternals and discovers a few very useful applications
Every few months I make a pilgrimage to the Sysinternals website to look at its superb collection of tools. It’s now hosted inside the Microsoft Technet monster since its authors joined Microsoft as employees some while ago, but the value of their site is still as strong as ever and the tools are now guaranteed not to be ignored or left to rust.
So what’s new there? Well, there’s a tool called Disk2vhd, which creates VHDs (virtual hard disks, Microsoft’s VM disk format) from physical drives. You can then use these within Virtual PC or the server-side Hyper-V engine. What’s important about Disk2vhd is that you can even run it on a disk that’s actually in use at the time, which is like pulling yourself up by your own boot laces.
It can do this because it uses the Windows Volume Snapshot technology to take an instant snapshot of the disk on which to do its work, even while the disk continues to be written and read by other programs.
You can even run Disk2vhd on a disk that’s actually in use at the time, which is like pulling yourself up by your own boot laces
A couple of points to note here. Obviously, when you take a virtualised snapshot for the first time within your chosen VM environment, it won’t be running on the original native hardware. Fortunately, Windows does a plug-and-play hunt for new drivers, and should have no problem swapping out the original hardware-specific drivers for the correct ones for the VM environment.
A second gotcha is worth quoting from the site: “Note: do not attach to VHDs on the same system on which you created them if you plan on booting from them. If you do so, Windows will assign the VHD a new disk signature to avoid a collision with the signature of the VHD’s source disk. Windows references disks in the boot configuration database (BCD) by disk signature, so when that happens Windows booted in a VM will fail to locate the boot disk.”
Which should be a salutary reminder that Windows will happily rewrite these signatures for you, but might screw things up in the process.
There’s another Sysinternals tool I’ve used recently called DiskMon, which captures information about every read and write to your hard disk and shows it in a fast-moving list. The reason I needed this tool was that a Windows Vista machine had suddenly started thrashing its disk for no apparent reason.
Task Manager didn’t really show me what was happening and I’d already turned off the Windows Search service, which is the built-in disk indexer engine within Vista. DiskMon wouldn’t run on Vista at first, just returning an error – it turned out I needed to run it as an Administrator to give it elevated privileges. Once I’d done this it was soon obvious which application was chewing away at the disk, and a quick exorcism resulted. It’s times like this when a highly focused tool can help you get to the answer quickly.
Another useful present from Microsoft (it must be Christmas) is a tool that lets you blow ISO images onto any bootable medium such as a USB stick. This permits you to take an ISO image of, for example, Windows 7 and write it to a suitably large USB stick, which you’ll need to do if you want to install it onto a laptop or netbook that has no local CD/DVD drive.
Jon writes: "it was soon obvious which application was chewing away at the disk". Not being Jon it isn't abvious to me at all: the utility doesn't show which process or app is initiating the read/write so how can you tell?
By RBHannam on 9 Feb 2010
Re: RBHannam / DiskMon
I suspect he's confusing DiskMon and FileMon. FileMon shows you the read/writes as well as the application doing the talking with a sophisticated filtering system to narrow down activity.
By eos367 on 9 Feb 2010
I'm with RBHannam, I tried out Diskmon as well, and the only columns of data we have to work with is #, Time, Duration, Disk, Request, Sector, and Length. None of this information really leads to a solution.
By mcdonamw on 9 Feb 2010
Unless they updated the "Windows 7 USB/DVD Download Tool", it only works with Windows 7 ISOs. You can't use any random ISO.
By StealthyC on 9 Feb 2010
You gotta be kidding me
Diskmon has not been updated since November 2006 and is useless. Most of the apps are years old and have *long* been replaced by far better tools.
Bloody clownshoes investigative reporting.
By Cyclic on 10 Feb 2010
Diskmon has LONG been sent to sleep in favour of ProcMon
Process Monitor has been the replacement for Diskmon for ages now (and it is way more powerful and captures file access, registry access, network stuff etc. etc.)
Where did they dig out this article, 1996?
By ripclaw666 on 10 Feb 2010
Tools are Tools
yes they are old and yes they are limited. But I have them none the less and have used them many times here and there.
No different in the special wrench I have in my tool chest, when I need it, its handy to have
By ridn4free on 10 Feb 2010
I would use go for ProcessExplorer. If the application that's chewing away happen to be hidden within generic host process (svchost.exe), you can kill its services one by one until – in accordance to your computer knowledge - either you crash your computer or solve your problem.
By stasi47 on 10 Feb 2010
Links would be nice.
Searching these applications reveals that they have been superseded by more sophisticated software:
By urbanaught on 11 Feb 2010
PMLogAnalyzer Provides many new Functions for ProcMon
see www.winok-msixray.com/procmon.html for full details
a) Automates Capture (can be run directly from PMLogAnalyzer's copy of the PCs StartMenu)
b) Extended Reports Listing Files/Registry Entries read/written by Application
c) CrossReference Report Files/Registry Entries - Event Log Records
Plus many reports on MSIs
a) Listing Files/registry against ProcMon and PC entries
b) Scanning all Installed MSIs to see which MSIs install a particular File/registry entry
By PMLogAnalyzer on 4 Mar 2010
- Windows Server 2012 R2: how the Datacenter edition could change SMBs
- Invoices and VAT: how to set up your documents correctly
- Nexus 5 vs Samsung Galaxy S4 Active: the best phone for avoiding screen burn
- How much is a social user worth?
- The key to choosing a secure password
- Thunderbolt Bridge: a fast Mac migration tool
- Should you advertise on Twitter?
- How to track a lost smartphone
- Self-publishing success: the best way to sell your book
- 1.6TB SSD: why would you need one?
- Move over Delia: IBM Watson is cooking tonight
- Eric Schmidt on the double-edged smartphone: friend and foe
- Getty joins the race to the bottom
- Hour of Code: five steps to learn how to code
- Sony Xperia Z2 Tablet review: first look
- Sony Xperia Z2 review: first look
- Samsung Galaxy Gear 2 review: first look
- Nokia XL review: first look
- Samsung Galaxy S5 review: first look
- Nokia X review: first look
- IDC: iPad intertia opens door for Windows tablets
- Office 365 goes social with "Oslo" news feed
- Windows XP: upgrading 30,000 PCs in 30 days
- LibreOffice: ignore Microsoft's "nonsense" on government's open source plans
- Intel Xeon E7 v2 servers support 6TB of RAM
- Microsoft promises video calls between Skype and Lync
- Office for iPad due before July
- Windows 7 on business PCs gets an extension
- Windows apps land on Chromebooks with VMware
- Office 365 gets two-factor authentication