How to Use Sysinternals Suite for Advanced Diagnostics on Windows Server 2025

The Sysinternals Suite is a collection of over 70 advanced diagnostic and administrative utilities for Windows, originally developed by Mark Russinovich and Bryce Cogswell and now maintained by Microsoft. On Windows Server 2025, these tools fill critical gaps left by built-in management interfaces — providing unparalleled visibility into running processes, file system and registry activity, network connections, startup programs, security permissions, and more. Unlike many third-party tools, Sysinternals utilities require no installation, carry Microsoft's Authenticode signatures (which you should verify before trusting a copy), and can even be run directly from a network share or the live internet path \\live.sysinternals.com\tools. This guide covers how to access the suite, and provides practical usage guidance for the most valuable tools in a Windows Server 2025 environment.

Prerequisites

  • Windows Server 2025 with Administrator or appropriate privileges
  • Internet access for live.sysinternals.com, or local copy of Sysinternals Suite downloaded from Microsoft
  • WebClient service running (required for live.sysinternals.com UNC access)
  • Basic familiarity with Windows process and service management concepts
  • SMB reachability (TCP 445) to the ADMIN$ share plus local administrator rights on remote servers for remote diagnostics with PsExec (PsExec does not use WinRM or RDP)

Step 1: Download and Access Sysinternals

Sysinternals can be accessed in three ways on Windows Server 2025: downloading the complete suite as a ZIP from Microsoft, accessing individual tools directly over the internet via UNC path, or running from a local network share — the latter being ideal for air-gapped or bandwidth-constrained environments.

# Method 1: Download the full Sysinternals Suite via PowerShell
$url = "https://download.sysinternals.com/files/SysinternalsSuite.zip"
$dest = "C:\Tools\SysinternalsSuite.zip"
New-Item -Path "C:\Tools" -ItemType Directory -Force | Out-Null
# -UseBasicParsing avoids the Internet Explorer engine dependency on Windows PowerShell 5.1
Invoke-WebRequest -Uri $url -OutFile $dest -UseBasicParsing
Expand-Archive -Path $dest -DestinationPath "C:\Tools\Sysinternals" -Force
Write-Host "Sysinternals extracted to C:\Tools\Sysinternals"

# Method 2: Run directly from Microsoft's live UNC path
# The WebClient (WebDAV) service is not installed on Windows Server by default:
# add the WebDAV Redirector feature first (a reboot is required), then start the service.
Install-WindowsFeature -Name WebDAV-Redirector
Start-Service -Name WebClient
Set-Service -Name WebClient -StartupType Automatic

# Access tools live (no download required)
# \\live.sysinternals.com\tools\procmon.exe
# \\live.sysinternals.com\tools\procexp.exe
# Note: this fetches and executes code from the internet at run time and needs outbound
# WebDAV access from the server; on production systems prefer Method 3.

# Method 3: Host on an internal file share for air-gapped environments
# Copy extracted tools to a share and map to all servers via GPO startup script
$sharePath = "\\fileserver\Sysinternals"
# Copy-Item -Path "C:\Tools\Sysinternals\*" -Destination $sharePath -Recurse

# Pre-accept the EULA via the registry. Without this each tool shows its EULA dialog on
# first run for each user; command-line runs can pass -accepteula instead. The keys live
# under HKCU, so this applies to the current user only (deploy it per user via GPO if needed).
# The per-tool key names are the tools' product names, not their executable names.
$toolNames = @("Process Monitor","Process Explorer","AutoRuns","PsExec","TCPView","sigcheck","AccessChk")
foreach ($tool in $toolNames) {
    $regPath = "HKCU:\Software\Sysinternals\$tool"
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    Set-ItemProperty -Path $regPath -Name "EulaAccepted" -Value 1 -Type DWord
}
# Current tool releases also honor a suite-wide value directly under the parent key
Set-ItemProperty -Path "HKCU:\Software\Sysinternals" -Name "EulaAccepted" -Value 1 -Type DWord
Write-Host "Sysinternals EULA accepted for common tools."
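Before the tools are copied to a fleet share (Method 3) it is worth checking that every binary still carries a valid Microsoft Authenticode signature, since the share becomes a trusted code source for every server that maps it. The following script is an added example and not part of the original article: the source directory and share name are assumptions matching the paths used above, and the check relies on the built-in Get-AuthenticodeSignature cmdlet.

```powershell
# Added example (not from the original article): verify every binary in the
# extracted Sysinternals folder is validly signed by Microsoft before it is
# published to the fleet share. $SourceDir and $SharePath are assumptions.

$SourceDir = "C:\Tools\Sysinternals"        # assumed: where Method 1 extracted the suite
$SharePath = "\\fileserver\Sysinternals"    # assumed: internal share from Method 3

function Test-SysinternalsBinary {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Status 'Valid' means the file hash matches the signature and the chain is trusted.
    # The subject check guards against a valid signature from some other publisher.
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    [pscustomobject]@{
        File    = Split-Path -Path $Path -Leaf
        Status  = $sig.Status
        Signer  = $signer
        Trusted = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
    }
}

function Publish-SysinternalsShare {
    param(
        [string]$Source = $SourceDir,
        [string]$Destination = $SharePath
    )
    $results = Get-ChildItem -Path $Source -Include *.exe,*.dll,*.sys -Recurse |
        ForEach-Object { Test-SysinternalsBinary -Path $_.FullName }

    $bad = @($results | Where-Object { -not $_.Trusted })
    if ($bad.Count -gt 0) {
        $bad | Format-Table -AutoSize | Out-String | Write-Warning
        throw "Refusing to publish: $($bad.Count) file(s) failed signature verification."
    }

    # Only copy once every file passed; re-run after each suite update.
    New-Item -Path $Destination -ItemType Directory -Force | Out-Null
    Copy-Item -Path "$Source\*" -Destination $Destination -Recurse -Force
    Write-Host "Published $($results.Count) verified binaries to $Destination"
    return $results
}

# Usage (run from the workstation that downloaded the suite):
# Publish-SysinternalsShare
```

Run it on the machine that downloaded the ZIP, before the GPO startup script points servers at the share. The same function can be scheduled to re-verify the share's contents periodically; a file that stops returning Trusted is a tampering signal, not a tool update.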

Step 2: Process Explorer — Advanced Process Inspection

Process Explorer is a vastly more capable replacement for Windows Task Manager. It shows the full process tree with parent-child relationships, DLL and handle details, CPU/memory history graphs per process, process security tokens, and can verify whether processes are signed by trusted publishers — making it invaluable for spotting malicious or misbehaving processes on a server.

# Launch Process Explorer (GUI tool — requires desktop session or RDP)
Start-Process "C:\Tools\Sysinternals\procexp64.exe" -ArgumentList "/accepteula"

# Key Process Explorer features for server diagnostics:
# - View > Show Lower Pane > DLLs: see all loaded DLLs for selected process
# - View > Show Lower Pane > Handles: see all open file/registry/object handles
# - Options > VirusTotal.com > Check VirusTotal.com: submit image hashes (not the files) to VirusTotal
# - Options > Verify Image Signatures: populate the Verified Signer column for every process
# - Process > Properties > Threads tab: see all threads with call stacks
# - Color coding: Purple = packed image, Red = exiting, Green = new process
# - Right-click > Suspend: freeze a misbehaving process without killing it
# - Right-click > Properties > Performance Graph: CPU/memory/I-O history

# Process Explorer has no headless export mode. For a scripted process list use
# PsList from the same suite (-t shows the process tree, -x adds thread and memory detail)
# C:\Tools\Sysinternals\pslist64.exe -accepteula -t

# Find what process has a file locked (handles view)
# procexp64.exe /accepteula
# Use Find > Find Handle or DLL (Ctrl+F): enter the filename to find who holds the lock
# This solves "file is in use" errors that Task Manager cannot diagnose
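When the "file is in use" question comes up on a Server Core box or inside a script, the scripted counterpart of Find Handle is handle64.exe from the same suite. The block below is an added example, not code from the original article: it wraps handle's search mode and parses its output lines into objects. The tool path is an assumption, and the sample lines are constructed in the shape handle prints so the parser can be exercised without the tool.

```powershell
# Added example (not from the original article): find which process holds a
# file open using handle64.exe and parse its search-mode output.
# Search-mode lines look like:  <process>  pid: <n>  type: <type>  <handle>: <path>

function ConvertFrom-HandleOutput {
    param([Parameter(ValueFromPipeline)][string[]]$Lines)
    process {
        foreach ($line in $Lines) {
            if ($line -match '^(?<proc>\S+)\s+pid:\s*(?<pid>\d+)\s+type:\s*(?<type>\w+)\s+(?<handle>[0-9A-Fa-f]+):\s*(?<path>.+)$') {
                [pscustomobject]@{
                    Process = $Matches.proc
                    PID     = [int]$Matches.pid
                    Type    = $Matches.type
                    Handle  = $Matches.handle
                    Path    = $Matches.path.Trim()
                }
            }
            # Lines such as "No matching handles found." or the banner are ignored.
        }
    }
}

function Find-FileLocker {
    param(
        [Parameter(Mandatory)][string]$PathFragment,
        [string]$HandleExe = "C:\Tools\Sysinternals\handle64.exe"   # assumed location
    )
    # handle writes its banner and errors to stderr; only the match lines are parsed.
    & $HandleExe -accepteula -nobanner $PathFragment 2>$null | ConvertFrom-HandleOutput
}

# Constructed sample output (not a real capture) to show the parsed shape:
$sample = @(
    'w3wp.exe           pid: 4120   type: File          1A8: C:\inetpub\wwwroot\App_Data\app.log'
    'notepad.exe        pid: 2244   type: File           3C: C:\inetpub\wwwroot\web.config'
    'No matching handles found.'
)
$sample | ConvertFrom-HandleOutput | Format-Table -AutoSize

# Live use on a server (requires handle64.exe):
# Find-FileLocker -PathFragment 'web.config' | ForEach-Object {
#     Get-Process -Id $_.PID | Select-Object Name, Id, Path, StartTime
# }
```

The search is a substring match on the object name, so a bare file name will also match that name under other directories; inspect the Path column before acting on a result, and prefer stopping the owning service over killing the process.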

Step 3: Process Monitor — Real-Time File, Registry, and Network Tracing

Process Monitor (ProcMon) is the single most powerful diagnostic tool in the Sysinternals suite for Windows Server 2025. It captures every file system operation, registry read/write, network event, and process/thread activity in real time with full call stack information — making it indispensable for diagnosing application failures, permission errors, missing files, and configuration issues.

# Launch Process Monitor capturing to a backing file
New-Item -Path "C:\Logs" -ItemType Directory -Force | Out-Null
Start-Process "C:\Tools\Sysinternals\Procmon64.exe" -ArgumentList "/AcceptEula /Minimized /BackingFile C:\Logs\procmon-capture.pml"

# Process Monitor command-line options:
# /AcceptEula       -- accept license agreement silently
# /Minimized        -- start minimized (useful for server captures)
# /BackingFile      -- write events to a file instead of virtual memory (prevents memory exhaustion)
# /Quiet            -- do not prompt to confirm filter settings (there is no true no-GUI mode)
# /WaitForIdle      -- second invocation that returns once the running instance is ready to capture
# /Terminate        -- second invocation that stops the running instance and flushes its log file
# /OpenLog <pml> /SaveAs <csv|xml|pml> -- convert a saved log without opening the GUI

# Capture for 60 seconds then stop
Start-Process "C:\Tools\Sysinternals\Procmon64.exe" -ArgumentList "/AcceptEula /Quiet /Minimized /BackingFile C:\Logs\procmon-capture.pml"
Start-Process "C:\Tools\Sysinternals\Procmon64.exe" -ArgumentList "/WaitForIdle" -Wait
Start-Sleep -Seconds 60
# Do not use Stop-Process -Force here: that discards buffered events. /Terminate flushes the backing file.
Start-Process "C:\Tools\Sysinternals\Procmon64.exe" -ArgumentList "/Terminate" -Wait

# Useful ProcMon filter patterns for server troubleshooting:
# Filter: Path contains C:\inetpub AND Result is ACCESS DENIED
#   → Find IIS permission problems
# Filter: Process Name is w3wp.exe AND Operation is RegQueryValue
#   → Trace registry reads by IIS worker processes
# Filter: Result is NAME NOT FOUND AND Path ends with .dll
#   → Find missing DLL dependencies for failing applications (the same view exposes DLL search-order hijack candidates)
# Filter: Operation is TCP Reconnect
#   → Connection attempts being retried; ProcMon's network events come from ETW and report no socket error,
#     so retried connects are the sign of an outbound connection from a service that is not completing
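Putting the capture steps together, the following is an added example (not code from the original article) of an unattended capture that stops cleanly, converts the PML to CSV with /OpenLog and /SaveAs, and summarises the ACCESS DENIED results by process, operation and path. The ProcMon and log paths are assumptions, and the CSV at the end is a constructed sample in ProcMon's default export column layout so the analysis function can be run without a live capture.

```powershell
# Added example (not from the original article): unattended Process Monitor
# capture plus a summary of ACCESS DENIED results from the exported CSV.

$Procmon = "C:\Tools\Sysinternals\Procmon64.exe"   # assumed location

function Invoke-ProcmonCapture {
    param(
        [int]$Seconds = 60,
        [string]$Pml = "C:\Logs\procmon-capture.pml",   # assumed paths
        [string]$Csv = "C:\Logs\procmon-capture.csv"
    )
    New-Item -Path (Split-Path -Path $Pml) -ItemType Directory -Force | Out-Null
    # /Quiet suppresses the filter-confirmation prompt; /Minimized keeps the window out of the way.
    Start-Process $Procmon -ArgumentList "/AcceptEula /Quiet /Minimized /BackingFile `"$Pml`""
    # /WaitForIdle returns once the capturing instance is ready.
    Start-Process $Procmon -ArgumentList "/WaitForIdle" -Wait
    Start-Sleep -Seconds $Seconds
    # /Terminate stops the capturing instance and flushes the backing file
    # (Stop-Process -Force would lose buffered events).
    Start-Process $Procmon -ArgumentList "/Terminate" -Wait
    # Convert the PML to CSV without the GUI.
    Start-Process $Procmon -ArgumentList "/AcceptEula /OpenLog `"$Pml`" /SaveAs `"$Csv`"" -Wait
    return $Csv
}

function Get-ProcmonAccessDenied {
    param([Parameter(Mandatory)][string]$Csv)
    # Default export columns: "Time of Day","Process Name","PID","Operation","Path","Result","Detail"
    Import-Csv -Path $Csv |
        Where-Object { $_.Result -eq 'ACCESS DENIED' } |
        Group-Object 'Process Name', 'Operation', 'Path' |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Process   = $first.'Process Name'
                PID       = $first.PID
                Operation = $first.Operation
                Path      = $first.Path
                Count     = $_.Count
            }
        } | Sort-Object Count -Descending
}

# Constructed sample export (not a real capture) in ProcMon's CSV column layout:
$sampleCsv = Join-Path $env:TEMP "procmon-sample.csv"
@'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","w3wp.exe","4120","CreateFile","C:\inetpub\wwwroot\App_Data\app.log","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.1234570 AM","w3wp.exe","4120","CreateFile","C:\inetpub\wwwroot\App_Data\app.log","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.2000000 AM","w3wp.exe","4120","RegOpenKey","HKLM\SOFTWARE\Contoso\App","SUCCESS","Desired Access: Read"
"10:01:03.0000000 AM","svchost.exe","1200","CreateFile","C:\Windows\Temp\x.tmp","NAME NOT FOUND","Desired Access: Read"
'@ | Set-Content -Path $sampleCsv -Encoding UTF8

Get-ProcmonAccessDenied -Csv $sampleCsv | Format-Table -AutoSize

# Live use on the server:
# Get-ProcmonAccessDenied -Csv (Invoke-ProcmonCapture -Seconds 60)
```

The Detail column carries the access mask that was refused ("Desired Access: Generic Write" in the sample), which is what tells you whether the fix is a read ACE or a write ACE; keep it in the report when the summary is handed to the application owner.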

Step 4: Autoruns — Audit All Startup Locations

Autoruns is the most comprehensive startup auditor available for Windows. It checks over 40 different startup locations including Run keys, scheduled tasks, services, drivers, browser extensions, Winlogon notifications, AppInit DLLs, and more. On Windows Server 2025 it is essential for identifying persistence mechanisms, unnecessary startup items, and unauthorized changes to boot configuration.

# Launch Autoruns GUI
Start-Process "C:\Tools\Sysinternals\Autoruns64.exe" -ArgumentList "/accepteula"

# Autoruns command-line version (autorunsc.exe) — output to CSV for scripted auditing.
# autorunsc has no output-file switch: it writes UTF-16 CSV to stdout, so redirect it.
# Running it through cmd.exe keeps that encoding intact (PowerShell would re-decode the stream).
# -h adds file hashes, -s verifies signatures, -nobanner drops the header; add -m to hide Microsoft-signed entries.
New-Item -Path "C:\Audit" -ItemType Directory -Force | Out-Null

# Export all autostart entries to CSV
cmd /c "C:\Tools\Sysinternals\autorunsc64.exe -accepteula -nobanner -a * -c -h -s > C:\Audit\autoruns-$(hostname).csv"

# Export only autostart services and non-disabled drivers (useful for service audit)
cmd /c "C:\Tools\Sysinternals\autorunsc64.exe -accepteula -nobanner -a s -c -h -s > C:\Audit\services-$(hostname).csv"

# Export and check hashes against VirusTotal (-v queries VirusTotal, -vt accepts its terms; requires internet)
cmd /c "C:\Tools\Sysinternals\autorunsc64.exe -accepteula -nobanner -a * -c -h -s -v -vt > C:\Audit\autoruns-vt-$(hostname).csv"

# Compare autoruns output between two dates to detect new or changed entries
# (autorunsc writes UTF-16, hence -Encoding Unicode; comparing "Image Path" alone misses a
#  binary replaced in place, so include the SHA-256 column that -h adds)
$baseline = Import-Csv "C:\Audit\autoruns-baseline.csv" -Encoding Unicode
$current  = Import-Csv "C:\Audit\autoruns-current.csv"  -Encoding Unicode
Compare-Object $baseline $current -Property "Entry Location", "Entry", "Image Path", "SHA-256" |
    Where-Object { $_.SideIndicator -eq "=>" } |
    Select-Object "Entry Location", "Entry", "Image Path", "SHA-256" |
    Format-Table -AutoSize
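Compare-Object answers "what is new", but a baseline diff for persistence hunting also needs "what was removed" and "what changed under the same name". The script below is an added example, not code from the original article: it keys each autostart on Entry Location, Entry and Launch String, and flags a changed hash, image path or enabled state. File paths are assumptions, and the two CSV fragments are constructed samples that use autorunsc's column names with only the columns the comparison reads.

```powershell
# Added example (not from the original article): three-way diff of two
# autorunsc -c -h exports (Added / Changed / Removed), keyed on the autostart
# identity rather than the image path alone.

function Get-AutorunsKey {
    param($Row)
    # Entry Location + Entry identify the autostart; Launch String is what it runs.
    '{0}|{1}|{2}' -f $Row.'Entry Location', $Row.Entry, $Row.'Launch String'
}

function Import-AutorunsCsv {
    param([Parameter(Mandatory)][string]$Path)
    $table = @{}
    # autorunsc writes UTF-16; be explicit rather than rely on BOM detection.
    foreach ($row in (Import-Csv -Path $Path -Encoding Unicode)) {
        $table[(Get-AutorunsKey $row)] = $row
    }
    return $table
}

function Compare-Autoruns {
    param(
        [Parameter(Mandatory)][string]$BaselineCsv,
        [Parameter(Mandatory)][string]$CurrentCsv
    )
    $base = Import-AutorunsCsv -Path $BaselineCsv
    $cur  = Import-AutorunsCsv -Path $CurrentCsv
    $report = @()
    foreach ($k in $cur.Keys) {
        $c = $cur[$k]
        if (-not $base.ContainsKey($k)) {
            $report += [pscustomobject]@{ Change = 'Added';   Entry = $k; Image = $c.'Image Path'; SHA256 = $c.'SHA-256' }
        } else {
            $b = $base[$k]
            # Same autostart, different binary (hash), location or enabled state.
            if ($b.'SHA-256' -ne $c.'SHA-256' -or $b.'Image Path' -ne $c.'Image Path' -or $b.Enabled -ne $c.Enabled) {
                $report += [pscustomobject]@{ Change = 'Changed'; Entry = $k; Image = $c.'Image Path'; SHA256 = $c.'SHA-256' }
            }
        }
    }
    foreach ($k in $base.Keys) {
        if (-not $cur.ContainsKey($k)) {
            $b = $base[$k]
            $report += [pscustomobject]@{ Change = 'Removed'; Entry = $k; Image = $b.'Image Path'; SHA256 = $b.'SHA-256' }
        }
    }
    return ($report | Sort-Object Change, Entry)
}

# Constructed samples (not real exports; only the columns the comparison uses):
$hdr = '"Entry Location","Entry","Enabled","Image Path","Launch String","SHA-256"'
$baselineRows = @(
    '"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SecurityHealth","enabled","c:\windows\system32\securityhealthsystray.exe","%windir%\system32\SecurityHealthSystray.exe","AAAA1111"'
    '"HKLM\System\CurrentControlSet\Services","ContosoAgent","enabled","c:\program files\contoso\agent.exe","C:\Program Files\Contoso\agent.exe","BBBB2222"'
)
$currentRows = @(
    $baselineRows[0]
    '"HKLM\System\CurrentControlSet\Services","ContosoAgent","enabled","c:\program files\contoso\agent.exe","C:\Program Files\Contoso\agent.exe","CCCC3333"'
    '"Task Scheduler","\Updater","enabled","c:\users\public\updater.exe","C:\Users\Public\updater.exe","DDDD4444"'
)
$b = Join-Path $env:TEMP 'autoruns-baseline.csv'
$c = Join-Path $env:TEMP 'autoruns-current.csv'
@($hdr) + $baselineRows | Set-Content -Path $b -Encoding Unicode
@($hdr) + $currentRows  | Set-Content -Path $c -Encoding Unicode

Compare-Autoruns -BaselineCsv $b -CurrentCsv $c | Format-Table -AutoSize
```

With the samples above, ContosoAgent is reported as Changed (same service, different SHA-256) and the \Updater task as Added. Take the baseline immediately after the server is built and patched, and re-baseline after each approved change window, otherwise every diff is noise.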

Step 5: PsExec — Remote Command Execution

PsExec enables running processes on remote computers using Windows credentials without pre-installing client software: it authenticates to the target's ADMIN$ share over SMB (TCP 445), copies its service binary (PSEXESVC.exe) there, installs and starts it as a temporary service, relays the console, and removes the service afterwards. That footprint is logged on the target (a service installation event in the System log) and is a well-known lateral-movement pattern, so expect EDR alerts and keep its use auditable. On Windows Server 2025 it is useful for running diagnostics on servers that can only be reached over SMB (no RDP, no WinRM configured), or for running processes in the SYSTEM account context for testing purposes.

# Run a command on a remote server (PsExec prints its own banner and status lines to stderr)
C:\Tools\Sysinternals\PsExec64.exe \\SERVER01 -accepteula cmd /c "ipconfig /all"

# Run a remote PowerShell session through your console
# (-i would instead show the window in the remote desktop session; omit it for console use)
C:\Tools\Sysinternals\PsExec64.exe \\SERVER01 -accepteula powershell.exe

# Run a command locally as SYSTEM (-s; most powerful local account — use carefully)
C:\Tools\Sysinternals\PsExec64.exe -accepteula -s powershell.exe -Command "whoami"

# Copy a script to a remote server and execute it
# (-c copies only the program itself to the remote, so stage the script through the admin share instead)
Copy-Item -Path 'C:\Tools\diagnostic.ps1' -Destination '\\SERVER01\C$\Tools\diagnostic.ps1'
C:\Tools\Sysinternals\PsExec64.exe \\SERVER01 -accepteula powershell.exe -ExecutionPolicy Bypass -File C:\Tools\diagnostic.ps1

# Run on multiple servers (comma-separated list, or @file with one computer name per line;
# quote the list so PowerShell does not split it on the commas)
C:\Tools\Sysinternals\PsExec64.exe "\\SERVER01,SERVER02,SERVER03" -accepteula systeminfo 2>$null |
    Select-String -Pattern "^OS Name|^Total Physical Memory"
# C:\Tools\Sysinternals\PsExec64.exe "@C:\Tools\servers.txt" -accepteula systeminfo 2>$null

# Manage services remotely with PsService
C:\Tools\Sysinternals\PsService64.exe \\SERVER01 query Spooler
C:\Tools\Sysinternals\PsService64.exe \\SERVER01 start Spooler
C:\Tools\Sysinternals\PsService64.exe \\SERVER01 stop Spooler
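When a command is run across a list of servers, PsExec reports each target's outcome on stderr as "<program> exited on <host> with error code <n>." (or "Couldn't access <host>:" followed by the reason), which is the only per-host status you get. The block below is an added example, not code from the original article: it runs one command over an @file list and parses those status lines into objects. The PsExec path and server names are assumptions, and the sample status lines are constructed.

```powershell
# Added example (not from the original article): run one command across a
# server list with PsExec's @file syntax and turn its per-host stderr status
# lines into objects so failures are not lost in the scrollback.

$PsExec = "C:\Tools\Sysinternals\PsExec64.exe"   # assumed location

function ConvertFrom-PsExecStatus {
    param([Parameter(ValueFromPipeline)][string[]]$Lines)
    begin { $pending = $null }
    process {
        foreach ($line in $Lines) {
            if ($line -match '^(?<prog>.+?) exited on (?<host>\S+) with error code (?<code>-?\d+)\.$') {
                # Exit code of the remote process, as PsExec relays it.
                [pscustomobject]@{ Host = $Matches.host; ExitCode = [int]$Matches.code; Error = $null }
            } elseif ($line -match "^Couldn't access (?<host>[^:]+):") {
                # The reason (e.g. "The network path was not found.") follows on the next line.
                $pending = $Matches.host
            } elseif ($pending -and $line.Trim()) {
                [pscustomobject]@{ Host = $pending; ExitCode = $null; Error = $line.Trim() }
                $pending = $null
            }
        }
    }
}

function Invoke-PsExecFleet {
    param(
        [Parameter(Mandatory)][string[]]$Servers,
        [Parameter(Mandatory)][string[]]$Command,
        [string]$ListFile = (Join-Path $env:TEMP "psexec-servers.txt")
    )
    $Servers | Set-Content -Path $ListFile -Encoding ASCII
    # Remote stdout comes back on stdout; PsExec's status lines are on stderr,
    # which 2>&1 merges so the parser sees them.
    $output = & $PsExec "@$ListFile" -accepteula -nobanner @Command 2>&1
    $output | ForEach-Object { "$_" } | ConvertFrom-PsExecStatus
}

# Constructed sample status lines (not a real run):
$sample = @(
    'cmd exited on SERVER01 with error code 0.'
    "Couldn't access SERVER02:"
    'The network path was not found.'
    'cmd exited on SERVER03 with error code 1.'
)
$sample | ConvertFrom-PsExecStatus | Format-Table -AutoSize

# Live use (assumed server names):
# Invoke-PsExecFleet -Servers 'SERVER01','SERVER02','SERVER03' -Command 'cmd','/c','ver' |
#     Where-Object { $_.ExitCode -ne 0 }
```

Anything with a non-zero ExitCode or a non-empty Error is a target to revisit; SERVER02 in the sample never ran the command at all, which a plain scroll through the merged output makes easy to miss. Because each run installs and removes PSEXESVC on every target, a fleet-wide sweep produces one service-installation event per server, so tell the SOC before running it.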

Step 6: TCPView, Sigcheck, and AccessChk

Three additional Sysinternals tools provide targeted capabilities that complement the diagnostic toolkit: TCPView shows all active TCP/UDP connections mapped to their owning processes; Sigcheck verifies digital signatures and checks file metadata; and AccessChk audits security permissions on files, directories, registry keys, services, and more.

# --- TCPView: Network connection audit ---
# GUI version
Start-Process "C:\Tools\Sysinternals\tcpview64.exe" -ArgumentList "/accepteula"

# Command-line TCP/UDP endpoint list (-a all endpoints including listening, -c CSV output, -n no name resolution)
# tcpvcon's CSV has no header row, so supply column names when parsing. The order used here is
# protocol, process, PID, state, local, remote (address:port); confirm it against your copy's raw output.
$hdr = "Protocol","Process","PID","State","Local","Remote"
C:\Tools\Sysinternals\tcpvcon64.exe -accepteula -a -c -n 2>$null | ConvertFrom-Csv -Header $hdr |
    Where-Object { $_.Protocol -match "^(TCP|UDP)" -and $_.State -eq "ESTABLISHED" } |
    Select-Object Process, PID, Local, Remote |
    Sort-Object Process | Format-Table -AutoSize

# Find what process is listening on a specific port
C:\Tools\Sysinternals\tcpvcon64.exe -accepteula -a -c -n 2>$null | ConvertFrom-Csv -Header $hdr |
    Where-Object { $_.Protocol -match "^(TCP|UDP)" -and $_.State -eq "LISTENING" -and $_.Local -match ":443$" }

# The built-in cmdlet needs no extra tool and is easier to script for the same question
Get-NetTCPConnection -LocalPort 443 -State Listen | Select-Object LocalAddress, LocalPort, OwningProcess

# --- Sigcheck: File signature verification ---
# Verify signature of a single file
C:\Tools\Sysinternals\sigcheck64.exe -accepteula "C:\Windows\System32\cmd.exe"

# Scan a directory tree for unsigned executables (security audit)
# -s recurse, -e executable images only (by PE header, not extension), -u unsigned or untrusted only, -c CSV, -h hashes
C:\Tools\Sysinternals\sigcheck64.exe -accepteula -nobanner -s -e -u -c -h "C:\inetpub\wwwroot" 2>$null

# Check against VirusTotal (-v queries VirusTotal, -vt accepts its terms; hashes are submitted, not the file)
C:\Tools\Sysinternals\sigcheck64.exe -accepteula -v -vt "C:\SuspiciousFile.exe"

# --- AccessChk: Permissions audit ---
# Show who has write access to a sensitive directory (-w write access only, -u suppress errors, -d directories only, -q no banner)
C:\Tools\Sysinternals\accesschk64.exe -accepteula -wudq "C:\Windows\System32" 2>$null

# Show what a specific user or group can do on a path (CONTOSO\svc-app is a placeholder account name)
C:\Tools\Sysinternals\accesschk64.exe -accepteula -uq "CONTOSO\svc-app" "C:\SensitiveData" 2>$null
# Dump the full security descriptor of a path (-l)
C:\Tools\Sysinternals\accesschk64.exe -accepteula -lq "C:\SensitiveData" 2>$null

# Find services that non-admin users can modify (privilege escalation audit)
# -c treats names as services, -v lists the specific rights; SERVICE_CHANGE_CONFIG or SERVICE_ALL_ACCESS is the finding
C:\Tools\Sysinternals\accesschk64.exe -accepteula -uwcqv "Authenticated Users" * 2>$null
C:\Tools\Sysinternals\accesschk64.exe -accepteula -uwcqv "Users" * 2>$null

# Find directories under Program Files writable by ordinary users (DLL planting / binary replacement audit)
C:\Tools\Sysinternals\accesschk64.exe -accepteula -uwdsq "Users" "C:\Program Files" 2>$null
C:\Tools\Sysinternals\accesschk64.exe -accepteula -uwdsq "Everyone" "C:\Program Files" 2>$null

# Audit registry key permissions: service definitions writable by ordinary users (-k registry key, -s recurse)
C:\Tools\Sysinternals\accesschk64.exe -accepteula -kwusq "Users" "HKLM\SYSTEM\CurrentControlSet\Services" 2>$null
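The service check above prints an "RW <service>" line followed by the indented rights the principal holds; on a server with many services the list is long and only a few rights matter. The block below is an added example, not code from the original article: it parses that output, keeps only services where the principal holds a right that lets it change what the service runs or who may change it, and resolves each one's binary path and run-as account. The accesschk path is an assumption, and the sample output is constructed in the shape the tool prints.

```powershell
# Added example (not from the original article): triage the output of
# "accesschk -uwcqv <principal> *" into the services a non-admin principal can
# actually take over, with their binary and run-as account for the report.

$AccessChk = "C:\Tools\Sysinternals\accesschk64.exe"   # assumed location

# Rights that allow changing the service binary/account, or rewriting the ACL itself.
$DangerousRights = 'SERVICE_ALL_ACCESS','SERVICE_CHANGE_CONFIG','WRITE_DAC','WRITE_OWNER','GENERIC_ALL','GENERIC_WRITE'

function ConvertFrom-AccessChkServices {
    param([Parameter(ValueFromPipeline)][string[]]$Lines)
    begin { $cur = $null; $results = @() }
    process {
        foreach ($line in $Lines) {
            if ($line -match '^(?<acc>RW?|W)\s+(?<svc>\S+)\s*$') {
                # Header line: access summary (R, W or RW) and the service name.
                if ($cur) { $results += $cur }
                $cur = [pscustomobject]@{ Service = $Matches.svc; Access = $Matches.acc; Rights = @() }
            } elseif ($cur -and $line -match '^\s+(?<right>[A-Z_]+)\s*$') {
                # Indented line: one specific right under the current service.
                $cur.Rights += $Matches.right
            }
        }
    }
    end {
        if ($cur) { $results += $cur }
        foreach ($r in $results) {
            $hit = @($r.Rights | Where-Object { $DangerousRights -contains $_ })
            Add-Member -InputObject $r -NotePropertyName Dangerous -NotePropertyValue ($hit.Count -gt 0)
            $r
        }
    }
}

function Get-WeakServiceAcl {
    param([string]$Principal = 'Authenticated Users')
    & $AccessChk -accepteula -uwcqv $Principal * 2>$null |
        ConvertFrom-AccessChkServices |
        Where-Object Dangerous |
        ForEach-Object {
            # A service running as LocalSystem with a weak ACL is a direct SYSTEM escalation path.
            $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($_.Service)'"
            [pscustomobject]@{
                Service = $_.Service
                Rights  = ($_.Rights -join ',')
                Binary  = $svc.PathName
                RunsAs  = $svc.StartName
            }
        }
}

# Constructed sample output (not a real scan):
$sample = @(
    'RW Spooler'
    '        SERVICE_QUERY_STATUS'
    '        SERVICE_CHANGE_CONFIG'
    'RW ContosoAgent'
    '        SERVICE_ALL_ACCESS'
    'W  TelemetryRelay'
    '        SERVICE_PAUSE_CONTINUE'
)
$sample | ConvertFrom-AccessChkServices |
    Select-Object Service, Access, Dangerous, @{ n = 'Rights'; e = { $_.Rights -join ',' } } |
    Format-Table -AutoSize

# Live use on a server:
# Get-WeakServiceAcl -Principal 'Authenticated Users'
# Get-WeakServiceAcl -Principal 'Users'
```

In the sample, Spooler and ContosoAgent are flagged while TelemetryRelay is not: SERVICE_PAUSE_CONTINUE is write access in accesschk's summary column, but it does not let the caller change the binary, so filtering on the rights rather than on the RW marker keeps the finding list short and actionable. Run the live check once per principal you care about (Authenticated Users, Users, Everyone, and any broad application group), and treat a hit on a service that RunsAs LocalSystem as a priority fix.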

Step 7: Strings — Extract Text from Binaries

The Strings utility extracts printable ASCII and Unicode strings from binary files — useful for analyzing unknown executables, inspecting DLLs for hardcoded credentials, or identifying what URLs or file paths an application references without decompiling it. Treat the output as triage rather than proof: a packed or encrypted binary yields few meaningful strings (often only the packer's own), and that absence is itself worth noting in a report.

# Extract all strings from an executable (minimum 6 characters; -q suppresses the banner)
C:\Tools\Sysinternals\strings64.exe -accepteula -q -n 6 "C:\SuspiciousApp\app.exe"

# Search for URL patterns in a binary
C:\Tools\Sysinternals\strings64.exe -accepteula -q "C:\SuspiciousApp\app.exe" | Where-Object { $_ -match "https?://" }

# Search for common credential patterns
C:\Tools\Sysinternals\strings64.exe -accepteula -q "C:\SuspiciousApp\app.exe" |
    Where-Object { $_ -match "password|passwd|secret|api_key|token" } |
    Select-Object -First 20

# Scan all DLLs in a directory tree for hardcoded IP addresses
# ($Matches is a PowerShell automatic variable, so the results are kept in $hits instead)
Get-ChildItem "C:\Program Files\MyApp" -Filter "*.dll" -Recurse | ForEach-Object {
    $hits = C:\Tools\Sysinternals\strings64.exe -accepteula -q $_.FullName 2>$null |
        Where-Object { $_ -match '\b\d{1,3}(\.\d{1,3}){3}\b' }
    if ($hits) {
        Write-Host "$($_.Name): $($hits -join ', ')"
    }
}

Conclusion

The Sysinternals Suite remains one of the most valuable diagnostic toolkits available for Windows Server 2025 administrators, decades after its creation. The combination of Process Monitor for real-time activity tracing, Process Explorer for process inspection, Autoruns for startup auditing, PsExec for remote administration, TCPView for network visibility, Sigcheck for binary integrity verification, and AccessChk for permissions auditing covers the vast majority of server diagnostic scenarios you will encounter in production environments. By hosting the suite on an internal file share and pre-accepting the EULA via registry, you can make these tools available across your entire server fleet with zero installation overhead — exactly the kind of lightweight, high-value tooling that separates effective Windows Server administrators from the rest.