What Is the Sysinternals Suite?
The Sysinternals Suite is a collection of advanced diagnostic and troubleshooting utilities for Windows developed originally by Mark Russinovich and Bryce Cogswell, and now maintained by Microsoft. The tools provide deep visibility into the Windows operating system that Task Manager, Event Viewer, and other built-in tools simply cannot match. For Windows Server 2022 administrators, Sysinternals tools are indispensable for diagnosing process issues, tracking file and registry access, auditing startup programs, analyzing network connections, and remotely executing commands on other servers.
Sysinternals tools are portable executables that require no installation. They can be run from a USB drive, a local folder, or even directly from a live web share without copying files to the server — a significant advantage when you need to diagnose a production server without modifying its state.
Downloading Sysinternals
Download the entire Sysinternals Suite as a ZIP archive from the official Microsoft page:
Invoke-WebRequest -Uri "https://download.sysinternals.com/files/SysinternalsSuite.zip" -OutFile "C:\Tools\SysinternalsSuite.zip"
Expand-Archive -Path "C:\Tools\SysinternalsSuite.zip" -DestinationPath "C:\Tools\Sysinternals"
Add the tools directory to the system PATH for convenient command-line access:
$env:PATH += ";C:\Tools\Sysinternals"
[Environment]::SetEnvironmentVariable("PATH", $env:PATH, "Machine")
Alternatively, run Sysinternals tools directly from the live UNC path without downloading them — Windows accesses the tools from Microsoft’s web server on demand:
\\live.sysinternals.com\tools\procexp.exe
\\live.sysinternals.com\tools\procmon.exe
\\live.sysinternals.com\tools\autoruns.exe
The UNC path method requires WebDAV client support (WebClient service must be running) and internet access. It is particularly useful for quick one-off diagnostics without leaving artifacts on the server.
Process Explorer: The Better Task Manager
Process Explorer (procexp.exe / procexp64.exe) is a comprehensive replacement for Windows Task Manager. It shows a hierarchical view of all running processes and their parent-child relationships, making it immediately clear which processes spawned which other processes — critical for detecting injected processes or malware that hides behind legitimate parent processes.
Launch Process Explorer on a remote server via PsExec (covered below):
psexec \\server02 -i C:\Tools\Sysinternals\procexp64.exe
Key capabilities of Process Explorer beyond Task Manager:
DLL view — Switch to the lower pane’s DLL mode (View > Lower Pane View > DLLs) to see every DLL loaded into a selected process. This is essential for detecting DLL hijacking — where a malicious DLL is loaded instead of a legitimate system DLL because it appears earlier in the search path.
Handle view — View > Lower Pane View > Handles shows all file handles, registry key handles, named pipe handles, and mutex handles held by a process. Use this to find which process has a file locked, preventing deletion or rename operations.
VirusTotal integration — Options > VirusTotal.com > Check VirusTotal.com submits hashes of all loaded binaries to VirusTotal for malware detection without uploading the binaries themselves.
Process properties — Double-clicking a process shows its full image path, command line, environment variables, security tokens (including privilege levels), TCP/IP connections, loaded services, and performance graphs.
Replace Task Manager system-wide with Process Explorer:
procexp /t
Or from the menu: Options > Replace Task Manager.
Process Monitor: Tracing I/O, Registry, and Network Activity
Process Monitor (procmon.exe) captures real-time filesystem, registry, network, and process/thread activity from all processes on the system. It is the most powerful diagnostic tool in the Sysinternals suite for root-causing application failures, permission errors, missing file issues, and slow I/O.
Run Process Monitor in capture mode, then save a log for later analysis:
procmon /Quiet /Minimized /BackingFile C:\Logs\procmon_capture.pml
Stop capture and close Process Monitor:
procmon /Terminate
Key techniques for effective Process Monitor use:
Filters — Process Monitor captures millions of events per minute on a busy server. Use filters (Ctrl+L) to narrow by process name, path, operation type, or result. Example: filter by Process Name = iisw3adm.exe and Result = ACCESS DENIED to find IIS permission errors instantly.
Highlight rules — Highlight events matching specific criteria in different colors for quick visual identification without filtering out other events.
Operation filters — Use the toolbar buttons to toggle visibility of FileSystem, Registry, Network, and Process/Thread events independently. Disabling Registry and Process events reduces noise when debugging file access issues.
Stack traces — Double-click any event to see the full user-mode and kernel-mode call stack at the time of the operation. This shows exactly which function in which DLL made the file or registry access — invaluable for debugging third-party application failures.
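A scripted version of the capture-then-filter workflow above, added here as an example and not taken from the Sysinternals documentation: it runs a timed headless capture, converts the backing file to CSV with Procmon's /OpenLog and /SaveAs switches, and then counts ACCESS DENIED results per path for one process. The process name (w3wp.exe, the IIS worker process), the 60-second window and the C:\Logs paths are assumptions.

```powershell
# Timed Process Monitor capture followed by offline ACCESS DENIED triage.
# Assumes procmon.exe is on PATH and C:\Logs exists; the process name, duration and
# file paths are assumptions for this example.
param(
    [string]$ProcessName = 'w3wp.exe',      # IIS worker process (adjust as needed)
    [int]$Seconds        = 60,
    [string]$Pml         = 'C:\Logs\procmon_capture.pml',
    [string]$Csv         = 'C:\Logs\procmon_capture.csv'
)

# 1. Start a silent, minimized capture that writes to a backing file, wait, stop it.
Start-Process procmon.exe -ArgumentList "/AcceptEula /Quiet /Minimized /BackingFile `"$Pml`""
Start-Sleep -Seconds $Seconds
Start-Process procmon.exe -ArgumentList '/Terminate' -Wait

# 2. Convert the PML to CSV headlessly; Procmon exits once the export is written.
Start-Process procmon.exe -ArgumentList "/OpenLog `"$Pml`" /SaveAs `"$Csv`"" -Wait

# 3. Group ACCESS DENIED events for the process of interest by operation and path,
#    so the most frequently denied path (usually the root cause) sorts to the top.
#    Column names ("Process Name", "Operation", "Path", "Result") are Procmon's CSV header.
function Get-AccessDeniedSummary {
    param([string]$Path, [string]$Process)
    Import-Csv -Path $Path |
        Where-Object { $_.'Process Name' -eq $Process -and $_.Result -eq 'ACCESS DENIED' } |
        Group-Object -Property Operation, Path |
        Sort-Object -Property Count -Descending |
        Select-Object Count,
            @{ Name = 'Operation'; Expression = { $_.Values[0] } },
            @{ Name = 'Path';      Expression = { $_.Values[1] } }
}

Get-AccessDeniedSummary -Path $Csv -Process $ProcessName | Format-Table -AutoSize
```

The same summary function can be pointed at any CSV exported from the Procmon GUI (File > Save, CSV format) when the capture was taken interactively.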
Autoruns: Auditing Startup and Persistence Locations
Autoruns (autoruns.exe / autorunsc.exe) provides the most comprehensive view of all programs and drivers configured to run automatically at boot or user logon. It scans dozens of persistence locations that other tools miss: Run keys, RunOnce, Services, Drivers, Scheduled Tasks, Browser Helper Objects, Explorer extensions, Sidebar gadgets, Winlogon entries, LSA providers, Print monitors, and many more.
Run Autoruns in command-line mode and export all startup entries to a CSV for review:
autorunsc.exe -accepteula -a * -h -c > C:\Reports\autoruns_server01.csv
The -a * flag scans all autorun locations. -h includes file hashes. -c outputs CSV format. Review the output for unsigned binaries, unexpected paths, or entries from suspicious locations.
Compare autoruns output between a known-good baseline and the current state to detect newly added persistence mechanisms:
autorunsc.exe -accepteula -a * -h -c > C:\Reports\autoruns_current.csv
Compare-Object (Import-Csv C:\Reports\autoruns_baseline.csv) (Import-Csv C:\Reports\autoruns_current.csv) -Property "Image Path"
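A fuller baseline comparison than the one-line Compare-Object above, added here as an example (not Autoruns' own code): it keys each row on Entry Location plus Entry, so it reports entries that are new, removed, or whose image path or SHA-256 hash changed in place. It assumes the two CSV files were produced with -h (so the "SHA-256" column is present) and that autorunsc's column headers are "Entry Location", "Entry" and "Image Path".

```powershell
# Diff two autorunsc CSV exports and report NEW, REMOVED and CHANGED persistence entries.
# Assumes the files were written with: autorunsc.exe -accepteula -a * -h -c
function Compare-AutorunsBaseline {
    param(
        [string]$Baseline = 'C:\Reports\autoruns_baseline.csv',
        [string]$Current  = 'C:\Reports\autoruns_current.csv'
    )
    # Index the baseline by location + entry name so a swapped binary under an
    # existing entry (same key, different Image Path or hash) is still detected.
    $old = @{}
    foreach ($row in Import-Csv -Path $Baseline) {
        $old["$($row.'Entry Location')|$($row.Entry)"] = $row
    }
    $seen = @{}
    foreach ($row in Import-Csv -Path $Current) {
        $key = "$($row.'Entry Location')|$($row.Entry)"
        $seen[$key] = $true
        $prev = $old[$key]
        if (-not $prev) {
            $status = 'NEW'
        } elseif ($prev.'Image Path' -ne $row.'Image Path' -or $prev.'SHA-256' -ne $row.'SHA-256') {
            $status = 'CHANGED'
        } else {
            continue   # unchanged entry, nothing to report
        }
        [pscustomobject]@{
            Status = $status; Location = $row.'Entry Location'; Entry = $row.Entry
            ImagePath = $row.'Image Path'; SHA256 = $row.'SHA-256'
        }
    }
    # Entries present in the baseline but gone now (a disabled security agent, for example).
    foreach ($key in $old.Keys | Where-Object { -not $seen[$_] }) {
        $row = $old[$key]
        [pscustomobject]@{
            Status = 'REMOVED'; Location = $row.'Entry Location'; Entry = $row.Entry
            ImagePath = $row.'Image Path'; SHA256 = $row.'SHA-256'
        }
    }
}

Compare-AutorunsBaseline | Sort-Object Status, Location | Format-Table -AutoSize
```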
TCPView: Real-Time Network Connection Monitoring
TCPView (tcpview.exe) displays all active TCP and UDP endpoints on the system, showing local and remote addresses, port numbers, connection state, and the owning process. Unlike netstat, TCPView updates in real time and provides process name and PID alongside connection details.
For command-line or scripting use, TCPView includes tcpvcon.exe:
tcpvcon.exe -accepteula -a -c > C:\Reports\connections.csv
The output shows ProcessName, PID, Protocol, LocalAddress, LocalPort, RemoteAddress, RemotePort, and State for every active connection. Filter for established connections on unexpected ports to identify unauthorized outbound connections or lateral movement.
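The filtering step described above, added here as an example rather than Sysinternals code: it parses tcpvcon CSV lines using the column order listed above, treats a connection as outbound when its local port is in the ephemeral range (49152 and up, an assumption), and flags ESTABLISHED outbound connections whose remote port is outside a site allow-list. The allow-list and the sample lines are constructed for the demonstration; if your tcpvcon version writes a header row, drop the -Header argument.

```powershell
# Flag ESTABLISHED outbound connections to remote ports outside an allow-list.
# Column names are supplied explicitly (assumed order, as listed on this page).
function Find-UnexpectedConnections {
    param(
        [string[]]$CsvLines,
        [int[]]$AllowedRemotePorts = @(53, 80, 443, 445),   # assumed site policy
        [int]$EphemeralStart = 49152                         # assumed outbound heuristic
    )
    $columns = 'ProcessName','PID','Protocol','LocalAddress','LocalPort',
               'RemoteAddress','RemotePort','State'
    $CsvLines | ConvertFrom-Csv -Header $columns |
        Where-Object {
            $_.State -eq 'ESTABLISHED' -and
            [int]$_.LocalPort -ge $EphemeralStart -and          # client side => outbound
            [int]$_.RemotePort -notin $AllowedRemotePorts
        } |
        Group-Object -Property ProcessName, RemoteAddress, RemotePort |
        ForEach-Object {
            [pscustomobject]@{
                Process = $_.Values[0]
                Remote  = "$($_.Values[1]):$($_.Values[2])"
                Count   = $_.Count
                PIDs    = ($_.Group.PID | Sort-Object -Unique) -join ','
            }
        }
}

# Constructed sample standing in for: tcpvcon.exe -accepteula -a -c
$sample = @(
    'svchost.exe,1234,TCP,10.0.0.5,49811,10.0.0.10,445,ESTABLISHED',      # allowed (SMB)
    'w3wp.exe,2210,TCP,10.0.0.5,443,203.0.113.7,51234,ESTABLISHED',       # inbound, skipped
    'powershell.exe,4410,TCP,10.0.0.5,50122,198.51.100.23,8088,ESTABLISHED', # flagged
    'svchost.exe,1234,TCP,0.0.0.0,135,0.0.0.0,0,LISTENING'                # not established
)
Find-UnexpectedConnections -CsvLines $sample | Format-Table -AutoSize
# Against a real export: Find-UnexpectedConnections -CsvLines (Get-Content C:\Reports\connections.csv)
```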
PsExec: Remote Command Execution
PsExec (psexec.exe) executes processes on remote Windows computers using the admin share and a service installation mechanism — no pre-installed agent required. It is the standard tool for running commands on remote servers without enabling PowerShell Remoting or RDP.
Run a command on a remote server and return output locally:
psexec \\server02 -accepteula cmd /c ipconfig /all
Open an interactive command prompt on a remote server:
psexec \\server02 -accepteula -i cmd
Run a command on multiple servers listed in a text file:
psexec @C:\serverlist.txt -accepteula -u DOMAIN\admin -p password cmd /c "net stop spooler && net start spooler"
Run a process as SYSTEM (the highest-privilege local account):
psexec -accepteula -s cmd
PsExec requires File and Printer Sharing (SMB port 445) to be accessible and admin credentials. The -s flag elevates to the SYSTEM account, useful for accessing resources that require SYSTEM-level permissions.
PsInfo: Remote Server Inventory
PsInfo (psinfo.exe) gathers system information from local or remote computers including OS version, build number, uptime, install date, RAM, CPU, and installed hotfixes:
psinfo \\server02 -accepteula -s -h
The -s flag lists installed software. The -h flag lists installed hotfixes. This provides a quick inventory without needing to RDP into the server.
Sigcheck: Binary Verification and Signature Checking
Sigcheck (sigcheck.exe) verifies digital signatures on binaries and can check file hashes against VirusTotal. Use it to verify that system binaries have not been tampered with and that all executables in a directory are properly signed:
Check all unsigned files in the System32 directory:
sigcheck.exe -accepteula -u -e C:\Windows\System32 > C:\Reports\unsigned_binaries.txt
The -u flag shows only unsigned files. The -e flag scans executable files only (skipping non-PE files). Any results in System32 that are unsigned and not expected (e.g., legitimate third-party drivers sometimes land here) warrant investigation.
Check a specific file’s signature and VirusTotal status:
sigcheck.exe -accepteula -v C:\Windows\System32\svchost.exe
DebugView: Capturing Debug Output
DebugView (dbgview.exe) captures OutputDebugString() calls and kernel-mode DbgPrint() output in real time — debug messages that are invisible without a debugger attached. Many Windows services, drivers, and applications emit detailed diagnostic information through these debug channels that never appears in event logs.
Run DebugView capturing both user-mode and kernel-mode debug output:
dbgview.exe /accepteula /k /l C:\Logs\debugview.log
The /k flag enables kernel capture. The /l flag logs to a file. DebugView requires local administrator privileges and for kernel-mode capture it requires that the Debug Print Filter registry value allows output from the relevant kernel component.
Strings: Extracting Text from Binaries
Strings (strings.exe) extracts printable string sequences from binary files — executables, DLLs, data files. This is useful for reverse-engineering unknown binaries, checking for hardcoded credentials, identifying C2 server addresses in suspicious files, or understanding what an executable references without running it:
strings.exe -accepteula -n 8 C:\Suspicious\unknown.exe > C:\Reports\strings_output.txt
The -n 8 flag sets the minimum string length to 8 characters, filtering out noise. Review the output for IP addresses, URLs, registry paths, file paths, SQL queries, or API keys that reveal the binary’s capabilities and intentions.
Search strings output for URL patterns:
strings.exe -accepteula C:\Suspicious\unknown.exe | Select-String -Pattern "https?://"
The Sysinternals Suite, used systematically, gives Windows Server 2022 administrators visibility that no other set of built-in tools can match. Incorporating these tools into standard operating procedures for incident response, performance troubleshooting, and security auditing dramatically reduces the mean time to resolution for production server issues.