The creator of these tools used to give those really cool "The case of the unexplained" presentations where he used the tools to diagnose and fix real-life Windows problems.
I've been on Mac and Linux for 10 years now, but Sysinternals is the one thing that kept me on Windows for the 10 years before that as a hacker. It was the first thing that landed on any new machine and let me learn and debug so many things about my computer.
Microsoft did the right thing to assimilate them; the guy behind them was top-notch and I remember them fondly.
Don't know how they evolved in the last decade though.
My understanding is that RootkitRevealer is no longer being maintained since it was being used by malware authors to evade detections. The age-old cat and mouse game.
Process Monitor (ProcMon) is one of the best diagnostic tools on the planet. I’ve used it to find why my machine booted slowly (encrypted font?!), what sort of network activity is holding up an app, why my USB device was sucking at wake-from-sleep, etc.
Process Explorer (ProcExp) is amazing at inspecting processes, e.g. to see their environment variables, see what process integrity levels look like, find out what process has what path open (e.g. since Windows won't let you delete open files), etc. It's a good complement to Task Manager.
TCPView is great for some weird cases. I used it once to find a bad web server, as I could see my HTTP requests were failing when the load balancer sent me to a specific IP. This impressed my web developer friends who weren't used to seeing really accessible but low-level diagnostic tools.
Is there an alternative to Everything [1] (file search with immediate results) and Ditto [2] (clipboard manager) among those you've listed? I can't live without them on Windows, to be honest.
Though my db syncing doesn't always work like a charm, it still gets the job done. Use the freeware version which should be super sufficient for most of the users.
Check out other tools which are good, such as Flashnote.
A proper Sysinternals-equivalent set of tools is sorely missed on macOS. Trying to do DFIR on them mostly sucks compared to what's available on Windows. (Open to hearing from anyone who has particular favorites or recommendations.)
Thirded, because at some point, ProcessExplorer started recording the resource usage history of a process (CPU usage, memory, I/O) only the moment you explicitly opened that particular process's properties window for the first time.
Because the last version of ProcessExplorer that didn't exhibit that behaviour no longer works on current Windows versions (certainly not 10, and I'm no longer sure whether 7 wasn't already problematic, too), ProcessHacker instead it is then.
My guess is that they're not included due to internal politics. They were developed by Russinovich before he joined Microsoft. I believe he mentioned in an interview that he used some undocumented Windows APIs and that some Microsoft engineers were not happy about that.
BTW, another great diagnostic tool for Windows that I've come across is the Windows Performance Analyzer. One needed to install it separately before; not sure about that nowadays.
On the contrary: adding psexec.exe to our EDR's blocklist has had tangible positive impacts.
Legitimate remote execution in 2021 can be achieved using a range of supported options, and when I see this alert trigger in a monitored environment there's nearly always something malicious going on. The catch, of course, is that you explain this to everyone and get them on board, as opposed to just doing it.
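The alert described in the comment above is the kind of thing that fires on host telemetry rather than on the psexec.exe binary itself, because PsExec leaves artefacts on the target: it copies its service binary into the ADMIN$ share (i.e. %SystemRoot%), installs it as a service named PSEXESVC running as LocalSystem (System log event 7045), and talks to it over named pipes called \PSEXESVC and \PSEXESVC-<host>-<pid>-stdin/stdout/stderr. The following is an added example written for this page, not code from Sysinternals or from the commenter: a small detector run over a few constructed events shaped like a JSON export of the Windows System log and Sysmon pipe events. The field names, the hostnames and the "mgmtsvc" service (standing in for a PsExec run with the -r option, which lets the operator rename the service) are all assumptions for the sake of the example.

```python
import json
import re

# Constructed sample events for this example; they are not real logs.
# Shape assumed: one JSON object per line, fields as a typical event-log
# export would name them (EventID, Channel, Computer, ServiceName, ...).
SAMPLE_JSONL = "\n".join(json.dumps(ev) for ev in [
    # Stock PsExec: service PSEXESVC installed from %SystemRoot%.
    {"EventID": 7045, "Channel": "System", "Computer": "WS01",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe",
     "AccountName": "LocalSystem"},
    # PsExec run with -r (assumed): service renamed, binary still dropped
    # straight into %SystemRoot% and run as LocalSystem.
    {"EventID": 7045, "Channel": "System", "Computer": "WS02",
     "ServiceName": "mgmtsvc", "ImagePath": "%SystemRoot%\\mgmtsvc.exe",
     "AccountName": "LocalSystem"},
    # Sysmon event 17 (pipe created): the pipe name still gives it away.
    {"EventID": 17, "Channel": "Microsoft-Windows-Sysmon/Operational",
     "Computer": "WS02", "Image": "C:\\Windows\\mgmtsvc.exe",
     "PipeName": "\\PSEXESVC-ADMIN-PC-4412-stdin"},
    # Benign service install under Program Files: should not alert.
    {"EventID": 7045, "Channel": "System", "Computer": "WS03",
     "ServiceName": "WinDefend",
     "ImagePath": "\"C:\\Program Files\\Windows Defender\\MsMpEng.exe\"",
     "AccountName": "LocalSystem"},
])

# \PSEXESVC control pipe, or \PSEXESVC-<host>-<pid>-{stdin,stdout,stderr}.
PSEXEC_PIPE_RE = re.compile(
    r"^\\PSEXESVC(-[^\\]+-\d+-(stdin|stdout|stderr))?$", re.IGNORECASE)

# A service binary sitting directly in %SystemRoot% (the ADMIN$ share),
# which is where PsExec copies its service regardless of the -r name.
SYSTEMROOT_EXE_RE = re.compile(
    r'^"?(%SystemRoot%|C:\\Windows)\\[^\\]+\.exe"?$', re.IGNORECASE)


def parse_jsonl(text):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _basename(path):
    """Last path component, with surrounding quotes removed."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]


def detect_psexec(events):
    """Return (computer, rule_name) findings for PsExec-style activity.

    Rule order matters: the high-confidence default-name rule is checked
    first so a stock PsExec install yields one finding, not two.
    """
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        host = ev.get("Computer", "?")
        if eid == 7045:
            name = ev.get("ServiceName", "")
            image = ev.get("ImagePath", "")
            if (name.upper() == "PSEXESVC"
                    or _basename(image).upper() == "PSEXESVC.EXE"):
                findings.append((host, "psexec_default_service_install"))
            elif (SYSTEMROOT_EXE_RE.match(image)
                    and ev.get("AccountName") == "LocalSystem"):
                # Lower confidence: catches renamed services, needs an
                # allowlist in production for legitimate installers.
                findings.append((host, "localsystem_service_dropped_in_systemroot"))
        elif eid in (17, 18) and PSEXEC_PIPE_RE.match(ev.get("PipeName", "")):
            findings.append((host, "psexec_named_pipe"))
    return findings


def main():
    for host, rule in detect_psexec(parse_jsonl(SAMPLE_JSONL)):
        print(f"{host}: {rule}")


if __name__ == "__main__":
    main()
```

The renamed-service case is why the pipe rule is worth keeping alongside the 7045 rule: an operator can change the service name with -r, but the \PSEXESVC pipe names are fixed by the tool, and the "LocalSystem service dropped directly into %SystemRoot%" heuristic fires on either variant and is the rule most likely to need an allowlist for software deployment tooling.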
https://docs.microsoft.com/en-us/sysinternals/resources/webc...