
Page 1: Sysinternals Primer: Gems Aaron Margosis Principal Consultant Microsoft Corporation SIA311

Sysinternals Primer: Gems

Aaron Margosis
Principal Consultant
Microsoft Corporation

SIA311

Page 2

Sysinternals Primer: Gems
Session Objectives and Takeaways

Advanced tips for popular Sysinternals utilities
Learn about some of the least known Sysinternals utilities
Become a bigger Windows internals nerd
Become better able to bore my non-nerd friends to death
Get my copy of the Sysinternals book signed by one of the authors

Page 3

The Sysinternals Administrator’s Reference
The official guide to the Sysinternals tools

Covers every tool, every feature, with tips
Written by Mark Russinovich and Aaron Margosis

Full chapters on the major tools: Process Explorer, Process Monitor, Autoruns

Other chapters by tool group: Security, process, AD, desktop, …

Book signings with Mark and Aaron

Wed. and Thurs., 11:30am, TechEd bookstore

Mark will also be signing Zero Day and Windows Internals 6th Ed. Pt. 1

Page 4

topic

Procmon filtering tips…

Page 5

Combining “Include” rules

Within a column: combined with “OR”

Between columns: combined with “AND”

Page 6

“Include” filter rules - Example

PID is 1512
PID is 2408
Path contains HKLM
Path contains Zones

((PID is 1512) OR (PID is 2408)) AND ((Path contains HKLM) OR (Path contains Zones))

Page 7

Mixing “Process Name” and “PID” – FAIL

Process Name is cmd.exe
PID is 1512
PID is 2408

(Process Name is cmd.exe) AND ((PID is 1512) OR (PID is 2408))

Page 8

Combining “Include” rules

Within a column: combined with “OR”

Between columns: combined with “AND”

Q: What if you want to limit within a column?

(Path Contains HKLM) AND (Path Contains Zones)

A: Exclude the events you don’t want

Page 9

demo

Simulating "AND" within a column filter
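The filter semantics of pages 5 through 9, simulated as an added example (not code from the presentation or from Procmon itself) over constructed event records: Include rules OR within a column and AND across columns, so the page 7 combination shows nothing, and an Exclude rule with the "excludes" relation supplies the AND within a single column that page 8 describes.

```python
"""Simulation of Procmon filter semantics (added example, not Procmon code; events are constructed)."""
from collections import defaultdict

EVENTS = [
    {"PID": 1512, "Process Name": "explorer.exe", "Path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"},
    {"PID": 1512, "Process Name": "explorer.exe", "Path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"},
    {"PID": 2408, "Process Name": "iexplore.exe", "Path": r"HKLM\SOFTWARE\Classes\CLSID"},
    {"PID": 2408, "Process Name": "iexplore.exe", "Path": r"C:\Users\test\AppData\Local\Temp\x.tmp"},
    {"PID": 3300, "Process Name": "cmd.exe", "Path": r"C:\Windows\System32\cmd.exe"},
]

# Procmon relations used on these slides; comparisons are case-insensitive.
RELATIONS = {
    "is": lambda v, a: str(v).lower() == a.lower(),
    "contains": lambda v, a: a.lower() in str(v).lower(),
    "excludes": lambda v, a: a.lower() not in str(v).lower(),
}

def rule_matches(event, rule):
    column, relation, value = rule
    return RELATIONS[relation](event[column], value)

def included(event, includes):
    """Include rules: OR within a column, AND between columns (no rules means show all)."""
    by_column = defaultdict(list)
    for rule in includes:
        by_column[rule[0]].append(rule)
    return all(any(rule_matches(event, r) for r in rules) for rules in by_column.values())

def apply_filter(events, includes=(), excludes=()):
    """Show an event only if no Exclude rule matches it and the Include rules admit it.
    Excludes are checked regardless of includes, which is what page 8's technique relies on."""
    return [e for e in events
            if not any(rule_matches(e, r) for r in excludes) and included(e, includes)]

def demo():
    """The three slide scenarios; returns how many of the sample events each filter shows."""
    page6 = apply_filter(EVENTS, includes=[("PID", "is", "1512"), ("PID", "is", "2408"),
                                           ("Path", "contains", "HKLM"), ("Path", "contains", "Zones")])
    # Page 7 "FAIL": Process Name and PID are different columns, so they AND; no PID here is cmd.exe.
    page7 = apply_filter(EVENTS, includes=[("Process Name", "is", "cmd.exe"),
                                           ("PID", "is", "1512"), ("PID", "is", "2408")])
    # Page 8: AND within the Path column = include one term, exclude events lacking the other.
    page8 = apply_filter(EVENTS, includes=[("Path", "contains", "HKLM")],
                         excludes=[("Path", "excludes", "Zones")])
    return {"page6": len(page6), "page7": len(page7), "page8": len(page8)}

if __name__ == "__main__":
    print(demo())  # {'page6': 3, 'page7': 0, 'page8': 1}
```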

Page 10

topic

[TS] Sessions, Window Stations, Desktops, …

Page 11

Before Terminal Services…

Page 12

With Terminal Services…

Page 13

demo

Working with interactive and non-interactive desktops

Page 14

demo

Exploring LSA Logon Sessions

Page 15

demo

DU (Disk Usage) and Streams and FindLinks

Page 16

SigCheck

usage: sigcheck [-a][-h][-i][-e][-n][[-s]|[-v]|[-m]][-q][-r][-u][-c catalog file] <file or directory>
-a Show extended version information
-c Look for signature in the specified catalog file
-e Scan executable images only (regardless of their extension)
-h Show file hashes
-i Show catalog name and image signers
-m Dump manifest
-n Only show file version number
-q Quiet (no banner)
-r Check for certificate revocation
-s Recurse subdirectories
-u Show unsigned files only
-v Csv output

Page 17

demo

A little LiveKd…

Page 18

Sysinternals Resources

http://www.Sysinternals.com (redirects to technet.microsoft.com)

Mark Russinovich’s blog: http://blogs.technet.com/MarkRussinovich

Blog posts and utilities by Aaron Margosis:
http://blogs.msdn.com/aaron_margosis
http://blogs.technet.com/fdcc

Page 19

Related Content

More about Pass the Hash and defending against it:
SIA200 - Cyber Security Defenses: What Works Today
SIA303 - Advanced Persistent Threats (APT): Understanding the New Era of Attacks!

Mark Russinovich’s TechEd sessions:
AZR209 - Windows Azure Applications and Workloads
AZR302 - Windows Azure Internals
SIA302 - Malware Hunting with the Sysinternals Tools
WCL301 - Case of the Unexplained 2012: Windows Troubleshooting with Mark Russinovich

Aaron Margosis’ other TechEd session:
SIA324 - Defense Against the Dark Ages: Your Old Web Apps Are Trying to Kill You

Page 20

Track Resources

www.microsoft.com/twc

www.microsoft.com/security

www.microsoft.com/privacy

www.microsoft.com/reliability

Page 21

Resources

Connect. Share. Discuss.

http://northamerica.msteched.com

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

TechNet

Resources for IT Professionals

http://microsoft.com/technet

Resources for Developers

http://microsoft.com/msdn

Page 22

Complete an evaluation on CommNet and enter to win!

Page 23

MS Tag

Scan the Tag to evaluate this session now on myTechEd Mobile

Page 24

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 25