If you are a security professional or a software developer, there are times when you have to look under the hood of the code or program you are working on and see how everything works. We are so used to simply hitting a button after we finish developing that we forget about the layers that sit underneath the code we just wrote. Sometimes, to get a program running at full efficiency, we need to know how the layer below works. Or, if we have a security problem, we again need to see several layers deep so that we can understand the problem better. This is what the Sysinternals suite of tools helps you do: it lets you see how the code underneath interacts with the rest of the computing environment.
What are Sysinternals tools exactly?
The computer that you work on has several different layers. Most people work in user-land space, and even developers work in that space most of the time when they are writing code. When they write applications, that code is usually written in a language that humans can understand. It is then compiled down to another layer called assembly and then once again to opcode. There is a set of tools you can use to examine all three layers. Of course, you can use a text editor to examine normal source code; it is nothing more than an easily readable text file. After the code is compiled it becomes something else. That is when you use a decompiler or debugger to read the assembly code that is being fed into the computer, so you can examine how the program flows through the computer. There are also tools that let you focus on the in-between levels. They not only let you examine how your program flows within the computer, but they also show you the resources the operating system uses when the program runs. For the Windows operating system, most people use a set of tools known as Windows Sysinternals.
As I said earlier, Sysinternals lets you dig into the deep recesses of the operating system or of the running program so that you can see what the problem might be, if there is one at all. It is more of a diagnostic tool than anything else. To make it easier, put it in terms of a mechanic at an auto garage: if decompiling the operating system or a program is the equivalent of a mechanic taking the car apart, then using the Sysinternals tools is the same as hooking the car up to the diagnostic machine. You are still checking the internals, just without ripping everything apart.
Popular software in the Sysinternals Suite
You must remember that the Sysinternals tools are not just one program. They are a whole suite of programs that analyze different parts of the computer. One of the most popular programs in the suite is Process Explorer. Process Explorer lets you see in detail all of the processes and DLL files that are open at any moment; think of it as the Windows Task Manager on steroids. If you have trouble finding which program on the system is running slowly, you can use Process Explorer to find it. Or, if you have an application that you just created and you want to see all of the parts of the operating system it hooks into, this is a great program for that as well.
RootkitRevealer is another excellent piece of software, as the name suggests. If you suspect that you have a rootkit on your system, this is a great tool for finding out whether that is true.
Another extremely useful tool in the suite is Process Monitor. It lets you see all of the open file handles as well as registry activity. This again is a great tool for checking the health of any program you have open in the Windows operating system.
Using Sysinternal tools for security purposes
If you do any type of security work with the Windows operating system, this is a great set of tools to have. The worst part of some malware is that you never know which part of the operating system it is infecting. These tools help you figure that out. Malware is just like any other software program, and these tools can see what it is doing and what it is not, just as they can for any other program. I would advise that if you are going to do this, you try it in a virtual machine instance first and not on your actual working computer. But if your main computer becomes infected and you are still able to use the machine, running these tools will be a great aid in tracking down the infected parts of the operating system.
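A worked example of the Process Monitor workflow described above: capture the file and registry activity of one program inside a lab VM, then summarise what it touched. This is added PowerShell, not part of the original post or the Sysinternals project; it assumes Procmon.exe from the Sysinternals Suite is on PATH, runs elevated, and that the process name and output paths are placeholders you substitute.

```powershell
# Added example (not from the original post). Runs Process Monitor in its
# command-line mode, exports the trace to CSV and reports what one process did.
# Assumes procmon.exe is on PATH and the shell is elevated inside a throwaway VM.
param(
    [Parameter(Mandatory)] [string] $ProcessName,   # e.g. 'sample.exe' (placeholder)
    [int]    $Seconds = 30,                          # length of the capture window
    [string] $WorkDir = (Join-Path $env:TEMP 'procmon-trace')
)

function Get-ProcmonSummary {
    # Reads a Procmon CSV export (default columns: Time of Day, Process Name, PID,
    # Operation, Path, Result, Detail) and returns what a single process touched.
    param([string] $CsvPath, [string] $Name)
    $ev = @(Import-Csv -Path $CsvPath | Where-Object { $_.'Process Name' -eq $Name })
    $ok = @($ev | Where-Object { $_.Result -eq 'SUCCESS' })
    $regOps = 'RegSetValue', 'RegCreateKey', 'RegDeleteValue', 'RegDeleteKey'
    [pscustomobject]@{
        TotalEvents    = $ev.Count
        FilesWritten   = @($ok | Where-Object Operation -eq 'WriteFile' | Select-Object -ExpandProperty Path -Unique)
        RegistryWrites = @($ok | Where-Object { $_.Operation -in $regOps } | Select-Object -ExpandProperty Path -Unique)
        ImagesLoaded   = @($ok | Where-Object Operation -eq 'Load Image' | Select-Object -ExpandProperty Path -Unique)
        ChildProcesses = @($ok | Where-Object Operation -eq 'Process Create' | Select-Object -ExpandProperty Path -Unique)
        # Failed lookups often reveal paths the program probes for (tools, sandboxes, configs).
        FailedAccesses = @($ev | Where-Object { $_.Result -in 'ACCESS DENIED', 'NAME NOT FOUND' } | Select-Object -ExpandProperty Path -Unique)
    }
}

New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
$pml = Join-Path $WorkDir 'trace.pml'
$csv = Join-Path $WorkDir 'trace.csv'

# 1. Start capturing to a backing file; /Quiet suppresses the filter prompt.
Start-Process -FilePath 'procmon.exe' -ArgumentList "/AcceptEula /Quiet /Minimized /BackingFile `"$pml`""
Write-Host "Capturing for $Seconds seconds; start $ProcessName now."
Start-Sleep -Seconds $Seconds

# 2. /Terminate tells the capturing instance to stop and flush the log to disk.
Start-Process -FilePath 'procmon.exe' -ArgumentList '/Terminate' -Wait

# 3. Convert the binary .pml log to CSV; the export format follows the extension.
Start-Process -FilePath 'procmon.exe' -ArgumentList "/AcceptEula /OpenLog `"$pml`" /SaveAs `"$csv`"" -Wait

# 4. Summarise. Registry writes and dropped files are the usual persistence clues.
Get-ProcmonSummary -CsvPath $csv -Name $ProcessName | Format-List
```

An unfiltered trace grows quickly, so keep the capture window short or load a saved filter with /LoadConfig before a longer run.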
If you are looking for a set of diagnostic tools for the Windows operating system, look no further than the Sysinternals tools.