sysinternals::suite

tags: tool · sysinternals · windows · triage
01 High-Value Sysinternals Tools
What to open first
| Tool | Use | Typical CTF / DFIR value |
|---|---|---|
| Autoruns | Persistence review | Run keys, services, tasks, browser helpers, WMI |
| Procmon | Filesystem / registry / process trace | See what malware touches on execution |
| Process Explorer | Live process tree + handles + DLLs | Parent/child tree, suspicious threads, command line |
| PsExec | Remote execution | Lateral movement understanding / testing |
| TCPView | Network connections | Beaconing and ephemeral ports |
| Sigcheck | Signature / hash / VT lookup | Fast triage of dropped executables |
| Strings | Unicode + ASCII strings | Richer than bare strings.exe output in Windows workflows |
| Handle | Open file / object handles | Who locks a file? Who opened artifact X? |
| PsList / PsKill | CLI process tools | Low-friction shell triage |
02 Autoruns
GUI triage ideas
- hide Microsoft / Windows entries first
- sort by Publisher, then Image Path
- inspect Logon, Services, Scheduled Tasks, AppInit, WMI
- unsigned + odd temp path = immediate pivot
- compare command line with parent folder contents
Autorunsc CLI
autorunsc64.exe -a * -c -h -m > autoruns.csv
autorunsc64.exe -a ltsv -c -m > focused.csv

# flags
-a  categories
-c  CSV
-h  hashes
-m  hide Microsoft entries
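Worked example (added here; not part of the original cheatsheet and not Sysinternals code): a Python triage pass over an autorunsc CSV export that applies the GUI ideas above mechanically, skips verified Microsoft entries the way -m does, and keeps only enabled entries that are not verified-signed or that run from a user-writable path. The column names, the sample rows and the path heuristics are assumptions / constructed data; check the header line of your own export.

```python
import csv
import io

# Constructed sample of autorunsc -c output. The column names are an assumption
# (verify against the first line of your own export).
SAMPLE_AUTORUNS_CSV = r"""
Entry Location,Entry,Enabled,Category,Signer,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,(Not verified) Contoso Ltd,c:\users\alice\appdata\local\temp\updater.exe,C:\Users\alice\AppData\Local\Temp\updater.exe -silent
Task Scheduler,\Sync,enabled,Scheduled Tasks,(Verified) Contoso Ltd,c:\program files\contoso\sync.exe,C:\Program Files\Contoso\sync.exe
HKLM\System\CurrentControlSet\Services,svchelper,disabled,Services,(Not verified) svchelper,c:\users\public\old\svchelper.exe,C:\Users\Public\old\svchelper.exe
HKLM\System\CurrentControlSet\Services,svchelper2,enabled,Services,(Not verified) svchelper,c:\users\public\svchelper.exe,C:\Users\Public\svchelper.exe
""".lstrip("\n")

# Assumed heuristic: directories a non-admin user can normally write to.
USER_WRITABLE_HINTS = ("\\temp\\", "\\users\\public\\", "\\appdata\\",
                       "\\programdata\\", "\\downloads\\")


def triage_autoruns(csv_text, hide_microsoft=True):
    """Return enabled autostart entries worth a second look, most reasons first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        signer = row.get("Signer", "").strip()
        if row.get("Enabled", "").lower() != "enabled":
            continue  # disabled entries are still evidence, but not a live pivot
        if hide_microsoft and signer.startswith("(Verified) Microsoft"):
            continue  # same effect as the -m flag / GUI "Hide Microsoft Entries"
        reasons = []
        if not signer.startswith("(Verified)"):
            reasons.append("unsigned or signature not verified")
        if any(h in row.get("Image Path", "").lower() for h in USER_WRITABLE_HINTS):
            reasons.append("image in user-writable / temp location")
        if reasons:
            findings.append({
                "entry": row["Entry"],
                "location": row["Entry Location"],
                "category": row["Category"],
                "image": row["Image Path"],
                "launch": row["Launch String"],
                "reasons": reasons,
            })
    # sort is stable, so entries with the same score keep export order
    findings.sort(key=lambda f: -len(f["reasons"]))
    return findings


if __name__ == "__main__":
    for f in triage_autoruns(SAMPLE_AUTORUNS_CSV):
        print(f"[{f['category']}] {f['entry']}  {f['image']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

To run it against a real export, read the file with encoding="utf-16" (autorunsc writes UTF-16) and pass the text to triage_autoruns; the "(Verified)" / "(Not verified)" prefixes are what Autoruns prints in the Signer column.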
03 Procmon
Filter recipes
Process Name is malware.exe          include
Operation is RegSetValue             include
Operation is CreateFile              include
Path contains \Run                   include
Path begins with C:\Users\Public     include
Result is NAME NOT FOUND             include

# malware loves repeated NAME NOT FOUND probes
Common uses
- find dropped files and mutex names
- identify registry persistence keys
- recover config paths and staging folders
- see DLL search order hijacks
- capture child processes + command lines
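Worked example (added here; not from the original cheatsheet or from Procmon itself) covering both the filter recipes and the common uses above: a Python pass over a Procmon CSV export (File > Save..., CSV) that reproduces the include filters, lists \Run writes, counts NAME NOT FOUND probes, pairs a missing .dll with the copy that was eventually loaded elsewhere (the DLL search-order-hijack signature), and pulls child command lines out of Process Create details. The sample rows are constructed; the column layout matches what Procmon exports.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in the column layout of a Procmon CSV export.
SAMPLE_PROCMON_CSV = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000","malware.exe","3120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 84, Data: C:\Users\Public\stage\updater.exe"
"10:01:02.2000000","malware.exe","3120","CreateFile","C:\Users\Public\stage\cfg.bin","SUCCESS","Desired Access: Generic Write"
"10:01:02.3000000","malware.exe","3120","CreateFile","C:\Users\Public\stage\version.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.3100000","malware.exe","3120","CreateFile","C:\Windows\System32\version.dll","SUCCESS","Desired Access: Read Data/List Directory"
"10:01:02.4000000","malware.exe","3120","CreateFile","C:\Users\Public\stage\dbghelp.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.5000000","malware.exe","3120","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 4412, Command line: cmd.exe /c dir C:\Users\Public\stage"
"10:01:02.6000000","explorer.exe","1844","CreateFile","C:\Users\alice\Desktop\desktop.ini","NAME NOT FOUND","Desired Access: Read Attributes"
""".lstrip("\n")


def parse_procmon_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def select(events, process=None, operation=None, path_contains=None, result=None):
    """Equivalent of stacking Procmon include filters: every given condition must hold."""
    out = []
    for e in events:
        if process and e["Process Name"].lower() != process.lower():
            continue
        if operation and e["Operation"] != operation:
            continue
        if path_contains and path_contains.lower() not in e["Path"].lower():
            continue
        if result and e["Result"] != result:
            continue
        out.append(e)
    return out


def persistence_writes(events, process):
    """Registry values written under any ...\Run / ...\RunOnce key."""
    return [e["Path"] for e in select(events, process, "RegSetValue", "\\Run")]


def name_not_found_probes(events, process):
    """How often each missing path was probed; repeated probes are the tell."""
    return Counter(e["Path"] for e in
                   select(events, process, "CreateFile", None, "NAME NOT FOUND"))


def dll_hijack_candidates(events, process):
    """A .dll looked up and missing in one directory, then loaded from another."""
    missing, loaded = defaultdict(list), defaultdict(list)
    for e in select(events, process, "CreateFile"):
        name = e["Path"].rsplit("\\", 1)[-1].lower()
        if not name.endswith(".dll"):
            continue
        bucket = missing if e["Result"] == "NAME NOT FOUND" else loaded
        bucket[name].append(e["Path"])
    return [(n, m, l) for n in missing if n in loaded
            for m in missing[n] for l in loaded[n]]


def child_processes(events, process):
    """(image, command line) for every child the process started."""
    out = []
    for e in select(events, process, "Process Create"):
        detail = e["Detail"]
        cmd = detail.split("Command line: ", 1)[1] if "Command line: " in detail else ""
        out.append((e["Path"], cmd))
    return out


if __name__ == "__main__":
    ev = parse_procmon_csv(SAMPLE_PROCMON_CSV)
    print("persistence:", persistence_writes(ev, "malware.exe"))
    print("probes:", name_not_found_probes(ev, "malware.exe").most_common())
    print("dll hijack candidates:", dll_hijack_candidates(ev, "malware.exe"))
    print("children:", child_processes(ev, "malware.exe"))
```

The dbghelp.dll probe in the sample is missing but never loaded from elsewhere, so it shows up as a probe and not as a hijack candidate; version.dll, missing next to the binary and then loaded from System32, is the pattern worth pivoting on.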
04 Process Explorer / TCPView / Sigcheck
Process Explorer quick wins
- verify parent / child tree
- inspect command line column
- check image path, signer, VirusTotal score
- lower pane: DLLs or handles
- view threads for unusual start addresses
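Worked example (added here; not part of the original cheatsheet or of Process Explorer): the parent/child and image-path checks from the list above, run in Python over a process snapshot so the same questions can be asked of a list exported from a VM or a memory image. The process list is constructed, and the three rules (script host under an Office app, svchost.exe not under services.exe, image in a user-writable path) are assumed starter heuristics, not a complete ruleset.

```python
from collections import defaultdict

# Constructed sample snapshot: (pid, ppid, image name, image path), the PID,
# parent, Process and Path columns you would read off Process Explorer.
PROCESSES = [
    (600,  500,  "wininit.exe",    r"C:\Windows\System32\wininit.exe"),
    (680,  600,  "services.exe",   r"C:\Windows\System32\services.exe"),
    (900,  680,  "svchost.exe",    r"C:\Windows\System32\svchost.exe"),
    (1500, 1400, "explorer.exe",   r"C:\Windows\explorer.exe"),  # parent (userinit) already exited
    (2200, 1500, "WINWORD.EXE",    r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    (2300, 2200, "cmd.exe",        r"C:\Windows\System32\cmd.exe"),
    (2400, 2300, "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (2500, 1500, "svchost.exe",    r"C:\Users\Public\svchost.exe"),
]

# Assumed heuristics for the rules below.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE_HINTS = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def build_index(procs):
    by_pid = {p[0]: p for p in procs}
    children = defaultdict(list)
    for pid, ppid, *_ in procs:
        children[ppid].append(pid)
    return by_pid, children


def ancestors(pid, by_pid):
    """Yield parent, grandparent, ... image names (lower-case) while they still exist."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid][1]
        if pid in by_pid:
            yield by_pid[pid][2].lower()


def find_anomalies(procs):
    by_pid, _ = build_index(procs)
    out = []
    for pid, ppid, name, path in procs:
        n, reasons = name.lower(), []
        parent = by_pid[ppid][2].lower() if ppid in by_pid else None
        if n in SCRIPT_SHELLS and any(a in OFFICE_APPS for a in ancestors(pid, by_pid)):
            reasons.append("shell/script host descended from an Office process")
        if n == "svchost.exe" and parent != "services.exe":
            reasons.append(f"svchost.exe parent is {parent or 'gone'}, not services.exe")
        if any(h in path.lower() for h in USER_WRITABLE_HINTS):
            reasons.append("image runs from a user-writable path")
        if reasons:
            out.append({"pid": pid, "name": name, "parent": parent, "reasons": reasons})
    return out


def render_tree(procs):
    """Indented tree like Process Explorer's default view, roots = orphaned parents."""
    by_pid, children = build_index(procs)
    lines = []

    def walk(pid, depth):
        _, _, name, path = by_pid[pid]
        lines.append(f"{'  ' * depth}{name} ({pid})  {path}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(pid for pid, ppid, *_ in procs if ppid not in by_pid):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESSES)))
    for a in find_anomalies(PROCESSES):
        print(f"\n{a['name']} ({a['pid']}) parent={a['parent']}")
        for r in a["reasons"]:
            print(f"    - {r}")
```

explorer.exe and wininit.exe both render as roots because their parents are gone, which is normal; the check worth acting on is the svchost.exe copy under explorer.exe in C:\Users\Public, and the cmd.exe / powershell.exe chain under WINWORD.EXE.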
Useful CLI snippets
sigcheck64.exe -h -q sample.exe
sigcheck64.exe -u -e C:\Windows\System32
strings64.exe -n 6 sample.exe
handle64.exe suspicious.txt
tcpview.exe   # GUI; sort by state / remote address
05 PsTools
PsExec / PsList / PsKill
psexec.exe \\host -u user -p pass cmd.exe
pslist.exe \\host
pskill.exe -t PID

# forensic note
PsExec itself leaves traces:
- service creation
- event logs
- ADMIN$ / IPC$ usage
- dropped PSEXESVC service binary
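Worked example (added here; not from the original cheatsheet or from the PsTools package): a Python detector for the traces listed in the forensic note, run over constructed event records. It flags System event 7045 (service installed) when the service is PSEXESVC or its binary is PSEXESVC.exe, uses a weaker heuristic for a renamed service whose demand-start binary was dropped straight into %SystemRoot%, and corroborates either with Security event 5140 ADMIN$ / IPC$ share access from the same time window. The records are constructed; the field names are the EventData fields of the real 7045 and 5140 events, and the renamed-service heuristic is an assumption to tune.

```python
from datetime import datetime

# Constructed sample records normalised from the System and Security logs.
EVENTS = [
    {"time": "2024-05-01T10:00:01", "channel": "Security", "id": 5140,
     "fields": {"ShareName": r"\\*\IPC$", "IpAddress": "10.0.0.5", "SubjectUserName": "alice"}},
    {"time": "2024-05-01T10:00:02", "channel": "Security", "id": 5140,
     "fields": {"ShareName": r"\\*\ADMIN$", "IpAddress": "10.0.0.5", "SubjectUserName": "alice"}},
    {"time": "2024-05-01T10:00:03", "channel": "System", "id": 7045,
     "fields": {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe",
                "ServiceType": "user mode service", "StartType": "demand start",
                "AccountName": "LocalSystem"}},
    {"time": "2024-05-01T11:30:00", "channel": "System", "id": 7045,
     "fields": {"ServiceName": "ContosoAgent", "ImagePath": r"C:\Program Files\Contoso\agent.exe",
                "ServiceType": "user mode service", "StartType": "auto start",
                "AccountName": "LocalSystem"}},
    {"time": "2024-05-01T12:00:00", "channel": "Security", "id": 5140,
     "fields": {"ShareName": r"\\*\ADMIN$", "IpAddress": "10.0.0.9", "SubjectUserName": "svc_backup"}},
    {"time": "2024-05-01T12:00:04", "channel": "System", "id": 7045,
     "fields": {"ServiceName": "svcmgr", "ImagePath": r"%SystemRoot%\svcmgr.exe",
                "ServiceType": "user mode service", "StartType": "demand start",
                "AccountName": "LocalSystem"}},
]


def _ts(rec):
    return datetime.fromisoformat(rec["time"])


def psexec_indicators(events, window_seconds=60):
    """Service installs that look like PsExec, with prior admin-share access as corroboration."""
    share_hits = [e for e in events if e["id"] == 5140 and
                  e["fields"]["ShareName"].upper().endswith(("ADMIN$", "IPC$"))]
    findings = []
    for e in events:
        if e["id"] != 7045:
            continue
        f, reasons = e["fields"], []
        image = f["ImagePath"]
        if f["ServiceName"].upper() == "PSEXESVC" or image.upper().endswith("PSEXESVC.EXE"):
            reasons.append("default PsExec service name / binary")
        elif (image.upper().startswith("%SYSTEMROOT%\\") and image.count("\\") == 1
              and f["StartType"] == "demand start"):
            # assumed heuristic: a renamed PsExec service still drops its binary
            # directly under %SystemRoot% (the ADMIN$ share root) as demand start
            reasons.append("demand-start service binary dropped directly in %SystemRoot%")
        t = _ts(e)
        sources = sorted({s["fields"]["IpAddress"] for s in share_hits
                          if 0 <= (t - _ts(s)).total_seconds() <= window_seconds})
        if reasons and sources:
            reasons.append(f"preceded by ADMIN$/IPC$ access from {', '.join(sources)} "
                           f"within {window_seconds}s")
        if reasons:
            findings.append({"time": e["time"], "service": f["ServiceName"],
                             "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in psexec_indicators(EVENTS):
        print(f"{hit['time']}  {hit['service']}  {hit['image']}")
        for r in hit["reasons"]:
            print(f"    - {r}")
```

ContosoAgent is left alone: a normal installer path, auto start, and no admin-share access in the preceding minute. The share correlation only ever strengthens an existing hit, so routine 5140 noise from backup or management hosts does not produce findings on its own.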
Good CTF pivots
- identify persistence with Autoruns
- execute sample in VM, trace with Procmon
- inspect process tree in Process Explorer
- confirm network with TCPView
- hash/signature with Sigcheck
- export observations into timeline notes