diff --git a/sysinternals/downloads/accesschk.md b/sysinternals/downloads/accesschk.md
index 13774c2a..2d49cea4 100644
--- a/sysinternals/downloads/accesschk.md
+++ b/sysinternals/downloads/accesschk.md
@@ -7,14 +7,14 @@ ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb664922(v=MSDN.10)'
ms.date: 02/17/2017
---
-AccessChk v6.1
-==============
+AccessChk v6.11
+===============
**By Mark Russinovich**
-Published: February 17, 2017
+Published: September 11, 2017
-[](https://download.sysinternals.com/files/AccessChk.zip) [**Download AccessChk**](https://download.sysinternals.com/files/AccessChk.zip) **(359 KB)**
+[](https://download.sysinternals.com/files/AccessChk.zip) [**Download AccessChk**](https://download.sysinternals.com/files/AccessChk.zip) **(369 KB)**
**Run now** from [Sysinternals Live](https://live.sysinternals.com/).
## Introduction
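Review bot: the front-matter date is left stale while the visible publication date moves. The unchanged context line `ms.date: 02/17/2017` still reflects the old release, but the hunk changes `Published: February 17, 2017` to `Published: September 11, 2017`. Update `ms.date` to `09/11/2017` in the same commit so the metadata consumed by the site matches the page body.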
@@ -103,5 +103,5 @@ To see all global objects that Everyone can modify:
**accesschk -wuo everyone \\basednamedobjects**
-[](https://download.sysinternals.com/files/AccessChk.zip) [**Download AccessChk**](https://download.sysinternals.com/files/AccessChk.zip) **(359 KB)**
+[](https://download.sysinternals.com/files/AccessChk.zip) [**Download AccessChk**](https://download.sysinternals.com/files/AccessChk.zip) **(369 KB)**
**Run now** from [Sysinternals Live](https://live.sysinternals.com/).
\ No newline at end of file
diff --git a/sysinternals/downloads/autoruns.md b/sysinternals/downloads/autoruns.md
index 1aa1f19b..278ad675 100644
--- a/sysinternals/downloads/autoruns.md
+++ b/sysinternals/downloads/autoruns.md
@@ -7,14 +7,14 @@ ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb963902(v=MSDN.10)'
ms.date: 05/16/2017
---
-Autoruns for Windows v13.71
-===========================
+Autoruns for Windows v13.8
+==========================
**By Mark Russinovich**
-Published: May 16, 2017
+Published: September 11, 2017
-[](https://download.sysinternals.com/files/Autoruns.zip) [**Download Autoruns and Autorunsc**](https://download.sysinternals.com/files/Autoruns.zip) **(1.21 MB)**
+[](https://download.sysinternals.com/files/Autoruns.zip) [**Download Autoruns and Autorunsc**](https://download.sysinternals.com/files/Autoruns.zip) **(1.2 MB)**
**Run now** from [Sysinternals Live](https://live.sysinternals.com/).
## Introduction
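Review bot: same stale metadata as in accesschk.md: `ms.date: 05/16/2017` is left unchanged while `Published:` becomes `September 11, 2017`. Bump `ms.date` to `09/11/2017` here as well.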
@@ -119,8 +119,8 @@ Autorunsc is the command-line version of Autoruns. Its usage syntax is:
| **-t** | Show timestamps in normalized UTC (YYYYMMDD-hhmmss).|
| **-u** | If VirusTotal check is enabled, show files that are unknown by VirusTotal or have non-zero detection, otherwise show only unsigned files.|
| **-x** | Print output as XML.|
-| **-v\[rs\]**| Query VirusTotal (www.virustotal.com) for malware based on file hash. Add 'r' to open reports for files with non-zero detection. Files reported as not previously scanned will be uploaded to VirusTotal if the 's' option is specified. Note scan results may not be available for five or more minutes.|
-| **-vt** | Before using VirusTotal features, you must accept VirusTotal terms of service. See: https://www.virustotal.com/en/about/terms-of-service/ If you haven't accepted the terms and you omit this option, you will be interactively prompted.|
+| **-v\[rs\]**| Query [VirusTotal](https://www.virustotal.com/) for malware based on file hash. Add 'r' to open reports for files with non-zero detection. Files reported as not previously scanned will be uploaded to VirusTotal if the 's' option is specified. Note scan results may not be available for five or more minutes.|
+| **-vt** | Before using VirusTotal features, you must accept the VirusTotal [terms of service](https://www.virustotal.com/en/about/terms-of-service/). If you haven't accepted the terms and you omit this option, you will be interactively prompted.|
| **-z** | Specifies the offline Windows system to scan.|
| **user** | Specifies the name of the user account for which autorun items will be shown. Specify '\*' to scan all user profiles. |
@@ -136,6 +136,6 @@ Autorunsc is the command-line version of Autoruns. Its usage syntax is:
## Download
-[](https://download.sysinternals.com/files/Autoruns.zip) [**Download Autoruns and Autorunsc**](https://download.sysinternals.com/files/Autoruns.zip) **(1.21 MB)**
+[](https://download.sysinternals.com/files/Autoruns.zip) [**Download Autoruns and Autorunsc**](https://download.sysinternals.com/files/Autoruns.zip) **(1.2 MB)**
**Run now** from [Sysinternals Live](https://live.sysinternals.com/).
diff --git a/sysinternals/downloads/sigcheck.md b/sysinternals/downloads/sigcheck.md
index 6d2fbc55..b1e924d6 100644
--- a/sysinternals/downloads/sigcheck.md
+++ b/sysinternals/downloads/sigcheck.md
@@ -22,7 +22,7 @@ Published: May 22, 2017
Sigcheck is a command-line utility that shows file version number,
timestamp information, and digital signature details, including
certificate chains. It also includes an option to check a file’s status
-on [VirusTotal](http://www.virustotal.com/), a site that performs
+on [VirusTotal](https://www.virustotal.com/), a site that performs
automated file scanning against over 40 antivirus engines, and an option
to upload a file for scanning.
@@ -56,7 +56,7 @@ name|\*>**
| **-s** | Recurse subdirectories|
| **-t\[u\]\[v\]** | Dump contents of specified certificate store ('\*' for all stores).
Specify -tu to query the user store (machine store is the default).
Append '-v' to have Sigcheck download the trusted Microsoft root certificate list and only output valid certificates not rooted to a certificate on that list. If the site is not accessible, authrootstl.cab or authroot.stl in the current directory are used instead, if present.|
| **-u** | If VirusTotal check is enabled, show files that are unknown by VirusTotal or have non-zero detection, otherwise show only unsigned files.|
-| **-v\[rs\]**| Query VirusTotal ([www.virustotal.com](http://www.virustotal.com/)) for malware based on file hash.
Add 'r' to open reports for files with non-zero detection.
Files reported as not previously scanned will be uploaded to VirusTotal if the 's' option is specified. Note scan results may not be available for five or more minutes.|
+| **-v\[rs\]**| Query VirusTotal ([www.virustotal.com](https://www.virustotal.com/)) for malware based on file hash.
Add 'r' to open reports for files with non-zero detection.
Files reported as not previously scanned will be uploaded to VirusTotal if the 's' option is specified. Note scan results may not be available for five or more minutes.|
| **-vt** | Before using VirusTotal features, you must accept VirusTotal terms of service. See: If you haven't accepted the terms and you omit this option, you will be interactively prompted.|
One way to use the tool is to check for unsigned files in your
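Review bot: the `-vt` row immediately below the edited `-v[rs]` row is broken and this hunk leaves it untouched: `| **-vt** | Before using VirusTotal features, you must accept VirusTotal terms of service. See: If you haven't accepted the terms ...` has a dangling `See:` with the terms-of-service URL missing. The autoruns.md hunk in this same commit fixes the equivalent row by linking the words `terms of service` to `https://www.virustotal.com/en/about/terms-of-service/`; apply the same wording here so the two tool pages stay consistent and the sentence reads correctly.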
@@ -77,7 +77,7 @@ You should investigate the purpose of any files that are not signed.
## Learn More
- [Malware Hunting with the Sysinternals
- Tools](http://channel9.msdn.com/events/teched/northamerica/2013/atc-b308#fbid=mb6_bvqq9jj)
+ Tools](https://channel9.msdn.com/events/teched/northamerica/2013/atc-b308#fbid=mb6_bvqq9jj)
In this presentation, Mark shows how to use the Sysinternals tools
to identify, analyze and clean malware.
diff --git a/sysinternals/downloads/sysinternals-suite.md b/sysinternals/downloads/sysinternals-suite.md
index 033276eb..d991c277 100644
--- a/sysinternals/downloads/sysinternals-suite.md
+++ b/sysinternals/downloads/sysinternals-suite.md
@@ -13,8 +13,8 @@ Sysinternals Suite
**By Mark Russinovich**
Updated: June 14, 2017
-[**Download Sysinternals Suite**](https://download.sysinternals.com/files/SysinternalsSuite.zip) (21.3 MB)
-[**Download Sysinternals Suite for Nano Server**](https://download.sysinternals.com/files/SysinternalsSuite-Nano.zip) (4.6 MB)
+[**Download Sysinternals Suite**](https://download.sysinternals.com/files/SysinternalsSuite.zip) (22.6 MB)
+[**Download Sysinternals Suite for Nano Server**](https://download.sysinternals.com/files/SysinternalsSuite-Nano.zip) (4.7 MB)
## Introduction
The Sysinternals Troubleshooting Utilities have been rolled up into a
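Review bot: the suite download sizes change (21.3 MB to 22.6 MB, 4.6 MB to 4.7 MB), which means the suite package was rebuilt, but the unchanged context line `Updated: June 14, 2017` still carries the previous release date. Update it to the September 11, 2017 date used elsewhere in this commit.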
@@ -44,6 +44,6 @@ Utilities:
| [VolumeID](volumeid.md) | [WhoIs](whois.md) | [WinObj](winobj.md) | [ZoomIt](zoomit.md) | |
-[**Download Sysinternals Suite**](https://download.sysinternals.com/files/SysinternalsSuite.zip) (21.3 MB)
-[**Download Sysinternals Suite for Nano Server**](https://download.sysinternals.com/files/SysinternalsSuite-Nano.zip) (4.6 MB)
+[**Download Sysinternals Suite**](https://download.sysinternals.com/files/SysinternalsSuite.zip) (22.6 MB)
+[**Download Sysinternals Suite for Nano Server**](https://download.sysinternals.com/files/SysinternalsSuite-Nano.zip) (4.7 MB)
diff --git a/sysinternals/downloads/sysmon.md b/sysinternals/downloads/sysmon.md
index db4084ab..9394cff1 100644
--- a/sysinternals/downloads/sysmon.md
+++ b/sysinternals/downloads/sysmon.md
@@ -7,14 +7,14 @@ ms:mtpsurl: 'https://technet.microsoft.com/en-us/Dn798348(v=MSDN.10)'
ms.date: 05/22/2017
---
-Sysmon v6.02
-============
+Sysmon v6.1
+===========
**By Mark Russinovich and Thomas Garnier**
-Published: May 22, 2017
+Published: September 11, 2017
-[](https://download.sysinternals.com/files/Sysmon.zip) [**Download Sysmon**](https://download.sysinternals.com/files/Sysmon.zip) **(1 MB)**
+[](https://download.sysinternals.com/files/Sysmon.zip) [**Download Sysmon**](https://download.sysinternals.com/files/Sysmon.zip) **(1.4 MB)**
## Introduction
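Review bot: `ms.date: 05/22/2017` is again left in place while `Published:` moves to `September 11, 2017`; bump the front-matter date to match, as for the other tool pages in this commit.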
@@ -292,6 +292,29 @@ configuration settings via browser downloads, and this event is aimed at
capturing that based on the browser attaching a Zone.Identifier “mark of
the web” stream.
+### Event ID 17: PipeEvent (Pipe Created)
+
+This event generates when a named pipe is created. Malware often uses named
+pipes for interprocess communication.
+
+### Event ID 18: PipeEvent (Pipe Connected)
+
+This event logs when a named pipe connection is made between a client and a
+server.
+
+### Event ID 19: WmiEvent (WmiEventFilter activity detected)
+
+When a WMI event filter is registered, which is a method used by malware to
+execute, this event logs the WMI namespace, filter name and filter expression.
+
+### Event ID 20: WmiEvent (WmiEventConsumer activity detected)
+
+This event logs the registration of WMI consumers, recording the consumer name,
+log, and destination.
+
+### Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected)
+When a consumer binds to a filter, this event logs the consumer name and filter path.
+
### Event ID 255: Error
This event is generated when an error occurred within Sysmon. They can
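Review bot: the new `### Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected)` heading is missing the blank line that every other added heading (Event IDs 17 through 20) has between the heading and its paragraph; add it so the Markdown renders consistently. Two wording nits in the new text: `This event generates when a named pipe is created.` should read `This event is generated when ...` to match the passive form used by the existing Event ID 255 entry (`This event is generated when an error occurred within Sysmon`), and the Event ID 19 sentence `When a WMI event filter is registered, which is a method used by malware to execute, this event logs ...` reads more clearly as `... which is a method malware uses to achieve persistence/execution, ...`. It would also help defenders to say which filter is needed to enable these event types, if the configuration section later on the page documents one.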
@@ -420,7 +443,7 @@ activity to port 80 and 443 by all processes except those that have
iexplore.exe in their name.
-[](https://download.sysinternals.com/files/Sysmon.zip) [**Download Sysmon**](https://download.sysinternals.com/files/Sysmon.zip) **(1 MB)**
+[](https://download.sysinternals.com/files/Sysmon.zip) [**Download Sysmon**](https://download.sysinternals.com/files/Sysmon.zip) **(1.4 MB)**
**Runs on:**
diff --git a/sysinternals/index.md b/sysinternals/index.md
index 367159cf..423d800f 100644
--- a/sysinternals/index.md
+++ b/sysinternals/index.md
@@ -23,6 +23,14 @@ You can view the entire Sysinternals Live tools directory in a browser at [https
## What's New [](https://blogs.technet.microsoft.com/sysinternals/feed/) ##
+### What's New (September 11, 2017) ###
+ - [Sysmon v6.1](~/downloads/sysmon.md)
+ This update to Sysmon, a background monitor that records activity to the event log for use in security incident detection and forensics, adds monitoring of WMI filters and consumers, an autostart mechanism commonly used by malware, and fixes a bug in image load filtering.
+ - [Process Monitor v3.4](~/downloads/procmon.md)
+ Process Monitor, a file system registry, process and network real-time monitor, now includes a /runtime switch for terminating monitoring after a specified amount of time, when in hexadecimal mode shows process tree process IDs in hexadecimal, and fixes a bug in automated boot log conversion.
+ - [Autoruns v13.8](~/downloads/autoruns.md)
+ This release of Autoruns, a utility for viewing and managing autostart execution points (ASEPs), adds additional autostart entry points, has asynchronous file saving, fixes a bug parsing 32-bit paths on 64-bit Windows, shows the display name for drivers and services, and fixes a bug in offline Virus Total scanning.
+
### What's New (May 16, 2017) ###
- [ProcDump v9.0](~/downloads/procdump.md)
This major update to ProcDump, a utility that enables process dump capture based on a variety of triggers, introduces the ability to take capture multiple dumps sizes. This is particularly useful when capturing crash dumps of applications susceptible to termination due to unresponsiveness (e.g. IIS Ping killing w3wp.exe). This release also adds support for an associated Kernel Dump of the process that includes the kernel stacks of the process.
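Review bot: `fixes a bug in offline Virus Total scanning` in the Autoruns v13.8 entry should use the product name `VirusTotal` (one word), as it is written throughout the autoruns.md and sigcheck.md changes in this same commit. The Process Monitor entry also needs a comma: `a file system registry, process and network real-time monitor` should be `a file system, registry, process and network real-time monitor`, since the tool monitors file system and registry activity as two separate things.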
diff --git a/sysinternals/learn/windows-internals.md b/sysinternals/learn/windows-internals.md
index 5ac08fcf..0541522f 100644
--- a/sysinternals/learn/windows-internals.md
+++ b/sysinternals/learn/windows-internals.md
@@ -5,120 +5,44 @@ ms:assetid: '11dfe484-4785-45a8-9b2f-863cdbd83be6'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb963901(v=MSDN.10)'
ms.date: 02/07/2017
---
-
Windows Internals Book
======================
-
-***Windows Internals, 6th edition*** covers the internals of the core
-kernel components of the Windows 7 and Windows Server 2008 R2 operating
-systems. This classic book will help you:
-- Understand how the core system and management mechanisms work—from
- the object manager to services to the registry
-- Explore internal system data structures using tools like the kernel
- debugger
-- Grasp the scheduler’s priority and CPU placement algorithms
-- Go inside the Windows security model to see how it authorizes access
- to data
-- Understand how Windows manages physical and virtual memory
-- Tour the Windows networking stack from top to bottom—including APIs,
- protocol drivers, and network adapter drivers
-- Troubleshoot file-system access problems and system boot problems
-- Learn how to analyze crashes
-
-Sixth in the series, this edition was again written by Mark Russinovich,
-a Technical Fellow in Microsoft’s Azure Group, [David
-Solomon](http://www.solsem.com/), an operating systems expert and
-Windows internals teacher, and Alex Ionescu, Chief Architect at
-CrowdStrike and specializing in OS internals and security. Besides
-updates for changes in Windows, there are many new experiments and
-examples that highlight the use of both existing and new Sysinternals
-tools.
-
-## Table of Contents
-
-**Part 1:**
-**Chapter 1** Concepts and Tools
-**Chapter 2** System Architecture
-**Chapter 3** System Mechanisms
-**Chapter 4** Management Mechanisms
-**Chapter 5** Processes, Threads, and Jobs
-**Chapter 6** Security
-**Chapter 7** Networking
-**Part 2:**
-**Chapter 8** I/O System
-**Chapter 9** Storage Management
-**Chapter 10** Memory Management
-**Chapter 11** Cache Manager
-**Chapter 12** File Systems
-**Chapter 13** Startup and Shutdown
-**Chapter 14** Crash Dump Analysis
-
-## Sample Chapter
-
-You can download a PDF that includes the full table of contents, Chapter 5 (Processes, Threads, and Jobs), and Chapter 6 (Security)
-[here](https://download.microsoft.com/download/1/4/0/14045a9e-c978-47d1-954b-92b9fd877995/97807356648739_samplechapters.pdf).
-
-## Ordering the Book
-
-The book is available for purchase on the Microsoft Press site ([6th Edition Part 1](https://www.microsoftpressstore.com/store/windows-internals-part-1-9780735648739);
-[6th Edition Part 2](https://www.microsoftpressstore.com/store/windows-internals-part-2-9780735665873),
-or the [5th Edition](https://www.microsoftpressstore.com/store/windows-internals-9780735630277)).
-
-## History of the Book
-
-This is the sixth edition of a book that was originally called *Inside
-Windows NT* (Microsoft Press, 1992), written by Helen Custer (prior to
-the initial release of Microsoft Windows NT 3.1). *Inside Windows
-NT* was the first book ever published about Windows NT and provided key
-insights into the architecture and design of the system. *Inside Windows
-NT, Second Edition* (Microsoft Press, 1998) was written by David
-Solomon. It updated the original book to cover Windows NT 4.0 and had a
-greatly increased level of technical depth.
-
-*Inside Windows 2000, Third Edition* (Microsoft Press, 2000) was
-authored by David Solomon and Mark Russinovich. It added many new
-topics, such as startup and shutdown, service internals, registry
-internals, file-system drivers, and networking. It also covered kernel
-changes in Windows 2000, such as the Windows Driver Model (WDM), Plug
-and Play, power management, Windows Management Instrumentation (WMI),
-encryption, the job object, and Terminal Services. *Windows Internals,
-Fourth Edition* was the Windows XP and Windows Server 2003 update and
-added more content focused on helping IT professionals make use of their
-knowledge of Windows internals, such as using key tools from ([Windows
-Sysinternals](~/index.md))
-and analyzing crash dumps. *Windows Internals, Fifth Edition* was the
-update for Windows Vista and Windows Server 2008. New content included
-the image loader, user-mode debugging facility, and Hyper-V.
-
-## Book Tools
-
-Tools referenced in the book and hosted but not referenced on
-Sysinternals include:
-
-- [Cpustres](https://download.sysinternals.com/files/CPUSTRES.zip):
- This tool is used in the Processes, Threads and Jobs chapter to
- demonstrate relative thread priorities and priority boosting. It has
- a UI thread and you can direct it to create up to four worker
- threads at a specified priority and activity level.
-- [NotMyFault](https://download.sysinternals.com/files/NotMyFault.zip):
- Use this executable and driver to crash your system in several
- different ways. Chapter 7 uses Notmyfault to demonstrate pool leak
- troubleshooting and Chapter 14 uses it for crash analysis examples.
- The download includes x86 (in the exe\\release directory) and x64
- versions (in the exe\\relamd directory) as well as full source.
-- [Testlimit](https://download.sysinternals.com/files/TestLimit.zip):
- Chapter 3 uses Testlimit to demonstrate the operating system's
- per-process limit on the number of concurrently opened handles, but
- the tool's command-line options also let you test limits of process
- and thread creation.
-- [Accvio](https://download.sysinternals.com/files/AccVio.zip): This
- executable generates a user mode access violation by trying to
- reference virtual address zero, which by default, is marked no
- access. Chapter 3 uses it to demonstrate the behavior of Windows
- when an application triggers an unhandled exception.
-- [Iopriority](https://download.sysinternals.com/files/iopriority.zip):
- This tool is used in Chapter 7 to demonstrate the preference the
- system gives to high priority I/O over low priority I/O. It does so
- by creating two threads and having one issue high and the other low
- priority I/O's. It was written by Jeffrey Richter
- of [Wintellect](http://wintellect.com/).
\ No newline at end of file
+
+**Windows Internals 7th edition (Part 1)** covers the architecture and core internals of Windows 10 and Windows Sever 2016. This book helps you:
+
+* Understand the Windows system architecture and its general components
+* Explore internal data structures using tools like the kernel debugger
+* Understand how Windows uses processes for management and isolation
+* Understand and view thread scheduling and how CPU resources are managed
+* Dig into the Windows security model including recent advances in security mitigations
+* Understand how Windows manages virtual and physical memory
+* Understand how the I/O system manages physical devices and device drivers
+
+
+The 7th edition was written by Pavel Yosifovich, Alex Ionescu, Mark Russinovich and David Solomon. New material has been added since the 6th edition (which covered Windows 7 and Windows Server 2008 R2).
+Since the 7th edition’s part 2 is not yet available, the Windows Internals 6th edition (written by Mark Russinovich, David Solomon and Alex Ionescu) is an invaluable resource on missing topics from the first part of the 7th edition. These include system mechanisms, management mechanisms, networking, file systems, cache management and troubleshooting system crashes.
+
+### Table of contents of the 7th edition, part 1:
+* Chapter 1: Concepts and Tools
+* Chapter 2: System Architecture
+* Chapter 3: Processes and Jobs
+* Chapter 4: Threads
+* Chapter 5: Memory Management
+* Chapter 6: I/O System
+* Chapter 7: Security
+
+The book is available for purchase on the Microsoft Press site ([7th edition Part 1](https://www.microsoftpressstore.com/store/windows-internals-part-1-system-architecture-processes-9780735684188); [6th Edition Part 1](https://www.microsoftpressstore.com/store/windows-internals-part-1-9780735648739); [6th Edition Part 2](https://www.microsoftpressstore.com/store/windows-internals-part-2-9780735665873)).
+
+### History of the Book
+This is the seventh edition of a book that was originally called Inside Windows NT (Microsoft Press, 1992), written by Helen Custer (prior to the initial release of Microsoft Windows NT 3.1). Inside Windows NT was the first book ever published about Windows NT and provided key insights into the architecture and design of the system. Inside Windows NT, Second Edition (Microsoft Press, 1998) was written by David Solomon. It updated the original book to cover Windows NT 4.0 and had a greatly increased level of technical depth.
+Inside Windows 2000, Third Edition (Microsoft Press, 2000) was authored by David Solomon and Mark Russinovich. It added many new topics, such as startup and shutdown, service internals, registry internals, file-system drivers, and networking. It also covered kernel changes in Windows 2000, such as the Windows Driver Model (WDM), Plug and Play, power management, Windows Management Instrumentation (WMI), encryption, the job object, and Terminal Services. Windows Internals, Fourth Edition was the Windows XP and Windows Server 2003 update and added more content focused on helping IT professionals make use of their knowledge of Windows internals, such as using key tools from Windows Sysinternals (www.microsoft.com/technet/sysinternals) and analyzing crash dumps.
+
+Windows Internals, Fifth Edition was the update for Windows Vista and Windows Server 2008. It saw Mark Russinovich move on to a full-time job at Microsoft (where he is now the Azure CTO) and the addition of a new co-author, Alex Ionescu. New content included the image loader, user-mode debugging facility, Advanced Local Procedure Call (ALPC), and Hyper-V. The next release, Windows Internals, Sixth Edition, was fully updated to address the many kernel changes in Windows 7 and Windows Server 2008 R2, with many new hands-on experiments to reflect changes in the tools as well.
+
+### Seventh Edition Changes
+Since this series’ last update, Windows has gone through several releases, coming up to Windows 10 and Windows Server 2016. Windows 10 itself, being the current going-forward name for Windows, has had several releases since its initial Release-to-Manufacturing, or RTM, each labeled with a 4-digit version number indicating year and month of release, such as Windows 10, version 1703 that was completed in March 2017. The above implies that Windows has gone through at least 6 versions since Windows 7.
+Starting with Windows 8, Microsoft began a process of OS convergence, which is beneficial from a development perspective as well as for the Windows engineering team itself. Windows 8 and Windows Phone 8 had converged kernels, with modern app convergence arriving in Windows 8.1 and Windows Phone 8.1. The convergence story was complete with Windows 10, which runs on desktops/laptops, servers, XBOX One, phones (Windows Mobile 10), HoloLens, and various Internet of Things (IoT) devices.
+With this grand unification completed, the time was right for a new edition of the series, which could now finally catch up with almost half a decade of changes, in what will now be a more stabilized kernel architecture going forward. As such, this latest book covers aspects of Windows from Windows 8 to Windows 10, version 1703. Additionally, this edition welcomes Pavel Yosifovich as its new co-author.
+
+### Book tools
+Several tools have been specifically written for the book, and they are available with full source code at http://github.com/zodiacon/WindowsInternals.
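Review bot: typo in the new opening paragraph: `Windows 10 and Windows Sever 2016` should be `Windows Server 2016`. The new `### Book tools` section links `http://github.com/zodiacon/WindowsInternals` over plain HTTP while the rest of this commit moves links to HTTPS; use `https://github.com/zodiacon/WindowsInternals`. Note also that the rewrite drops the previous `## Book Tools` list (Cpustres, NotMyFault, Testlimit, Accvio, Iopriority) and the sample-chapter PDF link without replacing them; those downloads are still hosted on download.sysinternals.com and are referenced by the 6th edition that the new text explicitly recommends for its Part 2 topics, so consider keeping that list (or a pointer to it) rather than removing the only page that links to them. Minor: the heading `### Table of contents of the 7th edition, part 1:` should not end with a colon, to match the other headings.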