From 9dcdff5c8492c6b679fbcfc18ec808eaf637c80c Mon Sep 17 00:00:00 2001 From: Pacort Date: Thu, 13 Jul 2017 22:56:38 +0000 Subject: [PATCH 01/13] Initialize open publishing repository: https://github.com/MicrosoftDocs/sysinternals of branch live --- .openpublishing.publish.config.json | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index 1a54b337..38d55a85 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json @@ -22,7 +22,7 @@ "notification_subscribers": [], "branches_to_filter": [], "skip_source_output_uploading": false, - "need_preview_pull_request": false, + "need_preview_pull_request": true, "dependent_repositories": [ { "path_to_root": "_themes", @@ -31,5 +31,11 @@ "branch_mapping": {} } ], - "need_generate_pdf_url_template": false + "branch_target_mapping": { + "live": [ + "Publish", + "Pdf" + ] + }, + "need_generate_pdf_url_template": true } \ No newline at end of file From 5d51eb9f2d49744bcb7e985e63a633c45bfdc670 Mon Sep 17 00:00:00 2001 From: wesdawg Date: Tue, 8 Aug 2017 22:35:36 -0400 Subject: [PATCH 02/13] Update sigcheck.md HTTPS links --- sysinternals/downloads/sigcheck.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sysinternals/downloads/sigcheck.md b/sysinternals/downloads/sigcheck.md index 6d2fbc55..b1e924d6 100644 --- a/sysinternals/downloads/sigcheck.md +++ b/sysinternals/downloads/sigcheck.md @@ -22,7 +22,7 @@ Published: May 22, 2017 Sigcheck is a command-line utility that shows file version number, timestamp information, and digital signature details, including certificate chains. It also includes an option to check a file’s status -on [VirusTotal](http://www.virustotal.com/), a site that performs +on [VirusTotal](https://www.virustotal.com/), a site that performs automated file scanning against over 40 antivirus engines, and an option to upload a file for scanning. 
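Review bot: The new side of the second `.openpublishing.publish.config.json` hunk still ends without a trailing newline — the `\ No newline at end of file` marker applies to both the old and the new closing `}` — so every later edit to the last key (`need_generate_pdf_url_template`) will show a spurious change on the closing brace; terminate the file with `}` followed by a newline. The added `branch_target_mapping` lists only `live`, which matches the branch named in the commit subject; if any other branch is ever expected to produce the `Publish`/`Pdf` outputs it will need its own entry, which presumably is not intended here.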
@@ -56,7 +56,7 @@ name|\*>** | **-s** | Recurse subdirectories| | **-t\[u\]\[v\]** | Dump contents of specified certificate store ('\*' for all stores).
Specify -tu to query the user store (machine store is the default).
Append '-v' to have Sigcheck download the trusted Microsoft root certificate list and only output valid certificates not rooted to a certificate on that list. If the site is not accessible, authrootstl.cab or authroot.stl in the current directory are used instead, if present.| | **-u** | If VirusTotal check is enabled, show files that are unknown by VirusTotal or have non-zero detection, otherwise show only unsigned files.| -| **-v\[rs\]**| Query VirusTotal ([www.virustotal.com](http://www.virustotal.com/)) for malware based on file hash.
Add 'r' to open reports for files with non-zero detection.
Files  reported as not previously scanned will be uploaded to VirusTotal if the 's' option is specified. Note scan results may not be available for five or more minutes.| +| **-v\[rs\]**| Query VirusTotal ([www.virustotal.com](https://www.virustotal.com/)) for malware based on file hash.
Add 'r' to open reports for files with non-zero detection.
Files  reported as not previously scanned will be uploaded to VirusTotal if the 's' option is specified. Note scan results may not be available for five or more minutes.| | **-vt** | Before using VirusTotal features, you must accept VirusTotal terms of service. See: If you haven't accepted the terms and you omit this option, you will be interactively prompted.| One way to use the tool is to check for unsigned files in your @@ -77,7 +77,7 @@ You should investigate the purpose of any files that are not signed. ## Learn More - [Malware Hunting with the Sysinternals - Tools](http://channel9.msdn.com/events/teched/northamerica/2013/atc-b308#fbid=mb6_bvqq9jj) + Tools](https://channel9.msdn.com/events/teched/northamerica/2013/atc-b308#fbid=mb6_bvqq9jj) In this presentation, Mark shows how to use the Sysinternals tools to identify, analyze and clean malware. From 600341644b38c4f21df416ff5705f97aa8b675ad Mon Sep 17 00:00:00 2001 From: wesdawg Date: Tue, 8 Aug 2017 22:45:53 -0400 Subject: [PATCH 03/13] Update autoruns.md --- sysinternals/downloads/autoruns.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sysinternals/downloads/autoruns.md b/sysinternals/downloads/autoruns.md index 1aa1f19b..ff0bfcfb 100644 --- a/sysinternals/downloads/autoruns.md +++ b/sysinternals/downloads/autoruns.md 
@@ -119,8 +119,8 @@ Autorunsc is the command-line version of Autoruns. Its usage syntax is: | **-t** | Show timestamps in normalized UTC (YYYYMMDD-hhmmss).| | **-u** | If VirusTotal check is enabled, show files that are unknown by VirusTotal or have non-zero detection, otherwise show only unsigned files.| | **-x** | Print output as XML.| -| **-v\[rs\]**| Query VirusTotal (www.virustotal.com) for malware based on file hash. Add 'r' to open reports for files with non-zero detection. Files reported as not previously scanned will be uploaded to VirusTotal if the 's' option is specified. Note scan results may not be available for five or more minutes.| -| **-vt** | Before using VirusTotal features, you must accept VirusTotal terms of service. See: https://www.virustotal.com/en/about/terms-of-service/ If you haven't accepted the terms and you omit this option, you will be interactively prompted.| +| **-v\[rs\]**| Query [VirusTotal](https://www.virustotal.com/) for malware based on file hash. Add 'r' to open reports for files with non-zero detection. Files reported as not previously scanned will be uploaded to VirusTotal if the 's' option is specified. Note scan results may not be available for five or more minutes.| +| **-vt** | Before using VirusTotal features, you must accept VirusTotal [terms of service](https://www.virustotal.com/en/about/terms-of-service/). If you haven't accepted the terms and you omit this option, you will be interactively prompted.| | **-z** | Specifies the offline Windows system to scan.| | **user** | Specifies the name of the user account for which autorun items will be shown. Specify '\*' to scan all user profiles. | From 67224d5a7ee277f866e2d22a29eb2f2b38822096 Mon Sep 17 00:00:00 2001 From: wesdawg Date: Tue, 8 Aug 2017 22:46:24 -0400 Subject: [PATCH 04/13] Update autoruns.md --- sysinternals/downloads/autoruns.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/sysinternals/downloads/autoruns.md b/sysinternals/downloads/autoruns.md index ff0bfcfb..3b2c65c4 100644 --- a/sysinternals/downloads/autoruns.md +++ b/sysinternals/downloads/autoruns.md @@ -120,7 +120,7 @@ Autorunsc is the command-line version of Autoruns. Its usage syntax is: | **-u** | If VirusTotal check is enabled, show files that are unknown by VirusTotal or have non-zero detection, otherwise show only unsigned files.| | **-x** | Print output as XML.| | **-v\[rs\]**| Query [VirusTotal](https://www.virustotal.com/) for malware based on file hash. Add 'r' to open reports for files with non-zero detection. Files reported as not previously scanned will be uploaded to VirusTotal if the 's' option is specified. Note scan results may not be available for five or more minutes.| -| **-vt** | Before using VirusTotal features, you must accept VirusTotal [terms of service](https://www.virustotal.com/en/about/terms-of-service/). If you haven't accepted the terms and you omit this option, you will be interactively prompted.| +| **-vt** | Before using VirusTotal features, you must accept the VirusTotal [terms of service](https://www.virustotal.com/en/about/terms-of-service/). If you haven't accepted the terms and you omit this option, you will be interactively prompted.| | **-z** | Specifies the offline Windows system to scan.| | **user** | Specifies the name of the user account for which autorun items will be shown. Specify '\*' to scan all user profiles. | From 7e243aef3f8060c8c855f325413503d6cb416eca Mon Sep 17 00:00:00 2001 From: Pavel Yosifovich Date: Thu, 7 Sep 2017 12:23:26 +0300 Subject: [PATCH 05/13] 7th edition update --- sysinternals/learn/windows-internals.md | 169 +++++++----------------- 1 file changed, 45 insertions(+), 124 deletions(-) diff --git a/sysinternals/learn/windows-internals.md b/sysinternals/learn/windows-internals.md index 5ac08fcf..474c8655 100644 --- a/sysinternals/learn/windows-internals.md 
+++ b/sysinternals/learn/windows-internals.md 
@@ -1,124 +1,45 @@ ---- -TOCTitle: Windows Internals Book -title: Windows Internals Book -ms:assetid: '11dfe484-4785-45a8-9b2f-863cdbd83be6' -ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb963901(v=MSDN.10)' -ms.date: 02/07/2017 ---- - -Windows Internals Book -====================== - -***Windows Internals, 6th edition*** covers the internals of the core -kernel components of the Windows 7 and Windows Server 2008 R2 operating -systems. This classic book will help you: -- Understand how the core system and management mechanisms work—from - the object manager to services to the registry -- Explore internal system data structures using tools like the kernel - debugger -- Grasp the scheduler’s priority and CPU placement algorithms -- Go inside the Windows security model to see how it authorizes access - to data -- Understand how Windows manages physical and virtual memory -- Tour the Windows networking stack from top to bottom—including APIs, - protocol drivers, and network adapter drivers -- Troubleshoot file-system access problems and system boot problems -- Learn how to analyze crashes - -Sixth in the series, this edition was again written by Mark Russinovich, -a Technical Fellow in Microsoft’s Azure Group, [David -Solomon](http://www.solsem.com/), an operating systems expert and -Windows internals teacher, and Alex Ionescu, Chief Architect at -CrowdStrike and specializing in OS internals and security. Besides -updates for changes in Windows, there are many new experiments and -examples that highlight the use of both existing and new Sysinternals -tools. 
- -## Table of Contents - -**Part 1:** -**Chapter 1** Concepts and Tools  -**Chapter 2** System Architecture  -**Chapter 3** System Mechanisms  -**Chapter 4** Management Mechanisms  -**Chapter 5** Processes, Threads, and Jobs  -**Chapter 6** Security  -**Chapter 7** Networking -**Part 2:** -**Chapter 8** I/O System -**Chapter 9** Storage Management -**Chapter 10** Memory Management -**Chapter 11** Cache Manager -**Chapter 12** File Systems -**Chapter 13** Startup and Shutdown -**Chapter 14** Crash Dump Analysis - -## Sample Chapter - -You can download a PDF that includes the full table of contents, Chapter 5 (Processes, Threads, and Jobs), and Chapter 6 (Security) -[here](https://download.microsoft.com/download/1/4/0/14045a9e-c978-47d1-954b-92b9fd877995/97807356648739_samplechapters.pdf). - -## Ordering the Book - -The book is available for purchase on the Microsoft Press site ([6th Edition Part 1](https://www.microsoftpressstore.com/store/windows-internals-part-1-9780735648739); -[6th Edition Part 2](https://www.microsoftpressstore.com/store/windows-internals-part-2-9780735665873), -or the [5th Edition](https://www.microsoftpressstore.com/store/windows-internals-9780735630277)). - -## History of the Book  - -This is the sixth edition of a book that was originally called *Inside -Windows NT* (Microsoft Press, 1992), written by Helen Custer (prior to -the initial release of Microsoft Windows NT 3.1). *Inside Windows -NT* was the first book ever published about Windows NT and provided key -insights into the architecture and design of the system. *Inside Windows -NT, Second Edition* (Microsoft Press, 1998) was written by David -Solomon. It updated the original book to cover Windows NT 4.0 and had a -greatly increased level of technical depth. - -*Inside Windows 2000, Third Edition* (Microsoft Press, 2000) was -authored by David Solomon and Mark Russinovich. 
It added many new -topics, such as startup and shutdown, service internals, registry -internals, file-system drivers, and networking. It also covered kernel -changes in Windows 2000, such as the Windows Driver Model (WDM), Plug -and Play, power management, Windows Management Instrumentation (WMI), -encryption, the job object, and Terminal Services. *Windows Internals, -Fourth Edition* was the Windows XP and Windows Server 2003 update and -added more content focused on helping IT professionals make use of their -knowledge of Windows internals, such as using key tools from ([Windows -Sysinternals](~/index.md)) -and analyzing crash dumps. *Windows Internals, Fifth Edition* was the -update for Windows Vista and Windows Server 2008. New content included -the image loader, user-mode debugging facility, and Hyper-V. - -## Book Tools - -Tools referenced in the book and hosted but not referenced on -Sysinternals include: - -- [Cpustres](https://download.sysinternals.com/files/CPUSTRES.zip): - This tool is used in the Processes, Threads and Jobs chapter to - demonstrate relative thread priorities and priority boosting. It has - a UI thread and you can direct it to create up to four worker - threads at a specified priority and activity level. -- [NotMyFault](https://download.sysinternals.com/files/NotMyFault.zip): - Use this executable and driver to crash your system in several - different ways. Chapter 7 uses Notmyfault to demonstrate pool leak - troubleshooting and Chapter 14 uses it for crash analysis examples. - The download includes x86 (in the exe\\release directory) and x64 - versions (in the exe\\relamd directory) as well as full source. -- [Testlimit](https://download.sysinternals.com/files/TestLimit.zip): - Chapter 3 uses Testlimit to demonstrate the operating system's - per-process limit on the number of concurrently opened handles, but - the tool's command-line options also let you test limits of process - and thread creation. 
-- [Accvio](https://download.sysinternals.com/files/AccVio.zip): This - executable generates a user mode access violation by trying to - reference virtual address zero, which by default, is marked no - access. Chapter 3 uses it to demonstrate the behavior of Windows - when an application triggers an unhandled exception. -- [Iopriority](https://download.sysinternals.com/files/iopriority.zip): - This tool is used in Chapter 7 to demonstrate the preference the - system gives to high priority I/O over low priority I/O. It does so - by creating two threads and having one issue high and the other low - priority I/O's. It was written by Jeffrey Richter - of [Wintellect](http://wintellect.com/). \ No newline at end of file +---- +-TOCTitle: Windows Internals Book +-title: Windows Internals Book +-ms:assetid: '11dfe484-4785-45a8-9b2f-863cdbd83be6' +-ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb963901(v=MSDN.10)' +-ms.date: 02/07/2017 +---- +**Windows Internals 7th edition (Part 1)** covers the architecture and core internals of Windows 10 and Windows Sever 2016. This book helps you: + +* Understand the Windows system architecture and its general components +* Explore internal data structures using tools like the kernel debugger +* Understand how Windows uses processes for management and isolation +* Understand and view thread scheduling and how CPU resources are managed +* Dig into the Windows security model including recent advances in security mitigations +* Understand how Windows manages virtual and physical memory +* Understand how the I/O system manages physical devices and device drivers + + +The 7th edition was written by Pavel Yosifovich, Alex Ionescu, Mark Russinovich and David Solomon. New material has been added since the 6th edition (which covered Windows 7 and Windows Server 2008 R2). 
+Since the 7th edition’s part 2 is not yet available, the Windows Internals 6th edition (written by Mark Russinovich, David Solomon and Alex Ionescu) is an invaluable resource on missing topics from the first part of the 7th edition. These include system mechanisms, management mechanisms, networking, file systems, cache management and troubleshooting system crashes. + +### Table of contents of the 7th edition, part 1: +* Chapter 1: Concepts and Tools +* Chapter 2: System Architecture +* Chapter 3: Processes and Jobs +* Chapter 4: Threads +* Chapter 5: Memory Management +* Chapter 6: I/O System +* Chapter 7: Security + +The book is available for purchase on the Microsoft Press site (7th edition Part 1; 6th Edition Part 1; 6th Edition Part 2). + +### History of the Book +This is the seventh edition of a book that was originally called Inside Windows NT (Microsoft Press, 1992), written by Helen Custer (prior to the initial release of Microsoft Windows NT 3.1). Inside Windows NT was the first book ever published about Windows NT and provided key insights into the architecture and design of the system. Inside Windows NT, Second Edition (Microsoft Press, 1998) was written by David Solomon. It updated the original book to cover Windows NT 4.0 and had a greatly increased level of technical depth. +Inside Windows 2000, Third Edition (Microsoft Press, 2000) was authored by David Solomon and Mark Russinovich. It added many new topics, such as startup and shutdown, service internals, registry internals, file-system drivers, and networking. It also covered kernel changes in Windows 2000, such as the Windows Driver Model (WDM), Plug and Play, power management, Windows Management Instrumentation (WMI), encryption, the job object, and Terminal Services. 
Windows Internals, Fourth Edition was the Windows XP and Windows Server 2003 update and added more content focused on helping IT professionals make use of their knowledge of Windows internals, such as using key tools from Windows Sysinternals (www.microsoft.com/technet/sysinternals) and analyzing crash dumps. + +Windows Internals, Fifth Edition was the update for Windows Vista and Windows Server 2008. It saw Mark Russinovich move on to a full-time job at Microsoft (where he is now the Azure CTO) and the addition of a new co-author, Alex Ionescu. New content included the image loader, user-mode debugging facility, Advanced Local Procedure Call (ALPC), and Hyper-V. The last release, Windows Internals, Sixth Edition, was fully updated to address the many kernel changes in Windows 7 and Windows Server 2008 R2, with many new hands-on experiments to reflect changes in the tools as well. + +### Seventh Edition Changes +Since this series’ last update, Windows has gone through several releases, coming up to Windows 10 and Windows Server 2016. Windows 10 itself, being the current going-forward name for Windows, has had several releases since its initial Release-to-Manufacturing, or RTM, each labeled with a 4-digit version number indicating year and month of release, such as Windows 10, version 1703 that was completed in March 2017. The above implies that Windows has gone through at least 6 versions since Windows 7. +Starting with Windows 8, Microsoft began a process of OS convergence, which is beneficial from a development perspective as well as for the Windows engineering team itself. Windows 8 and Windows Phone 8 had converged kernels, with modern app convergence arriving in Windows 8.1 and Windows Phone 8.1. The convergence story was complete with Windows 10, which runs on desktops/laptops, servers, XBOX One, phones (Windows Mobile 10), HoloLens, and various Internet of Things (IoT) devices. 
+With this grand unification completed, the time was right for a new edition of the series, which could now finally catch up with almost half a decade of changes, in what will now be a more stabilized kernel architecture going forward. As such, this latest book covers aspects of Windows from Windows 8 to Windows 10, version 1703. Additionally, this edition welcomes Pavel Yosifovich as its new co-author. + +### Book tools +Several tools have been specifically written for the book, and they are available with full source code at http://github.com/zodiacon/WindowsInternals. From 24161518e406962f997b570451d4ca252a39fec9 Mon Sep 17 00:00:00 2001 From: Mark Russinovich Date: Sun, 10 Sep 2017 13:06:10 -0700 Subject: [PATCH 06/13] Fixed TOC header. --- sysinternals/learn/windows-internals.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/sysinternals/learn/windows-internals.md b/sysinternals/learn/windows-internals.md index 474c8655..201e4235 100644 --- a/sysinternals/learn/windows-internals.md +++ b/sysinternals/learn/windows-internals.md @@ -1,10 +1,10 @@ ----- --TOCTitle: Windows Internals Book --title: Windows Internals Book --ms:assetid: '11dfe484-4785-45a8-9b2f-863cdbd83be6' --ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb963901(v=MSDN.10)' --ms.date: 02/07/2017 ----- +--- +TOCTitle: Windows Internals Book +title: Windows Internals Book +ms:assetid: '11dfe484-4785-45a8-9b2f-863cdbd83be6' +ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb963901(v=MSDN.10)' +ms.date: 02/07/2017 +--- **Windows Internals 7th edition (Part 1)** covers the architecture and core internals of Windows 10 and Windows Sever 2016. This book helps you: * Understand the Windows system architecture and its general components From 7e83164fe31e312a91c28179574b8644f00f46cf Mon Sep 17 00:00:00 2001 
From: Mark Russinovich Date: Sun, 10 Sep 2017 13:06:51 -0700 Subject: [PATCH 07/13] Updated to reflect the commit to live. --- sysinternals/learn/windows-internals.md | 155 ++++++------------------ 1 file changed, 38 insertions(+), 117 deletions(-) diff --git a/sysinternals/learn/windows-internals.md b/sysinternals/learn/windows-internals.md index 5ac08fcf..201e4235 100644 --- a/sysinternals/learn/windows-internals.md +++ b/sysinternals/learn/windows-internals.md 
@@ -5,120 +5,41 @@ ms:assetid: '11dfe484-4785-45a8-9b2f-863cdbd83be6' ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb963901(v=MSDN.10)' ms.date: 02/07/2017 --- - -Windows Internals Book -====================== - -***Windows Internals, 6th edition*** covers the internals of the core -kernel components of the Windows 7 and Windows Server 2008 R2 operating -systems. This classic book will help you: -- Understand how the core system and management mechanisms work—from - the object manager to services to the registry -- Explore internal system data structures using tools like the kernel - debugger -- Grasp the scheduler’s priority and CPU placement algorithms -- Go inside the Windows security model to see how it authorizes access - to data -- Understand how Windows manages physical and virtual memory -- Tour the Windows networking stack from top to bottom—including APIs, - protocol drivers, and network adapter drivers -- Troubleshoot file-system access problems and system boot problems -- Learn how to analyze crashes - -Sixth in the series, this edition was again written by Mark Russinovich, -a Technical Fellow in Microsoft’s Azure Group, [David -Solomon](http://www.solsem.com/), an operating systems expert and -Windows internals teacher, and Alex Ionescu, Chief Architect at -CrowdStrike and specializing in OS internals and security. Besides -updates for changes in Windows, there are many new experiments and -examples that highlight the use of both existing and new Sysinternals -tools. 
- -## Table of Contents - -**Part 1:** -**Chapter 1** Concepts and Tools  -**Chapter 2** System Architecture  -**Chapter 3** System Mechanisms  -**Chapter 4** Management Mechanisms  -**Chapter 5** Processes, Threads, and Jobs  -**Chapter 6** Security  -**Chapter 7** Networking -**Part 2:** -**Chapter 8** I/O System -**Chapter 9** Storage Management -**Chapter 10** Memory Management -**Chapter 11** Cache Manager -**Chapter 12** File Systems -**Chapter 13** Startup and Shutdown -**Chapter 14** Crash Dump Analysis - -## Sample Chapter - -You can download a PDF that includes the full table of contents, Chapter 5 (Processes, Threads, and Jobs), and Chapter 6 (Security) -[here](https://download.microsoft.com/download/1/4/0/14045a9e-c978-47d1-954b-92b9fd877995/97807356648739_samplechapters.pdf). - -## Ordering the Book - -The book is available for purchase on the Microsoft Press site ([6th Edition Part 1](https://www.microsoftpressstore.com/store/windows-internals-part-1-9780735648739); -[6th Edition Part 2](https://www.microsoftpressstore.com/store/windows-internals-part-2-9780735665873), -or the [5th Edition](https://www.microsoftpressstore.com/store/windows-internals-9780735630277)). - -## History of the Book  - -This is the sixth edition of a book that was originally called *Inside -Windows NT* (Microsoft Press, 1992), written by Helen Custer (prior to -the initial release of Microsoft Windows NT 3.1). *Inside Windows -NT* was the first book ever published about Windows NT and provided key -insights into the architecture and design of the system. *Inside Windows -NT, Second Edition* (Microsoft Press, 1998) was written by David -Solomon. It updated the original book to cover Windows NT 4.0 and had a -greatly increased level of technical depth. - -*Inside Windows 2000, Third Edition* (Microsoft Press, 2000) was -authored by David Solomon and Mark Russinovich. 
It added many new -topics, such as startup and shutdown, service internals, registry -internals, file-system drivers, and networking. It also covered kernel -changes in Windows 2000, such as the Windows Driver Model (WDM), Plug -and Play, power management, Windows Management Instrumentation (WMI), -encryption, the job object, and Terminal Services. *Windows Internals, -Fourth Edition* was the Windows XP and Windows Server 2003 update and -added more content focused on helping IT professionals make use of their -knowledge of Windows internals, such as using key tools from ([Windows -Sysinternals](~/index.md)) -and analyzing crash dumps. *Windows Internals, Fifth Edition* was the -update for Windows Vista and Windows Server 2008. New content included -the image loader, user-mode debugging facility, and Hyper-V. - -## Book Tools - -Tools referenced in the book and hosted but not referenced on -Sysinternals include: - -- [Cpustres](https://download.sysinternals.com/files/CPUSTRES.zip): - This tool is used in the Processes, Threads and Jobs chapter to - demonstrate relative thread priorities and priority boosting. It has - a UI thread and you can direct it to create up to four worker - threads at a specified priority and activity level. -- [NotMyFault](https://download.sysinternals.com/files/NotMyFault.zip): - Use this executable and driver to crash your system in several - different ways. Chapter 7 uses Notmyfault to demonstrate pool leak - troubleshooting and Chapter 14 uses it for crash analysis examples. - The download includes x86 (in the exe\\release directory) and x64 - versions (in the exe\\relamd directory) as well as full source. -- [Testlimit](https://download.sysinternals.com/files/TestLimit.zip): - Chapter 3 uses Testlimit to demonstrate the operating system's - per-process limit on the number of concurrently opened handles, but - the tool's command-line options also let you test limits of process - and thread creation. 
-- [Accvio](https://download.sysinternals.com/files/AccVio.zip): This - executable generates a user mode access violation by trying to - reference virtual address zero, which by default, is marked no - access. Chapter 3 uses it to demonstrate the behavior of Windows - when an application triggers an unhandled exception. -- [Iopriority](https://download.sysinternals.com/files/iopriority.zip): - This tool is used in Chapter 7 to demonstrate the preference the - system gives to high priority I/O over low priority I/O. It does so - by creating two threads and having one issue high and the other low - priority I/O's. It was written by Jeffrey Richter - of [Wintellect](http://wintellect.com/). \ No newline at end of file +**Windows Internals 7th edition (Part 1)** covers the architecture and core internals of Windows 10 and Windows Sever 2016. This book helps you: + +* Understand the Windows system architecture and its general components +* Explore internal data structures using tools like the kernel debugger +* Understand how Windows uses processes for management and isolation +* Understand and view thread scheduling and how CPU resources are managed +* Dig into the Windows security model including recent advances in security mitigations +* Understand how Windows manages virtual and physical memory +* Understand how the I/O system manages physical devices and device drivers + + +The 7th edition was written by Pavel Yosifovich, Alex Ionescu, Mark Russinovich and David Solomon. New material has been added since the 6th edition (which covered Windows 7 and Windows Server 2008 R2). +Since the 7th edition’s part 2 is not yet available, the Windows Internals 6th edition (written by Mark Russinovich, David Solomon and Alex Ionescu) is an invaluable resource on missing topics from the first part of the 7th edition. These include system mechanisms, management mechanisms, networking, file systems, cache management and troubleshooting system crashes. 
+ +### Table of contents of the 7th edition, part 1: +* Chapter 1: Concepts and Tools +* Chapter 2: System Architecture +* Chapter 3: Processes and Jobs +* Chapter 4: Threads +* Chapter 5: Memory Management +* Chapter 6: I/O System +* Chapter 7: Security + +The book is available for purchase on the Microsoft Press site (7th edition Part 1; 6th Edition Part 1; 6th Edition Part 2). + +### History of the Book +This is the seventh edition of a book that was originally called Inside Windows NT (Microsoft Press, 1992), written by Helen Custer (prior to the initial release of Microsoft Windows NT 3.1). Inside Windows NT was the first book ever published about Windows NT and provided key insights into the architecture and design of the system. Inside Windows NT, Second Edition (Microsoft Press, 1998) was written by David Solomon. It updated the original book to cover Windows NT 4.0 and had a greatly increased level of technical depth. +Inside Windows 2000, Third Edition (Microsoft Press, 2000) was authored by David Solomon and Mark Russinovich. It added many new topics, such as startup and shutdown, service internals, registry internals, file-system drivers, and networking. It also covered kernel changes in Windows 2000, such as the Windows Driver Model (WDM), Plug and Play, power management, Windows Management Instrumentation (WMI), encryption, the job object, and Terminal Services. Windows Internals, Fourth Edition was the Windows XP and Windows Server 2003 update and added more content focused on helping IT professionals make use of their knowledge of Windows internals, such as using key tools from Windows Sysinternals (www.microsoft.com/technet/sysinternals) and analyzing crash dumps. + +Windows Internals, Fifth Edition was the update for Windows Vista and Windows Server 2008. It saw Mark Russinovich move on to a full-time job at Microsoft (where he is now the Azure CTO) and the addition of a new co-author, Alex Ionescu. 
New content included the image loader, user-mode debugging facility, Advanced Local Procedure Call (ALPC), and Hyper-V. The last release, Windows Internals, Sixth Edition, was fully updated to address the many kernel changes in Windows 7 and Windows Server 2008 R2, with many new hands-on experiments to reflect changes in the tools as well. + +### Seventh Edition Changes +Since this series’ last update, Windows has gone through several releases, coming up to Windows 10 and Windows Server 2016. Windows 10 itself, being the current going-forward name for Windows, has had several releases since its initial Release-to-Manufacturing, or RTM, each labeled with a 4-digit version number indicating year and month of release, such as Windows 10, version 1703 that was completed in March 2017. The above implies that Windows has gone through at least 6 versions since Windows 7. +Starting with Windows 8, Microsoft began a process of OS convergence, which is beneficial from a development perspective as well as for the Windows engineering team itself. Windows 8 and Windows Phone 8 had converged kernels, with modern app convergence arriving in Windows 8.1 and Windows Phone 8.1. The convergence story was complete with Windows 10, which runs on desktops/laptops, servers, XBOX One, phones (Windows Mobile 10), HoloLens, and various Internet of Things (IoT) devices. +With this grand unification completed, the time was right for a new edition of the series, which could now finally catch up with almost half a decade of changes, in what will now be a more stabilized kernel architecture going forward. As such, this latest book covers aspects of Windows from Windows 8 to Windows 10, version 1703. Additionally, this edition welcomes Pavel Yosifovich as its new co-author. + +### Book tools +Several tools have been specifically written for the book, and they are available with full source code at http://github.com/zodiacon/WindowsInternals. 
From e57b8e687ee71f1fddbb2b4dc49e8c1385a23f10 Mon Sep 17 00:00:00 2001 From: Mark Russinovich Date: Sun, 10 Sep 2017 13:14:29 -0700 Subject: [PATCH 08/13] Fixed title. --- sysinternals/learn/windows-internals.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sysinternals/learn/windows-internals.md b/sysinternals/learn/windows-internals.md index 201e4235..185f996c 100644 --- a/sysinternals/learn/windows-internals.md +++ b/sysinternals/learn/windows-internals.md @@ -5,6 +5,9 @@ ms:assetid: '11dfe484-4785-45a8-9b2f-863cdbd83be6' ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb963901(v=MSDN.10)' ms.date: 02/07/2017 --- +Windows Internals Book +====================== + **Windows Internals 7th edition (Part 1)** covers the architecture and core internals of Windows 10 and Windows Sever 2016. This book helps you: * Understand the Windows system architecture and its general components From 634cee5cfd3e3cd0b59d9172a92843834b73f443 Mon Sep 17 00:00:00 2001 From: Mark Russinovich Date: Sun, 10 Sep 2017 13:18:12 -0700 Subject: [PATCH 09/13] Fixed title. --- sysinternals/learn/windows-internals.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sysinternals/learn/windows-internals.md b/sysinternals/learn/windows-internals.md index 201e4235..185f996c 100644 --- a/sysinternals/learn/windows-internals.md +++ b/sysinternals/learn/windows-internals.md @@ -5,6 +5,9 @@ ms:assetid: '11dfe484-4785-45a8-9b2f-863cdbd83be6' ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb963901(v=MSDN.10)' ms.date: 02/07/2017 --- +Windows Internals Book +====================== + **Windows Internals 7th edition (Part 1)** covers the architecture and core internals of Windows 10 and Windows Sever 2016. This book helps you: * Understand the Windows system architecture and its general components From 7a49bca8c4de509b66a0cdbd8bf8ac2c9e90b786 Mon Sep 17 00:00:00 2001 
From: Mark Russinovich Date: Sun, 10 Sep 2017 21:00:07 -0700 Subject: [PATCH 10/13] Updates to Sysmon, Accesschk, and Autoruns --- sysinternals/downloads/accesschk.md | 6 +++--- sysinternals/downloads/autoruns.md | 6 +++--- sysinternals/downloads/sysmon.md | 29 ++++++++++++++++++++++++++--- sysinternals/index.md | 8 ++++++++ 4 files changed, 40 insertions(+), 9 deletions(-) diff --git a/sysinternals/downloads/accesschk.md b/sysinternals/downloads/accesschk.md index 13774c2a..cb7853b8 100644 --- a/sysinternals/downloads/accesschk.md +++ b/sysinternals/downloads/accesschk.md @@ -7,12 +7,12 @@ ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb664922(v=MSDN.10)' ms.date: 02/17/2017 --- -AccessChk v6.1 -============== +AccessChk v6.11 +=============== **By Mark Russinovich** -Published: February 17, 2017 +Published: September 11, 2017 [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/AccessChk.zip) [**Download AccessChk**](https://download.sysinternals.com/files/AccessChk.zip) **(359 KB)** **Run now** from [Sysinternals Live](https://live.sysinternals.com/). diff --git a/sysinternals/downloads/autoruns.md b/sysinternals/downloads/autoruns.md index 1aa1f19b..cdf3a142 100644 --- a/sysinternals/downloads/autoruns.md +++ b/sysinternals/downloads/autoruns.md @@ -7,12 +7,12 @@ ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb963902(v=MSDN.10)' ms.date: 05/16/2017 --- -Autoruns for Windows v13.71 -=========================== +Autoruns for Windows v13.8 +========================== **By Mark Russinovich** -Published: May 16, 2017 +Published: September 11, 2017 [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Autoruns.zip) [**Download Autoruns and Autorunsc**](https://download.sysinternals.com/files/Autoruns.zip) **(1.21 MB)** **Run now** from [Sysinternals Live](https://live.sysinternals.com/). 
diff --git a/sysinternals/downloads/sysmon.md b/sysinternals/downloads/sysmon.md index db4084ab..106306ec 100644 --- a/sysinternals/downloads/sysmon.md +++ b/sysinternals/downloads/sysmon.md @@ -7,12 +7,12 @@ ms:mtpsurl: 'https://technet.microsoft.com/en-us/Dn798348(v=MSDN.10)' ms.date: 05/22/2017 --- -Sysmon v6.02 -============ +Sysmon v6.1 +=========== **By Mark Russinovich and Thomas Garnier** -Published: May 22, 2017 +Published: September 11, 2017 [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Sysmon.zip) [**Download Sysmon**](https://download.sysinternals.com/files/Sysmon.zip) **(1 MB)** @@ -292,6 +292,29 @@ configuration settings via browser downloads, and this event is aimed at capturing that based on the browser attaching a Zone.Identifier “mark of the web” stream. +### Event ID 17: PipeEvent (Pipe Created) + +This event generates when a named pipe is created. Malware often uses named +pipes for interprocess communication. + +### Event ID 18: PipeEvent (Pipe Connected) + +This event logs when a named pipe connection is made between a client and a +server. + +### Event ID 19: WmiEvent (WmiEventFilter activity detected) + +When a WMI event filter is registered, which is a method used by malware to +execute, this event logs the WMI namespace, filter name and filter expression. + +### Event ID 20: WmiEvent (WmiEventConsumer activity detected) + +This event logs the registration of WMI consumers, recording the consumer name, +log, and destination. + +### Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected) +When a consumer binds to a filter, this event logs the consumer name and filter path. + ### Event ID 255: Error This event is generated when an error occurred within Sysmon. They can diff --git a/sysinternals/index.md b/sysinternals/index.md index 367159cf..423d800f 100644 --- a/sysinternals/index.md +++ b/sysinternals/index.md 
@@ -23,6 +23,14 @@ You can view the entire Sysinternals Live tools directory in a browser at [https ## What's New [![RSS](/media/landing/sysinternals/rss.gif)](https://blogs.technet.microsoft.com/sysinternals/feed/) ## +### What's New (September 11, 2017) ### + - [Sysmon v6.1](~/downloads/sysmon.md) + This update to Sysmon, a background monitor that records activity to the event log for use in security incident detection and forensics, adds monitoring of WMI filters and consumers, an autostart mechanism commonly used by malware, and fixes a bug in image load filtering. + - [Process Monitor v3.4](~/downloads/procmon.md) + Process Monitor, a file system registry, process and network real-time monitor, now includes a /runtime switch for terminating monitoring after a specified amount of time, when in hexadecimal mode shows process tree process IDs in hexadecimal, and fixes a bug in automated boot log conversion. + - [Autoruns v13.8](~/downloads/autoruns.md) + This release of Autoruns, a utility for viewing and managing autostart execution points (ASEPs), adds additional autostart entry points, has asynchronous file saving, fixes a bug parsing 32-bit paths on 64-bit Windows, shows the display name for drivers and services, and fixes a bug in offline Virus Total scanning. + ### What's New (May 16, 2017) ### - [ProcDump v9.0](~/downloads/procdump.md) This major update to ProcDump, a utility that enables process dump capture based on a variety of triggers, introduces the ability to take capture multiple dumps sizes. This is particularly useful when capturing crash dumps of applications susceptible to termination due to unresponsiveness (e.g. IIS Ping killing w3wp.exe). This release also adds support for an associated Kernel Dump of the process that includes the kernel stacks of the process. From 9d1b8cbdb62658352aab4684a285dd1c209cb20d Mon Sep 17 00:00:00 2001 
From: Pavel Yosifovich Date: Mon, 11 Sep 2017 16:12:46 +0300 Subject: [PATCH 11/13] Fix book links --- sysinternals/learn/windows-internals.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sysinternals/learn/windows-internals.md b/sysinternals/learn/windows-internals.md index 185f996c..00a883ab 100644 --- a/sysinternals/learn/windows-internals.md +++ b/sysinternals/learn/windows-internals.md 
@@ -31,13 +31,13 @@ Since the 7th edition’s part 2 is not yet available, the Windows Internals 6th * Chapter 6: I/O System * Chapter 7: Security -The book is available for purchase on the Microsoft Press site (7th edition Part 1; 6th Edition Part 1; 6th Edition Part 2). +The book is available for purchase on the Microsoft Press site ([https://www.microsoftpressstore.com/store/windows-internals-part-1-system-architecture-processes-9780735684188](7th edition Part 1); (https://www.microsoftpressstore.com/store/windows-internals-part-1-9780735648739)[6th Edition Part 1]; (https://www.microsoftpressstore.com/store/windows-internals-part-2-9780735665873)[6th Edition Part 2]). ### History of the Book This is the seventh edition of a book that was originally called Inside Windows NT (Microsoft Press, 1992), written by Helen Custer (prior to the initial release of Microsoft Windows NT 3.1). Inside Windows NT was the first book ever published about Windows NT and provided key insights into the architecture and design of the system. Inside Windows NT, Second Edition (Microsoft Press, 1998) was written by David Solomon. It updated the original book to cover Windows NT 4.0 and had a greatly increased level of technical depth. Inside Windows 2000, Third Edition (Microsoft Press, 2000) was authored by David Solomon and Mark Russinovich. It added many new topics, such as startup and shutdown, service internals, registry internals, file-system drivers, and networking. It also covered kernel changes in Windows 2000, such as the Windows Driver Model (WDM), Plug and Play, power management, Windows Management Instrumentation (WMI), encryption, the job object, and Terminal Services. 
Windows Internals, Fourth Edition was the Windows XP and Windows Server 2003 update and added more content focused on helping IT professionals make use of their knowledge of Windows internals, such as using key tools from Windows Sysinternals (www.microsoft.com/technet/sysinternals) and analyzing crash dumps. -Windows Internals, Fifth Edition was the update for Windows Vista and Windows Server 2008. It saw Mark Russinovich move on to a full-time job at Microsoft (where he is now the Azure CTO) and the addition of a new co-author, Alex Ionescu. New content included the image loader, user-mode debugging facility, Advanced Local Procedure Call (ALPC), and Hyper-V. The last release, Windows Internals, Sixth Edition, was fully updated to address the many kernel changes in Windows 7 and Windows Server 2008 R2, with many new hands-on experiments to reflect changes in the tools as well. +Windows Internals, Fifth Edition was the update for Windows Vista and Windows Server 2008. It saw Mark Russinovich move on to a full-time job at Microsoft (where he is now the Azure CTO) and the addition of a new co-author, Alex Ionescu. New content included the image loader, user-mode debugging facility, Advanced Local Procedure Call (ALPC), and Hyper-V. The next release, Windows Internals, Sixth Edition, was fully updated to address the many kernel changes in Windows 7 and Windows Server 2008 R2, with many new hands-on experiments to reflect changes in the tools as well. ### Seventh Edition Changes Since this series’ last update, Windows has gone through several releases, coming up to Windows 10 and Windows Server 2016. Windows 10 itself, being the current going-forward name for Windows, has had several releases since its initial Release-to-Manufacturing, or RTM, each labeled with a 4-digit version number indicating year and month of release, such as Windows 10, version 1703 that was completed in March 2017. 
The above implies that Windows has gone through at least 6 versions since Windows 7. From 2847b59fc3d0eedffe6279d01fb8c884f315a2aa Mon Sep 17 00:00:00 2001 From: Pavel Yosifovich Date: Mon, 11 Sep 2017 16:18:04 +0300 Subject: [PATCH 12/13] Update windows-internals.md --- sysinternals/learn/windows-internals.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sysinternals/learn/windows-internals.md b/sysinternals/learn/windows-internals.md index 00a883ab..0541522f 100644 --- a/sysinternals/learn/windows-internals.md +++ b/sysinternals/learn/windows-internals.md 
@@ -31,7 +31,7 @@ Since the 7th edition’s part 2 is not yet available, the Windows Internals 6th * Chapter 6: I/O System * Chapter 7: Security -The book is available for purchase on the Microsoft Press site ([https://www.microsoftpressstore.com/store/windows-internals-part-1-system-architecture-processes-9780735684188](7th edition Part 1); (https://www.microsoftpressstore.com/store/windows-internals-part-1-9780735648739)[6th Edition Part 1]; (https://www.microsoftpressstore.com/store/windows-internals-part-2-9780735665873)[6th Edition Part 2]). +The book is available for purchase on the Microsoft Press site ([7th edition Part 1](https://www.microsoftpressstore.com/store/windows-internals-part-1-system-architecture-processes-9780735684188); [6th Edition Part 1](https://www.microsoftpressstore.com/store/windows-internals-part-1-9780735648739); [6th Edition Part 2](https://www.microsoftpressstore.com/store/windows-internals-part-2-9780735665873)). ### History of the Book This is the seventh edition of a book that was originally called Inside Windows NT (Microsoft Press, 1992), written by Helen Custer (prior to the initial release of Microsoft Windows NT 3.1). Inside Windows NT was the first book ever published about Windows NT and provided key insights into the architecture and design of the system. Inside Windows NT, Second Edition (Microsoft Press, 1998) was written by David Solomon. It updated the original book to cover Windows NT 4.0 and had a greatly increased level of technical depth. From 589dcbc9cd079128de388006bb304047479ecef8 Mon Sep 17 00:00:00 2001 From: Luke Kim Date: Mon, 11 Sep 2017 15:40:06 -0700 Subject: [PATCH 13/13] Update file sizes --- sysinternals/downloads/accesschk.md | 4 ++-- sysinternals/downloads/autoruns.md | 4 ++-- sysinternals/downloads/sysinternals-suite.md | 8 ++++---- sysinternals/downloads/sysmon.md | 4 ++-- 4 files changed, 10 insertions(+), 10 deletions(-) 
diff --git a/sysinternals/downloads/accesschk.md b/sysinternals/downloads/accesschk.md index cb7853b8..2d49cea4 100644 --- a/sysinternals/downloads/accesschk.md +++ b/sysinternals/downloads/accesschk.md @@ -14,7 +14,7 @@ AccessChk v6.11 Published: September 11, 2017 -[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/AccessChk.zip) [**Download AccessChk**](https://download.sysinternals.com/files/AccessChk.zip) **(359 KB)** +[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/AccessChk.zip) [**Download AccessChk**](https://download.sysinternals.com/files/AccessChk.zip) **(369 KB)** **Run now** from [Sysinternals Live](https://live.sysinternals.com/). ## Introduction @@ -103,5 +103,5 @@ To see all global objects that Everyone can modify: **accesschk -wuo everyone \\basednamedobjects** -[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/AccessChk.zip) [**Download AccessChk**](https://download.sysinternals.com/files/AccessChk.zip) **(359 KB)** +[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/AccessChk.zip) [**Download AccessChk**](https://download.sysinternals.com/files/AccessChk.zip) **(369 KB)** **Run now** from [Sysinternals Live](https://live.sysinternals.com/). \ No newline at end of file diff --git a/sysinternals/downloads/autoruns.md b/sysinternals/downloads/autoruns.md index cdf3a142..97116999 100644 --- a/sysinternals/downloads/autoruns.md +++ b/sysinternals/downloads/autoruns.md 
@@ -14,7 +14,7 @@ Autoruns for Windows v13.8 Published: September 11, 2017 -[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Autoruns.zip) [**Download Autoruns and Autorunsc**](https://download.sysinternals.com/files/Autoruns.zip) **(1.21 MB)** +[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Autoruns.zip) [**Download Autoruns and Autorunsc**](https://download.sysinternals.com/files/Autoruns.zip) **(1.2 MB)** **Run now** from [Sysinternals Live](https://live.sysinternals.com/). ## Introduction @@ -136,6 +136,6 @@ Autorunsc is the command-line version of Autoruns. Its usage syntax is: ## Download -[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Autoruns.zip) [**Download Autoruns and Autorunsc**](https://download.sysinternals.com/files/Autoruns.zip) **(1.21 MB)** +[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Autoruns.zip) [**Download Autoruns and Autorunsc**](https://download.sysinternals.com/files/Autoruns.zip) **(1.2 MB)** **Run now** from [Sysinternals Live](https://live.sysinternals.com/). diff --git a/sysinternals/downloads/sysinternals-suite.md b/sysinternals/downloads/sysinternals-suite.md index 033276eb..d991c277 100644 --- a/sysinternals/downloads/sysinternals-suite.md +++ b/sysinternals/downloads/sysinternals-suite.md 
@@ -13,8 +13,8 @@ Sysinternals Suite **By Mark Russinovich** Updated: June 14, 2017 -[**Download Sysinternals Suite**](https://download.sysinternals.com/files/SysinternalsSuite.zip) (21.3 MB) -[**Download Sysinternals Suite for Nano Server**](https://download.sysinternals.com/files/SysinternalsSuite-Nano.zip) (4.6 MB) +[**Download Sysinternals Suite**](https://download.sysinternals.com/files/SysinternalsSuite.zip) (22.6 MB) +[**Download Sysinternals Suite for Nano Server**](https://download.sysinternals.com/files/SysinternalsSuite-Nano.zip) (4.7 MB) ## Introduction The Sysinternals Troubleshooting Utilities have been rolled up into a @@ -44,6 +44,6 @@ Utilities: | [VolumeID](volumeid.md) | [WhoIs](whois.md) | [WinObj](winobj.md) | [ZoomIt](zoomit.md) | | -[**Download Sysinternals Suite**](https://download.sysinternals.com/files/SysinternalsSuite.zip) (21.3 MB) -[**Download Sysinternals Suite for Nano Server**](https://download.sysinternals.com/files/SysinternalsSuite-Nano.zip) (4.6 MB) +[**Download Sysinternals Suite**](https://download.sysinternals.com/files/SysinternalsSuite.zip) (22.6 MB) +[**Download Sysinternals Suite for Nano Server**](https://download.sysinternals.com/files/SysinternalsSuite-Nano.zip) (4.7 MB) diff --git a/sysinternals/downloads/sysmon.md b/sysinternals/downloads/sysmon.md index 106306ec..9394cff1 100644 --- a/sysinternals/downloads/sysmon.md +++ b/sysinternals/downloads/sysmon.md @@ -14,7 +14,7 @@ Sysmon v6.1 Published: September 11, 2017 -[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Sysmon.zip) [**Download Sysmon**](https://download.sysinternals.com/files/Sysmon.zip) **(1 MB)** +[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Sysmon.zip) [**Download Sysmon**](https://download.sysinternals.com/files/Sysmon.zip) **(1.4 MB)** ## Introduction 
@@ -443,7 +443,7 @@ activity to port 80 and 443 by all processes except those that have iexplore.exe in their name. -[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Sysmon.zip) [**Download Sysmon**](https://download.sysinternals.com/files/Sysmon.zip) **(1 MB)** +[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Sysmon.zip) [**Download Sysmon**](https://download.sysinternals.com/files/Sysmon.zip) **(1.4 MB)** **Runs on:**