Merge from 'master' to 'luke'

sysinternals/downloads/accesschk.md

@@ -7,14 +7,14 @@ ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb664922(v=MSDN.10)'
 ms.date: 02/17/2017
 ---
 
-AccessChk v6.1
-==============
+AccessChk v6.11
+===============
 
 **By Mark Russinovich**
 
-Published: February 17, 2017
+Published: September 11, 2017
 
-[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/AccessChk.zip)  [**Download AccessChk**](https://download.sysinternals.com/files/AccessChk.zip) **(359 KB)**  
+[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/AccessChk.zip)  [**Download AccessChk**](https://download.sysinternals.com/files/AccessChk.zip) **(369 KB)**  
 **Run now** from [Sysinternals Live](https://live.sysinternals.com/).
 
 ## Introduction
@@ -103,5 +103,5 @@ To see all global objects that Everyone can modify:
 **accesschk -wuo everyone \\basednamedobjects**
 
 
-[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/AccessChk.zip)  [**Download AccessChk**](https://download.sysinternals.com/files/AccessChk.zip) **(359 KB)**  
+[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/AccessChk.zip)  [**Download AccessChk**](https://download.sysinternals.com/files/AccessChk.zip) **(369 KB)**  
 **Run now** from [Sysinternals Live](https://live.sysinternals.com/).

sysinternals/downloads/autoruns.md

@@ -7,14 +7,14 @@ ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb963902(v=MSDN.10)'
 ms.date: 05/16/2017
 ---
 
-Autoruns for Windows v13.71
-===========================
+Autoruns for Windows v13.8
+==========================
 
 **By Mark Russinovich**
 
-Published: May 16, 2017
+Published: September 11, 2017
 
-[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Autoruns.zip) [**Download Autoruns and Autorunsc**](https://download.sysinternals.com/files/Autoruns.zip) **(1.21 MB)**  
+[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Autoruns.zip) [**Download Autoruns and Autorunsc**](https://download.sysinternals.com/files/Autoruns.zip) **(1.2 MB)**  
 **Run now** from [Sysinternals Live](https://live.sysinternals.com/).
 
 ## Introduction
@@ -119,8 +119,8 @@ Autorunsc is the command-line version of Autoruns. Its usage syntax is:
 |  **-t**      |   Show timestamps in normalized UTC (YYYYMMDD-hhmmss).|
 |  **-u**      |   If VirusTotal check is enabled, show files that are unknown by VirusTotal or have non-zero detection, otherwise show only unsigned files.|
 |  **-x**      |   Print output as XML.|
-|  **-v\[rs\]**|   Query VirusTotal (www.virustotal.com) for malware based on file hash. Add 'r' to open reports for files with non-zero detection. Files reported as not previously scanned will be uploaded to VirusTotal if the 's' option is specified. Note scan results may not be available for five or more minutes.|
-|  **-vt**     |   Before using VirusTotal features, you must accept VirusTotal terms of service. See: https://www.virustotal.com/en/about/terms-of-service/ If you haven't accepted the terms and you omit this option, you will be interactively prompted.|
+|  **-v\[rs\]**|   Query [VirusTotal](https://www.virustotal.com/) for malware based on file hash. Add 'r' to open reports for files with non-zero detection. Files reported as not previously scanned will be uploaded to VirusTotal if the 's' option is specified. Note scan results may not be available for five or more minutes.|
+|  **-vt**     |   Before using VirusTotal features, you must accept the VirusTotal [terms of service](https://www.virustotal.com/en/about/terms-of-service/). If you haven't accepted the terms and you omit this option, you will be interactively prompted.|
 |  **-z**      |   Specifies the offline Windows system to scan.|
 |  **user**    |   Specifies the name of the user account for which autorun items will be shown. Specify '\*' to scan all user profiles. |
 
@@ -136,6 +136,6 @@ Autorunsc is the command-line version of Autoruns. Its usage syntax is:
 
 ## Download
 
-[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Autoruns.zip) [**Download Autoruns and Autorunsc**](https://download.sysinternals.com/files/Autoruns.zip) **(1.21 MB)**  
+[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Autoruns.zip) [**Download Autoruns and Autorunsc**](https://download.sysinternals.com/files/Autoruns.zip) **(1.2 MB)**  
 **Run now** from [Sysinternals Live](https://live.sysinternals.com/).
 

sysinternals/downloads/sigcheck.md

@@ -22,7 +22,7 @@ Published: May 22, 2017
 Sigcheck is a command-line utility that shows file version number,
 timestamp information, and digital signature details, including
 certificate chains. It also includes an option to check a file’s status
-on [VirusTotal](http://www.virustotal.com/), a site that performs
+on [VirusTotal](https://www.virustotal.com/), a site that performs
 automated file scanning against over 40 antivirus engines, and an option
 to upload a file for scanning.
 
@@ -56,7 +56,7 @@ name|\*>**
 |  **-s**      |       Recurse subdirectories|
 |  **-t\[u\]\[v\]** |  Dump contents of specified certificate store ('\*' for all stores).<br />Specify -tu to query the user store (machine store is the default).<br />Append '-v' to have Sigcheck download the trusted Microsoft root certificate list and only output valid certificates not rooted to a certificate on that list. If the site is not accessible, authrootstl.cab or authroot.stl in the current directory are used instead, if present.|
 |  **-u**      |       If VirusTotal check is enabled, show files that are unknown by VirusTotal or have non-zero detection, otherwise show only unsigned files.|
-|  **-v\[rs\]**|       Query VirusTotal ([www.virustotal.com](http://www.virustotal.com/)) for malware based on file hash.<br />Add 'r' to open reports for files with non-zero detection.<br />Files  reported as not previously scanned will be uploaded to VirusTotal if the 's' option is specified. Note scan results may not be available for five or more minutes.|
+|  **-v\[rs\]**|       Query VirusTotal ([www.virustotal.com](https://www.virustotal.com/)) for malware based on file hash.<br />Add 'r' to open reports for files with non-zero detection.<br />Files  reported as not previously scanned will be uploaded to VirusTotal if the 's' option is specified. Note scan results may not be available for five or more minutes.|
 |  **-vt**     |       Before using VirusTotal features, you must accept VirusTotal terms of service. See: <https://www.virustotal.com/en/about/terms-of-service/> If you haven't accepted the terms and you omit this option, you will be interactively prompted.|
 
 One way to use the tool is to check for unsigned files in your
@@ -77,7 +77,7 @@ You should investigate the purpose of any files that are not signed.
 ## Learn More
 
 -   [Malware Hunting with the Sysinternals
-    Tools](http://channel9.msdn.com/events/teched/northamerica/2013/atc-b308#fbid=mb6_bvqq9jj)  
+    Tools](https://channel9.msdn.com/events/teched/northamerica/2013/atc-b308#fbid=mb6_bvqq9jj)  
     In this presentation, Mark shows how to use the Sysinternals tools
     to identify, analyze and clean malware.
 

sysinternals/downloads/sysinternals-suite.md

@@ -13,8 +13,8 @@ Sysinternals Suite
 
 **By Mark Russinovich**  
 Updated: June 14, 2017  
-[**Download Sysinternals Suite**](https://download.sysinternals.com/files/SysinternalsSuite.zip) (21.3 MB)  
-[**Download Sysinternals Suite for Nano Server**](https://download.sysinternals.com/files/SysinternalsSuite-Nano.zip) (4.6 MB)
+[**Download Sysinternals Suite**](https://download.sysinternals.com/files/SysinternalsSuite.zip) (22.6 MB)  
+[**Download Sysinternals Suite for Nano Server**](https://download.sysinternals.com/files/SysinternalsSuite-Nano.zip) (4.7 MB)
 
 ## Introduction
 The Sysinternals Troubleshooting Utilities have been rolled up into a
@@ -44,6 +44,6 @@ Utilities:
 | [VolumeID](volumeid.md)  | [WhoIs](whois.md)  | [WinObj](winobj.md)  | [ZoomIt](zoomit.md) |  |
 
 
-[**Download Sysinternals Suite**](https://download.sysinternals.com/files/SysinternalsSuite.zip) (21.3 MB)  
-[**Download Sysinternals Suite for Nano Server**](https://download.sysinternals.com/files/SysinternalsSuite-Nano.zip) (4.6 MB)  
+[**Download Sysinternals Suite**](https://download.sysinternals.com/files/SysinternalsSuite.zip) (22.6 MB)  
+[**Download Sysinternals Suite for Nano Server**](https://download.sysinternals.com/files/SysinternalsSuite-Nano.zip) (4.7 MB)  
 

sysinternals/downloads/sysmon.md

@@ -7,14 +7,14 @@ ms:mtpsurl: 'https://technet.microsoft.com/en-us/Dn798348(v=MSDN.10)'
 ms.date: 05/22/2017
 ---
 
-Sysmon v6.02
-============
+Sysmon v6.1
+===========
 
 **By Mark Russinovich and Thomas Garnier**
 
-Published: May 22, 2017
+Published: September 11, 2017
 
-[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Sysmon.zip) [**Download Sysmon**](https://download.sysinternals.com/files/Sysmon.zip) **(1 MB)**
+[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Sysmon.zip) [**Download Sysmon**](https://download.sysinternals.com/files/Sysmon.zip) **(1.4 MB)**
 
 ## Introduction
 
@@ -292,6 +292,29 @@ configuration settings via browser downloads, and this event is aimed at
 capturing that based on the browser attaching a Zone.Identifier “mark of
 the web” stream.
 
+### Event ID 17: PipeEvent (Pipe Created)
+
+This event generates when a named pipe is created. Malware often uses named 
+pipes for interprocess communication. 
+
+### Event ID 18: PipeEvent (Pipe Connected)
+
+This event logs when a named pipe connection is made between a client and a 
+server.
+
+### Event ID 19: WmiEvent (WmiEventFilter activity detected)
+
+When a WMI event filter is registered, which is a method used by malware to 
+execute, this event logs the WMI namespace, filter name and filter expression. 
+
+### Event ID 20: WmiEvent (WmiEventConsumer activity detected)
+
+This event logs the registration of WMI consumers, recording the consumer name, 
+log, and destination. 
+
+### Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected)
+When a consumer binds to a filter, this event logs the consumer name and filter path. 
+
 ### Event ID 255: Error
 
 This event is generated when an error occurred within Sysmon. They can
@@ -420,7 +443,7 @@ activity to port 80 and 443 by all processes except those that have
 iexplore.exe in their name.
 
 
-[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Sysmon.zip) [**Download Sysmon**](https://download.sysinternals.com/files/Sysmon.zip) **(1 MB)**
+[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Sysmon.zip) [**Download Sysmon**](https://download.sysinternals.com/files/Sysmon.zip) **(1.4 MB)**
 
 **Runs on:**
 

sysinternals/index.md

@@ -23,6 +23,14 @@ You can view the entire Sysinternals Live tools directory in a browser at [https
 
 ## What's New [![RSS](/media/landing/sysinternals/rss.gif)](https://blogs.technet.microsoft.com/sysinternals/feed/) ##
 
+### What's New (September 11, 2017) ###
+  - [Sysmon v6.1](~/downloads/sysmon.md)  
+    This update to Sysmon, a background monitor that records activity to the event log for use in security incident detection and forensics, adds monitoring of WMI filters and consumers, an autostart mechanism commonly used by malware, and fixes a bug in image load filtering. 
+  - [Process Monitor v3.4](~/downloads/procmon.md)
+    Process Monitor, a file system registry, process and network real-time monitor, now includes a /runtime switch for terminating monitoring after a specified amount of time, when in hexadecimal mode shows process tree process IDs in hexadecimal, and fixes a bug in automated boot log conversion. 
+  - [Autoruns v13.8](~/downloads/autoruns.md) 
+    This release of Autoruns, a utility for viewing and managing autostart execution points (ASEPs), adds additional autostart entry points, has asynchronous file saving, fixes a bug parsing 32-bit paths on 64-bit Windows, shows the display name for drivers and services, and fixes a bug in offline Virus Total scanning. 
+
 ### What's New (May 16, 2017) ###
   - [ProcDump v9.0](~/downloads/procdump.md)  
     This major update to ProcDump, a utility that enables process dump capture based on a variety of triggers, introduces the ability to take capture multiple dumps sizes. This is particularly useful when capturing crash dumps of applications susceptible to termination due to unresponsiveness (e.g. IIS Ping killing w3wp.exe). This release also adds support for an associated Kernel Dump of the process that includes the kernel stacks of the process.</li>