Sysinternals utilities help manage, troubleshoot and diagnose Windows systems and applications.
- Official Documentation (Microsoft)
- Sysinternals Utilities Index
Distribute Sysinternals from Kali
Download Sysinternals
Use Impacket. See File Transfer.
wget -O ./impacket-share/SysinternalsSuite.zip https://download.sysinternals.com/files/SysinternalsSuite.zip
unzip ./impacket-share/SysinternalsSuite.zip -d ./SysinternalsSuite
Upload
copy \\x.x.x.x\myshare\SysinternalsSuite.zip c:\<some path>\SysinternalsSuite.zip
powershell -c "Expand-Archive SysinternalsSuite.zip ."
AccessChk
- Official Documentation (Microsoft)
List every object under C:\Program Files that Everyone can write to (-u suppresses errors, -w shows only objects with write access, -s recurses):
accesschk.exe -accepteula -uws "Everyone" "C:\Program Files"
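The command above can produce a long listing on a real host; the following is an added example (not part of this page or of Sysinternals) that parses that listing and separates writable binaries from writable directories, since a writable .exe/.dll under Program Files or a writable directory next to one is the permission flaw that the Process Monitor section's DLL-hijacking note is about. The sample output and the `RW`/`W` prefix format are constructed assumptions modelled on typical accesschk output.

```python
import re
from typing import List, Tuple

# Constructed sample of what `accesschk.exe -accepteula -uws "Everyone" "C:\Program Files"`
# prints: a banner, then one line per object the principal can write to, prefixed
# by the effective access (R, W or RW). Not real output from any host.
SAMPLE_OUTPUT = r"""
AccessChk v6.14 - Reports effective permissions for securable objects
Copyright (C) 2006-2021 Mark Russinovich
Sysinternals - www.sysinternals.com

RW C:\Program Files\ExampleApp\logs
W  C:\Program Files\ExampleApp\plugins
RW C:\Program Files\ExampleApp\plugins\helper.dll
RW C:\Program Files\ExampleApp\updater.exe
"""

# Access field (R, W or RW), whitespace, then the object path (assumed layout).
LINE_RE = re.compile(r"^(RW|R|W)\s+(\S.*?)\s*$")
# Extensions treated as executable code for the "fix this first" list.
BINARY_EXT = (".exe", ".dll", ".sys", ".ocx", ".cpl")


def parse_accesschk(output: str) -> List[Tuple[str, str]]:
    """Return (access, path) pairs for object lines; banner, blank and
    'No matching objects found.' lines do not match and are skipped."""
    entries = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def writable_binaries(entries: List[Tuple[str, str]]) -> List[str]:
    """Executables/DLLs that Everyone can overwrite: the highest-priority
    findings, because replacing one yields code execution as whoever runs it."""
    return [p for a, p in entries if "W" in a and p.lower().endswith(BINARY_EXT)]


def writable_directories(entries: List[Tuple[str, str]]) -> List[str]:
    """Writable non-binary paths (directories, data files); these matter when a
    binary in or near them loads DLLs by relative name (DLL hijacking)."""
    return [p for a, p in entries if "W" in a and not p.lower().endswith(BINARY_EXT)]


if __name__ == "__main__":
    found = parse_accesschk(SAMPLE_OUTPUT)
    print("Writable binaries:", writable_binaries(found))
    print("Writable directories:", writable_directories(found))
```

On a real host, redirect accesschk's output to a file and pass its contents to `parse_accesschk` instead of `SAMPLE_OUTPUT`.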
Process Monitor
- Official Documentation (Microsoft)
Advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and includes rich and non-destructive filtering, event properties such as session IDs and user names, process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and more. It helps you understand how a process interacts with the file system and Windows Registry and identify flaws such as Registry hijacking and DLL hijacking.
procmon.exe -accepteula
Sigcheck
- Official Documentation (Microsoft)
Inspect the application manifest (-a shows extended version information, -m dumps the embedded manifest):
sigcheck.exe -accepteula -a -m C:\Windows\System32\<filename>.exe
TCPView
- Official Documentation (Microsoft)
TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. On Windows Server 2008, Vista, and XP, TCPView also reports the name of the process that owns the endpoint. TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality.
PsExec
- Official Documentation (Microsoft)
On Kali, use command impacket-psexec. See Impacket.
Execute processes on remote systems. PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software.
Some anti-virus scanners report that one or more of the tools are infected with a “remote admin” virus. None of the PsTools contain viruses, but they have been used by viruses, which is why they trigger virus notifications.
Download PsExec: https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
psexec [\\computer[,computer2[,...] | @file]][-u user [-p psswd][-n s][-r servicename][-h][-l][-s|-e][-x][-i [session]][-c executable [-f|-v]][-w directory][-d][-<priority>][-a n,n,...] cmd [arguments]
psexec.exe -accepteula \\<hostname> cmd.exe