So as you probably have guessed I’m a big fan of the Windows Internals Series, with versions 4 & 5 having had serious workouts. So with still no Windows Internals 6 on the horizon had to get this as an interim fix. I downloaded the PDF version late last night from http://oreilly.com/catalog/0790145316974 and at 462 pages it was a nice light read (relative to Mark’s usual). Authored by Mark Russinovich and Aaron Margosis this reference book takes a much more high-level approach than the Windows Internals Series and focuses solely on the SysInternals tool suite with examples of using the tools to resolve real world problems. If you are expecting juicy in-depth internals details you will not find it here…
The book is divided into 3 sections
- Getting Started
- Usage Guide
- Troubleshooting – “The case of the unexplained”
The getting started section covers basics such as
- Summary table of all SysInternals Tools
- How to download them
- Windows Core Concepts
- Administrative Rights
- Processes, Threads and Jobs
- User Mode and Kernel Mode
- Call Stacks and Symbols
- Sessions, Window Stations, Desktops and Window Messages
For people who are new to world Windows Internals and are keen to understand Windows Core Concepts in a few hours without the hassle of going through a 1,500+ page Windows Internals book this section is excellent – and if you are an IT Pro and thinking “what i a job?” “what is process vs thread?” “what is kernel mode?” Please get this book now. In addition to the core concepts this section advises which tools use/interact with these various components of Windows. For myself I was hoping for a bit more depth here and would have liked to see memory management as a minimum addition included here, but I will give the authors credit for greatly simplifying this topics in a more accessible way to many more people.
The usage guide is broken into 12 chapters, covering the entire SysInternals suite. We have about 62 pages dedicated to Process Explorer, 44 pages on Process Monitor, etc.
This covers topics, that if you have read/watched a lot of Mark Russinovich you will already be familiar with. However it is important to know. Questions are answered such as:
- Why task manager’s CPU measurement isn’t up to scratch for performance diagnostics
- Why ProcExp has high accuracy of CPU consumption measurement in Windows 7
- What is the System Idle Process
- What is context switching
- What is the System Process
Then it mostly documents all the functionality of Process Explorer. I would have liked to see some additional usage examples on top of this here i.e. as feature of Process Explorer described some common diagnostic scenarios when it might be used. However I expect for simplicity all examples have been put in their own section.
The ProcMon section has a table of all result codes and their explanation, which is useful as a reference. In addition result codes that are typically unimportant are pointed out. We also see a table of all the file attribute codes that are used in the details column. We also see (is this for the first time from Mark?) a PowerShell command to process the Procmon XML export. The example script outputs all unique module paths loaded outside Windows folder (and is 2 lines of PowerShell)
In addition details on running ProcMon after logoff are provided, importing and exporting configuration options, some example batch files putting together smart use of the ProcMon command line options.
Again I would have liked more “tips” here as they are always great and I spend so much time with ProcMon I didn’t pick up much new here. However for people who have not explored the full functionality of ProcMon this is a must read.
After ProcMon section we have section on AutoRuns. Mostly this just documents the usage of the tool, but one useful addition is it documents every registry key section that AutoRuns uses to retrieve the information it does. This is a great reference, there were a few here I hadn’t thought of
In addition we see some tips here on using AutoRuns to identify Malware.
The section then continues on covering every SysInternals tools. All are useful to the IT Pro, if you don’t know them, try them!
Another useful section of this book is a table that demonstrates all the requirements for the various PsTools suite, tools that support finding info on machines remotely. i.e. Requires Administrative Rights Locally, Requires Admin$ share, Requires Remote Registry Service, supports specification of multiple computer names.
Now onto the final section “Case of the Unexplained” This is split into 3 sections
- Error Messages – seven “cases”
- Hangs and Sluggish Performance – five “cases”
- Malware – four “cases”
As always these case of the unexplained are useful, and although having watched enough Mark Russinovich to be pretty familiar with these techniques it’s still nice to read about these interesting cases he’s come across. Of course I would have liked a lot more though in this section. Like about 500-1,000 pages more. Maybe a sequel?
All in all the SysInternals Administrators Reference is an excellent guide, especially to those unfamiliar with SysInternals suite, and for those who believe they have yet to fully exploit the toolset. If you are expecting advanced windows internals details you will be disappointed. I will admitted I wanted a bit more of this, but I think this is due more to the target audience, it needed to be more high-level. I just hope we see Windows Internals 6. Please!
I will definitely keep this book on my bookshelf but for me my primary use will be whenever I hear an IT support person say “Proc what?” I will shove this book over to them.