Mark Russinovich’s technical blog covering topics such as Windows troubleshooting, technologies and security.
Aaron Margosis and I are thrilled to announce that the long awaited, and some say long overdue, official guide to the Sysinternals tools is now available! I’ve always had the idea of writing a book on the tools in the back of my mind, but it wasn’t until a couple of years ago that Dave Solomon, my coauthor on Windows Internals, convinced me to pursue it. After a few false starts, I decided that a coauthor would help get the book done more quickly, and turned to Aaron, a good friend of mine who’s also a long-time user and expert on the tools at his day job in the Federal Division of Microsoft Consulting Services. It was a great choice and I’m proud to put the Sysinternals brand on the book.
Whether you’re new to the tools or have been using them since Bryce Cogswell (my Sysinternals and Winternals Software cofounder, now retired) and I released NTFSDOS in 1996, you’re sure to take away new insights that will give you the edge when tackling tough problems and managing your Windows systems.
The book covers all 70+ tools, with chapters dedicated to the major tools like Process Explorer, Process Monitor, and Autoruns. For each we provide a thorough tour of all of the tool’s features, how to use the tool, and include our favorite tips and techniques. There’s no better way to learn than by example, though. The last section of the book will be familiar to anyone that’s read this blog or watched my Case of the Unexplained conference sessions, because it presents 17 real-world cases that show how Windows power users and administrators like you solved otherwise impossible-to-solve problems by using the tools.
The book is available for purchase on Amazon.com and available from O'Reilly in 4 ebook formats, or you can read it online through Safari.
The eBook has only been out for a couple of weeks and we’ve already heard from someone who bought the book and immediately used what he learned to solve a case that was literally ruining his sleep. I thought it only appropriate to include it here in the blog post announcing the book.
Let us know what you think of the book by dropping us an email, and as I say my dedication to you - my fellow Windows troubleshooters - at the front of the book, never give up, never surrender!
The case opened several weeks ago when a user started hearing sounds from the computer in his bedroom. The sound, a simple short tone, came randomly, sometimes only once per day, other times a few times in an hour. Every time he heard it, he’d jump to the computer, open Process Explorer, and look for clues as to what might be responsible, but the sounds persisted even when he had no applications open. On a few occasions he was woken from sleep and learned to mute the speaker before heading to bed. His life began to unravel from his lack of sleep and growing frustration. Work suffered, he was short with his friends, and he started to wonder if he had a ghost.
Then last week he saw the announcement that the Sysinternals book was available. He had been a casual user of the tools and thought that getting a deeper understanding might help his IT management responsibilities at work. When he reached the chapter on Process Monitor, he read that many years ago Dave Solomon found Process Monitor so useful at uncovering root causes to such a wide array of problems, that he coined the phrase “when in doubt, run Process Monitor.” With little to lose, he decided to give the advice a try on his haunted home system.
He configured a filter for files ending in .WAV, hypothesizing that the sound was stored in that common format. Since he didn’t know how long it would take for a sound to reoccur, he needed to leave Process Monitor running for many hours. So that it wouldn’t exhaust the system’s virtual memory or fill up the disk, he used its “drop filtered events” feature to only record events matching the active filter. He left Process Monitor running and went to work. When he arrived home, he eagerly went to the computer to see if the culprit had been caught. Almost collapsing with relief, he saw eight operations had matched the filter:
The tooltip clearly revealed that the wireless adapter’s applet had played a sound. Then it all clicked: the computer was just in range of the wireless base station, so while it had a decent connection most of the time, occasionally the connection would drop. He suspected that the applet chimed to announce when the connection was restored. Expecting that it would offer an option to disable the notification, he right-clicked on the tray icon. Sure enough, “Enable Internet Connected Notification” was checked:
Since he unchecked it, the computer hasn’t made any unexpected noises and the case was closed. As a result, his sleep has returned to normal, he’s getting along with his friends, and his use of what he’s learned from the Sysinternals Administrator’s Reference has made him a star at work.
Mark Russinovich is a Technical Fellow on the Windows Azure team at Microsoft and is author of Windows Internals, The Windows Sysinternals Administrator’s Reference, and the cyberthriller Zero Day: A Novel. You can contact him at email@example.com.
Nice case. It's always the little things :)
For instance, I just learned about the "drop filtered events" option. That's going to come in handy. I wish I'd known about it before.
Wow! Nice to hear about the book. I am ordering it now.
However, Mark, I am a bit irritated that you didn't announce it in advance. How comes you did announce that novel of yours in advance but not this one?
Just bought it. Really pleased this has been released.
Thanks for the hard work.
Mark, congrats on releasing this long anticipated book. It will help IT Pros all over the world. My copy just arrived yesterday and it's hard to put it down. Lots of juicy stuff. Just when I though I know some of the tools really well. I was still able to pick up new features I wasn't clear about. I thank you for all your great work and helping us maneuver in a Windows world.
This case along with the announcement of the book was great. Another feature I haven't used before "drop filtered events" knowing how it works.. I will now.
@KandyKane Thanks for the feedback!