Mark's Blog

Hunting Down and Killing Ransomware

Mark Russinovich — Mon, 07 Jan 2013 16:00:00 GMT

Scareware, a type of malware that mimics antimalware software, has been around for a decade and shows no sign of going away. The goal of scareware is to fool a user into thinking that their computer is heavily infected with malware and the most convenient...(read more)

The Case of the Unexplained FTP Connections

Mark Russinovich — Tue, 30 Oct 2012 14:00:00 GMT

A key part of any cybersecurity plan is “continuous monitoring”, or enabling auditing and monitoring throughout a network environment and configuring automated analysis of the resulting logs to identify anomalous behaviors that merit investigation. This...(read more)

Windows Azure Host Updates: Why, When, and How

Mark Russinovich — Wed, 22 Aug 2012 09:00:00 GMT

Windows Azure’s compute platform, which includes Web Roles, Worker Roles, and Virtual Machines, is based on machine virtualization. It’s the deep access to the underlying operating system that makes Windows Azure’s Platform-as-a-Service (PaaS) uniquely...(read more)

The Case of the Veeerrry Slow Logons

Mark Russinovich — Mon, 02 Jul 2012 12:00:00 GMT

This case is my favorite kind of case, one where I use my own tools to solve a problem affecting me personally. The problem at the root of it is also one you might run into, especially if you travel, and demonstrates the use of some Process Monitor...(read more)

Announcing Trojan Horse, the Novel!

Mark Russinovich — Tue, 08 May 2012 10:00:00 GMT

Many of you have read Zero Day , my first novel. It’s a cyberthriller that features Jeff Aiken and the beautiful Daryl Haugen, computer security experts that save the world from a devastating cyberattack. Its reviews and sales exceeded my expectations...(read more)

The Case of My Mom’s Broken Microsoft Security Essentials Installation

Mark Russinovich — Thu, 05 Jan 2012 05:00:00 GMT

As a reader of this blog I suspect that you, like me, are the IT support staff for your family and friends. And I bet many of you performed system maintenance duties when you visited your family and friends during the recent holidays. Every time I’m visiting...(read more)

The Case of the Installer Service Error

Mark Russinovich — Tue, 29 Nov 2011 06:00:00 GMT

This case unfolds with a network administrator charged with the rollout of the Microsoft Windows Intune client software on their network. Windows Intune is a cloud service that manages systems on a corporate network, keeping their software up to date...(read more)

Fixing Disk Signature Collisions

Mark Russinovich — Tue, 08 Nov 2011 09:00:00 GMT

Disk cloning has become common as IT professionals virtualize physical servers using tools like Sysinternals Disk2vhd and use a master virtual hard disk image as the base for copies created for virtual machine clones. In most cases, you can operate with...(read more)

The Case of the Mysterious Reboots

Mark Russinovich — Mon, 03 Oct 2011 08:00:00 GMT

This case opens when a Sysinternals power user, who also works as a system administrator at a large corporation, had a friend report that their laptop had become unusable. Whenever the friend connected it to a network, their laptop would reboot. The power...(read more)

The Case of the Hung Game Launcher

Mark Russinovich — Tue, 02 Aug 2011 08:00:00 GMT

I love the cases people send me where the Sysinternals tools have helped them successfully troubleshoot, but nothing is more satisfying than using them to solve my own cases. This case in particular was fun because, well, solving it helped me get back...(read more)

Troubleshooting with the New Sysinternals Administrator’s Reference

Mark Russinovich — Mon, 18 Jul 2011 11:00:00 GMT

Aaron Margosis and I are thrilled to announce that the long awaited, and some say long overdue, official guide to the Sysinternals tools is now available ! I’ve always had the idea of writing a book on the tools in the back of my mind, but it wasn’t until...(read more)

Analyzing a Stuxnet Infection with the Sysinternals Tools, Part 3

Mark Russinovich — Tue, 10 May 2011 08:00:00 GMT

In the first post of this series , I used Autoruns , Process Explorer and VMMap to statically analyze a Stuxnet infection on Windows XP. That phase of the investigation revealed that Stuxnet infected multiple processes, launched infected processes that...(read more)

The Zero Day Book Trailer

Mark Russinovich — Tue, 03 May 2011 11:00:00 GMT

I just got back the finished version of the video trailer for my new cyber thriller Zero Day , which I think came out awesome! It’s not hard to imagine what a Zero Day movie trailer would look like. Let me know what you think. Zero Day Book Trailer...(read more)

Analyzing a Stuxnet Infection with the Sysinternals Tools, Part 2

Mark Russinovich — Wed, 20 Apr 2011 08:00:00 GMT

In Part 1 I began my investigation of an example infection of the infamous Stuxnet worm with the Sysinternals tools. I used Process Explorer , Autoruns and VMMap for a post-infection survey of the system. Autoruns quickly revealed the heart of Stuxnet...(read more)

Analyzing a Stuxnet Infection with the Sysinternals Tools, Part 1

Mark Russinovich — Wed, 30 Mar 2011 08:00:00 GMT

Though I didn’t realize what I was seeing, Stuxnet first came to my attention on July 5 last summer when I received an email from a programmer that included a driver file, Mrxnet.sys, that they had identified as a rootkit. A driver that implements rootkit...(read more)

Zero Day is Here!

Mark Russinovich — Tue, 15 Mar 2011 09:00:00 GMT

I’m excited to announce that my first novel, a cyber thriller entitled Zero Day , is now available at all major book retailers! Zero Day is a book in the style of Crichton and Clancy, weaving technical fact into the story. If you like the Sysinternals...(read more)

The Case of the Unusable System

Mark Russinovich — Mon, 14 Mar 2011 09:00:00 GMT

This post continues in the malware hunting theme of the last couple of posts as Zero Day availability draws near (it’s available tomorrow!). It began when a friend of mine at Microsoft told me that a neighbor of hers had a laptop that malware had rendered...(read more)

The Case of the Sysinternals-Blocking Malware

Mark Russinovich — Tue, 08 Mar 2011 09:36:00 GMT

Continuing the theme of focusing on malware-related cases (last week I posted The Case of the Malicious Autostart ) as a lead up to the publication on March 15 of my novel Zero Day , this post describes one submitted to me by a user that took a unique...(read more)

The Case of the Malicious Autostart

Mark Russinovich — Sun, 27 Feb 2011 00:20:06 GMT

Given that my novel, Zero Day , will be published in a few weeks and is based on malware’s use as a weapon by terrorists, I thought it appropriate to post a case that deals with malware cleanup with the Sysinternals tools. This one starts when Microsoft...(read more)

The Cases of the Blue Screens: Finding Clues in a Crash Dump and on the Web

Mark Russinovich — Sat, 29 Jan 2011 15:00:00 GMT

My last couple of posts have looked at the lighter side of blue screens by showing you how to customize their colors. Windows kernel mode code reliability has gotten better and better every release such that many never experience the infamous BSOD. But...(read more)

Announcing Zero Day, the Novel!

Mark Russinovich — Sun, 23 Jan 2011 12:00:00 GMT

You’ve seen the news if you’re my friend on Facebook , follow me on Twitter , or subscribe to the Sysinternals blog : I’m proud to announce that my first novel, a cyberthriller entitled Zero Day , is due to be published by St. Martin’s Press in mid-March...(read more)

“Blue Screens” in Designer Colors with One Click

Mark Russinovich — Tue, 11 Jan 2011 20:15:00 GMT

My last blog post described how to use local kernel debugging to change the colors of the Windows crash screen, also known as the “blue screen of death”. No doubt many of you thought that showing off a green screen of death or red screen of death to your...(read more)

A Bluescreen By Any Other Color

Mark Russinovich — Tue, 14 Dec 2010 16:00:00 GMT

Note: for an easier way to customize the blue screen’s colors, see my next blog post, “ Blue Screens in Designer Colors with One Click ”. Seeing a bluescreen that’s not blue is disconcerting, even for me, and based on the reaction of the TechEd audiences...(read more)

The Case of the Slow Project File Opens

Mark Russinovich — Tue, 07 Dec 2010 12:00:00 GMT

If you’ve seen one of my Case of the Unexplained presentations (like the one I delivered at TechEd Europe last month that’s posted for on-demand viewing ), you know that I emphasize how thread stacks are a powerful troubleshooting tool for diagnosing...(read more)

LiveKd for Virtual Machine Debugging

Mark Russinovich — Thu, 14 Oct 2010 07:00:00 GMT

When Dave Solomon and I were writing the 3 rd edition of the Windows Internals book series Inside Windows 2000 back in 1999, we pondered if there was a way to enable kernel debuggers like Windbg and Kd (part of the free Debugging Tools for Windows package...(read more)