Microsoft should bundle Sysinternals tools into Windows -- or should they?
If you administer Windows systems you must know about Microsoft's Sysinternals tools. If you don't, get started. They're a collection of tools which make administration and troubleshooting considerably easier. They're available on all my Windows systems, and I carry a USB key with the latest version.
Improving Windows Insight
This is a pretty old collection, too. The tools were written by Mark Russinovich and Bryce Cogswell, who were well-known Windows consultants and trainers long before Microsoft bought their company, Winternals, in 2006, after which both went to work for Microsoft. Russinovich still works on the tools, but officially works in the Azure group.
So many of the tools are so well-known and so useful that I finally asked around why they're not just included with Windows. The likely reasons are disappointing.
For me, the best case for inclusion can be made for what are probably the two best-known tools, Process Explorer and Autoruns. Remember, these are just two of the tools.
Think of Process Explorer as a much more capable version of Task Manager. In fact, Process Explorer can be set to replace Task Manager on Windows. It shows a far more detailed account of what is running. You can drill down into individual svchost.exe instances to see which services each one is actually hosting. You can search the running processes by name (or by an open handle or loaded DLL) for the one you're looking for. You can open a process and see, suspend, and even kill individual threads.
Perhaps even more generally useful is Autoruns, which shows you everything set to run in Windows automatically from any source.
Autoruns is a lifesaver for an administrator trying to find out what nonsense a user loaded (and denies loading). Note the menu options to hide the large number of Windows and other Microsoft entries, identified by their code signatures; turn on signature verification as well, so that only entries that actually verify as Microsoft's are hidden. That makes it much easier to pick out the interesting third-party ones.
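The same "hide the verified Microsoft entries" filtering can be done from the command line with autorunsc.exe, which is handy for a machine you can't sit at or for keeping a record to diff later. The script below is an added example, not code from the original article or from Sysinternals. It assumes autorunsc.exe from a recent Sysinternals release is in C:\SysInternals and that it runs from an elevated prompt; the switches (-a * for all entry categories, -s to verify code signatures, -m to hide verified Microsoft entries, -h for file hashes, -c for CSV output, -nobanner and -accepteula) and the CSV column names (Entry Location, Entry, Signer, Image Path) are those of current releases and have changed between versions, so check `autorunsc -?` against your copy.

```powershell
# Added example (not from the original article or from Sysinternals):
# dump everything that autostarts, minus verified Microsoft entries, and sort
# what is left into buckets an administrator should look at.
#
# Assumptions: autorunsc.exe from a recent release lives in C:\SysInternals;
# run elevated; switch names and CSV column names are those of current
# versions (see "autorunsc -?").
$autorunsc = 'C:\SysInternals\autorunsc.exe'
$out = Join-Path $env:TEMP ('autoruns-{0}-{1}.csv' -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmm'))

# PowerShell passes "*" to a native program literally, so -a * reaches autorunsc unchanged.
$csv = & $autorunsc -accepteula -nobanner -a * -s -m -h -c 2>$null
if ($LASTEXITCODE -ne 0) { throw "autorunsc failed with exit code $LASTEXITCODE" }

# Keep the raw CSV; the next run can be diffed against it to spot new autostarts.
$csv | Set-Content -Path $out -Encoding UTF8
$entries = $csv | ConvertFrom-Csv

# -m has already removed verified Microsoft entries, so what remains is:
#   1. unsigned binaries, or ones whose signature failed to verify (look here first)
#   2. entries whose image no longer exists: stale leftovers, or a path someone could plant a binary at
#   3. verified third-party signers: the software the user actually installed
$unverified = $entries | Where-Object { $_.Signer -notmatch '^\(Verified\)' }
$missing    = $entries | Where-Object { $_.'Image Path' -match '^File not found' }
$thirdParty = $entries | Where-Object { $_.Signer -match '^\(Verified\)' }

function Show-Bucket([string]$Title, $Rows) {
    Write-Host ''
    Write-Host ('== {0} ({1}) ==' -f $Title, @($Rows).Count)
    $Rows | Select-Object 'Entry Location', Entry, Signer, 'Image Path' | Format-Table -AutoSize -Wrap
}

Show-Bucket 'Unsigned or failed signature verification' $unverified
Show-Bucket 'Image not found' $missing
Show-Bucket 'Verified non-Microsoft signer' $thirdParty

Write-Host ''
Write-Host "Full CSV saved to $out"
```

The "unsigned" bucket is where malware and the user's more creative downloads usually land; the "image not found" bucket is easy to dismiss as clutter, but an autostart pointing at a path that no longer exists is also a path an attacker with write access there can fill in.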
Below is a video of a presentation from TechEd of a primer on several Sysinternals tools, including Autoruns.
Why Not?
So why wouldn't you want to include these great tools? To understand, you have to consider what a big deal it is to include a program in Windows. It has to go through complex development and testing processes, as opposed to being done by Mark in his spare time. It has to be localized into dozens of languages. It has to have a support system built around it. Currently the team can add a new feature to a tool whenever they want to, but Microsoft doesn't just add new features to Windows components whenever it likes. The bottom line is that adding the Sysinternals tools to Windows would be a major drag on them.
There are other legitimate reasons Microsoft wouldn't want to give these tools to everyone automatically. Consider Autoruns: it's very easy to break your system if you disable the wrong entry. Many of the tools are like this. Yes, there are already tools in Windows that you can use to bork your system, but that's not a reason in and of itself to add more.
There was a time when Microsoft built up features in Windows to make it more useful and attractive, but Windows is so big that individual programs can easily get lost. At the same time, obtaining and installing a set of tools is pretty easy to do. All things considered, the convenience to users and admins of bundling the tools in Windows is minimal.
Incidentally, one of the main arguments I had in mind for bundling them was that they could then be updated automatically via Windows Update and WSUS, but that turns out not to be necessary at all. Microsoft keeps the current version of every tool at http://live.sysinternals.com/, which is also exposed as a WebDAV share. Using the Robocopy tool, which has been bundled with Windows since Vista (or you can download the XP versions here), you can update the tools with a single command:
- robocopy.exe \\live.sysinternals.com\tools C:\SysInternals
where "C:\SysInternals" is whatever directory you keep the tools in. You can create a task in Task Scheduler (or with schtasks.exe or the AT command) to run this periodically.
Using Robocopy against that share requires the WebDAV client (the WebClient service) to be running, which it isn't by default on Vista and Windows 7. You can put the robocopy command in a script like this to start it first and stop it afterwards:
net start webclient
robocopy.exe \\live.sysinternals.com\tools C:\SysInternals
net stop webclient
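The three-line script above fetches the tools over WebDAV, which is plain HTTP by default, and nothing in it checks what arrived. Every Sysinternals binary is Authenticode-signed by Microsoft, so the natural hardening is to verify the signatures after the copy and move aside anything that fails. The PowerShell script below is an added example, not code from the original article or from Sysinternals: it does the same start/mirror/stop sequence and then checks each binary with Get-AuthenticodeSignature. It assumes PowerShell 3.0 or later, that $Dest holds nothing but the tools (robocopy /MIR deletes anything not present on the share), and that the WebClient service exists, as it does on Vista/7 and later.

```powershell
# Added example (not from the original article or from Sysinternals):
# mirror live.sysinternals.com into a local directory, then verify that every
# binary carries a valid Microsoft Authenticode signature. The share is reached
# over WebDAV, by default plain HTTP, so the signature check is what actually
# tells you the files were not altered in transit or on the mirror.
#
# Assumptions: PowerShell 3.0+; $Dest contains only the tools (/MIR deletes
# anything else); the WebClient service exists (Vista/7 and later).
param(
    [string]$Dest = 'C:\SysInternals'
)

$ErrorActionPreference = 'Stop'
$share = '\\live.sysinternals.com\tools'
# Quarantine lives beside $Dest, not inside it, so the next /MIR does not wipe it.
$quarantine = "$Dest-quarantine"

# Start the WebDAV redirector only if it isn't already running, and remember
# that we did, so the machine is left the way we found it.
$webclient = Get-Service -Name WebClient
$startedIt = $false
if ($webclient.Status -ne 'Running') {
    Start-Service -Name WebClient
    $startedIt = $true
}

try {
    if (-not (Test-Path -Path $Dest)) { New-Item -ItemType Directory -Path $Dest | Out-Null }
    # /MIR mirrors the share (adds, updates, deletes); /R:2 /W:5 stops a flaky
    # WebDAV connection from retrying for an hour; /NP /NDL keep the log short.
    & robocopy.exe $share $Dest /MIR /R:2 /W:5 /NP /NDL
    # Robocopy exit codes 0-7 are success (0 = nothing new, 1 = files copied); 8 and up are failures.
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
}
finally {
    if ($startedIt) { Stop-Service -Name WebClient }
}

# Anything unsigned, with a broken signature, or signed by someone other than
# Microsoft is moved out of the tools directory. Status 'Valid' means the
# signature checks out and chains to a trusted root; the subject check alone
# would not be enough.
$bad = Get-ChildItem -Path $Dest -Recurse -Include *.exe,*.dll,*.sys,*.cpl | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
        [pscustomobject]@{ Path = $_.FullName; Status = $sig.Status; Signer = $signer }
    }
}

if ($bad) {
    if (-not (Test-Path -Path $quarantine)) { New-Item -ItemType Directory -Path $quarantine | Out-Null }
    foreach ($b in $bad) { Move-Item -Path $b.Path -Destination $quarantine -Force }
    $bad | Format-Table -AutoSize -Wrap
    Write-Warning ('{0} file(s) failed signature verification and were moved to {1}' -f @($bad).Count, $quarantine)
    exit 1
}
Write-Host "All tools in $Dest carry a valid Microsoft Authenticode signature."
```

Save it as, say, C:\Scripts\Update-Sysinternals.ps1 and schedule it with something like `schtasks /Create /SC WEEKLY /TN "Update Sysinternals" /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Update-Sysinternals.ps1" /RU SYSTEM`. The non-zero exit code on a signature failure is deliberate: Task Scheduler records it as the task's last result, so a tampered mirror shows up somewhere an administrator will eventually look, instead of silently landing in a directory full of tools that get run as an administrator.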
Larry Seltzer is a freelance writer and consultant, dealing mostly with security matters. He has written recently for InfoWorld, eWEEK, Dr. Dobb's Journal, and is a Contributing Editor at PC Magazine and author of their Security Watch blog. He has also written for Symantec Authentication (formerly VeriSign) and Lumension's Intelligent Whitelisting site.