Category Archives: Autoruns

Autoruns v11.70, Bginfo v4.20, Disk2vhd v1.64, Process Explorer v15.40

Autoruns v11.70: This release of Autoruns, a powerful utility for scanning and disabling autostart code, adds a new option to show only per-user locations, which is useful when analyzing the autostarts of accounts other than the one Autoruns is running under.

Bginfo v4.20: BgInfo, a utility that creates custom desktop backgrounds that display system information, now correctly reports version information for Windows 8.1 and Windows Server 2012 R2.

Disk2vhd v1.64: This update to Disk2Vhd, a tool for converting physical system disks to VHDs for use by virtual machines, now supports disk sizes of up to 2 TB.

Process Explorer v15.40: Process Explorer, a Task Manager replacement, now shows WMI providers hosted in Wmiprvse processes (thanks to Mohamed Elghetany for contributions); includes an option that configures it to run automatically when you log on; and introduces a process view column that shows process DPI awareness support on Windows 8.1 systems.


Updates: Mark’s TechEd Sessions, Autoruns v11.61, Strings v2.52, ZoomIt v4.5

Mark’s TechEd Sessions Available On-Demand:  Mark delivered four top-rated sessions at Microsoft’s TechEd US conference two weeks ago, and the recordings are available now for on-demand viewing. In Windows Azure Infrastructure Services, he gives an overview of the deployment and operation of Virtual Machines and Virtual Networks; in Windows Azure Internals Mark goes under the hood of Windows Azure to show its physical and logical datacenter architecture and operation; in Case of the Unexplained you’ll see how to use the Sysinternals tools to solve impossible problems; and in Malware Hunting with the Sysinternals Tools you’ll learn how to use Sysinternals tools to identify and clean malware infestations.

Autoruns v11.61:  Autoruns is a utility for managing autostarting applications, DLLs and services.  This update adds more autostart locations, fixes a bug that could cause a crash when Autorunsc is directed to calculate file hashes, and fixes a bug in Autoruns’ jump-to-image functionality on 64-bit Windows.

Strings v2.52:  This release fixes a bug that prevented the previous one from running on Windows XP.

Zoomit v4.5:  Zoomit is a screen zooming and annotation tool for technical presentations. This release introduces better support for zooming in on Windows Store applications on Windows 8.


Updates: Autoruns v11.6, Procexp v15.31, Procmon v3.05, Sigcheck v1.92

Autoruns v11.6: Autoruns is a utility for enumerating and disabling executables and DLLs configured to activate in dozens of autostart registration points.  This update fixes some minor bugs and adds Authenticode SHA1 and SHA256 hash reporting to Autorunsc output.

Sigcheck v1.92: Sigcheck is a command-line utility for reporting image version and signature information.  With this update, it now includes support for Authenticode SHA256 hashes, the same hash type AppLocker uses to identify images.

Process Explorer v15.31: Process Explorer is a powerful process management utility. This update fixes a bug with copying text from the process properties dialog and adds an option to disable the heatmap display in the process view.

Process Monitor v3.05: Process Monitor is a powerful file, registry, process, thread and network monitoring tool.  This update adds a context-menu entry that opens the filter edit dialog with contents prepopulated with the specified row and column value.

Updates: Autoruns v11.5, Du (Disk Usage) v1.5, Procdump v5.14, Procmon v3.04, Ru (Registry Usage) v1.0

Autoruns v11.5: This update to Autoruns, a utility for managing autostarting applications and components, now reports the image timestamp of executables and the last-modified timestamp of other file types and autostart locations to help with forensic analysis. The jump-to-entry feature is also improved to navigate directly to files rather than their parent directory.

Disk Usage (Du) v1.5: Du, a command-line utility for reporting the disk space consumed by directories and their files, has expanded CSV output that includes file and directory counts, as well as an option for tab-delimiting, which is a format more convenient for import into Excel than comma-delimited.

ProcDump v5.14: This release of Procdump, a command-line utility that enables the capture of process dumps based on numerous trigger types including on-demand, now reports process exceptions only when the exception trigger is specified.

Process Monitor v3.04: Procmon, a powerful system activity monitor, now includes support for new Windows 8 file information query types and fixes a bug in the tooltip handling.

Registry Usage (RU) v1.0: Ru (Registry Usage) is a new command-line utility that reports the size, value and subkey counts of registry keys. Like its Sysinternals Du (Disk Usage) counterpart, Ru can help you find the keys that contribute to registry bloat.

Updates: Autoruns v11.41, Handle v3.51, Movefile v1.01, Procdump v5.13, Sigcheck v1.9

Autoruns v11.41: This Autoruns update reports the hosting image target of link shortcut references.

Handle v3.51: This minor update to Handle, a command-line utility that dumps process handle tables, fixes a bug in its file share drive letter formatting.

Movefile v1.01: Movefile, a utility for scheduling file delete and rename operations for when the system reboots, now correctly handles 64-bit system paths.

Procdump v5.13: This update to Procdump, a command-line utility that generates on-demand and trigger-based process crash dump files, now supports triggers for when process CPU usage, memory consumption or arbitrary performance counters fall below a specified value.

Sigcheck v1.9: Sigcheck, a command-line file-version and signature verification tool, now reports certificate publisher names, capitalizes hash values, and fixes a certificate chain validation bug.

Updates: Autoruns v11.4, ProcDump v5.12, SDelete v1.61

Autoruns v11.4: Autoruns v11.4 adds additional startup locations, fixes several bugs related to image path parsing, adds better support for browsing folders on WinPE, and fixes a Wow64 redirection bug.

Procdump v5.12: This Procdump update fixes a bug introduced in v5.11 where it doesn’t save information required by the !runaway debugger command.

SDelete v1.61: SDelete v1.61 fixes drive letter syntax consistency in its parsing of command line arguments.

Updates: Autoruns v11.34, ProcDump v5.0, Sigcheck v1.8, VMMap v3.11

Autoruns v11.34: This release of Autoruns fixes a bug that prevented it from showing some Internet Explorer extensions.

ProcDump v5.0: Procdump is an advanced utility for capturing process memory dumps based on a variety of triggers including CPU usage, memory usage, performance counter values, and exceptions. Version 5.0 is a major upgrade that adds the ability to configure exception filters based on managed and native exception types, extends support to Windows 8 modern applications, and integrates with Process Monitor’s debug output logging.

Sigcheck v1.8: This update to Sigcheck, a command-line file version and digital signature verification utility, shows detailed certificate information such as certificate usage, validity dates, and thumbprints, and also shows a file’s counter-signing chain if it has one.

VMMap v3.11: VMMap, a utility that shows detailed information about a process’ virtual and physical memory usage, now reports commit usage instead of working set in its timeline view and fixes a bug so that captures of 32-bit processes can be exported.

Updates: AccessChk v5.1, Autoruns v11.33, Coreinfo v3.05, Whois v1.1

AccessChk v5.1: This update to AccessChk, a command-line utility that shows the security settings and effective access on many object types, including registry keys and files, now reports Windows 8 claims and capabilities, shows the token of processes running as local system, lists security descriptor flags, and checks for remote interactive logon rights.

Autoruns v11.33: This release fixes a bug that caused run-as-administrator elevation to fail if Autoruns was started from a path containing spaces.

Coreinfo v3.05: Coreinfo, a tool that shows CPU features, cache sizes, and topology, now correctly shows hyperthreading support on AMD multicore systems and lists processor features on Windows XP.

Whois v1.1: Whois is a command-line utility that looks up domain name registration information. This release fixes a bug that could cause an infinite loop and adds a command-line option, -v, that prints verbose information about domain registration referrals.