Copyright © 1997-2004 Mark Russinovich
Last Updated: March 8, 2004

Table of Contents

This page presents a continuously growing collection of applets that fill holes in the functionality that NT comes with out of the box.

AdRestore v1.0: Restore tombstoned Active Directory objects in Server 2003 domains
Autologon v1.0: Configure WinNT/2K auto-logon properties
AutoRuns v2.03: Easily view autostart and startup programs configured on your system
ClockRes v1.0: View the resolution of the system clock, which is also the maximum timer resolution
DiskExt v1.0: See where volumes are located on hard disks
DiskView v2.0: See a graphical map of your disk volumes
EFSDump v1.02: Dump information about Win2K encrypted files
Hostname: Convert IP addresses to host names and vice versa
IsTrial v1.0: IsTrial's functionality has been integrated into PsInfo
Junction 1.02: Create NTFS directory junctions
LoadOrder v1.0: See the order in which devices are loaded on your WinNT/2K system
PsTools: A collection of command-line tools including PsUptime, PsLoggedOn, and more.
Streams v1.5: View NTFS file stream information
Strings v2.1: Search files for ASCII or UNICODE strings
Sync v2.2: Flush the WinNT/2K file system cache to disk
VolumeId v2.0: Change the volume IDs of hard drives and floppy disks

 

AdRestore v1.0

Server 2003 introduces the ability to restore deleted ("tombstoned") objects. This simple command-line utility enumerates the deleted objects in a domain and gives you the option of restoring each one. Source code, which is included, is based on sample code in the Microsoft Platform SDK.

Download AdRestore (15 KB)

Download AdRestore Source (32 KB)

 

Autologon

Windows NT/2K provides Registry settings that can be set so that a user is automatically logged in the next time the system would otherwise put up the logon dialog box. However, the Registry values are hidden very deep, and are a pain to configure. This program, Autologon, will do the Registry configuration for you, and allow you to enable and disable auto-logon when you want.

Autologon is easy enough to use. Just run autolog.exe, fill in the dialog, and hit Enable. To turn off auto-logon, hit Disable. If the DefaultPassword is NULL, autologon will only occur once and then be disabled. Also, if the shift key is held down before the system performs an autologon, the autologon will be disabled for that logon.

Download Autologon (8 KB)

Download Autologon Source (21 KB)

 

AutoRuns

This applet shows you what programs are configured to run during system bootup or login. These programs include ones in your startup folder, Run, RunOnce, and other Registry keys. You'll probably be surprised at how many executables are launched automatically. AutoRuns works on Windows 9x and Windows NT/2K. (The complete list of auto-run locations was obtained from David Solomon's "Windows 2000 Internals" seminar.)

Download AutoRuns (32 KB)

 

ClockRes

Ever wondered what the resolution of the system clock was, or perhaps the maximum timer resolution that your application could obtain? The answer lies in a simple function named GetSystemTimeAdjustment, and the ClockRes applet performs the function and shows you the result. See "Inside Windows NT High Resolution Timers" for information on increasing the resolution. ClockRes works on Windows NT/2K only, and does not take any command-line arguments.

Download ClockRes (12 KB)

 

DiskExt

DiskExt demonstrates the use of the IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS command that returns information about what disks the partitions of a volume are located on (multipartition disks can reside on multiple disks) and where on the disk the partitions are located.

Download DiskExt plus Source (20 KB)

 

DiskView

DiskView shows you a graphical map of your disk, allowing you to determine where a file is located or, by clicking on a cluster, seeing which file occupies it. Double-click to get more information about a file to which a cluster is allocated.

DiskView works on Windows NT 4, 2000, XP and Server 2003.

Download DiskView (61 KB)

 

EFSDump

Windows 2000 introduces the Encrypting File System (EFS) so that users can protect their sensitive data. Several new APIs make their debut to support this facility, including one - QueryUsersOnEncryptedFile - that lets you see who has access to encrypted files. This applet uses the API to show you what accounts are authorized to access encrypted files. Full source code is included.

Usage: efsdump [-s] <file or directory>

-s	Recurse subdirectories.


EFSDump takes wildcards e.g. 'efsdump *.txt'.

Download EFSDump (23 KB)

 

Hostname

Hostname is a very simple utility that takes either an IP address (e.g. 123.456.7.8), or a host name (e.g. ftp.ntinternals.com), and performs a translation into its inverse form. For example, if you pass Hostname an IP address, you'll get back a host name, and if you pass it a host name it will give you the corresponding IP address. It runs under Windows 95/98 and Windows NT/2K.

Usage: hostname [IP address, hostname]

Download hostname (11 KB)

 

Junction

Win2K's version of NTFS supports directory symbolic links, where a directory serves as a symbolic link to another directory on the computer. For example, if the directory D:\SYMLINK specified C:\WINNT\SYSTEM32 as its target, then an application accessing D:\SYMLINK\DRIVERS would in reality be accessing C:\WINNT\SYSTEM32\DRIVERS. Directory symbolic links are known as NTFS junctions in Win2K. Unfortunately, Win2K comes with no tools for creating junctions - you have to purchase the Win2K Resource Kit, which comes with the linkd program for creating junctions. I therefore decided to write my own junction-creating tool: Junction. Junction not only allows you to create NTFS junctions, it allows you to see if files or directories are actually reparse points. Reparse points are the mechanism on which NTFS junctions are based, and they are used by Win2K's Remote Storage Service (RSS), as well as volume mount points.

If you want to view reparse information, the usage for Junction is the following:

Usage: junction [-s] <directory or file name>

-s	Recurse subdirectories. 


If you want to create or delete a junction, use Junction like this:

Usage: junction [-d] <junction directory> [<junction target>]

To delete a junction specify the -d switch and the junction name.

Download Junction (16KB)

Download Junction Source (22 KB)

 

LoadOrder

This applet shows you the order that a Windows NT or Windows 2000 system loads device drivers. Note that on Windows 2000 plug-and-play drivers may actually load in a different order than the one calculated, because plug-and-play drivers are loaded on demand during device detection and enumeration.

Download LoadOrder (16 KB)

 

Streams

The NTFS file system provides applications the ability to create alternate data streams of information. By default, all data is stored in a file's main unnamed data stream, but by using the syntax "file:stream", you are able to read and write to alternates. Not all applications are written to access alternate streams, but you can demonstrate streams very simply. First, change to a directory on an NTFS drive from within a command prompt. Next, type "echo hello > test:stream". You've just created a stream named 'stream' that is associated with the file 'test'. Note that when you look at the size of test it is reported as 0, and the file looks empty when opened in any text editor. To see your stream enter "more < test:stream" (the type command doesn't accept stream syntax so you have to use more).

NT does not come with any tools that let you see which NTFS files have streams associated with them, so I've written one myself. Streams will examine the files and directories (note that directories can also have alternate data streams) you specify and inform you of the name and sizes of any named streams it encounters within those files. Streams makes use of an undocumented native function for retrieving file stream information. Full source code is included.

Usage: streams [-s] [-d] <file or directory>

-s	Recurse subdirectories. 

-d Delete streams.

Streams takes wildcards e.g. 'streams *.txt'.

Download Streams (19 KB)

 

Strings

Working on NT and Win2K means that executables and object files will many times have embedded UNICODE strings that you cannot easily see with standard ASCII strings or grep programs. So we decided to roll our own. Strings just scans the file you pass it for UNICODE (or ASCII) strings of a default length of 3 or more UNICODE (or ASCII) characters. Note that it works under Windows 95 as well.

Usage: strings [-s] [-a] [-u] [-n X] <file or directory>

Strings takes wild-card expressions for file names, and additional command line parameters are defined as follows:

-s	Recurse subdirectories. 


-a	Scan for ASCII only 


-u	Scan for UNICODE only 


-n X  Strings must be a minimum of X characters in length.


To search one or more files for the presence of a particular string using strings use a command like this:

strings * | findstr /i TextToSearchFor
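The two scans described above can be sketched as follows. This is an added example, not the Strings source code: the function names and the sample buffer are constructed for illustration, "printable" is assumed to mean bytes 0x20-0x7E, and the UNICODE pass only recognizes UTF-16LE code units whose high byte is zero. It shows why a byte-oriented scan misses the UNICODE string: each of its characters is separated by a zero byte, so no ASCII run reaches the minimum length.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: header bytes, one ASCII string, one UTF-16LE string. */
static const unsigned char sample[] = {
    0x4D, 0x5A, 0x90, 0x00,
    'k','e','r','n','e','l','3','2','.','d','l','l', 0x00, 0x01,
    'C',0, ':',0, '\\',0, 'T',0, 'e',0, 'm',0, 'p',0, 0xFF, 0xFE,
    'a','b', 0x00
};

static int printable(unsigned char c) { return c >= 0x20 && c <= 0x7E; }

/* Print one hit: offset, A or U, then the characters (step 1 or 2 bytes). */
static void emit(const unsigned char *b, size_t off, size_t n, size_t step)
{
    printf("%06zx %c ", off, step == 2 ? 'U' : 'A');
    for (size_t k = 0; k < n; k++) putchar(b[off + k * step]);
    putchar('\n');
}

/* Find runs of at least min_len printable characters. wide=0: one byte per
   character; wide=1: UTF-16LE code units whose high byte is zero. Returns the
   number of strings found and stores the offset of the first one in *first. */
size_t scan_strings(const unsigned char *b, size_t len, size_t min_len,
                    int wide, size_t *first, int print)
{
    size_t step = wide ? 2 : 1, count = 0, i = 0;
    while (i + step <= len) {
        size_t start = i, run = 0;
        while (i + step <= len && printable(b[i]) && (!wide || b[i + 1] == 0)) {
            run++;
            i += step;
        }
        if (run >= min_len) {
            if (count++ == 0 && first) *first = start;
            if (print) emit(b, start, run, step);
        }
        if (run == 0) i++;   /* step one byte so odd-aligned UTF-16 is found */
    }
    return count;
}

int main(void)
{
    scan_strings(sample, sizeof sample, 3, 0, NULL, 1);  /* ASCII pass, like -a */
    scan_strings(sample, sizeof sample, 3, 1, NULL, 1);  /* UNICODE pass, like -u */
    return 0;
}
```

Lowering the minimum length raises the noise quickly: with a minimum of 2 the ASCII pass also reports the two-byte header and trailer fragments in the sample.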

Download strings (14 KB)

 

Sync

UNIX provides a standard utility called Sync, which can be used to direct the operating system to flush all file system data to disk in order to ensure that it is stable and won't be lost in case of a system failure. Otherwise, any modified data present in the cache would be lost. Here is an equivalent that I wrote, called Sync, that works on both Windows NT/2K and Windows 95/98. Use it whenever you want to know that modified file data is safely stored on your hard drives. Unfortunately, Sync requires administrative privileges to run. This version also lets you flush removable drives such as ZIP drives.

Usage: sync [-r] [-e] [drive letter list]

-r	Flush removable drives. 


-e	Ejects removable drives. 


Specifying specific drives (e.g. "c e") will result in Sync only flushing those drives.

Download Sync (18 KB)

Download Sync for Compaq Alpha (39 KB)

 

VolumeID

While WinNT/2K and Windows 9x's built-in Label utility lets you change the labels of disk volumes, it does not provide any means for changing volume ids. This utility, VolumeID, allows you to change the ids of FAT and NTFS disks (floppies or hard drives) on both Windows NT/2K and Windows 9x.

Usage: volumeid <driveletter:> xxxx-xxxx

This is a command-line program that you must run from a command-prompt window.

Note that changes on NTFS volumes won't be visible until the next reboot. In addition, you should shut down any applications you have running before changing a volume id. NT may become confused and think that the media (disk) has changed after a FAT volume id has changed and pop up messages indicating that you should reinsert the original disk (!). It may then fail the disk requests of applications using those drives.

Download VolumeID (15 KB)


