Sysinternals

Install SysInternals tools with Chocolatey

choco install -y sysinternals

Access newest executable with WebDAV

The newest sysinternal executables are hosted on live.sysinternals.com/Tools which can be accessed via WebDAV.

Thus, in PowerShell, it's possible to map a file system drive to that location:

new-psDrive -name S -psProvider fileSystem -root   '\\live.sysinternals.com\Tools'

After this mapping, the executables are found under the s: drive.

Download some interesting Sysinternal executables

The tools are downloaded into the $binPath directory (thus the variable must point to a valid directory, such as %UserProfile\bin.

In order to prevent Exception calling "DownloadFile" with "2" argument(s): "The underlying connection was closed: An unexpected error occurred on a send.", TLS1.2(?) needs to be enabled:

net.servicePointManager::securityProtocol = [net.securityProtocolType]::Tls12

Create a web client…

$ua = new-object system.net.webClient

… and download the files:

# $binPath = "$env:userprofile\bin"
$binPath = "$($env:homedrive)$($env:homepath)\bin" # Two backslashes?
$binPath = "$($env:homedrive)$($env:homepath)bin"

$ua.downloadFile("https://live.sysinternals.com/accesschk64.exe"     , "$binPath\accesschk64.exe"     )
$ua.downloadFile("https://live.sysinternals.com/AccessEnum.exe"      , "$binPath\AccessEnum.exe"      )
$ua.downloadFile("https://live.sysinternals.com/Autoruns64.exe"      , "$binPath\Autoruns64.exe"      )
$ua.downloadFile("https://live.sysinternals.com/Autoruns64.dll"      , "$binPath\Autoruns64.dll"      )
$ua.downloadFile("https://live.sysinternals.com/Bginfo64.exe"        , "$binPath\Bginfo64.exe"        )
$ua.downloadFile("https://live.sysinternals.com/Coreinfo.exe"        , "$binPath\Coreinfo.exe"        )
$ua.downloadFile("https://live.sysinternals.com/Diskmon.exe"         , "$binPath\Diskmon.exe"         )
$ua.downloadFile("https://live.sysinternals.com/handle64.exe"        , "$binPath\handle64.exe"        )
$ua.downloadFile("https://live.sysinternals.com/hex2dec64.exe"       , "$binPath\hex2dec64.exe"       )
$ua.downloadFile("https://live.sysinternals.com/Listdlls.exe"        , "$binPath\Listdlls.exe"        )
$ua.downloadFile("https://live.sysinternals.com/logonsessions64.exe" , "$binPath\logonsessions64.exe" )
$ua.downloadFile("https://live.sysinternals.com/ntfsinfo64.exe"      , "$binPath\ntfsinfo64.exe"      )
$ua.downloadFile("https://live.sysinternals.com/procexp64.exe"       , "$binPath\procexp64.exe"       )
$ua.downloadFile("https://live.sysinternals.com/Procmon64.exe"       , "$binPath\Procmon64.exe"       )
$ua.downloadFile("https://live.sysinternals.com/PsExec64.exe"        , "$binPath\PsExec64.exe"        )
$ua.downloadFile("https://live.sysinternals.com/PsGetsid64.exe"      , "$binPath\PsGetsid64.exe"      )
$ua.downloadFile("https://live.sysinternals.com/PsInfo64.exe"        , "$binPath\PsInfo64.exe"        )
$ua.downloadFile("https://live.sysinternals.com/pskill64.exe"        , "$binPath\pskill64.exe"        )
$ua.downloadFile("https://live.sysinternals.com/pslist64.exe"        , "$binPath\pslist64.exe"        )
$ua.downloadFile("https://live.sysinternals.com/pspasswd64.exe"      , "$binPath\pspasswd64.exe"      )
$ua.downloadFile("https://live.sysinternals.com/PsService64.exe"     , "$binPath\PsService64.exe"     )
$ua.downloadFile("https://live.sysinternals.com/RAMMap.exe"          , "$binPath\RAMMap.exe"          )
$ua.downloadFile("https://live.sysinternals.com/regjump.exe"         , "$binPath\regjump.exe"         )
$ua.downloadFile("https://live.sysinternals.com/RootkitRevealer.exe" , "$binPath\RootkitRevealer.exe" )
$ua.downloadFile("https://live.sysinternals.com/ShellRunas.exe"      , "$binPath\ShellRunas.exe"      )
$ua.downloadFile("https://live.sysinternals.com/strings.exe"         , "$binPath\strings.exe"         )
$ua.downloadFile("https://live.sysinternals.com/Tcpview.exe"         , "$binPath\Tcpview.exe"         )
$ua.downloadFile("https://live.sysinternals.com/Vmmap.exe"           , "$binPath\Vmmap.exe"           )
$ua.downloadFile("https://live.sysinternals.com/whois64.exe"         , "$binPath\whois64.exe"         )
$ua.downloadFile("https://live.sysinternals.com/Winobj.exe"          , "$binPath\Winobj.exe"          )
$ua.downloadFile("https://live.sysinternals.com/ZoomIt.exe"          , "$binPath\ZoomIt.exe"          )

Accept EULA

function accept-Sysinternals-eula {

    param (
      [string] $utilName
    )

    $regKey = "HKCU:\Software\Sysinternals\" + $utilName

    new-item         -path $regKey -force
    new-itemProperty -path $regKey -name "EulaAccepted" -propertyType DWord -value 1

}

TODO: The function accept-Sysinternals-eula is rather verbose when run.

accept-Sysinternals-eula 'AccessChk'
accept-Sysinternals-eula 'AutoRuns'
accept-Sysinternals-eula 'BGInfo'
accept-Sysinternals-eula 'Coreinfo'
accept-Sysinternals-eula 'Handle'
accept-Sysinternals-eula 'Hex2Dec'
accept-Sysinternals-eula 'ListDLLs'
accept-Sysinternals-eula 'LogonSessions'
accept-Sysinternals-eula 'NTFSInfo'
accept-Sysinternals-eula 'Process Explorer'
accept-Sysinternals-eula 'Process Monitor'
accept-Sysinternals-eula 'PsExec'
accept-Sysinternals-eula 'PsGetSid'
accept-Sysinternals-eula 'PsInfo'
accept-Sysinternals-eula 'PsKill'
accept-Sysinternals-eula 'PsList'
accept-Sysinternals-eula 'PsPasswd'
accept-Sysinternals-eula 'PsService'
accept-Sysinternals-eula 'Regjump'
accept-Sysinternals-eula 'RootkitRevealer'
accept-Sysinternals-eula 'Share Enum'
accept-Sysinternals-eula 'ShellRunas - Sysinternals:'
accept-Sysinternals-eula 'Strings'
accept-Sysinternals-eula 'VMMap'
accept-Sysinternals-eula 'Whois'
accept-Sysinternals-eula 'Winobj'
accept-Sysinternals-eula 'ZoomIt'

Source Code

The source code for the Sysinternals Tools used to be available, but is not anymore. There is a github repository that stored the source code before it was taken down: xcud/sysinternals-source.

That said, Microsoft provides the source code for Linux Ports of ProcDump and ProcMon.

TODO

AccessEnum, DiskMon, Process Monitor, Process Explorer, Handle …