From a4286a0d569e6310bf4c6bf4f0cc1cf51a8502e8 Mon Sep 17 00:00:00 2001 From: Blake-Madden <66873089+Blake-Madden@users.noreply.github.com> Date: Mon, 5 Feb 2024 06:05:50 -0500 Subject: [PATCH 1/4] Fix a few typos (#758) Co-authored-by: Alex Mihaiuc <69110671+foxmsft@users.noreply.github.com> --- sysinternals/downloads/cacheset.md | 2 +- sysinternals/downloads/pendmoves.md | 2 +- sysinternals/downloads/psfile.md | 2 +- sysinternals/downloads/psinfo.md | 2 +- sysinternals/downloads/rootkit-revealer.md | 4 ++-- sysinternals/resources/archive/v01n02.md | 2 +- sysinternals/resources/archive/v01n05.md | 2 +- sysinternals/resources/archive/v02n01.md | 2 +- sysinternals/resources/archive/v02n02.md | 2 +- sysinternals/resources/archive/v02n03.md | 2 +- sysinternals/resources/archive/v03n01.md | 4 ++-- sysinternals/resources/archive/v03n02.md | 2 +- sysinternals/resources/archive/v04n01.md | 2 +- sysinternals/resources/archive/v04n02.md | 2 +- sysinternals/resources/archive/v05n02.md | 2 +- sysinternals/resources/archive/v07n01.md | 4 ++-- sysinternals/resources/archive/v08n01.md | 2 +- sysinternals/resources/archive/v08n04procmon.md | 2 +- sysinternals/resources/inside-native-applications.md | 4 ++-- 19 files changed, 23 insertions(+), 23 deletions(-) diff --git a/sysinternals/downloads/cacheset.md b/sysinternals/downloads/cacheset.md index 4b30bd94..5038069d 100644 --- a/sysinternals/downloads/cacheset.md +++ b/sysinternals/downloads/cacheset.md @@ -56,7 +56,7 @@ You may notice that the Cache's size changes immediately and then proceeds to shrink or grow quickly. This is because the system automatically trims working sets once a second. The Cache pages that are released are still in memory, but can be relinquished quickly for use by -other programs that need more memory. Similarly, the Cache can eaily +other programs that need more memory. Similarly, the Cache can easily regain pages as applications access file system data. **Resetting Previous Values** 
diff --git a/sysinternals/downloads/pendmoves.md b/sysinternals/downloads/pendmoves.md index f95102d6..3cc4e8ab 100644 --- a/sysinternals/downloads/pendmoves.md +++ b/sysinternals/downloads/pendmoves.md @@ -37,7 +37,7 @@ Target: DELETE ## MoveFile usage -The included MoveFile utililty allows you to schedule move and delete commands for the next reboot: +The included MoveFile utility allows you to schedule move and delete commands for the next reboot: **usage: movefile [source] [dest]** Specifying an empty destination ("") deletes the source at boot. An example that deletes test.exe is: diff --git a/sysinternals/downloads/psfile.md b/sysinternals/downloads/psfile.md index ce9d25d8..d9609c2e 100644 --- a/sysinternals/downloads/psfile.md +++ b/sysinternals/downloads/psfile.md @@ -44,7 +44,7 @@ system that are open by remote systems. Typing a command followed by "- | **-p** | Specifies password for user name. If this is omitted, you will be prompted to enter the password without it being echoed to the screen.| | **Id** | Identifier (as assigned by PsFile) of the file for which to display information or to close.| | **Path** | Full or partial path of files to match for information display or close.| -| **-c** | Closes the files identifed by ID or path.| +| **-c** | Closes the files identified by ID or path.| ## How it Works diff --git a/sysinternals/downloads/psinfo.md b/sysinternals/downloads/psinfo.md index 22f541ab..4fd81efb 100644 --- a/sysinternals/downloads/psinfo.md +++ b/sysinternals/downloads/psinfo.md @@ -21,7 +21,7 @@ Published: March 30, 2023 local or remote Windows NT/2000 system, including the type of installation, kernel build, registered organization and owner, number of processors and their type, amount of physical memory, the install date -of the system, and if its a trial version, the expiration date. +of the system, and if it's a trial version, the expiration date. ## Installation 
diff --git a/sysinternals/downloads/rootkit-revealer.md b/sysinternals/downloads/rootkit-revealer.md index e916eae1..9eee8f0f 100644 --- a/sysinternals/downloads/rootkit-revealer.md +++ b/sysinternals/downloads/rootkit-revealer.md @@ -116,7 +116,7 @@ control any aspect of a system's behavior so information returned by any API, including the raw reads of Registry hive and file system data performed by RootkitRevealer, can be compromised. While comparing an on-line scan of a system and an off-line scan from a secure environment -such as a boot into an CD-based operating system installation is more +such as a boot into a CD-based operating system installation is more reliable, rootkits can target such tools to evade detection by even them. @@ -288,7 +288,7 @@ This discrepancy will occur if a Registry value is updated while the Registry scan is in progress. Values that change frequently include timestamps such as the Microsoft SQL Server uptime value, shown below, and virus scanner "last scan" values. You should investigate any -reported value to ensure that its a valid application or system Registry +reported value to ensure that it's a valid application or system Registry value. HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL diff --git a/sysinternals/resources/archive/v01n02.md b/sysinternals/resources/archive/v01n02.md index 9397beb2..0dd58a3e 100644 --- a/sysinternals/resources/archive/v01n02.md +++ b/sysinternals/resources/archive/v01n02.md 
@@ -151,7 +151,7 @@ Windows 2000 uses a new type of spinlock called a "queued spinlock" for its glob - `CcMasterSpinLock`: the Cache Manager's global spinlock - `CcVacbSpinLock`: the Cache Manager's mapping-array lock -On a uniprocessor queued spinlocks work exactly like normal spinlocks. On the multiprocessor build of NT, however, queued spinlocks are significantly different. Like standard spinlocks, queued spinlocks are implemented in the HAL. Tthe kernel calls the HAL function `KeAcquireQueuedSpinlock` to acquire a queued spinlock, and it invokes `KeReleaseQueuedSpinlock` to release a queued spinlock. `KeAcquireSpinlock` and `KeReleaseSpinlock`, the HAL functions the kernel uses to acquire and release standard spinlocks, require the address of the specified spinlock as a parameter. By contrast, the queued spinlock functions take the index number of a global spinlock. The kernel initializes the global spinlocks in an array, where each spinlock has a predefined index number that the kernel uses to identify them to the HAL. Thus, queued spinlocks cannot be defined and used by device drivers, since there is no way of augmenting the global queued spinlock array. +On a uniprocessor queued spinlocks work exactly like normal spinlocks. On the multiprocessor build of NT, however, queued spinlocks are significantly different. Like standard spinlocks, queued spinlocks are implemented in the HAL. The kernel calls the HAL function `KeAcquireQueuedSpinlock` to acquire a queued spinlock, and it invokes `KeReleaseQueuedSpinlock` to release a queued spinlock. `KeAcquireSpinlock` and `KeReleaseSpinlock`, the HAL functions the kernel uses to acquire and release standard spinlocks, require the address of the specified spinlock as a parameter. By contrast, the queued spinlock functions take the index number of a global spinlock. The kernel initializes the global spinlocks in an array, where each spinlock has a predefined index number that the kernel uses to identify them to the HAL. 
Thus, queued spinlocks cannot be defined and used by device drivers, since there is no way of augmenting the global queued spinlock array. In Windows 2000, each processor control region (PCR) in an SMP (there is one PCR for each processor) has an array with as many entries in it as there are queued spinlocks. Each array entry contains two fields: a pointer to the queued spinlock it corresponds to (the "spinlock" field), and "queue" field. In the following description, when I refer to the spinlock and queue fields, I'm talking about the fields associated with the array entry for the spinlock that is being acquired or released. diff --git a/sysinternals/resources/archive/v01n05.md b/sysinternals/resources/archive/v01n05.md index e1bccd96..9a24aafb 100644 --- a/sysinternals/resources/archive/v01n05.md +++ b/sysinternals/resources/archive/v01n05.md 
@@ -140,7 +140,7 @@ As of the beginning of August, on-line versions of Windows NT Magazine articles WinObj is a powerful tool for exploring the Windows NT/2K Object namespace. The Object namespace is one of three namespaces in NT/2K: the Object namespace, the Registry namespace, and the filesystem namespace. You get to the Registry and filesystem namespaces via objects in the Object namespace. For example, when a Win32 program opens the Registry key `HKEY_LOCAL_MACHINE\Software\Microsoft` the ADVAPI32.DLL library transforms the name to `\Registry\Machine\Software\Microsoft` before calling the kernel service `NtCreateKey`. If you look at the root of the Object namespace in WinObj you'll see an object of type "key" named Registry. The Registry name matches the first component of the key name and so the NT/2K Object Manager passes the rest of the name, `\Machine\Software\Microsoft`, to the subsystem that defines the key object. The Configuration Manager kernel subsystem maintains the Registry and key objects, so it parses the rest of the name to locate the desired key. -You can explore the Object namespace and view or set object security properties using WinObj. Download Winobj at http://www.sysinternals.com/winobj.htm. I discuss the Object Manager namespace and WinObj in my October 1997 NT Internals column, "Inside the Object Manager". Follow a link to the on-line version of the colum at http://www.sysinternals.com/publ.htm. +You can explore the Object namespace and view or set object security properties using WinObj. Download Winobj at http://www.sysinternals.com/winobj.htm. I discuss the Object Manager namespace and WinObj in my October 1997 NT Internals column, "Inside the Object Manager". Follow a link to the on-line version of the column at http://www.sysinternals.com/publ.htm. ## INTERNALS NEWS diff --git a/sysinternals/resources/archive/v02n01.md b/sysinternals/resources/archive/v02n01.md index 34ce1952..383b129a 100644 
--- a/sysinternals/resources/archive/v02n01.md +++ b/sysinternals/resources/archive/v02n01.md 
@@ -136,7 +136,7 @@ Filemon passed all the stress tests without incident except one. Since Filemon Fortunately, Filemon's crash occurred in the last session of the plugfest so I had minimal embarrassment, and since the testing found at least one serious bug or interoperability issue in every product present I was not alone. Filemon v4.26 is the version that corrects the bug discovered at the plugfest. -Even before I attended the plugfest I found a bug in Filemon that might of interest to NT device and file system driver developers. I recently modified Filemon to use the poorly documented Executive Resource (E-Resource) synchronization mechanism. Microsoft's file system drivers use E-Resources extensively so I thought that it would be educational to include their use in Filemon's source code. E-Resources must be acquired by threads that have APCs (Asynchronous Procedure Calls) disabled. You just have to "know" this because the DDK docs don't tell you. Unfortunately, in the haste of implementation I omitted required calls to functions that disable and re-enable APCs around Filemon's E-Resource acquisitions. This bug only causes problems in very rare circumstances so I didn't detect it until Win2K's Driver Verifier caught it for me. To fix the problem I added a call to KeEnterCriticalSection before acquiring an E-Resource and KeLeaveCriticalSection after releasing an E-Resource. +Even before I attended the plugfest, I found a bug in Filemon that might be of interest to NT device and file system driver developers. I recently modified Filemon to use the poorly documented Executive Resource (E-Resource) synchronization mechanism. Microsoft's file system drivers use E-Resources extensively so I thought that it would be educational to include their use in Filemon's source code. E-Resources must be acquired by threads that have APCs (Asynchronous Procedure Calls) disabled. You just have to "know" this because the DDK docs don't tell you. 
Unfortunately, in the haste of implementation I omitted required calls to functions that disable and re-enable APCs around Filemon's E-Resource acquisitions. This bug only causes problems in very rare circumstances so I didn't detect it until Win2K's Driver Verifier caught it for me. To fix the problem I added a call to KeEnterCriticalSection before acquiring an E-Resource and KeLeaveCriticalSection after releasing an E-Resource. Download Filemon v4.26 at http://www.sysinternals.com/filemon.htm. diff --git a/sysinternals/resources/archive/v02n02.md b/sysinternals/resources/archive/v02n02.md index fdcf2e76..47bb2926 100644 --- a/sysinternals/resources/archive/v02n02.md +++ b/sysinternals/resources/archive/v02n02.md 
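Review bot: In the v02n01.md hunk above, the rewritten line still names `KeEnterCriticalSection` and `KeLeaveCriticalSection`, which are not the kernel routines that disable and re-enable normal kernel APCs; those are `KeEnterCriticalRegion` and `KeLeaveCriticalRegion`. Since the line is being rewritten anyway, decide whether to correct the names (this is a newsletter archive, so a bracketed editorial correction is arguably better than silently changing the original text) or at least flag the discrepancy in the PR so nobody copies the names as a verified API.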
@@ -112,7 +112,7 @@ Learn about the duplicate SID problem at http://www.sysinternals.com/new In addition to displaying the names of processes performing file or Registry activity, these updates to Regmon and Filemon show you process identifiers as well. This enhancement helps you to distinguish file and Registry accesses between multiple processes having the same name. -Another enhancement present in these versions enables you to run Regmon and Filemon from remote Win2K terminal services sessions (as opposed to the console). The applications achieve this support because their GUIs check the operating system version number, and if running on Win2K, specify the "`\\.\Global\`" prefix to the name they use in their call to CreateFile when they open the device object of their driver component. In a terminal services environment the names device drivers assign to their objects are stored in the global (console) namespace, a namepsace that is by default not visible in remote sessions. Remote sessions each have a local namespace. The "Global" prefix indicates to the Win2K object manager that the object manager should perform name lookups in the global namespace, rather than the namespace of the session where the lookup originates. +Another enhancement present in these versions enables you to run Regmon and Filemon from remote Win2K terminal services sessions (as opposed to the console). The applications achieve this support because their GUIs check the operating system version number, and if running on Win2K, specify the "`\\.\Global\`" prefix to the name they use in their call to CreateFile when they open the device object of their driver component. In a terminal services environment the names device drivers assign to their objects are stored in the global (console) namespace, a namespace that is by default not visible in remote sessions. Remote sessions each have a local namespace. 
The "Global" prefix indicates to the Win2K object manager that the object manager should perform name lookups in the global namespace, rather than the namespace of the session where the lookup originates. Download Regmon v4.24 at http://www.sysinternals.com/regmon.htm. Download Filemon v4.28 at http://www.sysinternals.com/filemon.htm. diff --git a/sysinternals/resources/archive/v02n03.md b/sysinternals/resources/archive/v02n03.md index 827f160d..82971935 100644 --- a/sysinternals/resources/archive/v02n03.md +++ b/sysinternals/resources/archive/v02n03.md 
@@ -169,7 +169,7 @@ Windows 2000 introduces a new DDK function, `ExSetTimerResolution`, that drivers ### SAFE SYSTEM MEMORY MAPPING -While we're on the topic of new Windows 2000 kernel functions for driver developers, it's worth mentioning `MmGetSystemAddressForMdlSafe`. In previous versions of Windows NT a driver developer that wanted to obtain an system address space pointer for a user's buffer or piece of physical memory had to pass an MDL (Memory Descriptor List) that described the physical buffer to `MmGetSystemAddressForMdl`. +While we're on the topic of new Windows 2000 kernel functions for driver developers, it's worth mentioning `MmGetSystemAddressForMdlSafe`. In previous versions of Windows NT a driver developer that wanted to obtain a system address space pointer for a user's buffer or piece of physical memory had to pass an MDL (Memory Descriptor List) that described the physical buffer to `MmGetSystemAddressForMdl`. Creating a virtual mapping in the system's address space uses resource called a System Page Table Entries (System PTEs), where one System PTE is required for every physical page that is mapped. Unfortunately, System PTEs are limited resources and can run out if drivers are mapping large amounts of memory. What happens when `MmGetSystemAddressForMdl` can't get the System PTEs it requires? You'd think it would do something helpful like return a `NULL` as the mapped virtual address. But nooooo, it gives up and blue screens the system. Behavior like that reflects badly on the driver making the request. diff --git a/sysinternals/resources/archive/v03n01.md b/sysinternals/resources/archive/v03n01.md index 27c16b75..26e8ff2a 100644 --- a/sysinternals/resources/archive/v03n01.md +++ b/sysinternals/resources/archive/v03n01.md 
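Review bot: The v02n03.md hunk fixes "an system" but leaves a grammar error on the very next context line: "uses resource called a System Page Table Entries (System PTEs)" should read "uses a resource called System Page Table Entries (System PTEs)". Worth folding into the same typo pass while the file is open.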
@@ -111,7 +111,7 @@ If you've been following Sysinternals updates, then you'll note that HandleEx ha Perhaps the most useful features for developers, however, are "refresh highlighting" and relocated-DLL highlighting. Refresh highlighting refers to HandleEx's behavior when you refresh the view. New items, including processes, handles, or loaded DLLs, that weren't present before the refresh are highlighted in green, whereas items that no longer exist are highlighted in red. Besides visually tipping you off to changes, this lets you vividly see handle leaks in progress, where newly opened handles show up in green after a refresh. -HandleEx relocated-DLL highlighting is related to DLL relocation, a the term that describes the behavior of the module loader in Windows where it can't honor the preferred "base address" developers specify when they build a DLL. The code that a linker (the tool used for the final phase of DLL or EXE building) produces for a DLL has intra-DLL memory references set with the assumption that the loader will honor the DLL's base address. The range of memory in the process loading a DLL that starts at the base address and accommodates the size of the loaded DLL image must be free for the DLL to load at its preferred base address. When the base address is honored for several processes, memory-usage efficiency is achieved because all the processes share the same DLL code memory. +HandleEx relocated-DLL highlighting is related to DLL relocation, the term that describes the behavior of the module loader in Windows where it can't honor the preferred "base address" developers specify when they build a DLL. The code that a linker (the tool used for the final phase of DLL or EXE building) produces for a DLL has intra-DLL memory references set with the assumption that the loader will honor the DLL's base address. 
The range of memory in the process loading a DLL that starts at the base address and accommodates the size of the loaded DLL image must be free for the DLL to load at its preferred base address. When the base address is honored for several processes, memory-usage efficiency is achieved because all the processes share the same DLL code memory. When the loader cannot honor a DLL's base address, for instance when another is already using the desired address range, the loader must perform "relocation", which involves updating all the intra-DLL memory references to reflect the DLL's actual load address. Besides slowing the load time of the process (usually imperceptibly), the relocated DLL image cannot be shared with other processes that have the DLL loaded at the preferred base address. This means that you effectively get a second copy of the DLL consuming memory. 
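Review bot: In the v03n01.md hunk above, the unchanged context line "for instance when another is already using the desired address range" is missing its noun; "when another DLL is already using the desired address range" reads correctly and is in scope for a typo sweep of this file.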
@@ -224,7 +224,7 @@ IopCallDriverAddDevice: Routine returned 00000000 Those of you that have followed Sysinternals know that I don't have access to any Windows source code (other than for the driver sources that ship in the DDK), and that I learn the intricacies of its implementation through laborious use of SoftICE and my own custom disassembler. -I've come across a an article, "Reverse Engineering: Necessary Function or Illegal Activity?" (http://www.planetit.com/techcenters/docs/security/news/PIT20010123S0001), that describes a January ruling by the 9th U.S. Circuit Court of Appeals in a case between Sony and Connectix that will interest those of you that do likewise. Sony brought the case against Connectix after Connectix developed its "Virtual Game Station", a program that lets you run Sony PlayStation games on a PC, and the court ruled that Connectix was within the law when it reverse engineered the PlayStation (through disassembly) so as to allow them to develop their emulator. +I've come across an article, "Reverse Engineering: Necessary Function or Illegal Activity?" (http://www.planetit.com/techcenters/docs/security/news/PIT20010123S0001), that describes a January ruling by the 9th U.S. Circuit Court of Appeals in a case between Sony and Connectix that will interest those of you that do likewise. Sony brought the case against Connectix after Connectix developed its "Virtual Game Station", a program that lets you run Sony PlayStation games on a PC, and the court ruled that Connectix was within the law when it reverse engineered the PlayStation (through disassembly) so as to allow them to develop their emulator. While the scope of the legality of reverse engineering, especially considering shrink-wrap licenses that prohibit it, is still vague, this case comes down on the side of reverse engineering. diff --git a/sysinternals/resources/archive/v03n02.md b/sysinternals/resources/archive/v03n02.md index 83c2f33b..2b9bc71a 100644 
--- a/sysinternals/resources/archive/v03n02.md +++ b/sysinternals/resources/archive/v03n02.md @@ -195,7 +195,7 @@ Bowing to pressure from systems administrators, Microsoft has finally released a If you missed Microsoft's annual Windows Hardware Engineering Conference (WINHEC) you can still view the slides from many of the presentations. Visit http://www.microsoft.com/winhec/sessions/driver.htm for a list of sessions, descriptions and accompanying links to Power Point decks. Presentations of general interest are ones on driver debugging techniques, filter drivers, and NDIS miniport and intermediate drivers. -### NEW FILE SYTEM FILTER DRIVER INTERFACES IN XP +### NEW FILE SYSTEM FILTER DRIVER INTERFACES IN XP If you have a real-time file mirroring, on-access virus checking, or hierarchical storage management product that's based on a file system filter driver then you'll want to make sure that your abreast of the changes Microsoft has introduced in Windows XP that affect you. diff --git a/sysinternals/resources/archive/v04n01.md b/sysinternals/resources/archive/v04n01.md index 6b70c89f..7eb323ab 100644 --- a/sysinternals/resources/archive/v04n01.md +++ b/sysinternals/resources/archive/v04n01.md @@ -322,7 +322,7 @@ particular file opened. Past versions of Process Explorer has worked on both Windows 9x and NT/2K/XP systems, but only with version 5.2 does Process Explorer show process CPU usage information for Windows 9x systems. Another -enhancement enhancement for v5.2 helps track down leaks on Windows XP +enhancement for v5.2 helps track down leaks on Windows XP and 2000 systems by reporting the number of GDI and USER handles (handles to Win32 GUI resources) that a process has opened in the process properties dialog. Contrary to popular belief, even on Windows diff --git a/sysinternals/resources/archive/v04n02.md b/sysinternals/resources/archive/v04n02.md index 6e020ef6..322192b4 100644 --- a/sysinternals/resources/archive/v04n02.md 
+++ b/sysinternals/resources/archive/v04n02.md @@ -275,7 +275,7 @@ component must at least have the driver ported to 64-bits. The first utility I ported was Filemon. Filemon's port was relatively simple because all it required was changing the driver and GUI source to -conform to 64-bit data type rules and then recompiling. I decribed the +conform to 64-bit data type rules and then recompiling. I described the porting process in the last newsletter. Regmon's port included the same data type issues, but included other issues that made it much more difficult to port. diff --git a/sysinternals/resources/archive/v05n02.md b/sysinternals/resources/archive/v05n02.md index 282c6bab..a900c841 100644 --- a/sysinternals/resources/archive/v05n02.md +++ b/sysinternals/resources/archive/v05n02.md @@ -398,7 +398,7 @@ change in future versions of Windows, use the alternate functions listed below." In fact, some of the uses show in the documentation are totally useless. For -instance, the desription of the API's `SYSTEM_PERFORMANCE_INFORMATION` variant +instance, the description of the API's `SYSTEM_PERFORMANCE_INFORMATION` variant states that you get back a data structure that, instead of being able use the same way Windows uses it, you should treat as a random layout of bytes and that you might use as a random number. It then goes on to say that you diff --git a/sysinternals/resources/archive/v07n01.md b/sysinternals/resources/archive/v07n01.md index 4bc5ea4f..c62d05b2 100644 --- a/sysinternals/resources/archive/v07n01.md +++ b/sysinternals/resources/archive/v07n01.md 
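Review bot: Three hunks in this range each fix one typo but leave another on an adjacent, unchanged context line. In v03n02.md, "make sure that your abreast of the changes" should be "you're abreast"; in v04n01.md, "Past versions of Process Explorer has worked" should be "have worked"; in v05n02.md, "some of the uses show in the documentation" should be "shown", and "instead of being able use the same way Windows uses it" should be "able to use it". Since the PR is a typo sweep of exactly these files, picking these up keeps the pass complete.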
@@ -260,9 +260,9 @@ PsExec: http://www.winnetmag.com/Windows/Issues/IssueID/714/Index.html ### MARK IS A MICROSOFT MVP -The Platform SDK Microsoft Most Valuable Professional (MVP) lead has named me a +The Platform SDK Microsoft Most Valuable Professional (MVP) lead has named me an MVP for 2005. I'm grateful to him and Microsoft for -this official acknowledgement of the contributions I've made to Microsoft +this official acknowledgment of the contributions I've made to Microsoft customers with Sysinternals. ### NOVEMBER STATISTICS diff --git a/sysinternals/resources/archive/v08n01.md b/sysinternals/resources/archive/v08n01.md index b3254b48..399993b8 100644 --- a/sysinternals/resources/archive/v08n01.md +++ b/sysinternals/resources/archive/v08n01.md @@ -197,7 +197,7 @@ single binary. ## LICENSING UPDATE We get asked often what the rules are for our freeware tools. We've -started to put a End User License Agreement popup that is displayed +started to put an End User License Agreement popup that is displayed the first time you run a tool - the text reads as follows: "You are allowed to use software published on this Web site at home diff --git a/sysinternals/resources/archive/v08n04procmon.md b/sysinternals/resources/archive/v08n04procmon.md index f2652873..2da57ee7 100644 --- a/sysinternals/resources/archive/v08n04procmon.md +++ b/sysinternals/resources/archive/v08n04procmon.md @@ -46,7 +46,7 @@ Thanks for all the feedback and help finding issues with this new site! Here's w - Add a link to the Sysinternals home from the home page logo - Fix invalid reference on 'Information' page - Fix invalid reference in Networking Utilities page -- Make 'Download....' links more noticable +- Make 'Download....' links more noticeable - Stop links on the left nav bar from creating a new browser window Published Wednesday, November 08, 2006 3:28 PM by ottoh 
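Review bot: In the v07n01.md hunk, "acknowledgement" is a standard British spelling rather than a typo, so the change to "acknowledgment" is a style normalisation, not a correction. That is fine if these docs consistently use U.S. spelling, but say so in the PR description so the change is not later reverted as a mistaken "fix".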
diff --git a/sysinternals/resources/inside-native-applications.md b/sysinternals/resources/inside-native-applications.md index 3fd5c3e3..26d6c417 100644 --- a/sysinternals/resources/inside-native-applications.md +++ b/sysinternals/resources/inside-native-applications.md 
@@ -13,7 +13,7 @@ Published: November 1, 2006 If you have some familiarity with NT's architecture you are probably aware that the API that Win32 applications use isn't the "real" NT API. NT's operating environments, which include POSIX, OS/2 and Win32, talk to their client applications via their own APIs, but talk to NT using the NT "native" API. The native API is mostly undocumented, with only about 25 of its 250 functions described in the Windows NT Device Driver Kit. -What most people don't know, however, is that "native" applications exist on NT that are not clients of any of the operating environments. These programs speak the native NT API and can't use operating environment APIs like Win32. Why would such programs be needed" Any program that must run before the Win32 subsystem is started (around the time the logon box appears) must be a native application. The most visible example of a native application is the "autochk" program that runs chkdsk during the initialization Blue Screen (its the program that prints the "."'s on the screen). Naturally, the Win32 operating environment server, CSRSS.EXE (Client-Server Runtime Subsystem), must also be a native application. +What most people don't know, however, is that "native" applications exist on NT that are not clients of any of the operating environments. These programs speak the native NT API and can't use operating environment APIs like Win32. Why would such programs be needed" Any program that must run before the Win32 subsystem is started (around the time the logon box appears) must be a native application. The most visible example of a native application is the "autochk" program that runs chkdsk during the initialization Blue Screen (it's the program that prints the "."'s on the screen). Naturally, the Win32 operating environment server, CSRSS.EXE (Client-Server Runtime Subsystem), must also be a native application. In this article I'm going to describe how native applications are built and how they work. 
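Review bot: The rewritten line in this hunk still contains `Why would such programs be needed"` with a stray double quote where the question mark belongs. Since the line is already being changed for "its" to "it's", fix the punctuation in the same edit ("needed?").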
@@ -29,7 +29,7 @@ Autocheck Autochk * ## Building Native Applications -Microsoft doesn't document it, but the NT DDK Build utility knows how to make native applications (and its probably used to compile *Autochk*). You specify information in a SOURCES file that defines the application, the same as would be done for device drivers. However, instead of indicating to Build that you want a driver, you tell it you want a native applicationin the SOURCES file like this: +Microsoft doesn't document it, but the NT DDK Build utility knows how to make native applications (and its probably used to compile *Autochk*). You specify information in a SOURCES file that defines the application, the same as would be done for device drivers. However, instead of indicating to Build that you want a driver, you tell it you want a native application in the SOURCES file like this: ```Shell TARGETTYPE=PROGRAM From 97e31f44dcffc4f32fd955c6bf138fdbca737402 Mon Sep 17 00:00:00 2001 From: Wes <5124946+wesinator@users.noreply.github.com> Date: Mon, 5 Feb 2024 06:08:24 -0500 Subject: [PATCH 2/4] tcpview - remove old info (#771) Co-authored-by: Alex Mihaiuc <69110671+foxmsft@users.noreply.github.com> --- sysinternals/downloads/tcpview.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/sysinternals/downloads/tcpview.md b/sysinternals/downloads/tcpview.md index f87bea2e..a31bf62b 100644 --- a/sysinternals/downloads/tcpview.md +++ b/sysinternals/downloads/tcpview.md 
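Review bot: In the second inside-native-applications.md hunk above (the Build utility paragraph), the rewritten line fixes "applicationin" but keeps "its probably used to compile *Autochk*", the same "its"/"it's" error the previous hunk corrects; change it to "it's probably used" in the same edit.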
@@ -21,9 +21,8 @@ Published: April 11, 2023 TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote -addresses and state of TCP connections. On Windows Server 2008, Vista, -and XP, TCPView also reports the name of the process that owns the -endpoint. TCPView provides a more informative and conveniently presented +addresses and state of TCP connections. TCPView also reports the name of the process +that owns the endpoint. TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality. From 75b769fcf088316bb4849741413bf708c4912cd5 Mon Sep 17 00:00:00 2001 From: Alex Mihaiuc <69110671+foxmsft@users.noreply.github.com> Date: Tue, 6 Feb 2024 22:03:45 +0100 Subject: [PATCH 3/4] Add content for February 2024 update (#772) --- sysinternals/downloads/autoruns.md | 6 ++--- sysinternals/downloads/index.md | 6 ++--- sysinternals/downloads/microsoft-store.md | 6 ++--- sysinternals/downloads/sysinternals-suite.md | 8 +++---- sysinternals/downloads/zoomit.md | 13 ++++++----- sysinternals/index.md | 23 ++++++++------------ 6 files changed, 30 insertions(+), 32 deletions(-) diff --git a/sysinternals/downloads/autoruns.md b/sysinternals/downloads/autoruns.md index 2e3375b3..1f057136 100644 --- a/sysinternals/downloads/autoruns.md +++ b/sysinternals/downloads/autoruns.md 
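Review bot: Style point on the tcpview.md hunk above: the two replacement lines are wrapped at well over 80 characters while the rest of the paragraph is wrapped near 70, so the rendered source now has a ragged block in the middle of the paragraph. Reflow the paragraph at the existing width, for example `addresses and state of TCP connections. TCPView also reports the name` followed by `of the process that owns the endpoint. TCPView provides a more informative`, and the content change itself (dropping the Server 2008/Vista/XP qualifier) is fine.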
@@ -5,14 +5,14 @@ description: See what programs are configured to startup automatically when your no-loc: [Mark Russinovich, David Solomon, Aaron Margosis] ms:assetid: 'b13af0f4-f0a1-4cc5-b940-20be546c1179' ms:mtpsurl: 'https://technet.microsoft.com/Bb963902(v=MSDN.10)' -ms.date: 02/16/2022 +ms.date: 02/05/2024 --- -# Autoruns for Windows v14.1 +# Autoruns for Windows v14.11 **By Mark Russinovich** -Published: June 27, 2023 +Published: February 5, 2024 [![Download](media/shared/Download_sm.png)](https://download.sysinternals.com/files/Autoruns.zip) [**Download Autoruns and Autorunsc**](https://download.sysinternals.com/files/Autoruns.zip) **(2.8 MB)** **Run now** from [Sysinternals Live](https://live.sysinternals.com/autoruns.exe). diff --git a/sysinternals/downloads/index.md b/sysinternals/downloads/index.md index d13606cd..6589e9e0 100644 --- a/sysinternals/downloads/index.md +++ b/sysinternals/downloads/index.md @@ -4,7 +4,7 @@ title: Sysinternals Utilities description: Evaluate and find out how to install, deploy, and maintain Windows with Sysinternals utilities. ms:assetid: 'aefdbd0d-e21b-45ad-8e2b-b69cb8e04d5f' ms:mtpsurl: 'https://technet.microsoft.com/Bb545027(v=MSDN.10)' -ms.date: 01/09/2024 +ms.date: 02/06/2024 --- # Sysinternals Utilities Index @@ -51,7 +51,7 @@ Undelete Server 2003 Active Directory objects. Bypass password screen during logon. [Autoruns](autoruns.md) -*v14.1 (June 27, 2023)* +*v14.11 (February 6, 2024)* See what programs are configured to startup automatically when your system boots and you login. Autoruns also shows you the full list of Registry and file locations where applications can configure auto-start @@ -370,5 +370,5 @@ See who owns an Internet address. The ultimate Object Manager namespace viewer is here. [ZoomIt](zoomit.md) -*v7.2 (November 9, 2023)* +*v8.0 (February 6, 2024)* Presentation utility for zooming and drawing on the screen. 
diff --git a/sysinternals/downloads/microsoft-store.md b/sysinternals/downloads/microsoft-store.md index 19b13074..d3e6345e 100644 --- a/sysinternals/downloads/microsoft-store.md +++ b/sysinternals/downloads/microsoft-store.md @@ -2,15 +2,15 @@ TOCTitle: Microsoft Store title: Microsoft Store description: Sysinternals Suite is available as an MSIX package from the Microsoft Store. -ms.date: 01/09/2024 +ms.date: 02/06/2024 --- # Microsoft Store ## Sysinternals Suite -Version 2024.1 -January 9, 2024 +Version 2024.2 +February 6, 2024 Sysinternals Suite is installed as an [MSIX bundle](/windows/msix/package/bundling-overview) from the Microsoft Store. diff --git a/sysinternals/downloads/sysinternals-suite.md b/sysinternals/downloads/sysinternals-suite.md index 771df68b..7ccb1f05 100644 --- a/sysinternals/downloads/sysinternals-suite.md +++ b/sysinternals/downloads/sysinternals-suite.md @@ -5,17 +5,17 @@ description: The Windows Sysinternals troubleshooting Utilities have been rolled no-loc: [Mark Russinovich] ms:assetid: '0e18b180-9b7a-4c49-8120-c47c5a693683' ms:mtpsurl: 'https://technet.microsoft.com/Bb842062(v=MSDN.10)' -ms.date: 01/09/2024 +ms.date: 02/06/2024 --- # Sysinternals Suite **By Mark Russinovich** -Updated: January 9, 2024 +Updated: February 6, 2024 -[**Download Sysinternals Suite**](https://download.sysinternals.com/files/SysinternalsSuite.zip) (50.6 MB) +[**Download Sysinternals Suite**](https://download.sysinternals.com/files/SysinternalsSuite.zip) (50.8 MB) [**Download Sysinternals Suite for Nano Server**](https://download.sysinternals.com/files/SysinternalsSuite-Nano.zip) (9.5 MB) -[**Download Sysinternals Suite for ARM64**](https://download.sysinternals.com/files/SysinternalsSuite-ARM64.zip) (15 MB) +[**Download Sysinternals Suite for ARM64**](https://download.sysinternals.com/files/SysinternalsSuite-ARM64.zip) (15.1 MB) [**Install Sysinternals Suite from the Microsoft Store**](https://www.microsoft.com/store/apps/9p7knl5rwt25) ## Introduction 
diff --git a/sysinternals/downloads/zoomit.md b/sysinternals/downloads/zoomit.md index a35c43ff..c2eacef3 100644 --- a/sysinternals/downloads/zoomit.md +++ b/sysinternals/downloads/zoomit.md @@ -5,16 +5,16 @@ description: Presentation utility for zooming and drawing on the screen. no-loc: [Mark Russinovich] ms:assetid: '0b6c4abc-9482-4759-a9cd-bf77cb961dd4' ms:mtpsurl: 'https://technet.microsoft.com/Bb897434(v=MSDN.10)' -ms.date: 11/09/2023 +ms.date: 02/06/2024 --- -# ZoomIt v7.2 +# ZoomIt v8.0 **By Mark Russinovich** -Published: November 9, 2023 +Published: February 6, 2024 -[![Download](media/shared/Download_sm.png)](https://download.sysinternals.com/files/ZoomIt.zip) [**Download ZoomIt**](https://download.sysinternals.com/files/ZoomIt.zip) **(1.2 MB)** +[![Download](media/shared/Download_sm.png)](https://download.sysinternals.com/files/ZoomIt.zip) [**Download ZoomIt**](https://download.sysinternals.com/files/ZoomIt.zip) **(1.4 MB)** **Run now** from [Sysinternals Live](https://live.sysinternals.com/ZoomIt.exe).

> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE55yQm?autoplay=true&loop=true&controls=false] @@ -95,7 +95,10 @@ ZoomIt offers a number of shortcuts which can extend its usage greatly. | Minimize Timer (Without Pausing It) | Alt + Tab | | Show Timer When Minimized | Left-Click On The ZoomIt Icon | | Live Zoom Mode | Ctrl + 4 | +| Start DemoType | Ctrl + 7 | +| Move back to the previous snippet (DemoType) | Ctrl + Shift + 7 | +| Advance to the next snippet (DemoType User-driven Mode) | Space Bar | | Exit | Esc or Right-Click | -[![Download](media/shared/Download_sm.png)](https://download.sysinternals.com/files/ZoomIt.zip) [**Download ZoomIt**](https://download.sysinternals.com/files/ZoomIt.zip) **(1.2 MB)** +[![Download](media/shared/Download_sm.png)](https://download.sysinternals.com/files/ZoomIt.zip) [**Download ZoomIt**](https://download.sysinternals.com/files/ZoomIt.zip) **(1.4 MB)** **Run now** from [Sysinternals Live](https://live.sysinternals.com/ZoomIt.exe). diff --git a/sysinternals/index.md b/sysinternals/index.md index 526edfe5..080b22ae 100644 --- a/sysinternals/index.md +++ b/sysinternals/index.md @@ -5,7 +5,7 @@ description: Library, learning resources, downloads, support, and community. Eva no-loc: [Mark Russinovich] ms:assetid: '2b0d74e3-5962-455a-b35a-248979737b61' ms:mtpsurl: 'https://technet.microsoft.com/Bb545021(v=MSDN.10)' -ms.date: 01/23/2024 +ms.date: 02/06/2024 --- # ![Sysinternals icon](media/index/Sysinternals.png)
Sysinternals @@ -30,6 +30,14 @@ You can view the entire Sysinternals Live tools directory in a browser or Window ## What's New [![RSS icon](media/index/rss.gif)](https://techcommunity.microsoft.com/plugins/custom/microsoft/o365/custom-blog-rss?board=Sysinternals-Blog) +### What's New (February 6, 2024) + +- [ProcDump 3.2 for Linux](https://github.com/Sysinternals/ProcDump-for-Linux/releases/tag/3.2.0) +This update tracks mmap and munmap syscalls as part of resource leak tracking. + +- [ZoomIt v8.0](~/downloads/zoomit.md) +This update to ZoomIt adds a new feature called DemoType that automates typing. + ### What's New (January 23, 2024) - [ProcDump 3.1 for Linux](https://github.com/Sysinternals/ProcDump-for-Linux/releases/tag/3.1.0) @@ -60,16 +68,3 @@ This update to ProcDump for Linux adds support for Azure Linux and fixes a coupl - [Sysmon 1.3 for Linux](https://github.com/Sysinternals/SysmonForLinux/releases/tag/1.3.0.0) This update to Sysmon for Linux fixes a bug with rule case matching. - -### What's New (July 26, 2023) - -- [ZoomIt v7.1](~/downloads/zoomit.md) -This update to ZoomIt adds audio capture to screen recording. - -- [ProcDump 2.0 for Linux](https://github.com/Sysinternals/ProcDump-for-Linux) -ProcDump for Linux, a flexible tool for manual and trigger-based process dump generation, receives two new .NET GC triggers (-gcm and -gcgen) and updates the existing memory trigger to allow for multiple thresholds. - -### What's New (June 27, 2023) - -- [Sysmon v15.0](~/downloads/sysmon.md) -This update to Sysmon, an advanced host security monitoring tool, sets the service to run as a protected process, hardening it against tampering, adds a new event, `FileExecutableDetected`, for when new executable images are saved to files, and fixes a system hang occurring in certain situations due to an interaction between network and file system events. From ba21077f2a473e5d65ad85fbd15dae5bc3d442b1 Mon Sep 17 00:00:00 2001 
From: Alex Mihaiuc <69110671+foxmsft@users.noreply.github.com> Date: Tue, 6 Feb 2024 22:24:00 +0100 Subject: [PATCH 4/4] Update Autoruns date (#774) --- sysinternals/downloads/autoruns.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sysinternals/downloads/autoruns.md b/sysinternals/downloads/autoruns.md index 1f057136..bbe6ed93 100644 --- a/sysinternals/downloads/autoruns.md +++ b/sysinternals/downloads/autoruns.md @@ -5,14 +5,14 @@ description: See what programs are configured to startup automatically when your no-loc: [Mark Russinovich, David Solomon, Aaron Margosis] ms:assetid: 'b13af0f4-f0a1-4cc5-b940-20be546c1179' ms:mtpsurl: 'https://technet.microsoft.com/Bb963902(v=MSDN.10)' -ms.date: 02/05/2024 +ms.date: 02/06/2024 --- # Autoruns for Windows v14.11 **By Mark Russinovich** -Published: February 5, 2024 +Published: February 6, 2024 [![Download](media/shared/Download_sm.png)](https://download.sysinternals.com/files/Autoruns.zip) [**Download Autoruns and Autorunsc**](https://download.sysinternals.com/files/Autoruns.zip) **(2.8 MB)** **Run now** from [Sysinternals Live](https://live.sysinternals.com/autoruns.exe).
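Review bot: the inside-native-applications.md hunk in PATCH 1/4 fixes "applicationin" but leaves a second typo on the same edited line, "its probably used to compile *Autochk*", which should read "it's probably used". Since the patch is a typo sweep and this line is already being rewritten, fold that fix in here rather than in a follow-up; the `Shell` tag on the SOURCES fence that follows is also misleading for a Build configuration file, but that is pre-existing and optional to touch.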
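Review bot: in PATCH 3/4 the autoruns.md hunk sets `ms.date: 02/05/2024` and "Published: February 5, 2024", while the index.md hunk in the same patch lists Autoruns v14.11 as "(February 6, 2024)"; the two pages disagree on the release date after this patch. PATCH 4/4 exists only to correct this, so squash it into PATCH 3/4 so the series never leaves the dates inconsistent.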
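Review bot: the zoomit.md shortcuts hunk in PATCH 3/4 adds three DemoType entries ("Start DemoType | Ctrl + 7", "Ctrl + Shift + 7", "Space Bar") but nothing else in the zoomit.md diff describes what DemoType is, what a "snippet" is, or where the typed text comes from; the only explanation in the series is the one-line index.md note that it "automates typing". Add a short DemoType section above the table (or a sentence in the page introduction) so the shortcuts are documented in the same place users look for them.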
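Review bot: the second sysinternals/index.md hunk in PATCH 3/4 (`@@ -60,16 +68,3 @@`) deletes the July 26 and June 27, 2023 entries, including the Sysmon v15.0 note that the service now runs as a protected process and emits the new `FileExecutableDetected` event, yet the subject line says only "Add content for February 2024 update". State the removal in the commit message, and confirm that the protected-process and `FileExecutableDetected` details survive on sysmon.md, since this hunk is the only place in the series that records them.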