Process Explorer – The Scalable Task Manager
Process Explorer replaces the blunt butter‑knife of Task Manager with a surgical scalpel. It shows the full parent‑child tree of every running process, so impostors stand out: a svchost.exe whose parent is explorer.exe rather than services.exe, or one whose image path is anywhere other than C:\Windows\System32. Turn on Options > Verify Image Signatures and add the Verified Signer column to check code signatures in the same view.
Key features:
- Live process hierarchy view.
- Integrated VirusTotal hash lookup.
- Detailed DLL and handle information.
TCPView – Real‑Time Network Connections
TCPView turns the cryptic output of netstat into a clean, updating list of all TCP/UDP endpoints. Sort by the “State” column to bring active connections to the top and right‑click for a WHOIS lookup.
- Live view of remote IPs, ports, and process owners.
- One‑click connection termination.
- Color‑coded state indicators.
Autoruns – Startup Persistence Detective
Autoruns enumerates every auto‑run location in Windows: Registry Run keys, Task Scheduler, WMI subscriptions, Services, drivers, and more. Turn on Options > Verify Code Signatures and Hide Microsoft Entries; entries then highlighted in pink have no verified digital signature and merit closer inspection, while yellow entries point at an image file that no longer exists.
- Comprehensive list of all startup entries.
- Filter and disable unwanted items.
- Export to CSV for further analysis.
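The CSV export is where the real triage happens once the list is too long to eyeball. The script below is an added example, not Sysinternals code: it reproduces the GUI's pink (unverified signature) and yellow (missing file) highlighting over an exported CSV and adds two checks the colours do not give you, images in user-writable directories and signed Microsoft script hosts whose launch string carries the real payload. The CSV is constructed; the column names (Entry Location, Entry, Enabled, Signer, Image Path, Launch String, SHA-256) are assumed to match an autorunsc -c -s export with the unused columns left out.

```python
"""Triage an Autoruns CSV export (File > Save, or autorunsc -c -s).

Added example, not Sysinternals code. SAMPLE_CSV is constructed; the column
names are assumed to match an autorunsc -c -s export with signature
verification on, with the columns this script ignores omitted. Real exports
are typically UTF-16 text: open them with encoding="utf-16".
"""
import csv
import io
from pathlib import PureWindowsPath

SAMPLE_CSV = r'''Entry Location,Entry,Enabled,Description,Signer,Image Path,Launch String,SHA-256
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Windows Security notification icon,(Verified) Microsoft Windows,C:\Windows\System32\SecurityHealthSystray.exe,%windir%\system32\SecurityHealthSystray.exe,1111
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDriveUpdate,enabled,,(Not verified) Contoso Ltd,C:\Users\alice\AppData\Roaming\svc\update.exe,C:\Users\alice\AppData\Roaming\svc\update.exe /silent,2222
Task Scheduler,\Microsoft\Windows\Maintenance\Cleanup,enabled,,(Verified) Microsoft Windows,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell.exe -NoP -W Hidden -Enc SQBFAFgA,3333
HKLM\SYSTEM\CurrentControlSet\Services,OldAgent,enabled,Legacy agent,,File not found: C:\Program Files\OldAgent\agent.exe,C:\Program Files\OldAgent\agent.exe,
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Disabled thing,disabled,,(Not verified) Foo,C:\Users\alice\AppData\Local\x.exe,x.exe,4444
'''

# Signed Microsoft binaries that are routinely used to launch something else;
# a verified signature on these says nothing about what they will run.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}
# Path fragments (lower-case) that an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def triage_entry(row):
    """Findings for one Autoruns row; an empty list means nothing stood out."""
    findings = []
    if row["Enabled"].strip().lower() != "enabled":
        return findings  # disabled entries cannot run; review them separately
    image = row["Image Path"].strip()
    if image.lower().startswith("file not found"):
        return ["image missing (yellow in the GUI): stale entry or cleaned-up malware"]
    if not row["Signer"].strip().startswith("(Verified)"):
        findings.append("signature not verified (pink in the GUI)")
    if any(marker in image.lower() for marker in USER_WRITABLE):
        findings.append("image lives in a user-writable directory")
    exe = PureWindowsPath(image).name.lower()
    if exe in SCRIPT_HOSTS:
        # The launcher passes the signature check; the payload is in the
        # launch string, so surface it for a human to read.
        findings.append(
            f"signed launcher {exe}; review launch string: {row['Launch String'].strip()}")
    return findings


def triage_csv(text):
    """Map 'location :: entry' -> findings for every enabled row that raised one."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(text)):
        findings = triage_entry(row)
        if findings:
            flagged[f"{row['Entry Location']} :: {row['Entry']}"] = findings
    return flagged


if __name__ == "__main__":
    for entry, findings in triage_csv(SAMPLE_CSV).items():
        print(entry)
        for finding in findings:
            print(f"    - {finding}")
```

On the sample data the signed SecurityHealth entry and the disabled entry drop out, the unverified AppData binary collects two findings, the missing-file service one, and the Microsoft-signed scheduled task is kept only because its image is powershell.exe with an encoded command in the launch string, which is exactly the case a signature-only filter would discard.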
Process Monitor – Granular Activity Capture
Process Monitor (ProcMon) records file‑system, Registry, network, and process/thread activity in real time. Drag the crosshair (target) icon from the toolbar onto any window and ProcMon adds an include filter for that window's process; pause the capture first if the event rate is too high to follow.
- High‑resolution event tracing.
- Powerful include/exclude filters.
- Exportable logs for forensic review.
Sysmon – Persistent System‑wide Logging
Sysmon runs as a background service and writes detailed events to the Windows Event Log under Microsoft-Windows-Sysmon/Operational. Event ID 1 (process creation) records the image path, command line, hashes, user, and parent process of every new process, a paper trail that lets you reconstruct the chain of events leading to a suspicious file even after the processes involved have exited.
- Hashes (MD5, SHA‑1, SHA‑256, and IMPHASH, as configured) for every process image, and for every loaded DLL when Event ID 7 is enabled.
- Network connection logging (Event ID 3), tied to the originating process.
- Configurable include/exclude rules in an XML configuration file; you will want one, since without it network logging is off and the process‑creation stream is unfiltered.
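The parent‑child check described under Process Explorer is a point‑in‑time view; the same check run over Sysmon Event ID 1 records works after the fact. The script below is an added example, not Sysinternals code: it parses constructed Sysmon process‑creation records in the XML layout the event log returns (for instance via Get-WinEvent and ToXml()), flags core Windows binaries whose parent is not the expected one, and separately flags copies of those binaries running from outside System32. The lineage table is an assumption about a default Windows install (the page's own pair, svchost.exe under services.exe, plus the usual boot chain); PIDs, timestamps, and hashes are made up, and only the fields the check needs are emitted.

```python
"""Flag process-lineage impostors in Sysmon Event ID 1 records.

Added example, not Sysinternals code. SAMPLE_EVENTS are constructed to mirror
the XML shape of Sysmon process-creation events; PIDs, timestamps and hashes
are made up, and only the fields the check needs are included.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")

# Expected parent(s) for core Windows binaries (assumption: the standard boot
# lineage on a default install; the page's own example is svchost/services).
EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "csrss.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
}


def sysmon_event(pid, image, ppid, parent_image):
    """Build one constructed Sysmon Event ID 1 record in event-log XML layout."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="UtcTime">2024-05-01 09:14:07.112</Data>
    <Data Name="ProcessId">{pid}</Data>
    <Data Name="Image">{image}</Data>
    <Data Name="Hashes">SHA256=0000000000000000000000000000000000000000000000000000000000000000</Data>
    <Data Name="ParentProcessId">{ppid}</Data>
    <Data Name="ParentImage">{parent_image}</Data>
  </EventData>
</Event>"""


SAMPLE_EVENTS = [
    # Normal: svchost.exe under services.exe, living in System32.
    sysmon_event(1040, r"C:\Windows\System32\svchost.exe", 732, r"C:\Windows\System32\services.exe"),
    # Impostor 1 (the page's example): svchost.exe started by explorer.exe.
    sysmon_event(5120, r"C:\Windows\System32\svchost.exe", 4108, r"C:\Windows\explorer.exe"),
    # Impostor 2: a file named svchost.exe in %TEMP%, started from cmd.exe.
    sysmon_event(7788, r"C:\Users\alice\AppData\Local\Temp\svchost.exe", 6012, r"C:\Windows\System32\cmd.exe"),
]


def parse_event(xml_text):
    """Return {'EventID': int, <Data Name>: text, ...} for one event record."""
    root = ET.fromstring(xml_text)
    event = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def check_lineage(event):
    """Findings for one parsed record; an empty list means it looks normal."""
    findings = []
    if event.get("EventID") != 1:
        return findings  # only process-creation events carry ParentImage
    image = PureWindowsPath(event["Image"])
    child = image.name.lower()
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    expected = EXPECTED_PARENT.get(child)
    if expected is None:
        return findings  # no lineage rule for this binary
    if parent not in expected:
        findings.append(
            f"{child} (pid {event['ProcessId']}) spawned by {parent or '<unknown>'}, "
            f"expected {' or '.join(sorted(expected))}")
    # A core binary outside System32 is an impostor even when the parent is
    # right. PureWindowsPath compares case-insensitively, as Windows does.
    if image.parent != SYSTEM32:
        findings.append(
            f"{child} (pid {event['ProcessId']}) runs from {image.parent}, not {SYSTEM32}")
    return findings


def triage(xml_records):
    """Map pid -> findings for every record that raised at least one finding."""
    flagged = {}
    for record in xml_records:
        event = parse_event(record)
        findings = check_lineage(event)
        if findings:
            flagged[int(event["ProcessId"])] = findings
    return flagged


if __name__ == "__main__":
    for pid, findings in triage(SAMPLE_EVENTS).items():
        for finding in findings:
            print(f"[pid {pid}] {finding}")
```

The two checks are deliberately independent: the explorer.exe‑spawned svchost has a legitimate image path and is caught by lineage alone, while the Temp copy is caught twice, once for its parent and once for its location. Feeding real records in is a matter of replacing SAMPLE_EVENTS with the XML strings pulled from the Sysmon channel.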
By combining these five Sysinternals utilities you can catch malicious behavior in real time, uncover hidden persistence mechanisms, and maintain a clean, secure Windows environment.