
Windows Sysinternals Toolkit Walkthrough

Date: June 12th 2025
Category: Windows 11 Projects


Tools Installed

Installed via Chocolatey:

choco install sysinternals -y --ignore-checksums

Note on --ignore-checksums: this flag tells Chocolatey to skip comparing the downloaded Sysinternals archive against the hash recorded in the package, which is the only integrity check on that download path. On a machine you intend to analyse with these tools, prefer to run without it (and pin a package version); the signature checks in section 5 recover some of that assurance after the fact.

Install location:
C:\ProgramData\chocolatey\lib\sysinternals\tools

Command-line access enabled for:

procexp
autoruns
procmon
tcpview

🔗 Official Microsoft page:
https://learn.microsoft.com/sysinternals


1. Process Explorer

  • Launched with procexp

  • Enabled VirusTotal integration:

    • Options > VirusTotal.com > Check VirusTotal.com

  • Investigated:

    • PowerPanel Personal.exe (flagged by 1 of 72 engines; confirmed a false positive)

  • Verified digital signatures via:

    • Right-click process → Properties → Image tab → Verified: field (the same value is available as the Verified Signer column in the main view)

  • Used Lower Pane View for:

    • DLLs (Ctrl + D) and Handles (Ctrl + H) of the selected process


2. Autoruns

  • Launched with autoruns

  • Configured:

    • Options > Hide Microsoft Entries

    • Options > Scan Options > Submit Unknown Images

  • Focused on reviewing:

    • Logon, Scheduled Tasks, Drivers, Services

  • Checked VirusTotal flags and verified digital signatures

  • Disabled (unchecked) unsigned entries that could not be accounted for, and noted the remaining unsigned ones for follow-up
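
The same review can be repeated non-interactively with autorunsc.exe, the console build of Autoruns that ships in the same Chocolatey package. The script below is an added example, not part of the original write-up; it assumes the install path given above and the column names autorunsc writes to its CSV header (Signer, 'VT detection', 'VT permalink', 'Image Path', 'Entry Location').

```powershell
# Added example, not from the original write-up: the Autoruns review done
# non-interactively with autorunsc.exe, keeping only entries Autoruns could not vouch for.
$autorunsc = 'C:\ProgramData\chocolatey\lib\sysinternals\tools\autorunsc.exe'

# Sysinternals console tools write UTF-16 when their output is redirected, so tell
# PowerShell how to decode the pipe, and restore the console's setting afterwards.
$savedEncoding = [Console]::OutputEncoding
try {
    [Console]::OutputEncoding = [System.Text.Encoding]::Unicode
    # -a *  all categories (logon, services, drivers, tasks, ...)   -c CSV   -h file hashes
    # -m    hide Microsoft entries (Options > Hide Microsoft Entries)
    # -s    verify signatures    -v -vt  query VirusTotal and accept its terms
    $entries = & $autorunsc -accepteula -nobanner -a * -c -h -m -s -v -vt | ConvertFrom-Csv
} finally {
    [Console]::OutputEncoding = $savedEncoding
}

# Column names below are the ones autorunsc puts in its CSV header (assumed here).
# Signer reads "(Verified) <publisher>" or "(Not verified) <publisher>".
$unverified = $entries | Where-Object { $_.Signer -notlike '(Verified)*' }

# 'VT detection' reads "<hits>|<engines>" (e.g. "1|72") for hashes VirusTotal knows.
$flagged = $entries | Where-Object {
    $hits = ($_.'VT detection' -split '\|')[0] -as [int]
    $hits -gt 0
}
# No hits|engines value at all: not on VirusTotal, or the lookup failed. Worth noting too.
$unknownToVT = $entries | Where-Object { $_.'VT detection' -notmatch '\d+\|\d+' }

"{0} entries, {1} not verified, {2} with VT hits, {3} without a VT result" -f `
    @($entries).Count, @($unverified).Count, @($flagged).Count, @($unknownToVT).Count

$unverified | Select-Object 'Entry Location', Entry, Signer, 'Image Path' | Format-Table -AutoSize
$flagged    | Select-Object Entry, 'VT detection', 'VT permalink', 'Image Path' | Format-Table -AutoSize

# Keep a dated baseline; diffing two runs shows what gained persistence in between.
$entries | Export-Csv -NoTypeInformation -Path ("autoruns-{0:yyyyMMdd}.csv" -f (Get-Date))
```

Run it from an elevated PowerShell so autorunsc can read every hive and service entry; the exported CSV is the artifact to compare against on the next review.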


3. Process Monitor (Procmon)

  • Launched with procmon

  • Stopped the capture that begins automatically on launch (Ctrl + E toggles capture) while building the filter set

  • Applied filters for:

    • Specific processes (e.g., notepad.exe): Filter > Filter..., then Process Name / is / notepad.exe / Include

    • Event classes: toolbar toggles with Registry and File System activity on, Network, Process/Thread and Profiling off

  • Resumed capture (Ctrl + E) for real-time inspection

  • Saved the capture via File > Save in the native .PML format, the only one that keeps every event field and call stack for reloading later (the same dialog offers CSV/XML and can save only the events passing the current filter)
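
The same session can be driven from the command line using Procmon's documented switches (/AcceptEula, /Quiet, /Minimized, /BackingFile, /Terminate, /OpenLog, /NoFilter, /SaveAs), which makes the capture repeatable and keeps the filtering visible in a script instead of in a dialog. This is an added example, not part of the original write-up; it assumes the install path above and the column names of Procmon's default CSV export ('Process Name', Operation, Path, Result, Detail, 'Time of Day').

```powershell
# Added example, not from the original write-up: the Procmon session driven from the
# command line, then the Registry and file-system events of one process pulled out.
$procmon = 'C:\ProgramData\chocolatey\lib\sysinternals\tools\procmon.exe'
$pml     = Join-Path $env:TEMP 'notepad-capture.pml'
$csv     = Join-Path $env:TEMP 'notepad-capture.csv'
$target  = 'notepad.exe'

# 1. Start capturing straight into a backing file. /Quiet skips the filter dialog,
#    /Minimized keeps the window out of the way. Procmon keeps running; the call returns.
Start-Process -FilePath $procmon -ArgumentList '/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', "`"$pml`""
Start-Sleep -Seconds 3

# 2. Exercise the program under investigation, then tell the running Procmon to stop.
$np = Start-Process -FilePath $target -PassThru
Start-Sleep -Seconds 5
Stop-Process -Id $np.Id -Force
Start-Process -FilePath $procmon -ArgumentList '/Terminate' -Wait
Start-Sleep -Seconds 2      # let the capturing instance finish flushing the .PML

# 3. Convert the .PML to CSV with /NoFilter so a saved filter set hides nothing;
#    filtering happens below, where it is visible and repeatable.
Start-Process -FilePath $procmon -ArgumentList '/AcceptEula', '/Quiet', '/OpenLog', "`"$pml`"", '/NoFilter', '/SaveAs', "`"$csv`"" -Wait

# Column names are those of Procmon's default CSV export (assumed here).
$events = Import-Csv -Path $csv | Where-Object { $_.'Process Name' -ieq $target }

# Procmon names registry operations Reg*; process/thread, image-load, network and
# profiling events carry the prefixes below; what remains is the file-system class.
$registry = $events | Where-Object { $_.Operation -like 'Reg*' }
$filesys  = $events | Where-Object { $_.Operation -notmatch '^(Reg|Process |Thread |Load Image|TCP |UDP |Profiling)' }

"{0}: {1} registry ops, {2} file-system ops" -f $target, @($registry).Count, @($filesys).Count

# First things to read when asking what a program leaves behind: values it writes and
# files it may create (CreateFile whose Detail shows a Create/OpenIf/OverwriteIf disposition).
$registry | Where-Object { $_.Operation -eq 'RegSetValue' } |
    Select-Object 'Time of Day', Operation, Path, Result | Format-Table -AutoSize
$filesys | Where-Object {
        $_.Operation -eq 'CreateFile' -and $_.Result -eq 'SUCCESS' -and
        $_.Detail -match 'Disposition: (Create|OpenIf|OverwriteIf)'
    } |
    Select-Object 'Time of Day', Path, Detail | Format-Table -AutoSize -Wrap
```

Procmon needs to run elevated to load its driver, so start the script from an elevated prompt. The .PML is kept alongside the CSV so the full event detail and stacks can be reopened in the GUI if something in the summary needs a closer look.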


4. TCPView – Active Network Monitoring

Tool Summary:

  • Launched with: tcpview

  • Displays:

    • All active TCP/UDP connections

    • Local and remote addresses

    • Process ownership

    • Sent/received packet and byte counts per connection

Observations:

Process          Remote Host / Service                      Notes
firefox.exe      google.com (via 142.250.x.x)               Normal browser activity
steam.exe        valve.net, akamai.net, u2-puls.tech        Related to Steam/Valve CDN
PowerPanel       Internal: kubernetes.docker.internal       Local/VM bridge, normal
syncthing.exe    u2-puls.tech / Docker bridges              Syncthing sync traffic, expected
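
The same "which process owns which connection" view can be rebuilt from built-in cmdlets, with reverse DNS and a signature check on the owning image, so the review can be scripted and saved as a record. This is an added example, not part of the original write-up; it uses only Get-NetTCPConnection, Get-NetUDPEndpoint, Get-Process, Resolve-DnsName and Get-AuthenticodeSignature.

```powershell
# Added example, not from the original write-up: TCPView's process-to-connection view
# rebuilt with built-in cmdlets, plus reverse DNS and the owning image's signature status.
function Get-ConnectionReport {
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }
    $sigCache = @{}

    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$)' } |
        ForEach-Object {
            $conn = $_
            $p = $procs[[int]$conn.OwningProcess]

            # Reverse DNS for the remote address. The PTR record is published by whoever owns
            # the IP block (a CDN, a cloud provider), so it names the infrastructure, not the
            # customer using it; the owning process is what ties the traffic to an application.
            $ptr = try {
                (Resolve-DnsName -Name $conn.RemoteAddress -Type PTR -ErrorAction Stop | Select-Object -First 1).NameHost
            } catch { $null }

            # Authenticode status of the owning image, cached per path. Without elevation,
            # Path is empty for other users' processes and for protected system processes.
            $signer = 'n/a'
            if ($p -and $p.Path) {
                if (-not $sigCache.ContainsKey($p.Path)) {
                    $sigCache[$p.Path] = (Get-AuthenticodeSignature -FilePath $p.Path).Status
                }
                $signer = $sigCache[$p.Path]
            }

            [pscustomobject]@{
                Process    = if ($p) { "$($p.ProcessName).exe" } else { "pid $($conn.OwningProcess)" }
                PID        = $conn.OwningProcess
                Signer     = $signer
                Local      = "$($conn.LocalAddress):$($conn.LocalPort)"
                Remote     = "$($conn.RemoteAddress):$($conn.RemotePort)"
                RemoteHost = $ptr
                Path       = $p.Path
            }
        }
}

$report = Get-ConnectionReport
$report | Sort-Object Process, RemoteHost | Format-Table Process, PID, Signer, Remote, RemoteHost -AutoSize

# Worth a second look: connections owned by images that are unsigned or could not be checked.
$report | Where-Object { $_.Signer -ne 'Valid' } |
    Format-Table Process, Signer, Remote, RemoteHost, Path -AutoSize -Wrap

# UDP has no connection state; list endpoints with their owners as TCPView does.
Get-NetUDPEndpoint | Sort-Object LocalPort |
    Select-Object LocalAddress, LocalPort,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Format-Table -AutoSize

# Snapshot for the record; diff it against the next run.
$report | Export-Csv -NoTypeInformation -Path ("connections-{0:yyyyMMdd-HHmm}.csv" -f (Get-Date))
```

Run it elevated so every process has a readable image path; otherwise the Signer column will read n/a for services and other users' processes rather than meaning they are unsigned.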

WHOIS Lookup: akamaitechnologies.com

Several remote addresses in TCPView resolved to hostnames under Akamai-operated domains (akamai.net, akamaistream.net), which Akamai uses for its CDN edge nodes. To confirm who operates them, a WHOIS lookup was run on akamaitechnologies.com, the corporate domain whose name servers sit under akamaistream.net.

WHOIS record for akamaitechnologies.com:

Field              Value
Domain             akamaitechnologies.com
Registrar          MarkMonitor Inc.
Created            August 18, 1998
Updated            July 16, 2024
Expires            August 17, 2025
Name servers       AX0.AKAMAISTREAM.NET, NS2-32.AKAMAISTREAM.NET, etc.
Status             Registrar locks set (delete, transfer and update prohibited)
Registrar Abuse    abusecomplaints@markmonitor.com
ICANN WHOIS inaccuracy complaint form   https://www.icann.org/wicf/

🔗 Akamai Official Site: https://www.akamai.com

Conclusion:

  • Akamai is a globally used CDN and security platform serving Steam, Microsoft, Apple and many others.

  • Connections from steam.exe to akamai.net / akamaistream.net hosts are expected for that application and not an indicator on their own.

  • WHOIS confirmed that akamaitechnologies.com is a long-standing (1998) registration held through a corporate registrar (MarkMonitor) with transfer/delete locks set, consistent with the real Akamai. Note what this does and does not prove: a reverse-DNS name under a CDN domain identifies the infrastructure owner, not the customer being served, and CDNs also host content for anyone who pays. The owning process, its signature and whether that process is expected to talk to a CDN at all are what make the judgement, with WHOIS as supporting evidence.


5. PowerShell Signature Verification

Command used:

Get-AuthenticodeSignature "C:\Path\To\File.exe"

Example:

Get-AuthenticodeSignature "C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp.exe"

Reviewed:

  • Status field = Valid (anything else, such as NotSigned, HashMismatch or UnknownError, means the file is unsigned, was modified after signing, or chains to a root this machine does not trust)

  • SignerCertificate.Subject = a vendor you expect for that file (e.g., CN=Microsoft Corporation for the Sysinternals tools); a valid signature from an unexpected publisher is still a finding
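
Process Explorer's Verified Signer column (section 1) and Autoruns' signature verification (section 2) perform the same test one entry at a time; the script below runs it over every binary in the Sysinternals folder at once and also checks that the signer is one you intended to trust. This is an added example, not part of the original write-up; the install path is the one given above, and the function and parameter names (Test-FolderSignatures, -TrustedSubjects) are introduced here.

```powershell
# Added example, not from the original write-up: Get-AuthenticodeSignature applied to a
# whole folder, separating "signed" from "signed by a publisher I expect".
function Test-FolderSignatures {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Publishers expected in this folder. A Valid signature from anyone else is still
        # reported, because "signed" and "signed by who I think" are different questions.
        [string[]] $TrustedSubjects = @('CN=Microsoft Corporation*', 'CN=Microsoft Windows*')
    )
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys, *.ps1 |
        ForEach-Object {
            $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
            $subject = $sig.SignerCertificate.Subject
            $trusted = $false
            foreach ($pattern in $TrustedSubjects) {
                if ($subject -like $pattern) { $trusted = $true }
            }
            [pscustomobject]@{
                File       = $_.Name
                Status     = $sig.Status           # Valid, NotSigned, HashMismatch, UnknownError, ...
                Type       = $sig.SignatureType    # Authenticode (embedded) or Catalog (Windows components)
                Signer     = $subject
                Thumbprint = $sig.SignerCertificate.Thumbprint
                Ok         = ($sig.Status -eq 'Valid' -and $trusted)
            }
        }
}

$results = Test-FolderSignatures -Path 'C:\ProgramData\chocolatey\lib\sysinternals\tools'
$results | Format-Table File, Status, Type, Signer -AutoSize

# Anything not Ok is unsigned (NotSigned), changed after signing (HashMismatch), chains to a
# root this machine does not trust (UnknownError), or is signed by an unlisted publisher.
$results | Where-Object { -not $_.Ok } | Format-Table File, Status, Signer -AutoSize

# For one suspicious file, record the full picture: status, certificate and file hash.
$sig = Get-AuthenticodeSignature 'C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp.exe'
$sig | Format-List Status, StatusMessage, SignatureType, IsOSBinary
$sig.SignerCertificate | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint
Get-FileHash -Algorithm SHA256 -Path $sig.Path | Select-Object Algorithm, Hash
```

On a toolkit installed with --ignore-checksums, a clean run of this check is the point at which the binaries can reasonably be trusted; keep the output (and the SHA-256 hashes) so a later run can be compared against it.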

There are tons of other tools for system analysis as well.