Windows Sysinternals Toolkit Walkthrough
Date: June 12th 2025
Category: Windows 11 Projects
Tools Installed
Installed via Chocolatey:
choco install sysinternals -y --ignore-checksumsInstall location:C:\ProgramData\chocolatey\lib\sysinternals\tools
Command-line access enabled for:
procexp
autoruns
procmon
tcpview🔗 Official Microsoft page:
https://learn.microsoft.com/sysinternals
1. Process Explorer
-
Launched with
procexp -
Enabled VirusTotal integration:
-
Options > VirusTotal.com > Check VirusTotal.com
-
-
Investigated:
-
PowerPanel Personal.exe(flagged 1/72 — confirmed false positive)
-
-
Verified digital signatures via:
-
Right-click process → Properties →
Verified:field
-
-
Used Lower Pane View for:
-
DLLs and Handle usage
-
2. Autoruns
-
Launched with
autoruns -
Configured:
-
Options > Hide Microsoft Entries -
Options > Scan Options > Submit Unknown Images
-
-
Focused on reviewing:
-
Logon, Scheduled Tasks, Drivers, Services
-
-
Checked VirusTotal flags and verified digital signatures
-
Disabled or marked suspicious unsigned entries
3. Process Monitor (Procmon)
-
Launched with
procmon -
Paused default capture:
Ctrl + E -
Applied filters for:
-
Specific processes (e.g.,
notepad.exe) -
Registry and file system operations
-
-
Resumed capture for real-time inspection
-
Saved capture via
File > Save > .PML
4. TCPView – Active Network Monitoring
Tool Summary:
-
Launched with:
tcpview -
Displays:
-
All active TCP/UDP connections
-
Local and remote addresses
-
Process ownership
-
Packet counts and traffic volume
-
Observations:
| Process | Remote Host/Service | Notes |
|---|---|---|
firefox.exe |
google.com (via 142.250.x.x) |
Normal browser activity |
steam.exe |
valve.net, akamai.net, u2-puls.tech |
Related to Steam/Valve CDN |
PowerPanel |
Internal kubernetes.docker.internal |
Local/VM bridge — normal |
syncthing.exe |
u2-puls.tech / Docker bridges |
Syncthing sync traffic — expected |
WHOIS Lookup: akamaitechnologies.com
TCPView revealed connections to domains like akamaistream.net, a known CDN subdomain.
WHOIS record for akamaitechnologies.com:
| Field | Value |
|---|---|
| Domain | akamaitechnologies.com |
| Registrar | MarkMonitor Inc. |
| Created | August 18, 1998 |
| Updated | July 16, 2024 |
| Expires | August 17, 2025 |
| DNS | AX0.AKAMAISTREAM.NET, NS2-32.AKAMAISTREAM.NET, etc. |
| Status | Protected (delete/transfer/update disabled) |
| Registrar Abuse | abusecomplaints@markmonitor.com |
| Official Whois | https://www.icann.org/wicf/ |
🔗 Akamai Official Site: https://www.akamai.com
Conclusion:
-
Akamai is a globally trusted CDN and security platform used by Steam, Microsoft, Apple, and others.
-
Connections to
akamaistream.netand related domains in TCPView are expected and not malicious. -
WHOIS verified the legitimacy and ownership of the Akamai domains.
5. PowerShell Signature Verification
Command used:
Get-AuthenticodeSignature "C:\Path\To\File.exe"Example:
Get-AuthenticodeSignature "C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp.exe"Reviewed:
-
Statusfield =Valid -
SignerCertificate.Subject= Trusted vendor (e.g., Microsoft Corporation)
There are tons of other tools for system analysis as well.