# Windows Sysinternals Toolkit Walkthrough #### **Date:** June 12th 2025 **Category:** Windows 11 Projects --- ### Tools Installed Installed via Chocolatey: ```powershell choco install sysinternals -y --ignore-checksums ``` Install location: `C:\ProgramData\chocolatey\lib\sysinternals\tools` Command-line access enabled for: ```powershell procexp autoruns procmon tcpview ``` 🔗 Official Microsoft page: [https://learn.microsoft.com/sysinternals](https://learn.microsoft.com/sysinternals) --- ## 1. Process Explorer - **Launched** with `procexp` - Enabled **VirusTotal integration**: - `Options > VirusTotal.com > Check VirusTotal.com` - Investigated: - `PowerPanel Personal.exe` (flagged 1/72 — confirmed false positive) - Verified digital signatures via: - Right-click process → Properties → `Verified:` field - Used **Lower Pane View** for: - **DLLs** and **Handle usage** --- ## 2. Autoruns - Launched with `autoruns` - Configured: - `Options > Hide Microsoft Entries` - `Options > Scan Options > Submit Unknown Images` - Focused on reviewing: - **Logon**, **Scheduled Tasks**, **Drivers**, **Services** - Checked VirusTotal flags and verified digital signatures - Disabled or marked suspicious unsigned entries --- ## 3. Process Monitor (Procmon) - Launched with `procmon` - Paused default capture: `Ctrl + E` - Applied filters for: - Specific processes (e.g., `notepad.exe`) - Registry and file system operations - Resumed capture for real-time inspection - Saved capture via `File > Save > .PML` --- ## 4. TCPView – Active Network Monitoring ### Tool Summary: - Launched with: `tcpview` - Displays: - All active TCP/UDP connections - Local and remote addresses - Process ownership - Packet counts and traffic volume ### Observations:
ProcessRemote Host/ServiceNotes
`firefox.exe``google.com` (via `142.250.x.x`)Normal browser activity
`steam.exe``valve.net`, `akamai.net`, `u2-puls.tech`Related to Steam/Valve CDN
`PowerPanel`Internal `kubernetes.docker.internal`Local/VM bridge — normal
`syncthing.exe``u2-puls.tech` / Docker bridgesSyncthing sync traffic — expected
--- ### WHOIS Lookup: `akamaitechnologies.com` TCPView revealed connections to domains like `akamaistream.net`, a known CDN subdomain. WHOIS record for `akamaitechnologies.com`:
FieldValue
**Domain**akamaitechnologies.com
**Registrar**MarkMonitor Inc.
**Created**August 18, 1998
**Updated**July 16, 2024
**Expires**August 17, 2025
**DNS**`AX0.AKAMAISTREAM.NET`, `NS2-32.AKAMAISTREAM.NET`, etc.
**Status**Protected (delete/transfer/update disabled)
**Registrar Abuse**
**Official Whois**[https://www.icann.org/wicf/](https://www.icann.org/wicf/)
🔗 Akamai Official Site: [https://www.akamai.com](https://www.akamai.com) ### Conclusion: - Akamai is a globally trusted **CDN and security platform** used by Steam, Microsoft, Apple, and others. - Connections to `akamaistream.net` and related domains in TCPView are **expected** and **not malicious**. - WHOIS verified the legitimacy and ownership of the Akamai domains. --- ## 5. PowerShell Signature Verification Command used: ```powershell Get-AuthenticodeSignature "C:\Path\To\File.exe" ``` Example: ```powershell Get-AuthenticodeSignature "C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp.exe" ``` Reviewed: - `Status` field = `Valid` - `SignerCertificate.Subject` = Trusted vendor (e.g., Microsoft Corporation) There are tons of other tools for system analysis as well.