# Windows Sysinternals Toolkit Walkthrough

Date: June 12th 2025
Category: Windows 11 Projects

## Tools Installed

Installed via Chocolatey:

```
choco install sysinternals -y --ignore-checksums
```

Install location: `C:\ProgramData\chocolatey\lib\sysinternals\tools`

Command-line access enabled for: `procexp`, `autoruns`, `procmon`, `tcpview`

🔗 Official Microsoft page: https://learn.microsoft.com/sysinternals

## 1. Process Explorer

- Launched with `procexp`
- Enabled VirusTotal integration: Options > VirusTotal.com > Check VirusTotal.com
- Investigated: `PowerPanel Personal.exe` (flagged 1/72; confirmed false positive)
- Verified digital signatures via: right-click process → Properties → Verified: field
- Used Lower Pane View for: DLLs and Handle usage

## 2. Autoruns

- Launched with `autoruns`
- Configured:
  - Options > Hide Microsoft Entries
  - Options > Scan Options > Submit Unknown Images
- Focused on reviewing: Logon, Scheduled Tasks, Drivers, Services
- Checked VirusTotal flags and verified digital signatures
- Disabled or marked suspicious unsigned entries

## 3. Process Monitor (Procmon)

- Launched with `procmon`
- Paused default capture: Ctrl + E
- Applied filters for:
  - Specific processes (e.g., `notepad.exe`)
  - Registry and file system operations
- Resumed capture for real-time inspection
- Saved capture via File > Save > .PML

## 4. TCPView - Active Network Monitoring

Tool Summary:

- Launched with: `tcpview`
- Displays:
  - All active TCP/UDP connections
  - Local and remote addresses
  - Process ownership
  - Packet counts and traffic volume

Observations:

| Process | Remote Host/Service | Notes |
|---|---|---|
| firefox.exe | google.com (via 142.250.x.x) | Normal browser activity |
| steam.exe | valve.net, akamai.net, u2-puls.tech | Related to Steam/Valve CDN |
| PowerPanel Internal | kubernetes.docker.internal | Local/VM bridge; normal |
| syncthing.exe | u2-puls.tech / Docker bridges | Syncthing sync traffic; expected |

WHOIS Lookup: akamaitechnologies.com

TCPView revealed connections to domains like akamaistream.net, a known CDN subdomain.

WHOIS record for akamaitechnologies.com:

| Field | Value |
|---|---|
| Domain | akamaitechnologies.com |
| Registrar | MarkMonitor Inc. |
| Created | August 18, 1998 |
| Updated | July 16, 2024 |
| Expires | August 17, 2025 |
| DNS | AX0.AKAMAISTREAM.NET, NS2-32.AKAMAISTREAM.NET, etc. |
| Status | Protected (delete/transfer/update disabled) |
| Registrar Abuse | abusecomplaints@markmonitor.com |
| Official Whois | https://www.icann.org/wicf/ |

🔗 Akamai Official Site: https://www.akamai.com

Conclusion: Akamai is a globally trusted CDN and security platform used by Steam, Microsoft, Apple, and others. Connections to akamaistream.net and related domains in TCPView are expected and not malicious. WHOIS verified the legitimacy and ownership of the Akamai domains.

## 5. PowerShell Signature Verification

Command used:

```
Get-AuthenticodeSignature "C:\Path\To\File.exe"
```

Example:

```
Get-AuthenticodeSignature "C:\ProgramData\chocolatey\lib\sysinternals\tools\procexp.exe"
```

Reviewed:

- Status field = Valid
- SignerCertificate.Subject = trusted vendor (e.g., Microsoft Corporation)

There are tons of other tools for system analysis as well.
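Pulling sections 4 and 5 together, here is an added PowerShell script (my own, not from the original walkthrough or from Sysinternals) that lists established TCP connections the way TCPView does and runs Get-AuthenticodeSignature on each owning process image, so unsigned or unexpectedly signed binaries with live connections stand out. The `$trustedSigners` list is an assumption; adapt it to the vendors you actually expect on the machine.

```powershell
# Added example, not part of the original walkthrough: TCPView-style connection
# listing joined with an Authenticode check of the owning process image.
# Run in an elevated Windows PowerShell 5.1 / PowerShell 7 session so that image
# paths of processes owned by other accounts are visible.

# Assumption: signer subjects considered trusted on this machine; extend as needed.
$trustedSigners = @('CN=Microsoft Corporation', 'CN=Microsoft Windows', 'CN=Mozilla Corporation')

function Get-SignedConnectionReport {
    # Loopback is skipped; Docker/VM bridge addresses are kept on purpose so entries
    # such as kubernetes.docker.internal still appear for review.
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$)' } |
        ForEach-Object {
            $conn = $_
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            $path = if ($proc) { $proc.Path } else { $null }   # $null for protected/system processes
            $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
            $subject = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

            # Reverse-DNS the remote address (this sends PTR queries); fall back to the raw IP.
            $remoteName = try { [System.Net.Dns]::GetHostEntry($conn.RemoteAddress).HostName } catch { $conn.RemoteAddress }

            # True when the signer subject starts with one of the trusted CNs above.
            $signerOk = [bool]($trustedSigners | Where-Object { $subject -like "$_*" })

            [pscustomobject]@{
                Process    = if ($proc) { $proc.ProcessName } else { 'unknown' }
                PID        = $conn.OwningProcess
                ImagePath  = $path
                Remote     = '{0}:{1}' -f $conn.RemoteAddress, $conn.RemotePort
                RemoteHost = $remoteName
                SigStatus  = if ($sig) { $sig.Status.ToString() } else { 'NoImagePath' }
                Signer     = $subject
                Trusted    = ($null -ne $sig -and $sig.Status -eq 'Valid' -and $signerOk)
            }
        }
}

$report = Get-SignedConnectionReport
$report | Sort-Object Trusted, Process |
    Format-Table Process, PID, Remote, RemoteHost, SigStatus, Signer, Trusted -AutoSize

# Untrusted rows are the ones to follow up in Process Explorer and Autoruns;
# a CSV copy keeps the evidence for the record.
$report | Where-Object { -not $_.Trusted } |
    Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'untrusted-connections.csv')
```

A row with `SigStatus = NotSigned` or a signer outside the list is not automatically malicious (the PowerPanel false positive above is a reminder), but it is the row worth checking against VirusTotal and the vendor's own download before moving on.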