
Free (and legal) SysInternals Source Code….

November 21, 2009

Before Mark Russinovich sold his company (Winternals) to Microsoft, he used to release the source code to many of his SysInternals utilities. I did some Googling and found that much of this code is still online at: http://sysinternals.kompjoefriek.nl/rip/www.sysinternals.com/SourceCode.html

Mark Russinovich is well known for his Windows Internals series of books.

The source code is written primarily in C and includes many of his GUI and console applications. I’ve found this source code useful as a reference for the “right” way to do things, as this code has been used in utilities that have run on millions of computers. Some of these utilities were designed for Windows 95/NT4, but most were designed for Windows 2000/XP.

•    AccessEnum

This simple yet powerful security tool shows you who has what access to directories, files and Registry keys on your systems. Use it to find holes in your permissions.

•    ADRestore

Restore tombstoned Active Directory objects in Server 2003 domains

•    AutoLogon

Bypass password screen during logon

•    CacheSet

CacheSet is a program that allows you to control the Cache Manager’s working set size using functions provided by NT. It’s compatible with all versions of NT and full source code is provided.

•    Ctrl2Cap

This is a kernel-mode driver that demonstrates keyboard input filtering just above the keyboard class driver in order to turn caps-locks into control keys. Filtering at this level allows conversion and hiding of keys before NT even “sees” them. Full source is included. Ctrl2cap also shows how to use NtDisplayString() to print messages to the initialization blue-screen.

•    DiskExt

Display volume disk-mappings

•    FMIFS – ChkdskX and FormatX

Complete source code for chkdsk and format clone programs. These examples demonstrate the use of file system utility functions that you can incorporate into your own applications.

•    Fundelete

This utility expands the NT 4.0 Recycle Bin to catch files deleted from command prompts and within programs, and it comes with full source code. Several powerful device driver techniques, including getting a user’s SID within a driver, enumerating a directory’s contents, and generating IRPs, are demonstrated in the source code available for download.

•    Junction

Create Win2K NTFS symbolic links

•    NetStatp

Wonder how TCPView works? Netstatp is a program with source that demonstrates how to program some of TCPView’s functionality. It shows how to use IP Helper interfaces, documented in MSDN, to obtain a list of TCP/IP endpoints. Note, however, that netstatp doesn’t show process names on NT 4 and Win2K like TCPView and TCPVCon.

•    NewSID — NOTE that changing a computer’s SID is NEVER NECESSARY

Learn about the computer SID problem everybody has been talking about and get a free computer SID changer, NewSID, complete with full source code.

•    NTFSInfo

Use NTFSInfo to see detailed information about NTFS volumes, including the size and location of the Master File Table (MFT) and MFT-zone, as well as the sizes of the NTFS meta-data files.

•    PipeList

Did you know that the device driver that implements named pipes is actually a file system driver? In fact, the driver’s name is NPFS.SYS, for “Named Pipe File System”. What you might also find surprising is that it’s possible to obtain a directory listing of the named pipes defined on a system. The directory listing NPFS returns also indicates the maximum number of pipe instances set for each pipe and the number of active instances.

•    RegHide

A subtle but significant difference between the Win32 API and the Native API (see Inside the Native API for more information on this largely undocumented interface) is the way that names are described. In the Win32 API strings are interpreted as NULL-terminated ANSI (8-bit) or wide character (16-bit) strings. In the Native API names are counted Unicode (16-bit) strings. While this distinction is usually not important, it leaves open an interesting situation: there is a class of names that can be referenced using the Native API, but that cannot be described using the Win32 API.

How is this possible? The answer is that a name which is a counted Unicode string can explicitly include NULL characters (0) as part of the name. For example, “Key\0”, where \0 denotes a NULL character. To include the NULL at the end, the length of the Unicode string is specified as 4. There is absolutely no way to specify this name using the Win32 API, since if “Key\0” is passed as a name the API will determine that the name is “Key” (3 characters in length), because the “\0” indicates the end of the name.

When a key (or any other object with a name, such as a named Event, Semaphore or Mutex) is created with such a name, any application using the Win32 API will be unable to open it, even though it might seem to see it. The program below, RegHide (source code is included), illustrates this point. It creates a key called “HKEY_LOCAL_MACHINE\Software\Sysinternals\Can’t touch me!” using the Native API, and inside this key it creates a value. Then the program pauses to give you an opportunity to see if you can view the value using any Registry editor you have handy (Regedit, Regedt32 or a third-party Registry editor). Because Regedit and Regedt32 (and likely any third-party Registry editor) use the Win32 API, they will see the key listed as a child of Sysinternals, but when you try to open the key you’ll get an error. This is because the Registry editor will try to open “Can’t touch me!” without the trailing NULL (which is interpreted as the end of the string) and won’t find this name. After you’ve verified this, exit the program and this special key will be deleted.
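The counted-string mechanism described above, as an added example that is not from this page or from Sysinternals: a portable C model of a Native API counted name beside the Win32 NUL-terminated view of the same buffer, plus the check an enumeration tool would apply to flag names that Win32 callers can never open. The struct name COUNTED_STR and the functions win32_open_matches and has_embedded_nul are assumptions for this illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Stand-in for the Native API's counted UNICODE_STRING (hypothetical name):
 * Length and MaximumLength are in BYTES and Buffer need not be NUL-terminated. */
typedef struct {
    uint16_t Length;          /* bytes in use */
    uint16_t MaximumLength;   /* bytes allocated */
    const uint16_t *Buffer;   /* UTF-16 code units */
} COUNTED_STR;

/* Number of UTF-16 units a Win32-style caller sees: it stops at the first NUL. */
static size_t win32_len(const uint16_t *s) {
    size_t n = 0;
    while (s[n] != 0) n++;
    return n;
}

/* Native-style comparison: exact byte-for-byte match over Length. */
static bool native_equal(const COUNTED_STR *a, const COUNTED_STR *b) {
    return a->Length == b->Length && memcmp(a->Buffer, b->Buffer, a->Length) == 0;
}

/* Win32-style open: the caller passes a NUL-terminated name, which is turned
 * into a counted string by scanning for the terminator, so "Key\0" becomes "Key". */
static bool win32_open_matches(const uint16_t *name, const COUNTED_STR *stored) {
    COUNTED_STR probe = { (uint16_t)(win32_len(name) * 2), 0, name };
    return native_equal(&probe, stored);
}

/* Detection check: a NUL inside the counted Length means no Win32 caller can
 * ever match this name, so an enumeration tool should flag it for review. */
static bool has_embedded_nul(const COUNTED_STR *s) {
    for (size_t i = 0; i < s->Length / 2; i++)
        if (s->Buffer[i] == 0) return true;
    return false;
}

/* Constructed sample: "Key" plus an explicit NUL (4 units, Length 8 bytes)
 * next to the plain 3-unit name "Key" (Length 6 bytes). */
static const uint16_t hidden_buf[] = { 'K', 'e', 'y', 0, 0 };
static const COUNTED_STR hidden_key = { 8, 10, hidden_buf };
static const uint16_t plain_buf[] = { 'K', 'e', 'y', 0 };
static const COUNTED_STR plain_key = { 6, 8, plain_buf };

int main(void) {
    printf("Win32 open of \"Key\" reaches hidden key: %d\n", win32_open_matches(plain_buf, &hidden_key));
    printf("hidden key flagged by embedded-NUL check: %d\n", has_embedded_nul(&hidden_key));
    return 0;
}
```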

•    SDelete

Securely overwrite your sensitive files and cleanse your free space of previously deleted files using this DoD-compliant secure delete program. Complete source code is included.

•    ShareEnum

Scan file shares on your network and view their security settings to close security holes.

•    TokenMon

Watch security-related activity, including logon, logoff, privilege usage, and impersonation with this monitoring tool. Full source code included.

•    VCMon

A VCache (Windows 95 disk cache) monitor, from our May 1996 Dr. Dobb’s Journal article on VxD Service hooking. Full source is included.

•    VxDMon

VxDMon provides a never-before-seen look into Windows 95 VxDs. See how VxDs interact with one another and monitor the performance of VxD services, including your own.

Categories: C/C++, OS Internals, Tech
  1. aker
    October 1, 2010 at 9:47 AM

    now the file can't be retrieved …

  2. Klaus
    February 2, 2011 at 10:18 AM

    The Megaupload link at http://sysinternals.kompjoefriek.nl/oh_shi.html still works. Rapidshare and Megashare are down.

  3. aks
    July 16, 2012 at 2:23 AM

    not working .. :(

  4. hamid faisal
    November 18, 2012 at 6:54 AM

    nothing online now……
