Free (and legal) SysInternals Source Code….
Before Mark Russinovich sold his company (Winternals) to Microsoft, he used to release the source code to many of his SysInternals utilities. I did some Googling and have found much of this code is still online at: http://sysinternals.kompjoefriek.nl/rip/www.sysinternals.com/SourceCode.html
The source code is written primarily in C and includes many of his GUI and console applications. I’ve found this source code useful as a reference for the “right” way to do things, as this code has been used in utilities that have run on millions of computers. Some of these utilities were designed for Windows 95/NT4, but most were designed for Windows 2000/XP.
• AccessEnum
This simple yet powerful security tool shows you who has what access to directories, files and Registry keys on your systems. Use it to find holes in your permissions.
• Restore tombstoned Active Directory objects in Server 2003 domains
• Bypass password screen during logon
• CacheSet
CacheSet is a program that allows you to control the Cache Manager’s working set size using functions provided by NT. It’s compatible with all versions of NT and full source code is provided.
• Ctrl2cap
This is a kernel-mode driver that demonstrates keyboard input filtering just above the keyboard class driver in order to turn the Caps Lock key into a Control key. Filtering at this level allows conversion and hiding of keys before NT even “sees” them. Full source is included. Ctrl2cap also shows how to use NtDisplayString() to print messages to the initialization blue-screen.
• Display volume disk-mappings
• FMIFS – ChkdskX and FormatX
Complete source code for chkdsk and format clone programs. These examples demonstrate the use of file system utility functions that you can incorporate into your own applications.
This utility expands the NT 4.0 Recycle Bin to catch files deleted from command prompts and within programs, and it comes with full source code. Several powerful device driver techniques, including getting a user’s SID within a driver, enumerating a directory’s contents, and generating IRPs, are demonstrated in source code available for download.
• Create Win2K NTFS symbolic links
• Netstatp
Wonder how TCPView works? Netstatp is a program with source that demonstrates how to program some of TCPView’s functionality. It shows how to use IP Helper interfaces, documented in MSDN, to obtain a list of TCP/IP endpoints. Note, however, that netstatp doesn’t show process names on NT 4 and Win2K like TCPView and TCPVCon.
• NewSID — NOTE that changing a computer’s SID is NEVER NECESSARY
Learn about the computer SID problem everybody has been talking about and get a free computer SID changer, NewSID, complete with full source code.
• NTFSInfo
Use NTFSInfo to see detailed information about NTFS volumes, including the size and location of the Master File Table (MFT) and MFT-zone, as well as the sizes of the NTFS meta-data files.
Did you know that the device driver that implements named pipes is actually a file system driver? In fact, the driver’s name is NPFS.SYS, for “Named Pipe File System”. What you might also find surprising is that it’s possible to obtain a directory listing of the named pipes defined on a system. The directory listing NPFS returns also indicates the maximum number of pipe instances set for each pipe and the number of active instances.
• RegHide
A subtle but significant difference between the Win32 API and the Native API (see Inside the Native API for more information on this largely undocumented interface) is the way that names are described. In the Win32 API, strings are interpreted as NULL-terminated ANSI (8-bit) or wide character (16-bit) strings. In the Native API, names are counted Unicode (16-bit) strings. While this distinction is usually not important, it leaves open an interesting situation: there is a class of names that can be referenced using the Native API but that cannot be described using the Win32 API.
How is this possible? The answer is that a name which is a counted Unicode string can explicitly include NULL characters (0) as part of the name. For example, “Key\0”. To include the NULL at the end, the length of the Unicode string is specified as 4. There is absolutely no way to specify this name using the Win32 API, since if “Key\0” is passed as a name, the API will determine that the name is “Key” (3 characters in length) because the “\0” indicates the end of the name.
When a key (or any other object with a name, such as a named Event, Semaphore or Mutex) is created with such a name, any applications using the Win32 API will be unable to open the name, even though they might seem to see it. The program below, RegHide (source code is included), illustrates this point. It creates a key called “HKEY_LOCAL_MACHINE\Software\Sysinternals\Can’t touch me!\0” using the Native API, and inside this key it creates a value. Then the program pauses to give you an opportunity to see if you can view the value using any Registry editor you have handy (Regedit, Regedt32 or a third-party Registry editor). Because Regedit and Regedt32 (and likely any third-party Registry editor) use the Win32 API, they will see the key listed as a child of Sysinternals, but when you try to open the key you’ll get an error. This is because the Registry editor will try to open “Can’t touch me!” without the trailing NULL (which is interpreted as the end of the string) and won’t find this name. After you’ve verified this, exit the program and this special key will be deleted.
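As an added illustration (not part of the original post or of RegHide’s own source), the following C models the two naming conventions the paragraphs above contrast: a counted name whose Length covers a trailing U+0000, versus the NUL-terminated scan that Win32 applies to the same buffer, plus a check a defender can run over names enumerated through the Native API to flag keys that Regedit-style tools cannot open. The counted_string type and all function names are constructed for this example; in the real structure Length is in bytes, which is why “Key\0” comes out as 8 bytes here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of the Native API's counted string: Length is in bytes,
 * and a U+0000 code unit inside that Length is just another character. */
typedef struct {
    uint16_t length;         /* bytes of buffer that belong to the name */
    uint16_t maximum_length; /* bytes available in buffer */
    uint16_t *buffer;        /* UTF-16 code units, no terminator required */
} counted_string;

/* Build a counted name from ASCII text; with trailing_nul set, the U+0000
 * is counted as the final character, the way RegHide names its key. */
static bool make_counted_name(const char *ascii, bool trailing_nul,
                              uint16_t *storage, size_t storage_units,
                              counted_string *out) {
    size_t chars = strlen(ascii), units = chars + (trailing_nul ? 1 : 0);
    if (units > storage_units || units * 2 > UINT16_MAX) return false;
    for (size_t i = 0; i < chars; i++)
        storage[i] = (uint16_t)(unsigned char)ascii[i];
    if (trailing_nul) storage[chars] = 0;
    out->buffer = storage;
    out->length = (uint16_t)(units * 2);
    out->maximum_length = (uint16_t)(storage_units * 2);
    return true;
}

/* The Win32 view of the same buffer: stop at the first U+0000, as wcslen()
 * does. For a RegHide-style name this yields a shorter, different name. */
static size_t win32_name_chars(const counted_string *s) {
    size_t units = s->length / 2, n = 0;
    while (n < units && s->buffer[n] != 0) n++;
    return n;
}

/* Defender check: if the Win32 scan covers fewer bytes than Length, the
 * name embeds a NUL and cannot be opened by Win32 tools; flag it for review. */
static bool has_embedded_nul(const counted_string *s) {
    return win32_name_chars(s) * 2 != s->length;
}

/* Wrappers comparing both views of one literal name (constructed helpers). */
static size_t native_length_bytes(const char *ascii, bool trailing_nul) {
    uint16_t storage[64]; counted_string s;
    return make_counted_name(ascii, trailing_nul, storage, 64, &s) ? s.length : 0;
}
static bool hidden_from_win32(const char *ascii, bool trailing_nul) {
    uint16_t storage[64]; counted_string s;
    return make_counted_name(ascii, trailing_nul, storage, 64, &s) && has_embedded_nul(&s);
}
```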
Securely overwrite your sensitive files and cleanse your free space of previously deleted files using this DoD-compliant secure delete program. Complete source code is included.
Scan file shares on your network and view their security settings to close security holes.
Watch security-related activity, including logon, logoff, privilege usage, and impersonation with this monitoring tool. Full source code included.
A VCache (Windows 95 disk cache) monitor, from our May 1996 Dr. Dobb’s Journal article on VxD Service hooking. Full source is included.
• VxDMon
VxDMon provides a never-before-seen look into Windows 95 VxDs. See how VxDs interact with one another and monitor the performance of VxD services, including your own.