Sysinternals Suite: Process Monitor, Autoruns, and Essential Diagnostics
Why Windows Built-in Tools Aren't Enough
Here's a situation I've seen play out hundreds of times. Your machine is slow. Task Manager shows 100% disk usage with no obvious culprit. Event Viewer throws error codes you've never heard of. You restart, it gets worse. You start Googling, and every forum thread says something different. Sound familiar?
The real problem isn't your hardware or even Windows itself; it's that the built-in diagnostic tools Microsoft ships with Windows are surface-level. They show you what is happening but rarely why. Task Manager gives you process names. Resource Monitor gives you a rough breakdown. But neither tells you which exact file a process is hammering, which registry keys an application is touching, or what launched silently at boot without your permission.
That's the gap the Sysinternals Suite fills. Mark Russinovich created the Sysinternals website in 1996 specifically because enterprise IT and developers needed tools that could see past Windows' polished exterior into the actual machinery underneath. Decades later, Microsoft acquired the suite, and it's now the gold standard for Windows and Linux system diagnostics.
The Sysinternals Suite bundles every utility into a single download, from Process Monitor (which logs every file, registry, and network operation on your system in real time) to Autoruns (which shows every single program configured to run at startup, including ones that hide from Task Manager's Startup tab) to Handle, AccessChk, and dozens more. If you're chasing a permission denied error, a mysterious boot delay, a crashing service, or a process you can't kill, this toolkit is where your investigation starts.
I know it can feel intimidating opening a window that floods you with thousands of events per second. That's exactly why this guide exists. I'm going to walk you through setup, filtering, the most-used tools, and how to actually read what you're seeing, without drowning in noise.
One more thing before we start: if you're on a corporate machine, check with your IT department first. Some organizations restrict unsigned tools from running. The Sysinternals tools are all signed by Microsoft, but Group Policy can still block them. If that's your situation, the Advanced Troubleshooting section below has you covered.
The Quick Fix: Get Running in 5 Minutes
If you're in a hurry and just need to run a Sysinternals tool right now, without downloading anything, Microsoft has you covered with Sysinternals Live. This service lets you run any tool directly from the web.
Open Windows Explorer (not a browser, the actual File Explorer) and type this into the address bar:
\\live.sysinternals.com\tools\procmon.exe
Hit Enter. Windows will authenticate to the live share, stream the binary, and launch Process Monitor directly. No installer, no extracted folder, nothing on your disk. From a command prompt, use the same UNC path. If you want to browse all available tools first, open your browser and go to https://live.sysinternals.com/, where you'll see the full directory listing.
If you're doing deeper work, or if you're in an environment with restricted internet access, download the full Sysinternals Suite instead. Go to the Microsoft Sysinternals page and grab the suite ZIP. Extract it to a folder like C:\Sysinternals and optionally add that path to your system's PATH environment variable so you can run any tool from any command prompt without navigating to the folder first.
For ARM64 machines (Surface Pro X, Copilot+ PCs, Windows on ARM), grab the dedicated Sysinternals Suite for ARM64 download. Running the x64 build under emulation works but degrades performance noticeably when tools like Process Monitor are capturing high-volume events.
Want to install and auto-update through a familiar interface? The Sysinternals Suite from the Microsoft Store handles that for you; updates come through the Store like any other app.
Head to the official Sysinternals Utilities Index on Microsoft's site and download the version that matches your system. For standard 64-bit Windows PCs, grab the main Sysinternals Suite ZIP. For ARM64 hardware, grab the ARM64 build specifically; it matters for performance-sensitive tools. Extract the archive to a permanent location like C:\Tools\Sysinternals.
Next, add that folder to your system PATH so you can call tools directly. Right-click This PC → Properties → Advanced system settings → Environment Variables. Under System variables, find Path, click Edit, then New, and paste your Sysinternals folder path. Click OK through all dialogs and open a fresh command prompt to verify:
procmon /?
autoruns /?
If both print help output, you're set. If you get "not recognized as an internal or external command", the PATH change didn't take: close and reopen the command prompt, or log off and back on.
On first launch of any Sysinternals GUI tool, a license agreement dialog appears. You must accept it before the tool loads. In automated or scripted environments you can bypass this by pre-accepting the EULA via the registry:
reg add "HKCU\Software\Sysinternals\Process Monitor" /v EulaAccepted /t REG_DWORD /d 1 /f
Repeat for each tool you plan to deploy (Autoruns, Handle, etc.). This is the approach for unattended enterprise rollouts; if you skip it, every tool silently exits without showing an error, which trips up a lot of automated scripts the first time.
When it's working, double-clicking Procmon.exe opens Process Monitor and immediately starts capturing. You should see events flooding in within half a second.
Process Monitor is one of the most powerful Windows diagnostic tools ever built, and also one of the most overwhelming if you open it cold. Within five seconds you'll have 50,000+ events on an idle machine. The tool captures every file system read/write, every registry access, and every network connection from every process. That's the point. But you need filters to make it actionable.
Go to Filter → Filter… (or press Ctrl+L). The filter dialog has three columns: Column, Relation, and Value. Here's the most common starting filter for isolating a specific application:
Process Name | is | yourapp.exe | Include
Process Name | is | System | Exclude
Process Name | is | svchost.exe | Exclude
To find out why an application is failing to open a file, add this filter on top:
Result | is | ACCESS DENIED | Include
Result | is | NAME NOT FOUND | Include
Now you're only seeing denied file access attempts by your target process. This single filter combination solves roughly 60% of "why is this application broken" cases I've worked on. The result column will show you the exact file path Windows rejected, and from there you either fix NTFS permissions or identify a missing dependency.
For registry troubleshooting, click the Show Registry Activity toolbar button (it looks like a database icon). Filter to your process, filter results to NAME NOT FOUND, and you'll see every registry key the app tried to read that doesn't exist, often pointing to a missing or corrupt installation component.
Save your filter set via Filter → Save Filter… so you don't rebuild it each session. When you see the event stream slow to a trickle of relevant entries, the filter is working. That's your signal to start reading.
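The same triage can be scripted so the capture runs unattended and the filter is applied in code rather than in the dialog. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes procmon.exe is on PATH, that the script runs from an elevated prompt, and that the default CSV export columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail) are in use. The process name yourapp.exe is a placeholder.

```powershell
# Added example: headless Process Monitor capture, CSV conversion and ACCESS DENIED /
# NAME NOT FOUND triage for one process. Run from an elevated PowerShell prompt.
param(
    [string]$TargetProcess = 'yourapp.exe',                    # placeholder: the app under investigation
    [int]$Seconds = 30,
    [string]$WorkDir = (Join-Path $env:TEMP 'procmon-triage')
)

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$pml = Join-Path $WorkDir 'capture.pml'
$csv = Join-Path $WorkDir 'capture.csv'

# 1. Start an unattended capture into a backing file. /Quiet suppresses the filter
#    confirmation dialog; /Minimized keeps the window out of the way.
Start-Process -FilePath 'procmon.exe' -ArgumentList @(
    '/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', "`"$pml`""
)
Write-Host "Capturing for $Seconds seconds; reproduce the problem now..."
Start-Sleep -Seconds $Seconds

# 2. Stop the running instance; /Terminate waits for it to flush the log and exit.
Start-Process -FilePath 'procmon.exe' -ArgumentList '/Terminate' -Wait

# 3. Convert the binary PML log to CSV (procmon exits once the save completes).
Start-Process -FilePath 'procmon.exe' -ArgumentList @(
    '/OpenLog', "`"$pml`"", '/SaveAs', "`"$csv`""
) -Wait

# 4. The article's filter, in code: only the target process, only the two results that
#    explain a broken application, grouped by path so the most-rejected path rises to the top.
function Get-DeniedPaths {
    param([string]$CsvPath, [string]$ProcessName)
    Import-Csv -Path $CsvPath |
        Where-Object {
            $_.'Process Name' -eq $ProcessName -and
            $_.Result -in @('ACCESS DENIED', 'NAME NOT FOUND')
        } |
        Group-Object -Property Result, Path |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count,
            @{ Name = 'Result'; Expression = { $_.Values[0] } },
            @{ Name = 'Path';   Expression = { $_.Values[1] } }
}

Get-DeniedPaths -CsvPath $csv -ProcessName $TargetProcess | Format-Table -AutoSize
```

The grouped output is what you would otherwise read off the Result column by eye: the top rows are the paths Windows rejected most often, which is where to start checking NTFS permissions or a missing dependency.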
Autoruns is the definitive answer to "why does my computer take forever to boot?" and "what is this mystery process that keeps appearing?" It shows you every single program, service, driver, browser extension, and scheduled task configured to launch automatically, from over 30 different locations that Windows uses for auto-start.
The built-in Task Manager Startup tab shows maybe 10–15% of what Autoruns shows. Malware authors know this. They hide persistence in places like HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, AppInit DLLs, and LSA authentication packages, all of which Autoruns exposes.
Launch autoruns.exe as Administrator (right-click → Run as administrator). This is important: without elevation you won't see system-level entries. Go to Options → Scan Options and check Check VirusTotal.com. Autoruns will hash every auto-start binary and query VirusTotal, flagging anything with detections in a red or yellow highlight. This is a fast first-pass malware sweep.
To investigate a suspicious entry: right-click it and choose Jump to Image to open the file location in Explorer, or Jump to Entry to go directly to the registry key or file path that's registering it.
To disable an entry without deleting it, uncheck the checkbox next to it. Autoruns writes the original value to a backup location so you can re-enable cleanly. To delete permanently, right-click → Delete. I always disable first, reboot, and confirm the problem is gone before deleting; that way, if you disabled the wrong thing, you can put it back without reinstalling anything.
The Logon tab is where most boot-delay culprits live. Sort by Image Path to group entries by location; anything running from %TEMP% or a user's AppData\Roaming with no description is immediately suspicious.
You've seen this one: "The action can't be completed because the file is open in another program." Windows gives you that error and nothing else. No process name. No way to know what's holding the lock. Handle fixes that.
Open an elevated command prompt and run:
handle.exe "C:\path\to\locked\file.txt"
Handle (currently at v5.0 as of October 2022) will list every process that has an open handle to that file, including the process ID (PID) and handle type. Once you have the PID, you can kill the process from Task Manager or via:
taskkill /PID 1234 /F
To close a specific handle without killing the entire process (useful for system processes you can't terminate), use:
handle.exe -c <handle-hex-value> -p <PID> -y
The -y flag skips the confirmation prompt. Be careful here: closing a handle that a process is actively using can crash that process or corrupt the file. Use it on hung or zombie handles, not active ones.
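Because handle.exe prints plain text, it helps to turn its output into objects you can sort and filter, and to print the close command rather than run it, since closing is the risky step. The following PowerShell is an added example, not code from the article or from Sysinternals; it assumes handle.exe is on PATH and that its output uses the usual "process  pid: N  type: T  hex: path" line layout, which is an assumption to spot-check against your build. The sample lines at the bottom are constructed.

```powershell
# Added example: parse handle.exe output into objects. Run from an elevated prompt.
function ConvertFrom-HandleOutput {
    param([Parameter(ValueFromPipeline)][string]$Line)
    begin {
        # Assumed line layout:  <process>  pid: <pid>  type: <type>  <hex>: <path>
        $pattern = '^(?<proc>\S.*?)\s+pid:\s*(?<pid>\d+)\s+type:\s*(?<type>\S+)\s+(?<hex>[0-9A-Fa-f]+):\s*(?<target>.+)$'
    }
    process {
        if ($Line -match $pattern) {
            [pscustomobject]@{
                ProcessName  = $Matches['proc']
                PID          = [int]$Matches['pid']
                HandleType   = $Matches['type']
                HandleHex    = $Matches['hex']
                Target       = $Matches['target'].Trim()
                # The command from the article, ready to paste only once you have decided
                # the handle is stale; -y skips the confirmation prompt.
                CloseCommand = "handle.exe -c $($Matches['hex']) -p $($Matches['pid']) -y"
            }
        }
    }
}

function Get-FileLockers {
    param([Parameter(Mandatory)][string]$Path)
    # -nobanner drops the copyright header; -accepteula avoids the first-run dialog.
    & handle.exe -accepteula -nobanner $Path 2>&1 | ConvertFrom-HandleOutput
}

# Constructed sample output, so the parser can be checked without a locked file on hand.
$sample = @(
    'WINWORD.EXE        pid: 4412   type: File          3A4: C:\Docs\report.docx',
    'explorer.exe       pid: 1800   type: File          1C8: C:\Docs\report.docx'
)
$sample | ConvertFrom-HandleOutput | Format-Table ProcessName, PID, HandleHex, CloseCommand -AutoSize

# Real use:
# Get-FileLockers -Path 'C:\path\to\locked\file.txt' | Format-Table -AutoSize
```

With the PIDs in hand you can decide per process whether to end it with taskkill or, for a process you cannot terminate, paste the printed close command for that one handle.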
AccessChk (v6.15) complements Handle by showing you what permissions exist on a resource rather than who has it open. To check what a specific user or group can do with a directory:
accesschk.exe -d "C:\SensitiveFolder" -u "DOMAIN\username"
To find all services a non-admin user can modify (a common privilege escalation path in penetration testing and security audits):
accesschk.exe -ucqw "Authenticated Users" -k "HKLM\System\CurrentControlSet\Services"
When the output shows RW (Read/Write) access for a low-privileged account on a service registry key, that's a misconfiguration worth fixing immediately. This is the exact kind of check security teams run before a pen test engagement.
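To turn that one-off command into a repeatable audit, the following PowerShell runs the AccessChk write-access checks for a list of low-privileged principals against both the service objects and the Services registry tree, and collects only the W and RW hits. It is an added example, not code from the article or from Sysinternals; it assumes accesschk.exe is on PATH, an elevated prompt, and that hits are printed as lines beginning with RW or W followed by the object name. The principal list is a constructed starting set for you to adjust.

```powershell
# Added example: collect services and service registry keys that low-privileged principals
# can write to, as objects you can sort, export and track over time. Run elevated.
function Find-WritableServiceTargets {
    param(
        [string[]]$Principals = @('Authenticated Users', 'Users', 'Everyone')  # constructed starting set
    )
    $hit = '^\s*(RW|W)\s+(.+)$'   # assumed output shape: access letters, then the object name
    foreach ($p in $Principals) {
        # Service objects: -c = names are services, -w = report write access only,
        # -q = no banner, -u = suppress errors. '*' means every service.
        foreach ($line in (& accesschk.exe -accepteula -ucqw $p * 2>$null)) {
            if ($line -match $hit) {
                [pscustomobject]@{ Principal = $p; Kind = 'ServiceObject'; Access = $Matches[1]; Target = $Matches[2].Trim() }
            }
        }
        # Service registry keys: -k = name is a registry key, -s = recurse into subkeys.
        foreach ($line in (& accesschk.exe -accepteula -uqws $p -k 'HKLM\System\CurrentControlSet\Services' 2>$null)) {
            if ($line -match $hit) {
                [pscustomobject]@{ Principal = $p; Kind = 'RegistryKey'; Access = $Matches[1]; Target = $Matches[2].Trim() }
            }
        }
    }
}

# Any row here is the misconfiguration the article describes: a low-privileged account
# that can change how a service runs. Export the result so the next run can be diffed.
Find-WritableServiceTargets | Sort-Object Kind, Target | Tee-Object -Variable findings | Format-Table -AutoSize
$findings | Export-Csv -Path (Join-Path $env:TEMP 'service-acl-findings.csv') -NoTypeInformation
```

An empty result is the goal; anything listed should be tightened at the source (the service's security descriptor or the key's ACL) and then re-run to confirm.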
DebugView (now at v5.0 as of March 26, 2026) is the tool you reach for when an application or driver is misbehaving silently: no error dialog, no event log entry, just broken behavior. Many Windows applications and virtually all drivers write debug strings using OutputDebugString() (Win32) or DbgPrint() (kernel). Under normal circumstances, those messages disappear into the void unless a debugger is attached. DebugView intercepts them and shows them to you live.
Launch dbgview.exe as Administrator. Go to Capture → Capture Global Win32 and Capture → Capture Kernel. Now reproduce the problem you're investigating. Watch the output window; you're looking for error strings, failure codes, or stack traces that the application writes but never surfaces in the UI.
The v5.0 release specifically improves Windows 11 support, adds a modern dark UI, and includes performance optimizations; if you've been running an older version and it felt sluggish on Windows 11, upgrade now.
Use Edit → Filter/Highlight to color-code specific strings. For example, highlight anything containing "error" or "fail" in red so it jumps out immediately. Save the capture via File → Save As and share it with a developer or support team; the timestamped log is far more useful than a screenshot.
For remote debugging scenarios, DebugView can also capture debug output from remote machines over the network. Go to Computer → Connect and enter the target machine name. You'll need admin rights on the remote machine and appropriate firewall rules allowing the connection. This is a huge time-saver for troubleshooting server issues without sitting in front of the machine, or connecting via Remote Desktop just to run a tool.
When your capture shows a clean stream with no error messages during the problem reproduction, the issue likely isn't in the app's debug path; move to Process Monitor to look at file and registry activity instead.
Advanced Troubleshooting
Enterprise Deployment via Group Policy
Deploying the Sysinternals Suite across a domain? The cleanest approach is to host the suite on a file share and use a Group Policy Software Installation or a startup script to copy it to each machine. Map a network share and add \\yourserver\tools\sysinternals to the PATH via a GPO Computer Configuration preference.
For pre-accepting EULAs at scale, create a GPO that runs this PowerShell at computer startup:
$tools = @("Process Monitor","Autoruns","Handle","AccessChk","DebugView","BGInfo")
foreach ($tool in $tools) {
    $regPath = "HKLM:\Software\Sysinternals\$tool"
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    Set-ItemProperty -Path $regPath -Name "EulaAccepted" -Value 1 -Type DWord
}
This runs silently at boot for every domain machine and means your tools are immediately usable when you remote in during an incident, with no EULA prompt blocking you at 2 AM.
BgInfo for Server Documentation
BgInfo (v4.33, updated February 2025) deserves special mention for server environments. It auto-generates a desktop background displaying IP addresses, computer name, OS version, last boot time, free disk space, and any other WMI-queryable field you want. In environments with dozens of RDP sessions open simultaneously, BgInfo prevents the "which server am I on?" mistake that causes admins to run commands against the wrong machine.
Deploy it via a GPO logon script pointing to a shared .bgi config file on your SYSVOL, so all servers automatically pick up configuration changes without any manual updates.
Analyzing Crash Dumps with NotMyFault
NotMyFault (v4.40, updated March 2026) is a controlled way to trigger system crashes, hangs, and kernel memory leaks on demand, specifically for validating that your crash dump configuration is working before you need it in production. The v4.40 release adds secure kernel and hypervisor crash triggers, which matters for systems running Credential Guard or Virtualization-Based Security.
Before running NotMyFault, verify your memory dump settings: System Properties → Advanced → Startup and Recovery → Settings. Set the dump type to Complete memory dump or Automatic memory dump and note the dump file path (default: %SystemRoot%\MEMORY.DMP). Then use NotMyFault to trigger a controlled crash and confirm the dump file appears. If it doesn't, you have a dump configuration problem you want to discover now, not after a real crash.
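Both halves of that check, reading the dump configuration beforehand and confirming the dump landed afterwards, can be scripted. The following PowerShell is an added example, not code from the article or from Sysinternals; it reads the standard CrashControl registry values (CrashDumpEnabled 0 = none, 1 = complete, 2 = kernel, 3 = small, 7 = automatic) and looks for the System log event 1001 that Windows writes on the reboot after a bugcheck. Run it on the test system before and after the NotMyFault crash, never on a production machine.

```powershell
# Added example: verify crash dump settings before a NotMyFault test, and confirm the
# dump file and bugcheck event exist afterwards. Run from an elevated prompt.
function Get-CrashDumpConfig {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    $cc    = Get-ItemProperty -Path $key
    $types = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small (minidump)'; 7 = 'Automatic' }
    $dumpFile = if ($cc.DumpFile) { [Environment]::ExpandEnvironmentVariables($cc.DumpFile) }
                else { Join-Path $env:SystemRoot 'MEMORY.DMP' }   # the default the article names
    $sysDrive = $env:SystemDrive.TrimEnd(':')
    [pscustomobject]@{
        DumpType          = $types[[int]$cc.CrashDumpEnabled]
        DumpFile          = $dumpFile
        Overwrite         = [bool]$cc.Overwrite
        AutoReboot        = [bool]$cc.AutoReboot
        # A complete dump needs roughly RAM-sized free space on the system drive.
        FreeOnSystemDriveGB = [math]::Round((Get-PSDrive -Name $sysDrive).Free / 1GB, 1)
    }
}

function Test-CrashDumpLanded {
    param([Parameter(Mandatory)][datetime]$CrashedAfter)   # when you triggered NotMyFault
    $cfg  = Get-CrashDumpConfig
    $file = Get-Item -Path $cfg.DumpFile -ErrorAction SilentlyContinue
    # On the reboot after a crash, Windows logs System event 1001 ("rebooted from a bugcheck")
    # including the bugcheck code and the path the dump was saved to.
    $bugcheck = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1001; StartTime = $CrashedAfter } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'bugcheck' } | Select-Object -First 1
    [pscustomobject]@{
        DumpType       = $cfg.DumpType
        DumpFileFound  = ($null -ne $file -and $file.LastWriteTime -gt $CrashedAfter)
        DumpFileSizeMB = if ($file) { [math]::Round($file.Length / 1MB) } else { 0 }
        BugCheckEvent  = if ($bugcheck) { ($bugcheck.Message -split "`r?`n")[0] } else { $null }
    }
}

# Before the test:
Get-CrashDumpConfig
# After the machine comes back (time is a placeholder for when you ran NotMyFault):
# Test-CrashDumpLanded -CrashedAfter (Get-Date '2026-03-01 10:00')
```

If DumpFileFound is false but the 1001 event is present, the dump was attempted and failed to write, which usually points at page file size or placement rather than the crash itself.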
Event Viewer Cross-Reference
When Process Monitor shows a failing operation, cross-reference it in Event Viewer under Windows Logs → System and Application. Common event IDs to look for alongside Sysinternals data: Event ID 7034 (service crashed unexpectedly), Event ID 7031 (service terminated unexpectedly), and Event ID 1000 (application crash with faulting module name). The combination of Process Monitor's file/registry trace and Event Viewer's error codes gives you the complete picture.
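The cross-reference is quicker when the events are pulled for the window around the failing Process Monitor operation rather than scrolled through in Event Viewer. The following PowerShell is an added example, not code from the article; it queries the three event IDs named above with Get-WinEvent and extracts the faulting module from event 1000 messages. The timestamp in the usage line is a placeholder for the Time of Day of the failing Procmon event.

```powershell
# Added example: service crash (7031, 7034) and application crash (1000) events within a
# few minutes of a Process Monitor finding, so the two views line up by timestamp.
function Get-CrashEventsAround {
    param(
        [Parameter(Mandatory)][datetime]$Around,   # time of the failing Procmon operation
        [int]$MinutesEitherSide = 5
    )
    $start = $Around.AddMinutes(-$MinutesEitherSide)
    $end   = $Around.AddMinutes($MinutesEitherSide)
    $filters = @(
        @{ LogName = 'System';      Id = 7031, 7034; StartTime = $start; EndTime = $end },
        @{ LogName = 'Application'; Id = 1000;       StartTime = $start; EndTime = $end }
    )
    foreach ($f in $filters) {
        # Get-WinEvent raises an error, not an empty result, when nothing matches.
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
            $module = if ($_.Message -match 'Faulting module name:\s*([^,\r\n]+)') { $Matches[1] } else { $null }
            [pscustomobject]@{
                Time           = $_.TimeCreated
                Log            = $f.LogName
                Id             = $_.Id
                Source         = $_.ProviderName
                FaultingModule = $module                       # populated for event 1000
                Summary        = ($_.Message -split "`r?`n")[0] # first line names the service or app
            }
        }
    }
}

# Usage (placeholder time): compare the Time column against the Procmon Time of Day column.
Get-CrashEventsAround -Around (Get-Date '2026-03-01 14:32:10') | Sort-Object Time | Format-Table -AutoSize
```

A 1000 event whose FaultingModule is a DLL that Procmon shows as NAME NOT FOUND moments earlier is the usual shape of a missing-dependency crash.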
Prevention & Best Practices
The best time to get familiar with the Sysinternals Suite is before something breaks. I've watched engineers spend eight hours troubleshooting a problem that would have taken twenty minutes if they'd had a baseline Process Monitor capture from before the problem started. Here's how to build that safety net.
Run Autoruns on every new machine you're responsible for within the first week. Document what should be there. Export the list via File → Save as an Autoruns data file (.arn). Store it somewhere accessible. When something weird starts happening months later, you can do File → Compare against your saved baseline and see exactly what changed, new entries highlighted in green, removed entries in red. This is one of the fastest ways to spot a malware infection or a misbehaving software update.
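The baseline comparison above, together with the Logon tab heuristics from the Autoruns section (entries running from %TEMP% or AppData\Roaming with no description), can be automated with the command-line autorunsc.exe so the check runs on every managed machine. The following PowerShell is an added example, not code from the article or from Sysinternals. It assumes both CSVs were produced from a cmd prompt with a command such as autorunsc.exe -accepteula -nobanner -a * -c -h -s > baseline.csv, and that the column names Entry Location, Entry, Description, Signer and Image Path match that output; the GUI's .arn files are not CSV, so File → Compare remains the tool for those.

```powershell
# Added example: diff a saved autorunsc CSV baseline against a fresh capture and flag
# new entries that match the article's suspicious-location heuristics.
function Get-EntryKey {
    param($Row)
    # Where it is registered, what it is called, and what it launches.
    "$($Row.'Entry Location')|$($Row.Entry)|$($Row.'Image Path')"
}

function Get-SuspicionReasons {
    param($Row)
    $path    = [string]$Row.'Image Path'
    $reasons = @()
    if ($path -match '\\Temp\\' -or $path -match '\\AppData\\Roaming\\') { $reasons += 'user-writable path' }
    if ([string]::IsNullOrWhiteSpace($Row.Description))                  { $reasons += 'no description' }
    if ([string]$Row.Signer -notmatch '^\(Verified\)')                   { $reasons += 'not signature-verified' }
    $reasons -join '; '
}

function Compare-AutorunsBaseline {
    param(
        [Parameter(Mandatory)][string]$BaselineCsv,
        [Parameter(Mandatory)][string]$CurrentCsv
    )
    $baseline = Import-Csv -Path $BaselineCsv
    $current  = Import-Csv -Path $CurrentCsv
    $baselineKeys = @{}; foreach ($row in $baseline) { $baselineKeys[(Get-EntryKey $row)] = $true }
    $currentKeys  = @{}; foreach ($row in $current)  { $currentKeys[(Get-EntryKey $row)]  = $true }

    foreach ($row in $current) {
        if (-not $baselineKeys.ContainsKey((Get-EntryKey $row))) {
            [pscustomobject]@{
                Change = 'Added'; Entry = $row.Entry; Location = $row.'Entry Location'
                ImagePath = $row.'Image Path'; Signer = $row.Signer
                Suspicious = Get-SuspicionReasons $row
            }
        }
    }
    foreach ($row in $baseline) {
        if (-not $currentKeys.ContainsKey((Get-EntryKey $row))) {
            [pscustomobject]@{
                Change = 'Removed'; Entry = $row.Entry; Location = $row.'Entry Location'
                ImagePath = $row.'Image Path'; Signer = $row.Signer; Suspicious = ''
            }
        }
    }
}

# Paths are placeholders; put the baseline somewhere the machine itself cannot alter.
Compare-AutorunsBaseline -BaselineCsv '\\fileserver\baselines\HOST01-baseline.csv' -CurrentCsv "$env:TEMP\HOST01-now.csv" |
    Sort-Object Change, Suspicious -Descending | Format-Table -AutoSize
```

Added rows with a non-empty Suspicious column are the ones to open in the Autoruns GUI first (Jump to Entry, then Jump to Image); removed rows are usually uninstalls, but a removed security product entry deserves the same attention.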
Schedule a monthly Contig run on your most-used files and folders. Contig (v1.83, updated March 2023) defragments individual files rather than the entire drive; it's targeted and fast. Windows 10 and 11 already auto-defragment spinning drives on a schedule, and SSDs don't need traditional defragmentation at all, but on HDDs Contig is still useful for making sure frequently used files, such as large database files or virtual machine disk images, sit in contiguous blocks.
Set BgInfo to run at logon on all your servers. The time investment is thirty minutes once; the payoff is avoiding every "wrong server" mistake forever.
Keep the Suite updated. The Sysinternals team ships meaningful updates regularly: DebugView just got a full Windows 11 overhaul and dark mode, and ZoomIt added full panorama screenshot support in v11.0. These aren't just bug fixes; they're capability upgrades. If you installed the suite from the Microsoft Store, updates happen automatically. If you're running the ZIP version, check the Sysinternals Blog for change notes periodically.
- Run Autoruns as Administrator on every new machine and save the baseline .arn file immediately
- Pre-accept Sysinternals EULAs via registry on all managed machines so tools are ready to use during incidents
- Add your Sysinternals folder to the system PATH so any tool is one command away from any prompt
- Keep a Process Monitor filter set saved for your most common troubleshooting scenarios; don't rebuild from scratch every time
Frequently Asked Questions
Can I run Sysinternals tools without downloading anything to my computer?
Yes. Sysinternals Live lets you run tools directly from Microsoft's web share. In Windows Explorer, enter \\live.sysinternals.com\tools\procmon.exe in the address bar and hit Enter. In a command prompt use the same UNC path. You can also browse the full tool directory at https://live.sysinternals.com/ in a browser. Note that this requires internet access, and Windows will cache the binary locally in a temp location while it runs; nothing is permanently installed.
Why does Autoruns show more startup items than Task Manager's Startup tab?
Task Manager's Startup tab only checks a handful of registry run keys and the Startup folders. Autoruns checks over 30 different auto-start locations, including AppInit DLLs, Winlogon notification packages, browser helper objects, scheduled tasks, services, drivers, and LSA authentication providers. Legitimate software and malware alike use these lesser-known locations specifically because Task Manager misses them. That's why security professionals treat Autoruns as the authoritative startup inventory tool, not Task Manager.
Process Monitor is flooding me with events, how do I stop the noise and find what I need?
Press Ctrl+L to open the Filter dialog and start with two filters: include only the process name you're investigating, then add a Result filter for ACCESS DENIED or NAME NOT FOUND depending on what you're chasing. You can also click the toolbar icons to toggle showing only file activity, only registry activity, or only network activity; hiding the other two categories alone cuts 70% of the noise on most machines. Save your filter set so you don't have to rebuild it next time.
I get an error saying Sysinternals tools are blocked by my organization, what do I do?
This is a Group Policy or AppLocker restriction set by your IT department. The Sysinternals tools are all Microsoft-signed binaries, so if they're blocked it's an explicit policy decision rather than an accident. Contact your IT administrator and request an exception or ask them to run the tool on your behalf. If you're the IT admin, check Computer Configuration → Windows Settings → Security Settings → Software Restriction Policies and AppLocker rules under Application Control Policies in Group Policy Editor (gpedit.msc).
Which Sysinternals Suite download should I use, the regular ZIP, ARM64, or Microsoft Store version?
Use the standard Sysinternals Suite ZIP for regular x64 Windows machines. If you're on an ARM64 device (Surface Pro X, Qualcomm Snapdragon-based Windows PCs, or any Copilot+ PC), grab the Sysinternals Suite for ARM64 specifically, as running x64 binaries under emulation degrades capture performance significantly for high-throughput tools like Process Monitor. The Microsoft Store version is the best choice if you want hands-off automatic updates and don't need to manage a shared network path; it installs, updates, and manages itself like any Store app.
Can I use Contig on an SSD, or is it only for hard drives?
Contig works on SSDs at the filesystem level, but traditional file defragmentation on an SSD provides no performance benefit and adds unnecessary write cycles that wear the drive. Where Contig remains useful on SSDs is for ensuring specific large files, like VM disk images or database files, are written as a single contiguous block when first created, which can reduce NTFS metadata overhead. For spinning hard drives, Contig (v1.83) is genuinely useful for quickly defragmenting individual heavily fragmented files without running a full drive defrag. The contig -a flag analyzes fragmentation without making any changes, so you can check first.