I have the 4th edition and plan on picking up the 5th soon. I have not read it cover to cover (I am sure I would be much wiser in the ways of Windows than I am if I would have!) but have found it to be a very valuable resource into the workings of Windows. You may want to start with the 5th and only get the 4th if you think it is necessary after you have finished the 5th. My understanding is that the editions are cumulative and only drops out information they think are old and do not have much relevance anymore (e.g. Windows 3.1, NT 3.5, etc).
Another book that is particularly pertinent to this thread that you may want to look into when it comes out is "Windows Sysinternals Administrator's Reference" also authored by <http://www.amazon.com/s/ref=ntt_athr_dp_sr_1?_encoding=UTF8&sort=relevancer ank&search-alias=books&field-author=Mark%20Russinovich> Mark Russinovich. This book was original supposed to be out last fall but was unfortunately delayed. I think it now has a spring release date. I will definitely be picking up a copy. Jody _____ From: [email protected] [mailto:[email protected]] On Behalf Of Josh Ciceraro Sent: Friday, February 12, 2010 8:29 AM To: PaulDotCom Security Weekly Mailing List Subject: Re: [Pauldotcom] Sysinternals Another tool I like is streams. You can use this to scan for alternate data streams. I found netcat on a box with this once. On another note, has anyone ever looked at any of the Windows Internals Books? I am thinking about buying the 4th ( http://www.amazon.com/Microsoft-Windows-Internals-4th-Server/dp/0735619174/r ef=sr_1_2?ie=UTF8 <http://www.amazon.com/Microsoft-Windows-Internals-4th-Server/dp/0735619174/ ref=sr_1_2?ie=UTF8&s=books&qid=1265909914&sr=1-2> &s=books&qid=1265909914&sr=1-2 ) and 5th ( http://www.amazon.com/Windows%C2%AE-Internals-Including-Windows-PRO-Develope r/dp/0735625301/ref=sr_1_1?ie=UTF8 <http://www.amazon.com/Windows%C2%AE-Internals-Including-Windows-PRO-Develop er/dp/0735625301/ref=sr_1_1?ie=UTF8&s=books&qid=1265909914&sr=1-1> &s=books&qid=1265909914&sr=1-1 ) editions Thanks for the link to the malware analysis video. I started watching it last night and what little I saw I liked. Gonna finish it today at work. On Thu, Feb 11, 2010 at 8:52 PM, Tim Mugherini <[email protected]> wrote: For those who forget your USB drive of tools while on the job http://live.sysinternals.com/ Also if you like the tools - I came across this Malware Analysis video from Mark Russinovich (author of the sysinternals suite) a couple of years back. For those not familiar with the tools , its definitely worth a watch. My personal Fav tool/feature would be the dumping of strings from volatile memory using process explorer Here's the video http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359 On Thu, Feb 11, 2010 at 7:32 PM, Matthew Lye <[email protected]> wrote: > I went a cached the site, especially all the source code. > Never know if MS is going to let a good thing keep going. > -Matthew Lye > > You can do anything you set your mind to when you have vision, > determination, and and endless supply of expendable labor. > <No trees were harmed during this transmission. However, a great number of > electrons were terribly inconvenienced> > > > On Fri, Feb 12, 2010 at 6:41 AM, Jack Daniel <[email protected]> wrote: >> >> One thing MS did right when they bought Sysinternals was bundle all of >> the tools in a single compressed file for easier download. >> >> So, who else dropped everything a few years ago when the MS >> acquisition of Sysinternals was announced and downloaded copies of >> everything they could find? >> >> Jack >> >> >> On Thu, Feb 11, 2010 at 2:23 PM, Josh Ciceraro <[email protected]> >> wrote: >> > I always put process explorer on all of my machines. It puts the task >> > manager to shame. Microsoft should be embarrassed. Psexec is another >> > awesome tool. I have just recently started using process monitor and >> > the >> > information you can get from it is just awesome. >> > >> > On Thu, Feb 11, 2010 at 1:34 PM, Butturini, Russell >> > <[email protected]> wrote: >> >> >> >> Absolutely. Sysinternals tools are the BEST for forensics, >> >> troubleshooting, systems management.Anything under the sun! I use >> >> psinfo, >> >> psloggedon, pslist,listdlls, and logonsessions in my forensics toolkit, >> >> and >> >> use process explorer as well when investigating malware. >> >> >> >> >> >> >> >> ________________________________ >> >> >> >> From: [email protected] >> >> [mailto:[email protected]] On Behalf Of Tyler >> >> Robinson >> >> Sent: Thursday, February 11, 2010 12:27 PM >> >> To: PaulDotCom Security Weekly Mailing List >> >> Subject: Re: [Pauldotcom] Sysinternals >> >> >> >> >> >> >> >> From both a white and grey hat perspective I love erd commander and >> >> pstools especially psexec I would be lost without psexec. >> >> >> >> On Feb 11, 2010 11:23 AM, "Josh Ciceraro" <[email protected]> >> >> wrote: >> >> >> >> Hello, >> >> >> >> I was wondering if anyone here in the group uses any of the >> >> sysinternals >> >> tools and what are some favorites. I really like autoruns, process >> >> explorer, and process monitor. Disk2Vhd seems pretty promising, though >> >> I >> >> haven't played with it yet. >> >> >> >> -- >> >> kaizoku Josh >> >> >> >> _______________________________________________ >> >> Pauldotcom mailing list >> >> [email protected] >> >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> >> Main Web Site: http://pauldotcom.com >> >> >> >> >> >> >> >> **************************************************************************** ** >> >> This email contains confidential and proprietary information and is not >> >> to >> >> be used or disclosed to anyone other than the named recipient of this >> >> email, >> >> and is to be used only for the intended purpose of this communication. >> >> >> >> >> >> **************************************************************************** ** >> >> >> >> _______________________________________________ >> >> Pauldotcom mailing list >> >> [email protected] >> >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> >> Main Web Site: http://pauldotcom.com >> > >> > >> > >> > -- >> > kaizoku Josh >> > >> > _______________________________________________ >> > Pauldotcom mailing list >> > [email protected] >> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> > Main Web Site: http://pauldotcom.com >> > >> >> >> >> -- >> ______________________________________ >> Jack Daniel, Reluctant CISSP >> http://twitter.com/jack_daniel >> http://www.linkedin.com/in/jackadaniel >> http://blog.uncommonsensesecurity.com >> _______________________________________________ >> Pauldotcom mailing list >> [email protected] >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> Main Web Site: http://pauldotcom.com > > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com -- kaizoku Josh
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
