With a nod to Vivek Gite and his popular 20 Linux System Monitoring Tools Every SysAdmin Should Know article, we present “20 Top Windows SysAdmin Tools You Should Know”.
Many of the programs listed below are included with Windows and provide all kinds of information about what is happening on the computer. Some you’ve probably heard of, and hopefully a few will be new to you.
1. Task Manager – CPU and memory usage
Popular Alternatives to TcpView For Linux for Windows, Linux, PortableApps.com, Software as a Service (SaaS), Mac and more. Explore apps like TcpView For Linux, all suggested and ranked by the AlternativeTo user community.
Everyone that deals with Windows in a system administrator capacity has to know about the most common of SysAdmin Tools, Task Manager. The nice thing is it keeps getting better with each new version of Windows.
The screenshots below show Task Manager from Windows 2008 R2. To make sure you see everything, click the button (a check box in older versions) in the lower left corner.
- Sysinternals Networking Utilities.; 2 minutes to read; m; In this article. AD Explorer Active Directory Explorer is an advanced Active Directory (AD) viewer and editor. AD Insight AD Insight is an LDAP (Light-weight Directory Access Protocol) real-time monitoring tool aimed at troubleshooting Active Directory client applications.
- As a developer coming from a Windows background, I'd always find the different Powertoys and Sysinternals apps as invaluable tools in aiding programming. Is there something similar for a developer to.
- TCPView is not available for Mac but there is one alternative that runs on macOS with similar functionality. The most popular Mac alternative is PortsMonitor. If that doesn't work for you, our users have ranked 10 alternatives to TCPView, but unfortunately only one is available for Mac.
- NetLimiter more advanced than TCPview and other Nirsoft? (sniff UDP remote address for Sea of thieves) Hello I use windows 10 64bits On Sea of Thieves me and my friends use Netlimiter to identify the remote server ip address and port to connect to the same server and loot stuff together in the same alliance, this is not against the TOS.
The Processes tab is probably the most useful. Here you can see the list of running processes, how much memory and CPU each process is using, the user account the process is running under and more.
In addition, you can click View -> Select Columns… to show even more information, such as the Session ID a process is in, the full path to the executable, how much virtual memory the process has allocated, and more. One stop system administrator goodness 🙂
But wait, there’s more!
The Performance tab gives some nice charts of CPU utilization. You can also see total memory, kernel memory, etc.
A low amount of Free memory is not a bad thing — it often means Windows is using your RAM to cache parts of the hard disk, thus speeding up many operations. If the RAM is needed, the caches will give it back.
One of the best kept secrets, the Resource Monitor, is also accessible from here.
2. Resource monitor – high level disk I/O tracking
Have you ever been using a computer or server and noticed it get really sluggish? Sometimes you can hear the disk thrashing and know that some process is busier than you want it to be. If you’re lucky, you can check Task Manager and sort by CPU to see which process is using a lot of CPU. But in many cases, the offending process is doing very little with CPU because it’s so busy thrashing the disk. Another fairly common piece of Windows SysAdmin Tools, the Resource Monitor, lets you find the culprit.
Start the Resource Monitor and click the Disk tab. Expand the “Processes with Disk Activity” drop down. Sort the list by the “Total (B/sec)” column to quickly see which process is so busy. To further understand what is happening, you can expand the “Disk Activity” drop down and sort that list by “Total (B/sec)”. Looking at the file names will sometimes give a hint about whether the process is doing a backup, writing to a log file, or some other activity.
3. Performance Monitor (aka Perfmon)
Performance Monitor is a real gem on Windows, and many IT folks would benefit by becoming more comfortable with it. The operating system publishes many useful stats here (active database connections, active HTTP connections, CPU usage, time per disk read, network usage, process memory, etc). In addition, other application providers can also include stats, and most (all?) of Microsoft’s major apps do, like IIS, MS SQL Server and Exchange.
When you first start perfmon.exe or perfmon.msc (they’re the same), it’s not much to look at. Make sure to click the “Performance Monitor” node, and then the green plus symbol to add counters to watch.
There are sooo many counters that can be monitored that this article can’t even begin to cover them. One thing that will help though – when you’re looking at the list of counters, check the “Show description” box at the bottom left corner – this helps you understand what the selected counter does.
Also note that Perfmon can connect to other computers on your network and display their counter values.
(Side note, there is a compiled list of typical counters to monitor for Microsoft Exchange at:
/help/latestSMHelp.aspx?page=howto_monitor_exchange.aspx )
4. Services
The Services applet (services.msc — it’s the gear looking thingy in Administrator Tools) is where you can control the service processes that are running on Windows. Of particular interest to IT admins is the service’s start up type (usually automatic or manual) and the Log On As account.
‘Recovery’ is a cool under-used feature. Right click a service and go to Properties. Here you can tell Windows what it should do if the service stops unexpectedly (crashes). Restarting the service is often a good option.
5. Event Log Viewer – system logs, errors and events
One SysAdmin Tool no one should overlook is the Windows Event Log Viewer. It shows a wealth of information about problems that might be happening on a server, including hardware errors, server restarts and more. The Application and System logs are typically where you’ll find what you’re looking for, but there are more logs than that on modern Windows. If you have a blue screen, a server hang, or an application misbehaving, look in the Event Log first.
6. PsExec – start apps on remote computers
PsExec is not an app that comes with Windows, but it’s a free sysadmin tool/utility from Microsoft (originally from Sysinternals) that lets you start apps on a remote computer.
In the simple example above, PsExec was started locally, to run ipconfig on a remote computer (‘archive’) to find out what gateway it is using. PsExec can be very handy in many situations. If you need a redistributable PsExec, take a look at PAExec.
7. Process Monitor – low level file I/O and registry spying
Another beauty from Microsoft’s sysadmin tools (Sysinternals) is Process Monitor. From the web page: Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity.”
The power is in the filtering – you can have it show you only registry access to a particular key, or file I/O operations taking place in a specific folder, or from a specific program. It’s a great help when something ought to work but doesn’t because you can (for example) see where a file or registry read is failing.
8. Task Scheduler
Unix has its cron, and Windows has Task Scheduler. (Well, Windows also has ‘at’, but that’s another story). Task Scheduler can be found in Administrator Tools, or started via taskschd.msc.
From the screenshot, you can see that various companies (Google and Adobe for example) will create scheduled tasks so their applications are launched periodically for some background processing. Windows itself has many tasks it uses. And of course, you can easily create your own. One simple example is to compress and/or move log files. Or run a periodic database cleanup script. Or to check for updates. Or ….
9. netstat – view network connections
Being familiar with netstat signals you’re no mere hobbyist, but a serious IT professional. Netstat shows the status of current network connections – run it without any command line arguments and that’s what you’ll see.
To see connections along with the process that created them, run netstat –b. To see current connections as well as ports that are listening for incoming connections, run netstat –ab as shown below:
Note that the process involved with the port is shown below the port information. So mysqld is listening on port 3306, not 3389.
10. Wireshark – view network packets
If you ever need to see network packets entering and leaving a computer, look no further than Wireshark. This is a fantastic free SysAdmin tool that will capture every packet, and even better, break each one down into its appropriate protocol headers and content. Below I’ve clicked a packet for an HTTP 302 redirect message coming in from a web server.
The documentation is great, and once you get the hang of it, you can spy on all of the applications on your computer, see what servers they are talking too, and what information is being sent and received.
Doug N
If there was a command-line utility that could compete with robocopy in terms of usefulness, it’s PsExec. The Sysinternals PsExec utility is as ubiquitous as they come in an IT admin arsenal. This tool allows administrators to remotely run commands just as if they were on the local computer.
To cover the PsExec tool in depth, it was fitting to cover this coveted tool in an ATA Ultimate Guide. In this guide, you will learn what psexec is, what it’s capable of any many examples of how to use this useful tool.
What is PsExec.exe?
If you’re new to IT or perhaps haven’t had the need to run commands and tools on remote computers, you might not know what psexec is.
PsExec or psexec.exe is a command-line utility built for Windows. It allows administrators to run programs on local and more commonly remote computers. It is a free utility part of the Sysinternals pstools suite built by Mark Russinovich many years ago.
It was built to replace tools like telnet that forced you to open up ports and introduce security vulnerabilities. Nowadays, we have other options like PowerShell Remoting and the Invoke-Command PowerShell cmdlet but PsExec still has its place.
PsExec allows full interactivity for console application without having to install any software. As you’ll see through this Ultimate Guide, PsExec can launch interactive command prompts, run as local system on remote computers, run commands on multiple computers at once and more.
It supports all versions of Windows since Windows XP. That means, that yes, PsExec on Windows 10 is a thing too. It’s a simple tool to run that works on nearly everything but don’t confuse its simplicity with its capabilities!
Prerequisites
You simply need to be running a modern Windows operating system for PsExec to run on your local computer. However, you’re going to want to run psexec against remote computers. To do that, you’ll need to ensure a few items are in place.
If you don’t have these items in place now or unsure, don’t worry. In the next section, we’ll cover how to write some PowerShell to test your remote computers.
- A modern Windows computer (local)
- File and Printer Sharing open (remote computer, TCP port 445)
- The admin$administrative share available (remote computer)
- You know a local account’s credential (remote computer)
As of this writing, PsExec is at v2.2 and will be the version you’ll be learning about in this article.
Installing PSexec (With Remote Computer Setup)
Technically, you don’t install PsExec since it’s just a command-line utility but close enough. Since no installation is necessary, you simply need to download and extract it from the PsTools zip file. PsExec isn’t available as a standalone utility and is part of the PsTools suite of tools.
Downloading PSExec
You can either extract the ZIP file manually or here’s a handy PowerShell snippet to download and extract PsExec from its pstools ZIP file. Note that this removes all of the other PsTools tools. Many are still handy but we’re not going to cover those in this article.
Remote Computer Configuration
Once you have PsExec downloaded, you’ll then need to ensure any remote computer you’re going to run it on is open. PsExec has simple requirements; File and Printer Sharing enabled and the admin$ administrative share available.
You could go to all of the remote computers, open up the Windows Firewall applet, go to Allowed Apps and enable File and Printer Sharing on all computers as you see below.
Note that File and Printer Sharing is a known security risk so ensure only the Private firewall profile is enabled.
Or you could visit each computer and run the netsh utility to open it up via:
Or you could use PowerShell’s Set-NetFirewallRule cmdlet to do it.
If you’d rather not visit each computer, you have PowerShell Remoting available and you’re in an Active Directory domain, you could also open up the firewall on many computers at once using the Invoke-Command cmdlet.
Using PsExec
Before you can run, you need to walk. If you’ve never used PsExec before, you’re in for a treat! Be sure to read this section first to get your feet wet to learn the basics before jumping in the deep end later in this article.
The first time you run PsExec on a new system, you will immediately see the PsExec license agreement come up. You’ll have to click on the Agree button to begin using it.
If you’d like to prevent the license agreement from being displayed, you can silently accept it using the /accepteula switch as shown below.
You’ll learn a few tricks at silencing this EULA popup on local and remote computers later in the article.
Finding Help
When exploring PsExec, you shouldn’t use any switch at all. When you simply run psexec with no switches, it will return all options and a brief explanation of what each does. All of the options are in the below table for your convenience.
Running a Simple Remote Command
At its most basic, PsExec requires two parameters: a computer name and a command to run. If you have a command to run on the remote computer that doesn’t require any arguments like hostname, you can simply add it after the computer name.
Note that if you don’t specify a full file path, the command to run must be in the user or system path. Also, if you have a program with spaces in the name, you can always enclose the program in spaces such as “my application.exe”.
You can see below that to execute the hostname command on the CONTOSODC1 computer, you define it’s UNC path followed by the command. PSExec will then connect to the remote computer securely, execute the command and return the output. In this case, the hostname command returned the hostname of the computer which is CONTOSODC1.
If the command isn’t cmd or another console, PsExec will quickly exit the remote session and return the exit code the remote process returned.
Note: The error or exit code returned from psexec is not coming from PsExec itself. Instead, it’s coming from the command that psexec executed on the remote computer.
How PsExec Works on Remote Computers
PsExec goes through a few steps to execute programs on remote computers.
- Create a PSEXESVC.exe file in C:Windows.
- Create and start a Windows service on the remote computer called PsExec.
- Execute the program under a parent process of psexesvc.exe.
- When complete, the PsExec Windows service will be stopped and removed.
When the process doesn’t work 100% correctly you may have to manually remove the service using the sc command.
Running a Simple Local Command
Even though PsExec is best known for running commands on remote computers, you can also run commands locally.
You can run commands locally by simply not providing a computer name like below.
Why would you do this? One reason would be to execute commands as the local SYSTEM account. You can use the -s switch to run any command as SYSTEM locally or remotely as you’ll learn more about later.
Take a look at the short video below. Notice that you simply need to provide the -s switch along with the command interpreter executable for psexec to launch a new command session as NT AUTHORITYSYSTEM.
PsExec Commands (Getting More Advanced)
Once you’ve got the basics down, you can then start learning more advanced techniques in psexec. PsExec can do a lot more than just run a single command on a single computer.
Running commands on multiple computers
PsExec isn’t just limited to running commands on one remote computer at a time. This tool also has support to copy programs and run commands on multiple computers at once.
You can run PsExec on multiple computers at once a few different ways.
Comma-separated Computer Names
Typically when running a command on a single remote computer, you will specify a single computer name like REMOTECOMPUTER. You can also specify multiple computers separated by commas like below.
All Computers in an Active Directory Domain
If you’re running PsExec on an Active Directory domain-joined computer and you’d like to blast out a command execution on all computers in that domain, use a wildcard.
PsExec will search your entire Active Directory domain and attempt to run a command on every computer. Below is example syntax on how PsExec will attempt to connect to every computer on the domain the executing computer is a part of and run the hostname command.
Note that if you use an asterisk to find all computers in a domain while the local computer is part of a workgroup, you will receive the error A system error has occurred: 6118.
Using a wildcard forces PsExec to essentially run the command net view /all to first find all computers in the domain. This is an outdated way to find computer information due to its dependency on NetBIOS.
Reading from a File
Another way you can run commands on multiple computers at once is to use a text file. Using the syntax @<filename.txt>, PsExec will read every line in the text file as if it were a computer name. It will then process each computer individually.
Below you can see an example of using PowerShell to create a text file of line-delimited computer names and using that as input for psexec.
Copying local programs to the remote computer
Using the -c switch, psexec will copy any local program to the remote computer prior to execution.
Perhaps you have an EXE on your local computer in a C:Tools folder and would like to run it on a remote computer. You can do so using the following syntax:
When you use the -c switch and don’t specify an executable file, PsExec will still copy the file but you’ll receive an error stating system cannot find the file specified. This happens because PsExec will always attempt to run the file you copy.
If you need to copy files to remote computers prior to using PsExec, use the Copy-Item PowerShell cmdlet instead.
Tcpview Alternative Clothing
Running Remote Processes under Alternate Credentials
Another popular use case of PsExec is to run commands under alternative accounts. By default, PsExec will attempt to connect to the remote computer under your currently-logged-in account. More specifically, it will impersonate your account on the remote computer.
Using the -u and optional -p switch allows you to connect to the remote computer with an alternative user account. PsExec will then encrypt both the username and password and send them to the remote computer for authentication.
For example, if you’re in a workgroup, you’ll always need to specify the username to authenticate to the remote computer as.
If both computers are a member of Active Directory, be sure to preface the user account with the domain name.
Note that when you do not use the -u switch, psexec impersonates your logged-in account on the remote computer. It will not have access to any network resources.
Running Processes as the LOCAL SYSTEM Account
One of the most useful features of running PsExec under an alternative account is using the -s switch. This switch allows PsExec (and your remotely-executed application) to run under the remote (or local) computer’s LOCAL SYSTEM account.
Notice below I didn’t include a remote computer name. PsExec will just as gladly run on the local computer as well. In this instance, I’m using the -s option to tell PsExec to launch a local command prompt as the LOCAL SYSTEM account.
To run a command prompt as LOCAL SYSTEM on a remote computer, add the computer name to the reference like below:
Launching GUI Applications Remotely
Another useful PsExec switch is -i. By default, PsExec does not allow the remotely-executed command to bring up any windows on the remote computer. This is helpful because if you’re executing commands remotely, you’re not going to see the screen anyway.
But perhaps you need to bring up programs for your users. You personally won’t be using the application but an end-user will. In that case, use the -i switch.
Maybe you need to bring up a notepad window on a remote computer. Not a problem. Run notepad.exe with the -i switch and PsExec will open up Notepad.
Be sure to also use the -d switch to disconnect when the interactive window is brought up though. By default, PsExec will wait for the process it executed to complete. If the remote process (Notepad in this case) is kept running, PsExec will never return control.
Using the -d switch with -i will tell PsExec to not wait for the remote process to finish. Instead, it will disconnect and return control to you as soon as the remote process is executed.
Redirecting Output
Psexec will rely any output sent from the remote process to your local session. Typically, this output will go directly to your local console. But if you’d like to redirect it, you can do so using typical redirection operators.
For example, if you’d like to run a command and silence all output, you could redirect output and errors to null using ^> nul ^2^&1.
Note the special characters are escaped with a hat. ( ^).
PsExec Use Cases
Once you’ve learned how to use psexec, you’ll inevitably come across various specific use cases. In this section, you’ll learn some real-world use cases and examples using psexec.
Launching a Remote Command Prompt (psexec cmd)
One of the most common use cases is launching PsExec as an interactive command prompt. PsExec doesn’t just run commands remotely. It can also send command output back to your console. Because of this, it can make a great telnet (if anyone is still using that) or perhaps PowerShell Enter-PSSession replacement.
To launch a remote command, specify the remote computer name and run the cmd application. Cmd is the Windows command interpreter. Since PsExec supports interactive use, it will gladly return a flashing cursor and a prompt.
At this point, the world is your oyster. You can run commands on your local computer via this “nested” command prompt and they will be executed on the remote computer.
To exit from the command prompt, type exit. PsExec will stop the cmd process on the remote computer and return focus to the local computer.
Do NOT use Ctrl-C to close out of an interactive cmd session. Always use exit. If you use Ctrl-C, the psexec session will remain running on the remote computer.
Installing Software Remotely
You can use PsExec as a poor-man’s software deployment tool. Perhaps you have an MSI installer that you need to run on one or more remote computers called setup.msi. This installer needs to be copied to the remote computers and then executed with the msiexec.exe utility with a few switches.
Below is an example of how you could use PsExec to remotely deploy software. This example copies setup.msi to the remote computer then launches the MSI installer interactively on as the SYSTEM account.
Accepting the EULA without the /accepteula switch
As mentioned earlier, the first time PsExec runs, you’ll have to accept a EULA. You could use the /accepteula switch but you could also “stage” it in the registry.
When launched for the first time, PsExec creates a registry key at HKCUSoftwareSysinternalsPsExec. Instead of that registry key, it creates a registry value called EulaAccepted with a DWORD value of 1.
Using your favorite method to modify the registry on remote computers, you simply need to create this key/value on computers you’d like to run PsExec on. Once created, no need to run /accepteula!
Marrying PowerShell and PsExec
Before PowerShell, all we had was PsExec. Now, we have options. PowerShell can replace PsExec in many situations but complement it in others.
Building Computer Names with PowerShell
Instead of using * to find all computers in the domain, you can use PowerShell instead. By using PowerShell, you can not only pick certain computers but you don’t have to use the firewall-prone net view /all behavior.
You can use PowerShell to create a string containing all computer names separated by a comma. You can then pass that string to PsExec which will merrily process each one like you typed each one manually.
You can see below an example of using the Get-AdComputer cmdlet part of the ActiveDirectoryPowerShell module.
Enabling PowerShell Remoting Remotely
If you have remote computers you’d rather use PowerShell Remoting with instead of PsExec, you can use PsExec to enable them.
By running Enable-PSRemoting or the winrm.cmd batch file on remote computers, you can quickly turn on PowerShell Remoting across many computers at once.
Below you can see an example of calling the winrm.cmd batch file on a remote computer running as the SYSTEM account. Because the output from that command isn’t needed, it’s silenced with 2>&1> $null.
PsExec Error Messages
It’s worth mentioning again upfront that most error codes you see returned from PsExec are from the remote process; not from PsExec. But it’s helpful to have an understanding of these error codes and what they might mean.
Tcpview Alternative Meaning
If you’d like a reference on all Windows error codes, I recommend checking out this exhaustive list of Windows error codes.
Tcp View 2019
Below is a list of common error codes you may see returned by PsExec.
Tcpview Alternative Products
Your Feedback
ATA Ultimate Guides are big. There’s a lot of information in these and I’m bound to miss a thing here or there or make a mistake. If you notice anything wrong or think something should be added to this guide, please let me know via the comments. I’d be happy to credit you in the post.
Credits
- Thanks to Mathias (comments) for numerous feedback.