The "SysNocturnals Tools" are a set of utilities for the Windows platform, primarily for diagnostic, troubleshooting, and informational purposes. They are inspired by and not entirely dissimilar from Microsoft's Sysinternals tools, about which I co-wrote the authoritative reference books with Mark Russinovich. (BTW, Troubleshooting with the Windows Sysinternals Tools makes a great gift!) I came up with the name "SysNocturnals" rather late at night, which is when I've always done most of my work.
Like the Sysinternals tools, the SysNocturnals tools are entirely free for use. Unlike the current Sysinternals tools, the SysNocturnals tools' source code is also available and free for use under the terms of the MIT license.
While I'm at it, I'm also providing a repository here for binaries and tools that I published on my blogs at Microsoft that are no longer available on their blog platform, including LUA Buglight, the App Install Recorder scripts, and IEZoneAnalyzer. See “SysNocturnals Extras” here.
Name | Description |
---|---|
Troubleshooting tools | |
Zombie Finder (README) (Video presentation) | Identifies zombie processes/threads and the living processes causing them to be undead. A "zombie process" is the kernel memory leakage of process and thread handles of processes that have exited. |
GuiObjectUse (README) | Reports GUI object use by process in session 0 or other sessions. Its primary use case is to find the root cause of session 0 desktop heap exhaustion. |
Management tools | |
AppLockerPolicyTool (README) | AppLocker policy management, through Local GPO and CSP, which is the interface used by MDM providers such as Intune. |
RunAsUsers (README) | Tool for executing programs in the desktop and security context of interactively logged-on users, from code running as System in session 0. |
WindowTool (README) | Window management tool |
Informational tools | |
TSSessions (README) | Enumerates terminal services sessions, window stations, desktops, and more |
GetLocalizedResources (README) | Extracts localized text from resource files and other Portable Executable binaries |
RegBinaryToSD (README) | Converts REG_BINARY data to a readable Security Descriptor or SDDL |
SddlHelp (README) | Helps with writing and understanding Security Descriptor Definition Language (SDDL), which is a textual means for representing Windows security descriptors, and how to do so for a variety of object types. |
Test-scenario tools | |
VirtMemTest (README) | GUI app for testing memory allocation, CPU-hog, hung-app, and other scenarios |
Zombie Maker (README) | Creates zombie processes/threads for demonstration/testing purposes (e.g., with ZombieFinder) |
SysNocturnals Suite | |
SysNocturnalsSuite.zip | All the latest SysNocturnals Tools in one zip file |
Most but not all of the SysNocturnals tools are provided in x64 and x86 versions, named ToolName.exe and ToolName32.exe. The 32-bit versions will of course work on 32-bit Windows versions (yes, there still are some), and should work correctly on 64-bit as well, as they will selectively and temporarily disable WOW64 file system redirection. AppLockerPolicyTool.exe and RunAsUsers.exe are both x86 only, and will work correctly on all supported Windows versions.
The tools' text output is often tab-delimited text with headers. I prefer this format over comma-separated text, as it largely avoids having to modify data that contains embedded delimiter characters (e.g., having to quote text that contains commas and then deal with embedded quotes) and then having to determine which characters are data and which were added and should be removed. Also, tab-delimited text on the clipboard pastes perfectly into Microsoft Excel. Tab-delimited CSV is also super easy to work with in PowerShell: pipe it into ConvertFrom-Csv -Delimiter "`t" and now you've got objects. For example:

```powershell
GuiObjectUse.exe | ConvertFrom-Csv -Delimiter "`t" | ?{ $_."User objects" -gt 30 }
```
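As an added example (not part of the SysNocturnals project), the following script feeds a constructed tab-delimited sample through ConvertFrom-Csv -Delimiter "`t" and shows one thing to watch for when filtering: every field comes back as a string, so a comparison such as -gt 30 is lexical unless the column is cast to a number. Only the "User objects" column name comes from the page; the other column names and all values are assumptions made up for illustration.

```powershell
# Constructed sample standing in for a tool's tab-delimited output with headers.
# Column names other than "User objects" are assumptions for this example.
$sample = @"
PID`tProcess`tSession`tUser objects`tGDI objects
1234`texplorer.exe`t1`t912`t1480
5678`tsvchost.exe`t0`t5`t14
9012`tcsrss.exe`t0`t128`t31
3456`twinlogon.exe`t1`t7`t22
"@

# Real usage would pipe the tool instead:  GuiObjectUse.exe | ConvertFrom-Csv -Delimiter "`t"
$rows = $sample | ConvertFrom-Csv -Delimiter "`t"

# Every property is a [string]. With a string on the left, PowerShell converts the
# right operand to a string too, so "5" -gt 30 becomes "5" -gt "30", which is $true
# (lexical order), while "128" -gt "30" is $false. Casting fixes the comparison.
$lexical = $rows | Where-Object { $_."User objects" -gt 30 }
$numeric = $rows | Where-Object { [int]$_."User objects" -gt 30 }

"Lexical  -gt 30 matched: " + (($lexical | ForEach-Object Process) -join ', ')
"Numeric  -gt 30 matched: " + (($numeric | ForEach-Object Process) -join ', ')

# Typing the numeric columns once up front makes Sort-Object and Measure-Object
# behave as expected as well (sorting strings would put "912" before "1480").
$typed = $rows | Select-Object PID, Process, Session,
    @{ Name = 'UserObjects'; Expression = { [int]$_.'User objects' } },
    @{ Name = 'GdiObjects';  Expression = { [int]$_.'GDI objects' } }

$typed | Sort-Object UserObjects -Descending | Format-Table -AutoSize
$typed | Measure-Object UserObjects -Sum | Select-Object Count, Sum
```

Expect the lexical filter to report explorer.exe, svchost.exe and winlogon.exe, and the numeric filter to report explorer.exe and csrss.exe.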