Live Response - Making use of Sysinternals tools

Given how useful the Sysinternals suite of tools is, it's probably worth a quick post to show how these can be obtained and used via Live Response to save disrupting an end user.

Thankfully Sysinternals exposes the tools at the following location:

https://live.sysinternals.com/

Therefore, given the power of PowerShell, we can download Process Monitor, run a trace and zip up the resulting file. To do so, the following commands can be issued:

  • powershell
  • New-Item -Path "c:\" -Name "PMLTrace" -ItemType "directory"
  • cd C:\PMLTrace
  • Invoke-WebRequest https://live.sysinternals.com/Procmon64.exe -UseBasicParsing -OutFile procmon64.exe
  • &"./procmon64.exe" /accepteula /quiet /minimized /nofilter /Runtime 15 /backingfile trace15seconds.pml
  • Compress-Archive .\trace15seconds.pml .\trace15seconds.zip

The above sequence consists entirely of PowerShell commands; of course, you could also create the directory with 'mkdir' and 'cd' into it first.

Notes:

  • The example runs an unfiltered, minimized trace for 15 seconds to the file trace15seconds.pml in the same directory.
  • If you try to create the archive with Compress-Archive before the .PML file is closed, you will get a message that the file is being used by another process.
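The same sequence as a single script, added here as an example and not part of the original post: it waits for Procmon to exit before calling Compress-Archive (the failure the note above describes) and checks the downloaded binary's Authenticode signature before running it. It assumes an elevated PowerShell 5.1+ session on the endpoint (Procmon loads a driver), outbound HTTPS to live.sysinternals.com, and the same C:\PMLTrace paths as the post.

```powershell
# Added example wrapping the post's Procmon steps; assumes an elevated session
# and the C:\PMLTrace layout used above.
$ErrorActionPreference = 'Stop'
$workDir = 'C:\PMLTrace'
$seconds = 15                                   # the post's /Runtime 15
$exePath = Join-Path $workDir 'procmon64.exe'
$pmlPath = Join-Path $workDir 'trace15seconds.pml'
$zipPath = Join-Path $workDir 'trace15seconds.zip'

New-Item -Path $workDir -ItemType Directory -Force | Out-Null

# Force TLS 1.2; older hosts default to protocols the site no longer accepts.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri 'https://live.sysinternals.com/Procmon64.exe' `
    -UseBasicParsing -OutFile $exePath

# Only run the download if it still carries a valid Microsoft signature.
$sig = Get-AuthenticodeSignature -FilePath $exePath
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    throw "Refusing to run $exePath (signature status: $($sig.Status))"
}

# Procmon is a GUI process, so '&' returns immediately and the .pml is still open.
# Start-Process -Wait blocks until /Runtime expires and the file is closed.
$procmonArgs = @('/AcceptEula', '/Quiet', '/Minimized', '/NoFilter',
                 '/Runtime', "$seconds", '/BackingFile', $pmlPath)
Start-Process -FilePath $exePath -ArgumentList $procmonArgs -Wait

if (-not (Test-Path $pmlPath)) { throw "Trace file $pmlPath was not produced" }

# Record a hash so the analyst can confirm the archive received matches the capture.
$hash = (Get-FileHash -Path $pmlPath -Algorithm SHA256).Hash
Compress-Archive -Path $pmlPath -DestinationPath $zipPath -Force
Write-Output "Trace $pmlPath (SHA256 $hash) archived to $zipPath"
```

Once the zip has been retrieved, `Remove-Item $workDir -Recurse -Force` clears the working directory from the endpoint.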

Once you have obtained the zip file, i.e. copied it to a file server or asked the end user to send it, you can delete the directory if needed.

It is worth bearing in mind that some of the Sysinternals tools may be classified as potentially unwanted applications (PUAs) by endpoint protection until they are authorised, e.g. PsExec and PsKill.

I hope the above is helpful!

Regards,
Jak