Software Listing of Author : "Mark Russinovich"
- AdRestore
- License: Freeware
- Price: 0.00


Introduction
- Windows Server 2003 introduces the ability to restore deleted ("tombstoned") objects. This simple command-line utility enumerates the deleted objects in a domain and gives you the option of restoring each one. Source code is based on sample code in the Microsoft Platform SDK.
This MS KB article describes the use of AdRestore:
840001: How to restore deleted user accounts and their group memberships in Active Directory
- Publisher: Mark Russinovich
- Date Released:
- Download Size: 40 KB
- Download
- Platform: WinOther
- CacheSet
- License: Freeware
- Price: 0.00


CacheSet is a program that allows you to control the Cache Manager's working set size using functions provided by NT. It's compatible with all versions of NT.
Introduction
- CacheSet is an applet that allows you to manipulate the working-set parameters of the system file cache. Unlike CacheMan, CacheSet runs on all versions of NT and will work without modifications on new Service Pack releases. In addition to providing you the ability to control the minimum and maximum working set sizes, it also allows you to reset the Cache's working set, forcing it to grow as necessary from a minimal starting point. Also unlike CacheMan, changes made with CacheSet have an immediate effect on the size of the Cache.
Use CacheSet to performance tune the system Cache size in a way not possible without tweaking internal...
- Publisher: Mark Russinovich
- Date Released:
- Download Size: 40 KB
- Download
- Platform: WinOther
- ClockRes
- License: Freeware
- Price: 0.00


ClockRes is an application that helps you view the resolution of the system clock.
Ever wondered what the resolution of the system clock was, or perhaps the maximum timer resolution that your application could obtain? The answer lies in a simple function named GetSystemTimeAdjustment, and the ClockRes applet performs the function and shows you the result.
- Publisher: Mark Russinovich
- Date Released:
- Download Size: 81 KB
- Download
- Platform: WinOther
- Ctrl2cap
- License: Freeware
- Price: 0.00


This is a kernel-mode driver that demonstrates keyboard input filtering just above the keyboard class driver in order to turn caps-locks into control keys. Filtering at this level allows conversion and hiding of keys before NT even "sees" them. Ctrl2cap also shows how to use NtDisplayString() to print messages to the initialization blue-screen.
Introduction
Ctrl2cap is a kernel-mode device driver that filters the system's keyboard class driver in order to convert caps-lock characters into control characters. People like myself that migrated to NT from UNIX are used to having the control key located where the caps-lock key is on the standard PC keyboard, so a utility like this is essential for our editing well-being.
Installation and Use
Install Ctrl2cap by running the command "ctrl2cap /install"...
- Publisher: Mark Russinovich
- Date Released:
- Download Size: 51 KB
- Download
- Platform: WinOther
- EFSDump
- License: Freeware
- Price: 0.00


Introduction
Windows 2000 introduces the Encrypting File System (EFS) so that users can protect their sensitive data. Several new APIs make their debut to support this facility, including one, QueryUsersOnEncryptedFile, that lets you see who has access to encrypted files. This applet uses the API to show you what accounts are authorized to access encrypted files.
Using EFSDump
-s  Recurse subdirectories.
EFSDump takes wildcards e.g. 'efsdump *.txt'.
- Publisher: Mark Russinovich
- Date Released:
- Download Size: 40 KB
- Download
- Platform: WinOther
- Hex2dec
- License: Freeware
- Price: 0.00


Introduction
Tired of running Calc every time you want to convert a hexadecimal number to decimal? Now you can convert hex to decimal and vice versa with this simple command-line utility.
Usage: hex2dec [hex|decimal]
Include x or 0x as the prefix of the number to specify a hexadecimal value.
e.g. To translate 1233 decimal to hexadecimal: hex2dec 1233
e.g. To translate 0x1233 hexadecimal to decimal: hex2dec 0x1233
- Publisher: Mark Russinovich
- Date Released:
- Download Size: 40 KB
- Download
- Platform: WinOther
- ListDLLs
- License: Shareware
- Price:


A question that I often get asked is "Do you know of a utility that will show me which DLLs are loaded on Windows 9x or NT?". The answer I gave up until recently was "no", until I discovered a tool in the Windows NT Resource Kit called tlist that does show this information. Unlike tlist, ListDLLs is able to show you the full path names of loaded modules - not just their base names.
ListDLLs can also flag loaded DLLs which have different version numbers than their corresponding on-disk files (which occurs when the file is updated after a program loads the DLL), and can tell you which DLLs were relocated because they are not loaded at their base address. For Windows XP, 2003, Vista, 2008, 7.
- Publisher: Mark Russinovich
- Date Released:
- Download
- Platform: Windows 7, WinOther, WinServer, WinVista
- PsFile
- License: Freeware
- Price: 0.00


The "net file" command shows you a list of the files that other computers have opened on the system upon which you execute the command; however, it truncates long path names and doesn't let you see that information for remote systems. PsFile is a command-line utility that shows a list of files on a system that are opened remotely, and it also allows you to close opened files either by name or by a file identifier.
Installation
Just copy PsFile onto your executable path, and type "psfile".
Using PsFile
The default behavior of PsFile is to list the files on the local system that are open by remote systems. Typing a command followed by "- " displays information on the syntax for the command.
Usage: psfile [\\RemoteComputer [-u Username [-p Password]]] [[Id | path] [-c]]
- PsKill
- License: Freeware
- Price: 0.00


Windows NT/2000 does not come with a command-line 'kill' utility. You can get one in the Windows NT or Win2K Resource Kit, but the kit's utility can only terminate processes on the local computer. PsKill is a kill utility that not only does what the Resource Kit's version does, but can also kill processes on remote systems. You don't even have to install a client on the target computer to use PsKill to terminate a remote process.
Installation
Just copy PsKill onto your executable path, and type pskill with command-line options defined below.
Using PsKill
See the September 2004 issue of Windows IT Pro Magazine for Mark's article that covers advanced usage of PsKill.
Running PsKill with a process ID directs it to kill the process of that ID on the local computer. If you...
- Publisher: Mark Russinovich
- Date Released:
- Download Size: 1126 KB
- Download
- Platform: WinOther
- PsList
- License: Freeware
- Price: 0.00


pslist exp  would show statistics for all the processes that start with "exp", which would include Explorer.
-d  Show thread detail.
-m  Show memory detail.
-x  Show processes, memory information and threads.
-t  Show process tree.
-s [n]  Run in task-manager mode, for optional seconds specified. Press Escape to abort.
-r n  Task-manager mode refresh rate in seconds (default is 1).
\\computer  Instead of showing process information for the local system, PsList will show information for the NT/Win2K system specified. Include the -u switch with a username and password to log in to the remote system if your security credentials do not permit you to obtain performance counter information from the remote system.
-u username  If you want to kill a process on a remote system and the account you are executing...
- Publisher: Mark Russinovich
- Date Released:
- Download Size: 1126 KB
- Download
- Platform: WinOther
- PsLoggedOn
- License: Freeware
- Price: 0.00


You can determine who is using resources on your local computer with the "net" command ("net session"); however, there is no built-in way to determine who is using the resources of a remote computer. In addition, NT comes with no tools to see who is logged onto a computer, either locally or remotely.
PsLoggedOn is an applet which can display both the locally logged on users and users logged on via resources for either the local computer or a remote one. If you specify a user name instead of a computer, PsLoggedOn searches the computers in the network neighborhood and tells you if the user is currently logged on. Full source code is included.
PsLoggedOn's definition of a locally logged on user is one that has their profile loaded into the Registry, so PsLoggedOn determines who is logged on by scanning the keys...
- Publisher: Mark Russinovich
- Date Released:
- Download Size: 1126 KB
- Download
- Platform: Win2000, WinOther, WinServer
- PsSuspend
- License: Freeware
- Price: 0.00


PsSuspend lets you suspend processes on the local or a remote system, which is desirable in cases where a process is consuming a resource (e.g. network, CPU or disk) that you want to allow different processes to use. Rather than kill the process that's consuming the resource, suspending permits you to let it continue operation at some later point in time.
Installation
Copy PsSuspend onto your executable path and type "pssuspend" with command-line options defined below.
Using PsSuspend
Running PsSuspend with a process ID directs it to suspend or resume the process of that ID on the local computer. If you specify a process name, PsSuspend will suspend or resume all processes that have that name. Specify the -r switch to resume suspended processes.
Usage: pssuspend [- ]...
- Publisher: Mark Russinovich
- Date Released:
- Download Size: 1126 KB
- Download
- Platform: WinOther
- PsTools
- License: Freeware
- Price: 0.00


The Windows NT and Windows 2000 Resource Kits come with a number of command-line tools that help you administer your Windows NT/2K systems. Over time, I've grown a collection of similar tools, including some not included in the Resource Kits. What sets these tools apart is that they all allow you to manage remote systems as well as the local one. The first tool in the suite was PsList, a tool that lets you view detailed information about processes, and the suite is continually growing. The "Ps" prefix in PsList relates to the fact that the standard UNIX process listing command-line tool is named "ps", so I've adopted this prefix for all the tools in order to tie them together into a suite of tools named PsTools.
Note: some anti-virus scanners report that one or more of the tools are infected with a "remote admin" virus. None...
- Publisher: Mark Russinovich
- Date Released:
- Download Size: 1126 KB
- Download
- Platform: Win2000, WinOther, WinServer
- SDelete
- License: Freeware
- Price: 0.00


One feature of Windows NT/2000's (Win2K) C2-compliance is that it implements object reuse protection. This means that when an application allocates file space or virtual memory it is unable to view data that was previously stored in the resources Windows NT/2K allocates for it. Windows NT zero-fills memory and zeroes the sectors on disk where a file is placed before it presents either type of resource to an application. However, object reuse does not dictate that the space that a file occupies before it is deleted be zeroed. This is because Windows NT/2K is designed with the assumption that the operating system controls access to system resources. However, when the operating system is not active it is possible to use raw disk editors and recovery tools to view and recover data that the operating system has deallocated. Even when you...
- Publisher: Mark Russinovich
- Date Released:
- Download Size: 40 KB
- Download
- Platform: Win2000, WinOther, WinServer
- VolumeID
- License: Freeware
- Price: 0.00


While WinNT/2K and Windows 9x's built-in Label utility lets you change the labels of disk volumes, it does not provide any means for changing volume ids. This utility, VolumeID, allows you to change the ids of FAT and NTFS disks (floppies or hard drives).
Usage: volumeid xxxx-xxxx
This is a command-line program that you must run from a command-prompt window.
Note that changes on NTFS volumes won't be visible until the next reboot. In addition, you should shut down any applications you have running before changing a volume id. NT may become confused and think that the media (disk) has changed after a FAT volume id has changed and pop up messages indicating that you should reinsert the original disk (!). It may then fail the disk requests of applications using those drives.
- Publisher: Mark Russinovich
- Date Released:
- Download Size: 40 KB
- Download
- Platform: Win2000, WinOther, WinServer