Sysinternals Tools Updates

From Windows Sysinternals

What's New (December 11, 2019)
  • Sysmon v10.42
    This update to Sysmon addresses a number of memory leaks, introduces the "Excludes Any" and "Excludes All" filtering conditions and resolves a number of bugs.

  • Zoomit v4.52
    This update to Zoomit resolves a number of dual-monitor related issues.

  • Whois v1.21
    This refresh of Whois contains various bug fixes.
 
From Windows Sysinternals

What's New (April 28, 2020)

  • Sysmon v11.0
    This major update to Sysmon includes file delete monitoring and archive to help responders capture attacker tools, adds an option to disable reverse DNS lookup, replaces empty fields with ‘-‘ to work around a WEF bug, fixes an issue that caused some ProcessAccess events to drop, and doesn’t hash main data streams that are marked as being stored in the cloud.
  • Sysinternals April 27 Update Video
    Mark Russinovich covers what’s new in this update, with a demo of Sysmon’s new file delete monitoring and capture capability.
 
What's New (June 24, 2020)
  • Sysmon v11.10
    This update to Sysmon now captures stream content for alternate data streams into logged events, which is useful for investigating downloads tagged with ‘Mark of the Web’ (MOTW) streams, introduces an ‘is-any’ filter condition, and fixes several bugs.
  • Sigcheck v2.80
    Sigcheck, a flexible tool for showing file versions, file signatures, and certificate stores, introduces a -p option for specifying a trust GUID for signature verification, and it now shows certificate signing chains even when a certificate in the chain is untrusted.
  • Sysinternals June 24 Update Video
    Mark Russinovich covers what’s new in this update, with demos of Sysmon’s alternate data stream content capture and new features in Sigcheck.

Source: Windows Sysinternals

Note: RAMMAP still has a small (non-fatal) bug. I am waiting until that has been fixed (no, no details).
 
(From: Windows Sysinternals)
(For me these tools are a bit too "geeky". Personally I use only Process Explorer & RAMMAP on a (very) regular basis)

What's New (September 17, 2020)
  • Sysmon v12.0
    In addition to several bug fixes, this major update to Sysmon adds support for capturing clipboard operations to help incident responders retrieve attacker RDP file and command drops, including originating remote machine IP addresses.
  • Process Monitor v3.60
    This update to Process Monitor, a utility that logs process file, network and registry activity, adds support for multiple filter item selection, as well as decoding for new file system control operations and error status codes.
  • Procdump v10.0
    This release of Procdump, a flexible tool for manual and trigger-based process dump generation, adds support for dump cancellation and CoreCLR processes.
  • ARM64 ports
    In addition, several tools have been newly ported to and are now available for ARM64. These include: AdInsight v1.2, AutoLogon v3.1, Autoruns v13.98, ClockRes v2.1, DebugView v4.9, DiskExt v1.2, FindLinks v1.1, Handle v4.22, Hex2Dec v1.1, Junction v1.07, PendMoves v1.02, PipeList v1.02, Procdump v10.0, Process Explorer v16.32, RegDelNull v1.11, RU v1.2, Sigcheck v2.8, Streams v1.6, Sync v2.2, VMMap v3.26, WhoIs v1.21 and ZoomIt v4.52. Download all ARM64 tools in a single download with the Sysinternals Suite for ARM64.
 

What's New (October 15, 2020)

  • VMMap v3.30
    This update to VMMap, a utility that reports the virtual memory layout of a process, identifies .NET Core 3.0 managed heaps.
  • RAMMap v1.60
    This release of RAMMap, a utility that analyzes and displays physical memory usage, adds customizable map colors and a new command line option, -e, to empty the different types of system working sets.
 
From Windows Sysinternals

What's New (November 04, 2020)

  • AdExplorer v1.50
    This release of AdExplorer, an Active Directory (AD) viewer and editor, adds support for exporting data from the "Compare" dialog and is now available for x64 and ARM64.
  • Disk Usage (DU) v1.62
    This release of Disk Usage (DU), a tool for viewing disk usage information, now also accounts for the MFT (Master File Table), removes the MAX_PATH limitation and is now available for ARM64.
 
Windows Sysinternals:

What's New (January 11, 2021)

  • Sysmon v13.00
    This update to Sysmon adds a process image tampering event that reports when the mapped image of a process doesn’t match the on-disk image file, or the image file is locked for exclusive access. These indicators are triggered by process hollowing and process herpaderping. This release also includes several bug fixes, including fixes for minor memory leaks.
  • Process Monitor v3.61
    This update to Process Monitor adds monitoring for RegSaveKey, RegLoadKey and RegRestoreKey APIs, as well as fixes a bug in the details output for some types of directory queries.
 
Windows Sysinternals:

What's New (April 21, 2021)

  • Process Monitor v3.70
    This update to Process Monitor allows constraining the number of events based on a requested number of minutes and/or size of the events data, so that older events are dropped if necessary. It also fixes a bug where the Drop Filtered Events option wasn't always respected and contains other minor bug fixes and improvements.
  • Sysmon v13.10
    This update to Sysmon adds a FileDeleteDetected rule that logs when files are deleted but doesn't archive them, deletes the clipboard archive if the event is excluded and fixes an ImageLoad event bug.
  • Theme Engine
    This update to the theme engine uses a custom title bar in dark mode, similar to the MS Office black theme. WinObj and TCPView have been updated. Expect more tools using the theme engine in the near future!
 
Windows Sysinternals:
  • Process Monitor v3.80
    Process Monitor is the latest tool to integrate with the new Sysinternals theme engine, giving it dark mode support.
  • Sysmon v13.20
    This update to Sysmon, an advanced system security monitor, adds "not begin with" and "not end with" filter conditions and fixes a regression for rule include/exclude logic.
  • TCPView v4.10
    This update to TCPView, a TCP/UDP endpoint query tool, adds the ability to filter connections by state.
  • Process Explorer v16.40
    This update to Process Explorer, an advanced process, DLL and handle viewing utility, adds process filtering support to the main display and reports process CET (shadow stack) support.
  • PsExec v2.34
    This PsExec release reverts to sending all PsExec output to stderr so that only target process output emits to stdout.
  • Sigcheck v2.81
    Sigcheck v2.81 fixes a bug in filtering output for unsigned VirusTotal unknown files and now reports the signing time for files with untrusted certificate signatures.
  • WinObj v3.10
    This WinObj update extends search functionality to include symbolic link targets.
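An added Sysmon configuration (written for this page, not taken from Sysinternals or from the posts above) that exercises the detection features announced across these updates: the "excludes all" condition from v10.42, the FileDelete archive and DnsLookup switch from v11, the "is any" condition and alternate data stream capture from v11.10, the clipboard event from v12, the process tampering event from v13, FileDeleteDetected from v13.10 and "not begin with" from v13.20. The schema version, rule tag and field names, and the sample paths and ports are assumptions; verify them against the schema printed by the installed build (`sysmon -s`) before deploying.

```xml
<Sysmon schemaversion="4.60">
  <!-- v11: folder (created under the system drive root) for captured FileDelete and ClipboardChange content; constructed sample name -->
  <ArchiveDirectory>SysmonArchive</ArchiveDirectory>
  <!-- v11: switch off reverse DNS lookups in NetworkConnect events -->
  <DnsLookup>False</DnsLookup>
  <EventFiltering>
    <!-- v10.42 'excludes all': drop ImageLoad events whose path contains none of these substrings, keeping only DLL loads from user-writable locations -->
    <RuleGroup name="" groupRelation="or">
      <ImageLoad onmatch="exclude">
        <ImageLoaded condition="excludes all">\Temp\;\AppData\;\Downloads\</ImageLoaded>
      </ImageLoad>
    </RuleGroup>
    <!-- v11.10 'is any': exact match against a ';'-separated list -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <DestinationPort condition="is any">445;3389;5985</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
    <!-- v11 FileDelete archives the deleted file; v13.10 FileDeleteDetected only logs it -->
    <RuleGroup name="" groupRelation="or">
      <FileDelete onmatch="include">
        <TargetFilename condition="end with">.exe</TargetFilename>
        <TargetFilename condition="end with">.dll</TargetFilename>
        <TargetFilename condition="end with">.ps1</TargetFilename>
      </FileDelete>
      <FileDeleteDetected onmatch="include">
        <TargetFilename condition="begin with">C:\Windows\Temp\</TargetFilename>
      </FileDeleteDetected>
    </RuleGroup>
    <!-- v11.10 alternate data stream content capture: Mark of the Web streams on downloads -->
    <RuleGroup name="" groupRelation="or">
      <FileCreateStreamHash onmatch="include">
        <TargetFilename condition="contains">Zone.Identifier</TargetFilename>
      </FileCreateStreamHash>
    </RuleGroup>
    <!-- v12 clipboard capture and v13 process image tampering: an empty exclude rule logs every event of that type -->
    <ClipboardChange onmatch="exclude" />
    <ProcessTampering onmatch="exclude" />
    <!-- v13.20 'not begin with' under groupRelation="and": process starts whose image lives outside both Windows and Program Files -->
    <RuleGroup name="" groupRelation="and">
      <ProcessCreate onmatch="include">
        <Image condition="not begin with">C:\Windows\</Image>
        <Image condition="not begin with">C:\Program Files</Image>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Load it with `sysmon -c <file>` on a test host first and confirm the expected event IDs appear in the Microsoft-Windows-Sysmon/Operational log before rolling it out.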
 
Windows Sysinternals:
  • ProcDump v10.1
    This update to ProcDump, a command-line utility for generating memory dumps from running processes, adds a new option (-dc) for specifying a dumpfile comment and supports "triage" dumps (-mt).
  • RDCMan v2.8
    RDCMan, a utility for managing multiple remote desktop connections, is now part of the Sysinternals family of tools!
 
From Autoruns v14.02, WinObj v3.12, Tcpview v4.15 and Process Monitor v3.85:

Autoruns v14.02
Autoruns, a utility for monitoring startup items, receives a series of UI improvements related to the dark theme and general Windows 10 tweaks, plus fixes for VirusTotal and signed-file regressions.

WinObj v3.12
WinObj, a utility for inspecting objects in the NT Object Manager’s namespace, receives a series of UI improvements related to the dark theme and general Windows 10 tweaks.

Tcpview v4.15
TCPView, a utility for monitoring network connections on Windows systems, receives a series of UI improvements related to the dark theme and general Windows 10 tweaks.

Process Monitor v3.85
Process Monitor, a utility for observing in real time file system, Registry and process or thread activity, receives a series of UI improvements related to the dark theme and general Windows 10 tweaks.
 
From Autoruns v14.04, high DPI icons for WinObj, Tcpview, Process Monitor and build tools refresh

Autoruns v14.04

This update for Autoruns adds a series of display/theme fixes, restores autorunsc, fixes a regression for rundll32 entries, limits per-user scans to the user locations, fixes Microsoft entry hiding and adds a high DPI application icon.

WinObj v3.13, Tcpview v4.16 and Process Monitor v3.86 get high DPI application icons.

AccessEnum v1.33, CacheSet v1.01, Contig v1.81, Desktops v2.01, Disk2vhd v2.02, DiskMon v2.02, EFSDump v1.03, LoadOrder v1.02, PsShutdown v2.53, RegJump v1.11, ShareEnum v1.61, ShellRunas v1.02 get new builds with updated Windows libraries.
 
From Autoruns v14.06 and Sysmon v13.30:

Autoruns v14.06

This Autoruns release fixes a crash happening for scheduled tasks containing spaces.

Sysmon v13.30

This Sysmon update adds user fields for events, fixes a series of crash-causing bugs - for example with the Visual Studio debugger - and improves memory usage and management in the driver.
 
From ADExplorer v1.51, Autoruns v14.07, CacheSet v1.02, Process Monitor v3.87 and Sysmon v13.31

Active Directory Explorer v1.51

This Active Directory Explorer update fixes a Windows Store packaging crash.

Autoruns v14.07
This Autoruns update can open .arn files from the command line, fixes RunDll32 parameter handling in some cases, supports toggling Active Setup entries, fixes a crash when no ProcExp can be found in the path and improves 32/64 bit redirection.

CacheSet v1.02
This CacheSet update fixes a 64 bit OS regression.

Process Monitor v3.87
This Process Monitor update fixes a series of bugs with filter file loading, ring buffer handling and improves filter dialog navigation, some UI interactions with column headers and the About dialog.

Sysmon v13.31
This Sysmon release improves handle management in the service code and restores event ID 16 contents.
 
