|
Sigcheck
|
|
Hits: 4 |
|
Date added: 03/01/2005 |
|
Verify that images are digitally signed and dump version information with this simple command-line utility.
usage: sigcheck [-i][[-s]|[-v]][-q][-u] [-c catalog file] <file or directory>
-c Look for signature in the specified catalog file
-i Show image signers
-s Recurse subdirectories
-q Quiet (no banner)
-u Show unsigned files only
-v Csv output
One way to use the tool is to check for unsigned files in your WindowsSystem32 directories with this command:
sigcheck -u c:windowssystem32
You should investigate the purpose of any files that are not signed.
Download Sigcheck (16 KB)
Streams
The NTFS file system provides applications the ability to create alternate data streams of information. By default, all data is stored in a file's main unnamed data stream, but by using the syntax file:stream , you are able to read and write to alternates. Not all applications are written to access alternate streams, but you can demonstrate streams very simply. First, change to a directory on a NTFS drive from within a command prompt. Next, type echo hello > test:stream . You've just created a stream named 'stream' that is associated with the file 'test'. Note that when you look at the size of test it is reported as 0, and the file looks empty when opened in any text editor. To see your stream enter more < test:stream (the type command doesn't accept stream syntax so you have to use more).
NT does not come with any tools that let you see which NTFS files have streams associated with them, so I've written one myself. Streams will examine the files and directories (note that directories can also have alternate data streams) you specify and inform you of the name and sizes of any named streams it encounters within those files. Streams makes use of an undocumented native function for retrieving file stream information. Full source code is included.
Usage: streams [-s] [-d] <file or directory>
-s Recurse subdirectories.
-d Delete streams.
Streams takes wildcards e.g. 'streams *.txt'. |
|
|
|
|
|
LoadOrder
|
|
Hits: 2 |
|
Date added: 03/01/2005 |
|
This applet shows you the order that a Windows NT or Windows 2000 system loads device drivers. Note that on Windows 2000 plug-and-play drivers may actually load in a different order than the one calculated, because plug-and-play drivers are loaded on demand during device detection and enumeration. |
|
|
|
|
|
|
LogonSessions
|
|
Hits: 10 |
|
Date added: 03/01/2005 |
|
If you think that when you logon to a system there's only one active logon sessions this utility will surprise you. It lists the currently active logon sessions and, if you specify the -p option, the processes running in each session. LogonSessions works on Windows 2000 and higher.
Usage: logonsessions [-p] |
|
|
|
|
|
|
PendMoves
|
|
Hits: 3 |
|
Date added: 03/01/2005 |
|
There are several applications, such as service packs and hotfixes, that must replace a file that's in use and is unable to. Windows therefore provides the MoveFileEx API to rename or delete a file and allows the caller to specify that they want the operation to take place the next time the system boots, before the files are referenced. Session Manager performs this task by reading the registered rename and delete commands from the HKLMSystemCurrentControlSetControlSession ManagerPendingFileRenameOperations value.
This applet dumps the contents of the pending rename/delete value and also reports an error when the source file is not accessible. |
|
|
|
|
|
|
Junction
|
|
Hits: 4 |
|
Date added: 03/01/2005 |
|
Win2K's version of NTFS supports directory symbolic links, where a directory serves as a symbolic link to another directory on the computer. For example, if the directory D:SYMLINK specified C:WINNTSYSTEM32 as its target, then an application accessing D:SYMLINKDRIVERS would in reality be accessing C:WINNTSYSTEM32DRIVERS. Directory symbolic links are known as NTFS junctions in Win2K. Unfortunately, Win2K comes with no tools for creating junctions - you have to purchase the Win2K Resource Kit, which comes the linkd program for creating junctions. I therefore decided to write my own junction-creating tool: Junction. Junction not only allows you to create NTFS junctions, it allows you to see if files or directories are actually reparse points. Reparse points are the mechanism on which NTFS junctions are based, and they are used by Win2K's Remote Storage Service (RSS), as well as volume mount points.
If you want to view reparse information, the usage for Junction is the following:
Usage: junction [-s] <directory or file name>
-s Recurse subdirectories.
If you want to create or delete a junction, use Junction like this:
Usage: junction [-d] <junction directory> [<junction target>]
To delete a junction specify the -d switch and the junction name.
-Source code:
http://www.sysinternals.com/files/jnctnsrc.zip |
|
|
|
