Troubleshooting Filesystems with Sysinternals Tools

Windows supports several different filesystems, every one of them with its own strengths and weaknesses. This course will teach you what filesystems are and how you can manage and troubleshoot them with Sysinternals tools.
Course info
Rating
(13)
Level
Beginner
Updated
Jan 8, 2018
Duration
42m
Description

You can't use an OS without a filesystem, so knowing how to troubleshoot one is crucial. In this course, Troubleshooting Filesystems with Sysinternals Tools, you'll learn the basics of filesystem troubleshooting. First, you'll get an overview of how to delete the malware that is hardest to detect and remove. Then, you'll learn how to work with hard and soft links in different filesystems. Finally, you'll learn how to find hidden alternate data streams. When you're finished with this course, you'll have a foundational knowledge of the Sysinternals tools that will help you as you move forward with troubleshooting filesystems.

About the author

Sami Laiho is one of the world's top experts in Windows OS and Security. Sami specializes in OS internals, troubleshooting, management, and security.

Section Introduction Transcripts

Course Overview
Hi, everyone. My name is Sami Laiho. Welcome to my course, Troubleshooting Filesystems with Sysinternals Tools. I'm a senior technical fellow at my own company, Adminize. Every operating system has a filesystem beneath it. They vary a lot between different versions and manufacturers. You can't really do any troubleshooting without knowing how filesystems work. Many filesystems have hidden features that allow not only good but also malicious applications to hide in and terrorize your system. In this course you will learn how to play hide and seek with malware and also how to troubleshoot filesystem-related issues. You will also learn how to keep your storage clean and working more efficiently. This is even more important in the age of SSDs, when your system becomes dead slow if you fill it up. Some of the major topics that we will cover include how filesystems differ from each other, how NTFS can hide things from you, and how to analyze what is taking up all the space on your drive. By the end of this course you will know how to effectively manage filesystems in Windows. Before beginning the course you should have viewed the first course on this learning path, on the Sysinternals toolkit, on Pluralsight. I hope you'll join me for Troubleshooting Filesystems with Sysinternals Tools at Pluralsight.

Analyzing Disk Usage with Sysinternals Utilities
This module is called Analyzing Disk Usage with Sysinternals Utilities. Many people might think that to see a directory's disk usage you would just run DIR /S, so you would see the directory and all the subdirectories in it. There are a lot of factors that this does not take into consideration. Sysinternals gives you a tool called DU.exe, directory usage. DU reports the disk-space usage for a certain directory and everything below it and takes all factors into account. These factors include hard links, directory and file symbolic links, junction points, compressed and sparse files, alternate data streams (ADS), and unused cluster space. If you are looking at a situation where you're running low on hard disk space, there is a tool outside of the Sysinternals suite which, I have to say, I actually used just before starting to record this video. It is called TreeSize. There's TreeSize Personal, which is free, and then there's a company version that you can buy. It is a phenomenal tool for just making sure that you're not storing something on your disk that you do not want to be there. For me, it also shows how I need to free space with my OneDrive, with the new OneDrive Files On-Demand in Windows 10 1709. There's a neat trick in here. If you haven't figured it out, there is a really cool small executable inside of Windows called clip.exe, and in this example you're actually taking the directory usage, taking a CSV file out of it, and then just putting it on the clipboard so you can go straight to Excel and paste it in.
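As an added example (not code from the course or from Sysinternals), the script below walks a directory tree and reports the same factors the module says DIR /S misses and DU.exe accounts for: alternate data streams, hard links, reparse points (symbolic links and junctions), compressed and sparse files, and unused cluster space. It assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume; the 4 KB cluster size is an assumption you should replace with the Bytes Per Cluster value from `fsutil fsinfo ntfsinfo`. The Win32 calls (GetCompressedFileSizeW, GetFileInformationByHandle) are the documented ones; the function names are mine.

```powershell
# Added example, not from the course or Sysinternals. Reports what DIR /S ignores
# and du.exe accounts for: ADS, hard links, reparse points, compressed/sparse
# files and cluster slack. Assumes PowerShell 5.1/7 on NTFS.
param(
    [Parameter(Mandatory)][string]$Path,
    # Assumption: 4 KB clusters. Use "fsutil fsinfo ntfsinfo <drive>:" for the real value.
    [int]$ClusterSize = 4096
)

Add-Type -Namespace Win32 -Name Fs -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct BY_HANDLE_FILE_INFORMATION {
    public uint FileAttributes;
    public System.Runtime.InteropServices.ComTypes.FILETIME CreationTime;
    public System.Runtime.InteropServices.ComTypes.FILETIME LastAccessTime;
    public System.Runtime.InteropServices.ComTypes.FILETIME LastWriteTime;
    public uint VolumeSerialNumber;
    public uint FileSizeHigh;
    public uint FileSizeLow;
    public uint NumberOfLinks;   // > 1: the data is shared with other hard links
    public uint FileIndexHigh;
    public uint FileIndexLow;
}
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetFileInformationByHandle(
    Microsoft.Win32.SafeHandles.SafeFileHandle hFile, out BY_HANDLE_FILE_INFORMATION info);
// Bytes actually allocated on disk; smaller than Length for compressed and sparse files.
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern uint GetCompressedFileSizeW(string lpFileName, out uint lpFileSizeHigh);
'@

function Get-FileFacts([IO.FileInfo]$File) {
    $high = [uint32]0
    $low = [Win32.Fs]::GetCompressedFileSizeW($File.FullName, [ref]$high)
    if ($low -eq 0xFFFFFFFF -and [Runtime.InteropServices.Marshal]::GetLastWin32Error() -ne 0) { return }
    $onDisk = ([uint64]$high -shl 32) -bor $low
    # Round up to a whole cluster; the remainder is slack that DIR never shows.
    $allocated = [uint64][math]::Ceiling($onDisk / $ClusterSize) * $ClusterSize

    $links = 1; $fileId = $File.FullName
    try {
        $fs = [IO.File]::Open($File.FullName, 'Open', 'Read', 'ReadWrite')
        try {
            $info = New-Object 'Win32.Fs+BY_HANDLE_FILE_INFORMATION'
            if ([Win32.Fs]::GetFileInformationByHandle($fs.SafeFileHandle, [ref]$info)) {
                $links  = $info.NumberOfLinks
                $fileId = '{0:x8}:{1:x8}{2:x8}' -f $info.VolumeSerialNumber, $info.FileIndexHigh, $info.FileIndexLow
            }
        } finally { $fs.Dispose() }
    } catch { }   # sharing violation: keep the defaults

    # Every stream other than the unnamed ::$DATA stream is an alternate data stream.
    $ads = @(Get-Item -LiteralPath $File.FullName -Stream * -ErrorAction SilentlyContinue |
             Where-Object { $_.Stream -ne ':$DATA' })

    [pscustomobject]@{
        Path = $File.FullName; Length = $File.Length; OnDisk = $onDisk
        Slack = $allocated - $onDisk; HardLinks = $links; FileId = $fileId
        Compressed = [bool]($File.Attributes -band [IO.FileAttributes]::Compressed)
        Sparse     = [bool]($File.Attributes -band [IO.FileAttributes]::SparseFile)
        AdsCount   = $ads.Count
        AdsBytes   = ($ads | Measure-Object -Property Length -Sum).Sum
    }
}

function Walk([string]$Dir) {
    foreach ($item in Get-ChildItem -LiteralPath $Dir -Force -ErrorAction SilentlyContinue) {
        if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
            # Symlinks and junctions: report but never descend, or the target tree
            # is counted twice (or forever, if the link loops back).
            Write-Warning ("Reparse point, not followed: {0} -> {1}" -f $item.FullName, ($item.Target -join ';'))
            continue
        }
        if ($item.PSIsContainer) { Walk $item.FullName } else { Get-FileFacts $item }
    }
}

$facts  = @(Walk $Path)
# Hard-linked data counted once, as du.exe does by default (its -u switch counts every link).
$unique = $facts | Group-Object FileId | ForEach-Object { $_.Group[0] }

$facts | Where-Object { $_.AdsCount -or $_.HardLinks -gt 1 -or $_.Compressed -or $_.Sparse } |
    Format-Table Path, Length, OnDisk, HardLinks, AdsCount, AdsBytes -AutoSize
'Logical size (what DIR /S adds up): {0:N0} bytes' -f ($facts  | Measure-Object -Property Length -Sum).Sum
'Allocated, hard links once:         {0:N0} bytes' -f ($unique | Measure-Object -Property OnDisk -Sum).Sum
'Cluster slack:                      {0:N0} bytes' -f ($unique | Measure-Object -Property Slack  -Sum).Sum

# The clipboard trick from the module, applied to this output: $facts | ConvertTo-Csv -NoTypeInformation | clip
# The du.exe equivalent: du -c -v <directory> | clip
```

The gap between the logical and allocated totals is exactly what the module is about: files that DIR reports as large but that cost little on disk (compressed, sparse, hard-linked), and bytes that DIR never reports at all (alternate data streams, cluster slack). For triage, the rows with a non-zero AdsCount are the ones to open first, since ADS is also where the course's malware hide-and-seek plays out.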

Managing Post-reboot File Operations with Sysinternals Utilities
The last module is called Managing Post-reboot File Operations with Sysinternals Utilities. Why should you care about this? There are two reasons. First of all, it will tell you how to get rid of files in a place where they're really locked down, or where they're taken and reserved by another process. Many people will hear friends saying, please reboot with Linux and try to remove it, but instead of that I think you should just take a look at how these post-reboot file operations work. They're actually mostly used inside of Windows for hotfixes. You know that hotfix installations require some files to be changed. Sometimes you're wondering why you need to reboot the box, and we can actually take a look at that as well with these tools. You can also manipulate that list to your own benefit. This is all done, at the end of the day, with a few registry values. In the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager key there are a few values. One is called PendingFileRenameOperations and one is called PendingFileRenameOperations2. You could manipulate these yourself, but you would always have to remember the syntax. So I guess it's just easier if you download the Sysinternals tool and use PendMoves.exe, which is the tool that will list what files are going to be replaced or deleted during the next reboot. It is a phenomenal tool for knowing why your computer actually needs to reboot. Then we have movefile.exe. Movefile can manipulate those post-reboot commands for your own benefit. You can use it like movefile source destination to move a file that would otherwise be reserved by a process and unmovable in the live OS, or if you set the destination to nothing, with two double quotes, it will actually delete the file.
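As an added example (not code from the course or from Sysinternals), the script below does in PowerShell what the module describes PendMoves.exe and movefile.exe doing: it decodes the PendingFileRenameOperations and PendingFileRenameOperations2 values under the Session Manager key, and it schedules a move or a delete for the next boot through MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, the documented Win32 call that populates those values. Function names and the sample paths in the usage comments are mine; adding MOVEFILE_REPLACE_EXISTING for renames is my choice, not something the course states about movefile.exe. Scheduling writes to HKLM, so it needs an elevated prompt.

```powershell
# Added example, not from the course or Sysinternals. Lists pending boot-time
# file operations (what pendmoves.exe shows) and schedules new ones (what
# movefile.exe does) via MoveFileEx + MOVEFILE_DELAY_UNTIL_REBOOT. Run elevated to schedule.
Add-Type -Namespace Win32 -Name Mover -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileExW(string lpExistingFileName, string lpNewFileName, uint dwFlags);
'@
$MOVEFILE_REPLACE_EXISTING   = 0x1
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-PendingFileOperation {
    foreach ($name in 'PendingFileRenameOperations', 'PendingFileRenameOperations2') {
        $raw = (Get-ItemProperty -LiteralPath $SessionManager -Name $name -ErrorAction SilentlyContinue).$name
        if (-not $raw) { continue }
        # REG_MULTI_SZ holding pairs: source, destination. Paths carry the NT namespace
        # prefix \??\ ; an empty destination means delete; a destination starting with
        # "!" was scheduled with MOVEFILE_REPLACE_EXISTING.
        for ($i = 0; $i + 1 -lt $raw.Count; $i += 2) {
            $src = $raw[$i]     -replace '^\\\?\?\\', ''
            $dst = $raw[$i + 1] -replace '^!?\\\?\?\\', ''
            [pscustomobject]@{
                Value       = $name
                Operation   = $(if ($dst) { 'Rename' } else { 'Delete' })
                Replace     = $raw[$i + 1].StartsWith('!')
                Source      = $src
                Destination = $dst
            }
        }
    }
}

function Add-PendingFileOperation {
    param([Parameter(Mandatory)][string]$Source, [string]$Destination)
    # movefile src ""  -> destination NULL  -> delete at boot
    # movefile src dst -> rename at boot (REPLACE_EXISTING added here so an existing target is overwritten)
    $flags = $MOVEFILE_DELAY_UNTIL_REBOOT
    $target = $null
    if ($Destination) { $target = $Destination; $flags = $flags -bor $MOVEFILE_REPLACE_EXISTING }
    if (-not [Win32.Mover]::MoveFileExW($Source, $target, $flags)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw ('MoveFileEx failed for {0}: {1}' -f $Source, (New-Object ComponentModel.Win32Exception $err).Message)
    }
}

# Triage view. These operations are carried out by Session Manager at boot, before any
# logon, so a rename landing in a system directory from a user-writable source deserves a look.
Get-PendingFileOperation | Format-Table Operation, Source, Destination, Replace -AutoSize

# Usage (constructed paths): schedule a delete and a rename, then list again.
# Add-PendingFileOperation -Source 'C:\Temp\locked.dll'
# Add-PendingFileOperation -Source 'C:\Temp\new.dll' -Destination 'C:\Program Files\App\app.dll'
# Get-PendingFileOperation
```

Reading the value is harmless and works from a normal prompt; scheduling is what touches HKLM and is why both movefile.exe and this script need elevation. The same decode is useful in incident response: a file you are trying to remove can already be scheduled to be moved back or replaced at the next reboot, and this is one of the places to check before declaring a cleanup finished.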