Microsoft Ships New Malware Hunting Utility

On the heels of its July 2006 acquisition of Mark Russinovich’s Winternals Software, Microsoft has replaced the popular Regmon and Filemon utilities with a single tool offering advanced capabilities for real-time monitoring of registry and process thread activity.

The release of the new utility, called Process Monitor coincides with the relaunch of the Sysinternals portal as the Windows Sysinternals TechCenter on Microsoft TechNet.

Russinovich, a respected Windows kernel guru who joined the Redmond, Wash. vendor as a Technical Fellow in the Platforms and Services Division, describes Process Monitor as “a powerful new monitoring tool that is best described as Regmon and Filemon on steroids.”

Regmon and Filemon are hugely popular among virus and spyware researchers who use the real-time file and registry monitoring tools to determine changes made to an infected operating system.

The new Process Monitor, which was rewritten from scratch, will also include a third utility called Process Explorer in a single interface.

According to Microsoft, the new utility features an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, and simultaneous logging to a file.

“[These] powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit,” the company said.

Process Monitor, available as a free download, runs on Windows 2000 SP4 with Update Rollup 1, Windows XP SP2, Windows Server 2003, and Windows Vista as well as x64 versions of Windows XP, Windows Server 2003 and Windows Vista.

Process Monitor can be used to track process and thread startup and exit, including exit status codes; monitor image (DLL and kernel-mode device driver) loads. It also captures data for operation input and output parameters, as well as capture thread stacks for each operation to identify the root cause of an operation.

Microsoft also announced the release of Sysinternals Suite, a single download package that includes the entire set of SysInternals tools and utilities.

Since closing the Winternals Software acquisition, Microsoft has completed the migration of Sysinternals content and tools to its domains. Russinovich’s blog, which was used to expose Sony BMG’s use of a rootkit in its copy protection scheme, has been ported to Microsoft’s TechNet site and the free utilities have been moved to Microsoft Download.

However, the source code for the tools will not be migrated. “The number of source code downloads didn’t justify the migration, support and possible integration problems it might cause with other Windows components down the road,” said Otto Helweg, program manager in Microsoft’s Windows Server and Tools division.

Check out’s for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer’s Weblog.