Sysinternals first-response kit guide
A practical Sysinternals first-response map for process, file handle, startup, network, login, and registry symptoms.
Good For
- Windows triage
- process investigation
- startup review
- locked file troubleshooting
- network connection review
How to Use It
- Use Process Explorer when the question is what process owns CPU, memory, handles, services, or suspicious child processes.
- Use Process Monitor only with a short capture window and tight filters so the trace stays readable.
- Use Autoruns for startup, logon, driver, service, scheduled task, and browser helper review before removing anything.
- Use Handle or Process Explorer to identify the process holding a file or directory lock.
- Use TCPView for live process-to-connection mapping before assuming the firewall is the issue.
- Preserve screenshots, exported CSV, or saved PML traces before escalating.
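The capture steps above, as one evidence-collection script. This is an added example, not part of the original guide or of the Sysinternals Suite; it assumes the suite is unpacked at $ToolDir and that captures go under $EvidenceRoot (both placeholder paths), and it relies only on documented console switches (autorunsc -a * -c -h -s, tcpvcon -a -c -n, handle -u, sigcheck -a -h -c). It collects; it does not kill, delete, or change anything.

```powershell
# Added example (not from the guide): first-response capture wrapper around the
# Sysinternals console tools. Assumes the suite lives at $ToolDir and evidence
# goes under $EvidenceRoot (both placeholder paths) and that the session has
# local admin rights. Read-only: nothing is terminated, removed, or reconfigured.
param(
    [Parameter(Mandatory)] [string] $Symptom,        # free text for the notes, e.g. "locked-file"
    [string] $ProcessName = '',                      # optional process to examine
    [string] $FilePath = '',                         # optional path that appears locked
    [string] $ToolDir = 'C:\Tools\Sysinternals',     # assumption: where the suite is unpacked
    [string] $EvidenceRoot = 'C:\Evidence'           # assumption: where captures are kept
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$case  = Join-Path $EvidenceRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $case -Force | Out-Null
$notes = Join-Path $case 'operator-notes.txt'

# Operator notes: who ran what, when, on which host, for which symptom.
@"
host:     $env:COMPUTERNAME
user:     $env:USERDOMAIN\$env:USERNAME
started:  $(Get-Date -Format o)
symptom:  $Symptom
process:  $ProcessName
file:     $FilePath
"@ | Set-Content $notes

function Invoke-Tool {
    # Runs one console tool, keeps its output in a file, and records the exit code.
    param([string] $Exe, [string[]] $ArgList, [string] $OutFile)
    $full = Join-Path $ToolDir $Exe
    if (-not (Test-Path $full)) {
        Add-Content $notes "missing: $full"
        return
    }
    & $full @ArgList 2>&1 | Set-Content (Join-Path $case $OutFile)
    Add-Content $notes "$Exe exit=$LASTEXITCODE -> $OutFile"
}

# Startup, logon, service, driver, and task entries with hashes and signature
# verification, as CSV. Review happens later; nothing is removed here.
Invoke-Tool 'autorunsc64.exe' @('-accepteula','-nobanner','-a','*','-c','-h','-s') 'autoruns.csv'

# Live process-to-connection mapping as CSV. -n skips name resolution so the
# capture does not generate DNS lookups of its own.
Invoke-Tool 'tcpvcon.exe' @('-accepteula','-a','-c','-n') 'tcpview.csv'

if ($FilePath) {
    # Which process holds a handle to the file; -u adds the owning user.
    Invoke-Tool 'handle64.exe' @('-accepteula','-nobanner','-u', $FilePath) 'handle.txt'
}

if ($ProcessName) {
    # Signature, version info, and hashes for the image backing each matching process.
    Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } |
        Select-Object -ExpandProperty Path -Unique |
        ForEach-Object {
            $leaf = [IO.Path]::GetFileName($_)
            Invoke-Tool 'sigcheck64.exe' @('-accepteula','-nobanner','-a','-h','-c', $_) "sigcheck-$leaf.csv"
        }
}

Write-Host "Evidence written to $case"
```

Run it as `.\Capture-FirstResponse.ps1 -Symptom 'locked-file' -FilePath 'C:\Path\To\LockedFile.txt'` (script name is an assumption). Each tool's exit code lands in operator-notes.txt next to its output file, so a missing or failed tool is visible in the ticket rather than silently absent. Process Monitor is deliberately left out of the script: per the guide it should be run by hand with a short window and tight filters, then the saved PML attached.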
Execution Modes
- local
- remote-single-host
Inputs and Outputs
Inputs
- symptom
- process name
- file path
- host name
- short capture window
Outputs
- operator-notes
- log-file
- csv
Command Starter
Example pattern only. Adjust for your environment before running.
sigcheck64.exe -nobanner -m C:\Path\To\Binary.exe
handle64.exe C:\Path\To\LockedFile.txt
tcpview.exe
Validation
- The selected Sysinternals tool matches the symptom instead of creating noisy evidence.
- Captured output identifies process name, path, publisher/signature, user context, and timestamp where relevant.
- Any remediation recommendation is based on evidence and has separate approval.
Reporting
- export Autoruns or TCPView data for review
- attach Process Monitor filters and saved traces to tickets
- record process path, signature, command line, and owner context
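The Validation and Reporting items ask that each captured process be recorded with its name, path, publisher/signature, user context, command line, and a timestamp. The function below does that with built-in cmdlets only; it is an added example, not part of the guide, and the export path in the usage line is an assumption (the folder must already exist).

```powershell
# Added example (not from the guide): record the evidence fields the checklist
# asks for (path, signature/publisher, command line, owner, timestamp) for every
# process matching a name, using only built-in cmdlets. Read-only.
function Get-ProcessEvidence {
    param([Parameter(Mandatory)] [string] $ProcessName)

    # Escape single quotes so the WQL filter stays well-formed for odd names.
    $safeName = $ProcessName -replace "'", "''"

    Get-CimInstance Win32_Process -Filter "Name = '$safeName'" | ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        $sig   = if ($_.ExecutablePath) { Get-AuthenticodeSignature -FilePath $_.ExecutablePath } else { $null }
        $hash  = if ($_.ExecutablePath) { (Get-FileHash -Algorithm SHA256 -Path $_.ExecutablePath).Hash } else { '' }

        [pscustomobject]@{
            CapturedAt  = (Get-Date -Format o)          # when this record was taken
            Host        = $env:COMPUTERNAME
            Name        = $_.Name
            Pid         = $_.ProcessId
            ParentPid   = $_.ParentProcessId
            Path        = $_.ExecutablePath
            CommandLine = $_.CommandLine
            Owner       = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '' }
            Created     = $_.CreationDate                # process start time
            SigStatus   = if ($sig) { $sig.Status.ToString() } else { 'NoPath' }
            Publisher   = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Sha256      = $hash
        }
    }
}

# Usage: write the records to CSV for the ticket (folder path is an assumption).
Get-ProcessEvidence -ProcessName 'svchost.exe' |
    Export-Csv -NoTypeInformation -Path "C:\Evidence\process-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"
```

Owner comes from Win32_Process.GetOwner rather than from Get-Process, because Get-Process does not expose the account without elevation-dependent extra calls; SigStatus of NotSigned or HashMismatch, or an empty Path on a process that should have one, are the values worth flagging in the notes. As the Safety Notes say, the command line column can carry sensitive data, so treat the CSV as restricted.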
Safety Notes
- Download Sysinternals from Microsoft and verify tool source before use.
- Do not delete startup entries, kill processes, or change services during first-response evidence capture.
- Process Monitor traces may contain sensitive paths, registry keys, and usernames.