Winternals: Defragmentation, Recovery, and Administration Field Guide

Chapter 4: Computer Monitoring

Introduction

Windows, by default, provides you with several utilities to monitor local activity on a computer, whether that activity is coming from users or from processes. Detailed monitoring is required to detect unauthorized access, discover suspicious activity, and gain a deep overall understanding of what is going on in the background. Much in the same way a network administrator would use a packet sniffer or an intrusion detection system (IDS) to monitor activity on a computer, a system administrator or an advanced user can utilize the tools provided by the Winternals team.

In this chapter, you will learn how to use Sysinternals tools to monitor active sessions on a computer and discover which processes are accessing which resources. You will also learn how to get a live listing of all file and Registry activity, and where that activity is coming from.

Viewing Users Who Are Logged On and What They're Doing

Knowing who is using the resources on your network and what they are doing with those resources is an essential ability for any administrator. Thankfully, tools are available from Sysinternals that allow us to get an overview of the users who are logged on to a computer, as well as information about the sessions created when users log on and what files or resources they are using.

Using PsLoggedOn to See Logged-On Users

Windows comes with the capability to list remote users who are logged on to your computer using the net session command, but it does not...
