Sysinternals Suite
Free Windows Tools for IT Pros

Yes, Sysinternals Suite is completely free. Microsoft makes all 70+ tools available at no cost, with no subscription tier, no feature unlock, and no “premium” version. The suite has been free since it was part of the original Sysinternals website in the late 1990s, and Microsoft has maintained that pricing policy since acquiring the company in 2006.

The download is a direct ZIP file from Microsoft’s own CDN at download.sysinternals.com. There is no registration, no email address required, and no download manager to install. The full suite (167.8 MB) and the ARM64 edition (15.3 MB) are both available without any account. Individual tools are also available as standalone downloads from the Microsoft Learn Sysinternals documentation pages.

There are no license fees for personal or commercial use. Many organizations deploy Sysinternals tools across entire fleets of workstations for IT administration and security monitoring. The license agreement (which you must accept the first time you run each tool) permits use within your organization – you cannot redistribute the tools commercially or strip the Microsoft branding.

Pro tip: If you need to pre-accept the EULA across a managed deployment, you can push a registry key: HKCU\Software\Sysinternals\EulaAccepted = 1 via Group Policy before your users first launch the tools.

See the Download section above for direct download links.

Yes, Sysinternals Suite is safe for Windows 11. Every executable in the suite is digitally signed by Microsoft Corporation, so Windows can verify the publisher before running the tool. Antivirus vendors who flag Sysinternals tools are almost always triggering on behavioral heuristics – PsExec looks like remote-access malware, ProcMon hooks the kernel like a rootkit – not on any malicious code in the files themselves.

The latest release (March 26, 2026) was built and tested on Windows 11. Tools like Process Explorer, Autoruns, and Process Monitor work correctly on Windows 11 22H2 and 23H2 including the ARM64 builds for Snapdragon X Series devices. The dark mode introduced in 2022 integrates with Windows 11’s system-wide dark theme setting.

If Windows Defender or your endpoint security platform flags a Sysinternals tool, here is how to handle it:

1. Verify the file is signed by Microsoft: right-click the .exe, Properties, Digital Signatures tab
2. Check the file hash against the current official download – re-download if you are unsure about the source
3. Add a hash-based exclusion in your security software for the specific tool you need
4. Do not create broad folder exclusions for C:\Sysinternals – use per-file hash rules instead

Pro tip: You can verify any Sysinternals tool’s signature from the command line with the included Sigcheck tool: sigcheck64.exe -v procexp64.exe – it checks both the file signature and VirusTotal simultaneously.

Check System Requirements for the full compatibility matrix.

No, Sysinternals Suite does not require installation. The entire suite ships as a ZIP file. You extract it to any folder, and every tool runs directly as a portable .exe. Nothing is written to C:\Program Files, no entries are added to the registry (unless you run Sysmon, which installs as a service by choice), and there is no uninstaller because there is nothing to uninstall.

The portable nature of the tools is one of their most useful properties. You can carry the suite on a USB drive and run it on any Windows machine without touching the system. IT professionals often keep the suite on a bootable diagnostic drive or a shared network folder accessible from any workstation. You can also run tools directly from a UNC path or a network share.

The exception is Sysmon, which must be explicitly installed as a Windows service if you want persistent logging. To install it: sysmon64.exe -i [optional: -c config.xml]. To uninstall it later: sysmon64.exe -u. The other 70+ tools in the suite have no installation step at all.

Some tools create small per-user settings files in the user profile (for example, Process Monitor saves its filter settings to a .pmc file) but these are optional and stored in your user AppData folder, not in system locations.

Pro tip: Create a folder at C:\Sysinternals and add it to your system PATH variable. Then you can type procexp or autoruns in any command prompt or the Run dialog to launch tools instantly without navigating to the folder.

See the Getting Started section for step-by-step extraction and PATH setup instructions.

Sysinternals Suite bundles 70+ individual Windows utilities. The most widely used ones fall into five categories: process management, network monitoring, security and diagnostics, disk and file utilities, and system information tools.

The most commonly used tools by category:

• Processes: Process Explorer, Process Monitor (ProcMon), ProcDump, ListDLLs, Handle
• Network: TCPView, Whois, PsPing
• Security & Startup: Autoruns, Sigcheck, Sysmon, AccessChk, AccessEnum, ShareEnum
• Disk & Files: Disk2vhd, DiskView, Du (disk usage), SDelete, NTFSInfo, PageDefrag
• System Info: BgInfo, RAMMap, VMMap, CoreInfo, ClockRes, WinObj, LoadOrder
• Remote Admin (PsTools): PsExec, PsInfo, PsKill, PsList, PsLoggedOn, PsService, PsShutdown, PsLogList
• Utilities: ZoomIt, RDCMan, BGInfo, DebugView, RegJump, Strings, Streams

Both 32-bit and 64-bit versions of each tool are included in the full suite ZIP (e.g., procexp.exe and procexp64.exe). On 64-bit Windows, always use the 64-bit variants for accurate results – the 32-bit versions of some tools cannot see 64-bit processes correctly.

Pro tip: The .chm help file included with each tool (e.g., procexp.chm) contains complete documentation with screenshots. Right-click the .chm file and choose Properties, then click Unblock if Windows has blocked it from opening.

See the Key Features section for detailed descriptions of the 10 most essential tools.

Sysinternals Suite runs on Windows 7 SP1 and later, including Windows 10, Windows 11, and all Windows Server versions from 2008 R2 onwards. The tools are native Windows executables with no .NET Framework requirement, which means they start quickly and work on even heavily locked-down enterprise images.

Hardware requirements are minimal. A 1 GHz processor and 256 MB of RAM will run most tools without issues. The one tool that can be demanding is Process Monitor in high-throughput scenarios – when capturing events from a busy system, ProcMon’s buffer can consume several gigabytes of RAM if you let it run for hours without clearing. For normal diagnostic sessions (minutes rather than hours), 1 GB of RAM is plenty.

Disk space is 167.8 MB for the full suite ZIP extracted. If you routinely save Process Monitor capture files (.pml files), allocate extra space – a 10-minute capture on a busy system can produce a 500 MB+ file.

Architecture coverage:

• x86 (32-bit Windows): Included in the full suite ZIP
• x64 (64-bit Windows): Included in the full suite ZIP (use procexp64.exe etc.)
• ARM64 (Windows 11 on ARM): Separate ARM64 edition download (15.3 MB)
• Nano Server: Separate Nano Server edition (9.6 MB) – GUI tools excluded

Pro tip: Most GUI tools require Local Administrator rights or SeDebugPrivilege. If you need to run diagnostics as a standard user, use AccessChk to check what access the standard user account has before escalating.

Full details are in the System Requirements table above.

Windows SmartScreen shows a warning because the executable was downloaded from the internet and has not yet built up enough “reputation” on your specific machine. This is a generic internet-download warning that triggers for any program you download, not a specific flag against Sysinternals tools.

The important distinction: SmartScreen can warn about files that are simply new downloads, or it can warn about files it believes are malicious. For Sysinternals tools, the warning is always the former – the tools are digitally signed by Microsoft Corporation, which you can verify by right-clicking the .exe, choosing Properties, and checking the Digital Signatures tab.

To dismiss the warning and run the tool:

1. When SmartScreen appears, click “More info” (small text, left side)
2. A “Run anyway” button will appear – click it
3. You will only see this warning once per tool per machine

Alternatively, right-click the .exe file, choose Properties, and click the Unblock checkbox at the bottom of the General tab. This removes the “Zone.Identifier” alternate data stream that marks the file as downloaded from the internet, which is what triggers SmartScreen in the first place.

To unblock all tools at once, run from an elevated PowerShell: Get-ChildItem C:\Sysinternals -Recurse | Unblock-File

Pro tip: If you are deploying Sysinternals tools via Group Policy or SCCM, use a software distribution method that does not attach the Zone.Identifier stream – files deployed via Group Policy Preferences or SCCM packages do not trigger SmartScreen warnings.

See also: Getting Started Step 2 for more about the first-run experience.

Yes, all Sysinternals tools work on Windows 10, including the latest 22H2 build. Windows 10 is the most tested platform for the suite, and Microsoft regularly validates the tools against Windows 10 feature updates before releasing new versions. Tools like Process Explorer, Autoruns, ProcMon, and TCPView behave identically on Windows 10 and Windows 11.

A few Windows 10-specific notes worth knowing:

• Dark mode support arrived in October 2022, so the GUI tools respect Windows 10’s system-wide light/dark theme setting if you are on that version or later.
• Process Explorer on Windows 10 shows UWP (Universal Windows Platform) apps and their container processes, which look different from Win32 processes in the tree.
• Autoruns on Windows 10 includes entries for scheduled tasks and UWP autostart registrations that older Windows versions did not have.
• Sysmon on Windows 10 can log DNS query events (Event ID 22) and clipboard capture events (Event ID 24), both of which require Windows 10 build 1709 or later.

If you are on Windows 10 32-bit (still used on some older hardware), use the 32-bit versions of each tool (e.g., procexp.exe rather than procexp64.exe). On 64-bit Windows 10, always use the 64-bit variants for complete visibility.

Pro tip: Windows 10 ships with a built-in package manager (winget) that can download and update many tools, but Sysinternals Suite is not in the winget repository. Download it directly from the Download section or use the Sysinternals Live network share.

Sysinternals Suite has no built-in auto-updater. To update, you download the latest ZIP from the Download section and extract it over your existing Sysinternals folder, overwriting the old files. The entire process takes about two minutes.

Steps to update:

1. Close any running Sysinternals tools (so their .exe files are not locked)
2. Download the latest SysinternalsSuite.zip from the Download section on this page
3. Extract the ZIP to the same folder where your current tools live (e.g., C:\Sysinternals)
4. Choose “Replace all files” when Windows asks about overwriting
5. Relaunch any tools you need – they will be the updated versions

Individual tools can also be updated independently. Each tool has its own page on Microsoft Learn (e.g., learn.microsoft.com/en-us/sysinternals/downloads/procexp) where you can see its release date and download just that tool as a standalone ZIP.

Microsoft typically updates individual tools on an as-needed basis – when a Windows update changes system internals that affect the tool – rather than on a fixed schedule. The full suite bundle is updated roughly monthly to reflect the latest individual tool releases. You can see the exact date on the Sysinternals Suite download page.

Pro tip: Create a scheduled task or a simple PowerShell script that downloads the ZIP, extracts it, and verifies the version – this is the closest thing to auto-update the suite offers. Run it monthly or after major Windows feature updates to stay current.

To check the current version of a specific tool, right-click its .exe and choose Properties, then click the Details tab to see the file version number.

Most Sysinternals tools are Windows-only. The suite was built specifically for Windows internals and has no macOS version. However, Microsoft has ported a handful of tools to Linux as standalone open-source releases.

Available on Linux (from Microsoft GitHub):

• ProcMon for Linux – Process Monitor ported to Linux, available as an AppImage and .deb package from github.com/Microsoft/ProcMon-for-Linux. It monitors file system events using eBPF and produces output in a format similar to the Windows version.
• ProcDump for Linux – Dumps a process on trigger conditions (CPU spike, memory threshold, signal). Available from github.com/Microsoft/ProcDump-for-Linux.

On macOS, there are no official Sysinternals ports. Mac users working on Windows diagnostics typically run the tools in a Windows virtual machine (VMware Fusion, Parallels, or the free UTM). For native macOS alternatives with similar functionality: Activity Monitor covers basic Process Explorer use cases, fs_usage approximates Process Monitor’s file monitoring, and Little Snitch or Lulu cover network monitoring similar to TCPView.

On Windows Subsystem for Linux (WSL 2), Process Monitor for Linux can run inside the WSL environment to monitor Linux processes, while Windows-side tools like Process Explorer can monitor the WSL host process (vmmem) from the Windows side.

Pro tip: For cross-platform IT shops, Sysmon for Linux (github.com/Microsoft/SysmonForLinux) provides the same event log telemetry as Windows Sysmon, making it possible to correlate Windows and Linux system events in the same SIEM with a consistent event schema.

For Windows downloads, see the Download section above.

Sysinternals Live is a network share hosted by Microsoft that lets you run any Sysinternals tool directly over the internet without downloading it first. You access it via the UNC path \\live.sysinternals.com\tools\ from Windows Explorer or from a Run dialog.

To use it, open File Explorer and type \\live.sysinternals.com\tools\ in the address bar. Windows mounts the network share and shows all 70+ tool executables as if they were local files. Double-click any tool to run it – Windows streams the executable and launches it. You can also run tools directly from the command line: \\live.sysinternals.com\tools\procexp.exe

Practical use cases:

• Diagnosing a machine you cannot copy files to (locked-down endpoint, no USB access)
• Running a quick check without permanently installing tools on a system
• Always getting the latest version of a tool without maintaining a local copy

The limitations: it requires internet access (obviously), the tool download happens at startup which adds 2-5 seconds per launch depending on your connection, and some tools are blocked by corporate firewalls that deny WebDAV or SMB access to external hosts. The EULA acceptance still applies – the first run of each tool on each machine will show the license agreement.

Pro tip: You can map Sysinternals Live as a network drive for easy access: net use S: \\live.sysinternals.com\tools. Then type S:\procexp.exe to launch Process Explorer from anywhere on that machine.

For offline environments, download the full suite from the Download section instead.

Yes, Sysinternals Suite works fully offline. The tools are self-contained native Windows executables that do not need internet access to run. You download the ZIP once, extract it, and every tool in the suite runs without any network connection.

The only features that require internet access are:

• VirusTotal integration in Process Explorer and Sigcheck – these query VirusTotal’s API with a file hash. Without internet, the VirusTotal column simply shows no result.
• Sysinternals Live (\\live.sysinternals.com) – which is the online-only delivery method, not the downloaded suite.
• Update checking – no built-in auto-update, but if you have an update checker script it needs internet to check for new versions.

In air-gapped or restricted corporate environments, the downloaded suite works exactly as expected. Process Monitor captures kernel events locally, Autoruns reads the local registry and file system, TCPView monitors local network state, Sysmon logs to the local Windows Event Log. All core functionality is entirely local.

For environments where even the initial download is controlled, your IT administrator can push the Sysinternals tools via SCCM, Intune, or a software distribution package without individual machines ever accessing the Microsoft CDN directly.

Pro tip: ProcMon capture files (.pml) can be collected from offline machines and then opened for analysis on a different machine that has internet access, letting you do VirusTotal lookups and remote analysis without needing to connect the target machine to the internet.

Download the full offline-ready suite from the Download section above.

Both are excellent, and many professionals use both. The honest answer is that they solve different problems well, and the “better” tool depends on exactly what you are trying to do.

Sysinternals Suite wins on breadth. You get 70+ tools covering far more ground than Process Hacker’s single executable – Autoruns alone does something Process Hacker does not touch. The tools carry Microsoft’s signature, which matters in corporate environments where unsigned tools face execution policy blocks. Sysinternals is also actively maintained by a team at Microsoft that understands Windows internals deeply, and the documentation is excellent.

Process Hacker (now rebranded System Informer) wins on depth within its process monitoring scope. Its network tab, service management, and memory editor are more capable than Process Explorer in some specific scenarios. The open-source nature means the community can fix issues and add features between official releases. System Informer supports custom plugins and has a more configurable UI.

Key practical differences:

• Startup management: Autoruns (Sysinternals) is far better – Process Hacker has no equivalent
• Live process view: Very similar capability; System Informer has a slightly more detailed network tab
• Enterprise deployment: Sysinternals is easier – signed by Microsoft, no policy issues
• Remote administration: Sysinternals wins with PsExec, PsInfo, and the full PsTools suite
• Security logging: Sysmon (Sysinternals) has no equivalent in Process Hacker
• NirSoft Utilities is a third option that fills gaps both leave – particularly for password recovery and network tools

Pro tip: Install both on your diagnostic toolkit. Use Sysinternals for startup management, remote admin, and security monitoring; use System Informer when you need deep process inspection and memory editing. They do not conflict.

Download Sysinternals Suite from the Download section above.

Most Sysinternals tools require administrator privileges for full functionality. The standard way to run a tool as admin is to right-click its .exe and choose “Run as administrator.” Windows will show a UAC prompt if your account is not already elevated.

Three approaches for running tools with admin rights:

1. Right-click method: Right-click the .exe file and choose “Run as administrator” – UAC prompts for confirmation. This is the simplest one-time approach.
2. Compatibility settings: Right-click the .exe, Properties, Compatibility tab, check “Run this program as an administrator.” The tool will always prompt for UAC when launched.
3. Elevated command prompt: Open a Command Prompt as administrator (right-click Start, “Terminal (Admin)” or “Command Prompt (Admin)”), then navigate to your Sysinternals folder and run tools from there. Any tool you launch from an elevated prompt inherits admin rights.

On systems where your user account does not have local admin rights, you will need to use runas /user:DOMAIN\Administrator procexp64.exe and enter the administrator password when prompted.

In a domain environment, IT staff sometimes run Sysinternals tools on remote machines via PsExec: psexec64.exe \\TARGETPC -s procexp64.exe – the -s flag runs it as the SYSTEM account, which has even higher privileges than local admin.

Pro tip: Some tools like BgInfo and ZoomIt work perfectly without admin rights. Only tools that inspect kernel structures (Process Explorer, Process Monitor, Autoruns) need elevation for their core functionality. If a tool opens briefly and closes or shows an “access denied” error, try running it as administrator first before troubleshooting further.

See the Getting Started guide for more setup tips.

Adding Sysinternals to your Windows PATH lets you launch any tool by typing its name in any Command Prompt, PowerShell window, or the Run dialog (Win + R) – no need to navigate to the folder each time.

Steps to add Sysinternals to PATH (Windows 10 and 11):

1. Press Win + R, type sysdm.cpl, press Enter to open System Properties
2. Click the Advanced tab, then Environment Variables
3. Under “System variables” (bottom section), find the variable named Path and double-click it
4. In the Edit Environment Variable dialog, click New
5. Type C:\Sysinternals (or whichever folder you extracted the tools to)
6. Click OK through all three dialogs
7. Open a new Command Prompt (the PATH change does not apply to already-open windows)
8. Type procexp and press Enter – Process Explorer should launch

Alternatively, from an elevated PowerShell in one line:

Once PATH is set, you can run any tool by name. For example: type autoruns to open Autoruns, procmon for Process Monitor, tcpview for TCPView, or bginfo for BgInfo. Tab completion in PowerShell also works for tool names.

Pro tip: Add both C:\Sysinternals to the System PATH (for all users) and separately, if you have PsTools you want available, the same folder covers them too since all tools are in one flat directory. For 64-bit systems, tools like procexp64, procmon64 and autoruns64 are the ones to run – the PATH lets you call them by the 64-bit name directly.

See Getting Started Step 3 for full initial setup instructions.

Uninstalling Sysinternals Suite is straightforward because there is no installation process – you simply delete the folder you extracted the tools to. There is no entry in “Add or Remove Programs” because nothing was installed via an installer.

Complete cleanup steps:

1. Delete the Sysinternals folder (e.g., C:\Sysinternals) – this removes all 70+ tools
2. Remove the PATH entry: Go to System Properties (Win + R, sysdm.cpl), Advanced, Environment Variables, find Path under System variables, and delete the Sysinternals entry
3. Remove saved settings (optional): Process Monitor saves filters to %APPDATA%\Roaming\Sysinternals\ – delete this folder if you want a complete cleanup
4. Remove EULA registry keys (optional): Delete HKCU\Software\Sysinternals from the registry via regedit if you want to remove all traces
5. Uninstall Sysmon if you installed it: From an elevated command prompt, run sysmon64.exe -u before deleting the files. If you delete sysmon64.exe before uninstalling the service, use sc delete Sysmon64 to remove the service entry manually.

The suite leaves no background services running (except Sysmon if you chose to install it), no registry entries for startup (unless you created them), and no scheduled tasks. After deleting the folder, the suite is fully gone from the system.

Pro tip: If you want to temporarily remove the tools from a system without permanently deleting them, simply remove the folder from PATH. The files remain on disk, but no processes can launch them accidentally, and they will not show up in application searches.

Need to start fresh? Download the latest suite from the Download section above.

For someone just starting with Sysinternals, Autoruns is the best first tool to learn. It has a practical immediate use case (cleaning up slow startups), its UI is self-explanatory compared to Process Monitor’s event flood, and you can learn it in 10 minutes and see real results right away.

The beginner toolkit, in order of learning priority:

1. Autoruns – Launch it, let it scan, look at the “Logon” and “Scheduled Tasks” tabs. Anything you do not recognize, right-click and choose “Search Online.” Uncheck entries you want to disable (they stay in the list, just disabled – you can re-enable if something breaks). This alone can speed up boot times measurably.
2. Process Explorer – Replace Task Manager permanently: go to Options > Replace Task Manager. Learn to read the process tree colors: cyan = service, purple = packed executable (flag this for review), green = new process. Right-click any process to search online or check VirusTotal.
3. TCPView – Open it and watch network connections in real time. The color changes (green = new connection, red = closed connection) make it easy to spot which programs are connecting to where.

Save Process Monitor for when you have a specific problem to debug – it generates overwhelming amounts of data until you know how to filter it. Beginners who start with ProcMon often get discouraged by the volume. Start with Autoruns, graduate to Process Explorer, and learn ProcMon once you have a specific question to answer.

Pro tip: The best way to learn Process Explorer is to open it alongside your regular work for a week without changing anything. Just observe the process tree, learn what normal looks like on your system, and notice when new processes appear. After a week, abnormal processes will be immediately obvious.

Download Sysinternals Suite from the Download section and follow the Getting Started guide for setup.

The official source for Sysinternals Suite is Microsoft’s own Sysinternals download CDN at download.sysinternals.com. The direct download URL for the full suite is https://download.sysinternals.com/files/SysinternalsSuite.zip, which always points to the current release.

The official documentation and per-tool download pages are at learn.microsoft.com/en-us/sysinternals/, where you can also find changelogs, release notes for each tool, and the complete documentation library.

If you want to verify you have the genuine files:

• Download from the Download section on this page or directly from download.sysinternals.com
• After downloading, right-click any .exe, choose Properties, click Digital Signatures – the signer should be Microsoft Corporation
• The Authenticode timestamp on the signature confirms when the file was signed – current releases were signed in early 2026

Avoid downloading Sysinternals tools from unofficial mirrors or file-sharing sites. Because these tools touch sensitive parts of the OS (processes, memory, network), fake or modified versions are a real risk. Always verify the Microsoft signature before running any tool.

The suite is also available from the Microsoft Store for Windows (Product ID: 9p7knl5rwt25), which provides an alternative delivery method for environments where store deployments are preferred. However, the direct ZIP download from Microsoft’s CDN is the fastest and most reliable option for most use cases.

Pro tip: Bookmark the Download section for fast access to the latest direct links whenever a new version releases.