Published Jan 29, 2026, 8:00 AM EST
Oluwademilade is a tech enthusiast with over five years of writing experience. He joined the MUO team in 2022 and covers various topics, including consumer tech, iOS, Android, artificial intelligence, hardware, software, and cybersecurity. In addition to writing at MUO, his work has appeared on HowtoGeek and SlashGear.
Oluwademilade attended the University of Ibadan in Nigeria, earning a medical degree from the College of Medicine. Excelling in public service, Oluwademilade was honored with the title of Global Action Ambassador by a student organization affiliated with the United Nations. He received this designation in Kuala Lumpur, Malaysia, in recognition of his efforts to make a positive global impact in 2020.
In his free time, Oluwademilade enjoys testing new AI apps and features, troubleshooting tech problems for family and friends, learning new coding languages, and traveling to new places whenever possible.
We tend to picture malware as a big, dramatic moment. A ransomware warning splashed across the screen. A sudden, unceremonious blue screen. In real life, the truly dangerous stuff is much ghostlier. It is a shady process sipping your CPU to mine crypto, a “helpful” little app phoning home to an IP address you have never seen before, or a stubborn script that reinstalls itself every time you reboot.
Windows Task Manager is rarely sufficient to surface this kind of behavior. When something feels off, or when I'm simply auditing a system's overall health, I reach for the Windows Sysinternals Suite. Built by Mark Russinovich (with Bryce Cogswell) and maintained by Microsoft since it acquired Sysinternals in 2006, these tools are widely regarded as the gold standard for deep system inspection; Russinovich is now Chief Technology Officer of Microsoft Azure and a Microsoft Technical Fellow. They're lightweight, portable, and precise.
I’ll share five Sysinternals tools that I personally use to hunt down anomalies on my system.
Sysinternals Suite
OS Windows
Developer Microsoft Sysinternals (originally Mark Russinovich and Bryce Cogswell)
Price model Free
Explore and troubleshoot Windows like a pro with the Sysinternals Suite. It packs advanced tools for monitoring processes, security, and system performance.
Process Explorer
Task Manager’s smarter, scarier older brother
If Task Manager is a blunt butter knife, Process Explorer is a scalpel. It is the very first thing I open when a system starts dragging its feet or acting strangely. At a glance, it may resemble Task Manager, but once you dig in, the depth is on a different level. Nothing else shows you the full family tree of running processes quite like this.
I lean on Process Explorer to catch process impostors. Malware loves to dress up as something boring and trustworthy, like svchost.exe or chrome.exe, hoping you will not look too closely at the essential Windows processes it is hiding among. Process Explorer does not fall for that. Its tree view shows you who "gave birth" to what, and the Properties dialog shows the image path and, with Options > Verify Image Signatures enabled, the verified signer. Every legitimate svchost.exe is started by services.exe and lives in System32, so if I spot one that came from explorer.exe, or that runs from a path under AppData, my eyebrows go up immediately. That is usually a dead giveaway.
My favorite feature is the built-in VirusTotal check. You do not have to play guessing games. With a quick toggle (Options > VirusTotal.com > Check VirusTotal.com), Process Explorer submits the hash of every running executable to VirusTotal and adds a detection ratio right into the process list. A clean 0 out of dozens of engines is reassuring. Anything else jumps to the top of my "what is this doing here?" list. Two caveats: by default only hashes leave the machine, but the separate Submit Unknown Executables option uploads the file itself, so think before enabling it on a work PC; and a file VirusTotal has never seen shows as Unknown rather than 0, which deserves at least as much attention as a hit.
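The checks described above, scripted, as an added example that is not code from the article or from the Sysinternals project: it walks the process list, applies the parent/child, image-path and signature tests that Process Explorer makes visual, and prints the SHA-256 you would paste into VirusTotal's search box. The expected-parent table is an assumption about normal Windows behaviour; run it from an elevated prompt so every process exposes its image path.

```powershell
# Added example (not from the article or Sysinternals). Windows PowerShell 5.1 or PowerShell 7, elevated.

# Assumption: on a healthy system these images are only ever started by this one parent.
$ExpectedParent = @{
    'svchost.exe'       = 'services.exe'
    'spoolsv.exe'       = 'services.exe'
    'services.exe'      = 'wininit.exe'
    'lsass.exe'         = 'wininit.exe'
    'taskhostw.exe'     = 'svchost.exe'
    'runtimebroker.exe' = 'svchost.exe'
}
$SystemDir = Join-Path $env:SystemRoot 'System32'

function Find-ProcessImpostors {
    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        $name   = $p.Name.ToLower()
        $parent = $byPid[[int]$p.ParentProcessId]
        # PIDs get reused: a "parent" that started after its child is not the real parent.
        if ($parent -and $p.CreationDate -and $parent.CreationDate -gt $p.CreationDate) { $parent = $null }
        $parentName = if ($parent) { $parent.Name.ToLower() } else { '<exited>' }
        $path    = $p.ExecutablePath
        $reasons = @()

        if ($ExpectedParent.ContainsKey($name)) {
            # 1. Wrong parent, e.g. svchost.exe spawned by explorer.exe instead of services.exe
            if ($parentName -ne $ExpectedParent[$name]) {
                $reasons += "parent is $parentName, expected $($ExpectedParent[$name])"
            }
            # 2. A system image name running from somewhere other than System32
            if ($path -and -not $path.StartsWith($SystemDir, [StringComparison]::OrdinalIgnoreCase)) {
                $reasons += "image is at $path"
            }
        }
        # 3. Unsigned or tampered image (catalog-signed Windows files still report Valid)
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
        }

        if ($reasons.Count -gt 0) {
            # SHA-256 is what you look up on VirusTotal; nothing is uploaded.
            $hash = if ($path -and (Test-Path -LiteralPath $path)) {
                (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
            } else { $null }
            [pscustomobject]@{
                PID    = $p.ProcessId
                Name   = $p.Name
                Parent = $parentName
                Path   = $path
                SHA256 = $hash
                Why    = ($reasons -join '; ')
            }
        }
    }
}

Find-ProcessImpostors | Format-Table -AutoSize -Wrap
```

The signature test flags every unsigned third-party program as well, so read the output as a triage list rather than a verdict; the parent and path tests are the ones that rarely fire on a clean machine.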
TCPView
See who your computer is whispering to in the dark
These days, most malware needs an internet connection sooner or later. Whether it is a RAT waiting for instructions or a keylogger shipping off your passwords, it has to phone home at some point. That is why TCPView is the tool I reach for when I want to catch those backroom conversations in the act.
Instead of a wall of command-line text like the netstat command, TCPView lays everything out in a clean, living list that updates in real time. You can actually watch connections appear and disappear. I keep an eye out for programs that have no business being online in the first place. If I ever see something like Notepad or Calculator sitting there with an “Established” link to a random IP, my gut immediately says something is wrong.
My usual move is to sort by the State column so all the active connections float to the top, which is the fastest way to check for open TCP/IP ports. Then I scan for anything weird, like traffic on oddball ports or processes that do not even bother to show a proper name or icon. A quick right-click and a Whois lookup tells me who owns the IP. If it points to a cloud server halfway across the world in a place I never deal with, I do not overthink it. I close the connection, and then I go after the process that owns it, because a closed socket is only a momentary setback for malware that will simply reconnect. Bear in mind that plenty of legitimate software also talks to the big cloud providers, so the process behind the connection tells you more than the geography does.
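A scripted pass over the same data TCPView shows, as an added example that is not code from the article or from Sysinternals: it lists established connections with their owning process and flags the three things described above (processes that have no business being online, unusual remote ports, and connections with no identifiable image behind them). The two lists at the top are assumptions to tune for your own machine; Get-NetTCPConnection exists on Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the article or Sysinternals). Run elevated to see every process's path.

$NeverOnline = @('notepad', 'calc', 'calculatorapp', 'mspaint', 'wordpad')   # assumption: no reason to own a socket
$CommonPorts = @(53, 80, 443, 465, 587, 993, 995, 22, 3389)                 # assumption: ordinary remote ports

function Find-SuspiciousConnections {
    $procById = @{}
    foreach ($p in Get-Process) { $procById[$p.Id] = $p }

    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$|fe80:)' } |   # drop loopback / link-local
        ForEach-Object {
            $conn = $_
            $proc = $procById[[int]$conn.OwningProcess]
            $name = if ($proc) { $proc.ProcessName.ToLower() } else { '<unknown>' }
            $procPath = if ($proc) { $proc.Path } else { $null }
            $reasons = @()
            if ($name -in $NeverOnline)               { $reasons += 'process should never be online' }
            if ($conn.RemotePort -notin $CommonPorts) { $reasons += "unusual remote port $($conn.RemotePort)" }
            if (-not $procPath)                       { $reasons += 'no image path (exited, protected, or hidden)' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    PID     = $conn.OwningProcess
                    Process = $name
                    Path    = $procPath
                    Local   = "$($conn.LocalAddress):$($conn.LocalPort)"
                    Remote  = "$($conn.RemoteAddress):$($conn.RemotePort)"
                    Why     = ($reasons -join '; ')
                }
            }
        }
}

Find-SuspiciousConnections | Format-Table -AutoSize -Wrap
# Once a process is confirmed bad, end it (Stop-Process -Id <PID> -Force) rather than only closing
# the socket: TCPView's Close Connection buys seconds, not a remediation.
```

The unusual-port rule is deliberately loose: chat clients, games and VPNs use plenty of ports outside the list, so it is there to draw the eye, not to convict. Reverse lookups (Resolve-DnsName -Type PTR) are left out so the script works offline.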
Autoruns
Exorcising the ghosts that haunt your boot sequence
Persistence is malware’s whole personality. The people behind it know you are going to reboot sooner or later, so they plant scripts and executables in startup locations to ensure their code reappears the moment the system comes back online. Windows has dozens of these entry points, and the Startup tab in Task Manager only exposes a small slice of them.
That is why I lean on Autoruns. It is nosy in the best possible way. It sweeps the Registry, the Task Scheduler, WMI, services and drivers, and a bunch of obscure corners you probably did not even know Windows had. When the list finally settles, my eyes go straight to anything highlighted in pink. That color means Autoruns could not verify a digital signature for the file (yellow means the file an entry points to no longer exists), which is a red flag. On a healthy system, the vast majority of startup entries are digitally signed by Microsoft or a well-known name like Adobe or Google.
To keep from drowning in noise, I always flip on my favorite filter. In Options > Scan Options, I enable Verify Code Signatures, and then I turn on Options > Hide Microsoft Entries. The order matters: with signature verification on, the hide filter only removes entries whose Microsoft signature actually checks out, rather than anything that merely claims to be from Microsoft in its version information. This strips away the hundreds of legitimate Windows components and leaves a concise list of third-party software. If a pink, unsigned entry points to a file living in a temporary path, such as AppData\Local\Temp, it's almost always a strong indicator of malware trying to maintain persistence.
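The same filter applied to the command-line edition, autorunsc.exe, as an added example that is not code from the article or from Sysinternals, so the sweep can run on a schedule or across several machines. The tool path is an assumption, and the CSV column names are those of current Autoruns output; compare them against the header row of your own run. If you redirect autorunsc output to a file first, read it back with -Encoding Unicode, since it writes UTF-16.

```powershell
# Added example (not from the article or Sysinternals). Run elevated.
function Find-SuspiciousAutoruns {
    param([string]$Autorunsc = 'C:\Tools\Sysinternals\autorunsc64.exe')   # assumption

    # -a *  every entry type   -c CSV   -s verify signatures   -m hide verified Microsoft entries   -h file hashes
    $rows = & $Autorunsc -accepteula -nobanner -a * -c -s -m -h 2>$null | ConvertFrom-Csv

    foreach ($row in $rows) {
        $path    = $row.'Image Path'
        $reasons = @()

        # Pink in the GUI: no "(Verified)" signer once -s is on
        if ($row.Signer -notmatch '^\(Verified\)') { $reasons += "unverified signer: '$($row.Signer)'" }

        # Persistence living in a user-writable or temporary directory
        if ($path -match '(?i)\\(AppData\\Local\\Temp|Temp|ProgramData|Users\\Public|Downloads)\\') {
            $reasons += 'image in a user-writable or temporary path'
        }

        # Yellow in the GUI: the entry points at something that is no longer there
        if ($path -match '^File not found') { $reasons += 'target file missing' }

        # A script host or LOLBin with a hidden/encoded/remote payload in the launch string
        if ($row.'Launch String' -match '(?i)(powershell|wscript|cscript|mshta|rundll32|regsvr32).*(-enc|hidden|http|\.vbs|\.js|\.hta)') {
            $reasons += 'script host / LOLBin launch string'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Location = $row.'Entry Location'
                Entry    = $row.Entry
                Image    = $path
                SHA256   = $row.'SHA-256'
                Why      = ($reasons -join '; ')
            }
        }
    }
}

Find-SuspiciousAutoruns | Format-Table -AutoSize -Wrap
```

Because -m is combined with -s, an entry is only hidden when its Microsoft signature verifies, which is exactly the ordering the GUI workflow above relies on.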
Process Monitor (ProcMon)
Drinking from the firehose to find the needle
When I’m dealing with a truly stealthy infection that refuses to stay dead, I stop being polite and reach for Process Monitor. This is the heavy artillery. It records real-time activity across the file system, Registry, and running processes, giving me a granular view of what the system is actually doing under the hood.
Fair warning, though: ProcMon is noisy. Like, hundreds-of-thousands-of-events-in-seconds noisy. I do not use it to casually browse. I use it to answer very specific, almost petty questions, like “What exact file is recreating this sketchy registry key every time I delete it?”
My little “assassin” routine starts with pausing the capture (Ctrl + E) as soon as the tool launches, to stop the initial data flood. Then I select the Target (crosshair) icon from the toolbar and drag it onto a suspicious window or error message. Process Monitor adds a filter so the event log shows only the activity tied to that process; I clear what has already been collected (Ctrl + X) and resume capture (Ctrl + E). From there, I can trace exactly which files it’s touching and where it’s attempting to stash its configuration data. Tools > Process Tree (Ctrl + T) shows the same parent-child relationships Process Explorer does, with the bonus that it still lists processes that have already exited.
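The "which file keeps recreating this registry key" question, answered without staring at the live firehose, as an added example that is not code from the article or from Sysinternals: Process Monitor is driven with its command-line switches to capture unattended to a backing file, the capture is exported to CSV, and the CSV is searched for successful writes to Run keys grouped by writer. The tool path, run time and key pattern are assumptions.

```powershell
# Added example (not from the article or Sysinternals). Run elevated; Procmon path is an assumption.
function Invoke-ProcmonCapture {
    param(
        [string]$Procmon = 'C:\Tools\Sysinternals\Procmon64.exe',
        [int]$Seconds    = 60,
        [string]$Pml     = (Join-Path $env:TEMP 'hunt.pml')
    )
    # /Quiet skips the filter prompt, /BackingFile keeps events on disk, /Runtime exits after N seconds.
    Start-Process -FilePath $Procmon -Wait -ArgumentList @(
        '/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', "`"$Pml`"", '/Runtime', $Seconds)
    # Export the PML to CSV so the analysis step can run anywhere, even without Procmon.
    $csv = [System.IO.Path]::ChangeExtension($Pml, '.csv')
    Start-Process -FilePath $Procmon -Wait -ArgumentList @(
        '/AcceptEula', '/Quiet', '/OpenLog', "`"$Pml`"", '/SaveAs', "`"$csv`"")
    return $csv
}

function Find-KeyWriters {
    param(
        [Parameter(Mandatory)][string]$Csv,
        [string]$KeyPattern = '(?i)\\CurrentVersion\\Run'   # Run and RunOnce, HKLM or HKCU
    )
    Import-Csv -LiteralPath $Csv |
        Where-Object {
            $_.Operation -in @('RegSetValue', 'RegCreateKey', 'RegDeleteValue') -and
            $_.Result -eq 'SUCCESS' -and
            $_.Path -match $KeyPattern
        } |
        Group-Object -Property 'Process Name', 'PID', 'Path' |
        ForEach-Object {
            [pscustomobject]@{
                Process = $_.Group[0].'Process Name'
                PID     = $_.Group[0].PID
                Key     = $_.Group[0].Path
                Writes  = $_.Count
                Detail  = $_.Group[-1].Detail        # e.g. Type: REG_SZ, Data: "C:\...\payload.exe"
                LastAt  = $_.Group[-1].'Time of Day'
            }
        } | Sort-Object Writes -Descending
}

$csv = Invoke-ProcmonCapture -Seconds 120
Find-KeyWriters -Csv $csv | Format-Table -AutoSize -Wrap
```

Delete the suspect value during the capture window: the process that puts it back will then top the list, and the Detail column shows the exact data it wrote. A saved filter from the GUI can be applied to the capture with /LoadConfig to keep the backing file small.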
Sysmon (System Monitor)
Retrospective justice for midnight malware
The first four tools I covered above are great for catching things in the act, but what about the stuff that only happens when you are not looking? Some malware is context-aware and goes quiet the moment it detects user activity, or simply schedules its work for the middle of the night.
That is where Sysmon earns its keep. It runs as a service in the background and writes everything it sees to the Windows Event Log (Microsoft-Windows-Sysmon/Operational). I put it on machines I want to keep an eye on over the long haul. Compared to Windows’ built-in auditing, Sysmon is obsessively detailed. It records a hash for every program that starts, every process that gets created along with its full command line and parent, and, once you enable them in a configuration file, every network connection that fires up and every file that is created.
The feature I lean on most is Event ID 1, which logs process creation. It gives me a kind of digital paper trail. So if I wake up and there is a mystery file sitting on my desktop, I can rewind the night: Event ID 11 (file creation, when it is configured) names the process that wrote the file, and that process’s Event ID 1 record tells me what command line started it, when, and what its parent was.
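A minimal Sysmon configuration plus the query that turns "a mystery file appeared overnight" into a process, a parent and a command line, as an added example that is not code from the article or from Sysinternals. The configuration keeps every process creation (ID 1) and network connection (ID 3) and only the file creations (ID 11) in places malware likes to drop things; the tool path, config path, service name and lookback windows are assumptions.

```powershell
# Added example (not from the article or Sysinternals). Run elevated.
$SysmonConfig = @'
<Sysmon schemaversion="4.30">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- "exclude" with no rules excludes nothing, i.e. every event of that type is logged -->
    <ProcessCreate onmatch="exclude" />
    <NetworkConnect onmatch="exclude" />
    <!-- file creation is noisy, so only watch the usual drop locations -->
    <FileCreate onmatch="include">
      <TargetFilename condition="contains">\Desktop\</TargetFilename>
      <TargetFilename condition="contains">\AppData\Local\Temp\</TargetFilename>
      <TargetFilename condition="contains">\Startup\</TargetFilename>
    </FileCreate>
  </EventFiltering>
</Sysmon>
'@

function Install-SysmonConfig {
    param([string]$Sysmon = 'C:\Tools\Sysinternals\Sysmon64.exe',   # assumption
          [string]$ConfigPath = 'C:\Tools\sysmon.xml')              # assumption
    Set-Content -LiteralPath $ConfigPath -Value $SysmonConfig -Encoding UTF8
    if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
        & $Sysmon -accepteula -c $ConfigPath      # update the running configuration
    } else {
        & $Sysmon -accepteula -i $ConfigPath      # first install
    }
}

function Get-SysmonEvents {
    param([int[]]$Id, [datetime]$Since = (Get-Date).AddHours(-12))
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = $Id; StartTime = $Since
    } | ForEach-Object {
        # Flatten the <Data Name="..."> elements of EventData into properties
        $xml = [xml]$_.ToXml()
        $obj = @{ TimeCreated = $_.TimeCreated; EventId = $_.Id }
        foreach ($d in $xml.Event.EventData.Data) { $obj[$d.Name] = $d.'#text' }
        [pscustomobject]$obj
    }
}

function Find-FileCreator {
    param([Parameter(Mandatory)][string]$FilePath)
    $created = Get-SysmonEvents -Id 11 | Where-Object { $_.TargetFilename -eq $FilePath } | Select-Object -First 1
    if (-not $created) { return $null }
    # ProcessGuid survives PID reuse, so join on it back to the process-creation event (ID 1).
    # The writer may be a long-running process, hence the wider window for ID 1.
    $proc = Get-SysmonEvents -Id 1 -Since (Get-Date).AddDays(-30) |
        Where-Object { $_.ProcessGuid -eq $created.ProcessGuid } | Select-Object -First 1
    [pscustomobject]@{
        File        = $FilePath
        CreatedAt   = $created.TimeCreated
        Image       = $created.Image
        CommandLine = $proc.CommandLine
        ParentImage = $proc.ParentImage
        ParentCmd   = $proc.ParentCommandLine
        User        = $proc.User
        Hashes      = $proc.Hashes
    }
}

Find-FileCreator -FilePath "$env:USERPROFILE\Desktop\mystery.txt" | Format-List
```

Without the FileCreate rules, ID 11 is never written and Find-FileCreator returns nothing, which is the most common reason this lookup fails on a freshly installed Sysmon.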
Stop guessing and start hunting
Using these five Sysinternals tools, I feel much more in control of my Windows PC’s security. They have helped me catch and remediate issues that standard antivirus software sometimes overlooks. The best part is that all these utilities are free and portable; you can run them on any Windows machine (and Microsoft keeps them up to date with the latest OS versions). If you’re a tech-savvy or curious user, I encourage you to give them a try. Not only will you enhance your ability to catch suspicious behavior early, but you’ll also learn a ton about how Windows works under the hood.
In my experience, a little first-hand sleuthing with Sysinternals tools can go a long way in keeping your system clean and your mind at ease when something “feels off” on your PC. Happy hunting!