Procdump for Linux

If you have administered Windows computers or assisted in Windows malware removal, then there is a good chance you have heard of the popular free Sysinternals utilities. 

These utilities were created by a company called Winternals that was purchased by Microsoft in 2006 and offered power users the ability to manipulate files, processes, and various Windows internals in a highly granular way.

According to a tweet, Microsoft is now porting these utilities to Linux, starting with the Windows ProcDump utility.

ProcDump is a utility that allows users to create crash dumps, or core dumps, of processes based upon certain criteria such as high CPU utilization, various time intervals, when the process has an unhandled exception, or when it hangs.

Now Linux users can either compile ProcDump or install a precompiled binary. Instructions on how to do this can be found at the project's GitHub page.

ProcDump Demonstration

The Linux version of ProcDump does not offer all of the same features that the Windows version does. For example, the Linux version only allows you to create core dumps based on CPU utilization, memory usage, or over various intervals of time.

The options for the Linux version are shown below.

Usage: procdump [OPTIONS...] TARGET
   OPTIONS
      -C          CPU threshold at which to create a dump of the process from 0 to 100 * nCPU
      -c          CPU threshold below which to create a dump of the process from 0 to 100 * nCPU
      -M          Memory commit threshold in MB at which to create a dump
      -m          Trigger when memory commit drops below specified MB value.
      -n          Number of dumps to write before exiting
      -s          Consecutive seconds before dump is written (default is 10)
   TARGET must be exactly one of these:
      -p          pid of the process
      -w          Name of the process executable
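As an added example (not from the article or the ProcDump project), a small POSIX shell helper that converts a percentage of total machine capacity into the 0..100*nCPU scale the Linux port uses for -C, then builds the procdump command line for a process watched by name; the function names and the reading of the -C scale as "100 per core" are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the article): build a procdump invocation whose CPU
# threshold is given as a percentage of total machine capacity, since the
# Linux port expresses -C/-c on a 0..100*nCPU scale rather than 0..100.

# Number of online CPUs, with fallbacks for minimal systems.
ncpu() {
  nproc 2>/dev/null || getconf _NPROCESSORS_ONLN 2>/dev/null || echo 1
}

# scale_cpu_threshold PERCENT -> threshold on procdump's 0..100*nCPU scale.
# Rejects values outside 0..100 so a typo cannot produce an unreachable trigger.
scale_cpu_threshold() {
  pct="$1"
  case "$pct" in
    ''|*[!0-9]*) echo "scale_cpu_threshold: '$pct' is not an integer" >&2; return 1 ;;
  esac
  [ "$pct" -le 100 ] || { echo "scale_cpu_threshold: $pct exceeds 100" >&2; return 1; }
  echo $(( pct * $(ncpu) ))
}

# build_procdump_cmd NAME PERCENT [COUNT] [SECONDS]
# Prints the command line that watches executable NAME (-w) and writes COUNT
# dumps (-n) once CPU stays above PERCENT of machine capacity for SECONDS (-s).
build_procdump_cmd() {
  name="$1"; pct="$2"; count="${3:-1}"; secs="${4:-10}"
  thr=$(scale_cpu_threshold "$pct") || return 1
  echo "procdump -C $thr -n $count -s $secs -w $name"
}

# run_procdump NAME PERCENT [COUNT] [SECONDS]: execute the built command if the
# binary is installed, otherwise only show it (handy when preparing a runbook).
run_procdump() {
  cmd=$(build_procdump_cmd "$@") || return 1
  if command -v procdump >/dev/null 2>&1; then
    echo "running: $cmd"; $cmd
  else
    echo "procdump not installed; would run: $cmd"
  fi
}
```

Running `run_procdump nginx 80 2 5` on a 4-CPU host produces `procdump -C 320 -n 2 -s 5 -w nginx`, i.e. a dump is written once nginx has consumed 80% of the whole machine for 5 consecutive seconds.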

Microsoft plans on porting other Sysinternals utilities

Microsoft has also announced that ProcMon for Linux is already under development and that they plan on porting more Sysinternals tools as well.

Users have already requested Process Explorer, and if there are any other recommendations, Microsoft appears to be willing and ready to listen.
