Some Tools of a PFE
I hope you are all well! Today I will give you a brief overview of the tools I need to use on a regular basis.
Chrissy LeMaire, one of the best SQL MVPs in the world, asked me directly via Twitter and also publicly via a tweet to write down some of the tools a PFE uses, and I surely couldn't deny:
David Peter Hansen started with a fantastic list of tools regarding SQL, which can be found as follows:
My technological specialties are a little different though, because I am mainly focused on Windows Client, PowerShell and Security.
I hope that this list will be of help for some of you and I wish you all a lot of fun testing and using the tools!
Client & Debugging:
First of all I start with the typical troubleshooting tools, in no particular order. This is only a small subset of all the tools I sometimes need to use, but you really should be aware of these!
DefragTools and Lightsaber
One of the best resources regarding debugging is the DefragTools Channel 9 video series by Andrew Richards, Chad Beeder and Larry Larsen, showing some deep-dive troubleshooting tools and techniques.
In these sessions a so-called Lightsaber is explained, which is a dedicated USB stick / OneNote folder containing the most important debugging tools (the holy grail for every troubleshooter):
Session 131 Lightsabre Windows 10
WinDBG is one of the most important tools for debugging memory dumps and much more:
A good way to start here is taking a look at the DefragTools videos and using cheat sheets such as the following one: here
This year the new WinDBG Preview was announced.
You can see the videos in the DefragTools: here and here
WinDBG - Time Travel Debugging
A cool feature inside the new Preview WinDBG is Time Travel Debugging.
"Time Travel Debugging (TTD) is a reverse debugging solution that allows you to record the execution of an app or process, replay it both forwards and backwards and use queries to search through the entire trace. Today’s debuggers typically allow you to start at a specific point in time and only go forward. TTD improves debugging since you can go back in time to better understand the conditions that lead up to the bug. You can also replay it multiple times to learn how best to fix the problem."
Find further information here:
"Wireshark is the world’s foremost and widely-used network protocol analyzer. It lets you see what’s happening on your network at a microscopic level and is one of the standard across many commercial and non-profit enterprises, government agencies, and educational institutions."
Windows Message Analyzer
"Microsoft Message Analyzer is a new tool for capturing, displaying, and analyzing protocol messaging traffic, events, and other system or application messages in network troubleshooting and other diagnostic scenarios. Message Analyzer also enables you to load, aggregate, and analyze data from log and saved trace files. It is the successor to Microsoft Network Monitor 3.4 and is a key component in the Protocol Engineering Framework (PEF) that was created by Microsoft to improve protocol design, development, implementation testing and verification, documentation, and support. With Message Analyzer, you can choose to capture local and remote traffic live or load archived message collections from multiple data sources simultaneously."
Take a look here.
"System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network."
Further reading:
- Defrag Tools #108 - Sysinternals SysMon
- Mark Russinovich's great blog article: Sysinternals Sysmon unleashed
- WannaCry Detection with Sysmon
- The WMI Diagnosis Utility -- Version 2.2
- WMI Troubleshooting - Logs
- Querying and Viewing the WMI Repository
You should also consider buying some dedicated books on WMI if you work with it very often.
The Windows Internals book in particular is worth considering!
WMI Explorer and here the download
WBEMTest is a graphical utility that you can use to test connectivity to remote systems, validate your WMI queries and explore WMI.
Winmgmt is the WMI service within the SVCHOST process running under the LocalSystem account. In all cases, the WMI service automatically starts when the first management application or script requests connection to a WMI namespace. For more information, see Starting and Stopping the WMI Service.
Sometimes the self-repair helps: here
Deployment Image Servicing and Management (DISM.exe) is a command-line tool that can be used to service a Windows® image or to prepare a Windows Preinstallation Environment (Windows PE) image. DISM can be used to service a Windows image (.wim) or a virtual hard disk (.vhd or .vhdx).
DISM /Online /Cleanup-Image /CheckHealth
DISM /Online /Cleanup-Image /ScanHealth
DISM /Online /Cleanup-Image /RestoreHealth
System File Checker is a utility in Windows that allows users to scan for corruptions in Windows system files and restore corrupted files. This article describes how to run the System File Checker tool (SFC.exe) to scan your system files and to repair missing or corrupted system files. If a Windows Resource Protection (WRP) file is missing or is corrupted, Windows may not behave as expected. For example, some Windows functions may not work, or Windows may crash.
findstr /c:"[SR]" %windir%\logs\cbs\cbs.log > c:\windows\logs\cbs\sfcdetails.log
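As an added example (not from the original post), a PowerShell wrapper that runs the three DISM checks above in order, follows up with SFC and filters the [SR] entries of CBS.log the way the findstr command does; it assumes an elevated PowerShell session.

```powershell
# Added example (not from the original post): runs the DISM health checks above
# in order, follows up with SFC and extracts the [SR] lines from CBS.log the way
# the findstr command does. Needs an elevated PowerShell session.
#Requires -RunAsAdministrator

function Invoke-ImageHealthCheck {
    [CmdletBinding()]
    param(
        # Target for the filtered SFC output (same path as the findstr example).
        [string]$DetailsPath = (Join-Path $env:windir 'Logs\CBS\sfcdetails.log')
    )

    # CheckHealth only reads the corruption flag; ScanHealth scans the component store.
    foreach ($action in 'CheckHealth', 'ScanHealth') {
        Write-Verbose "DISM /Online /Cleanup-Image /$action"
        & DISM.exe /Online /Cleanup-Image "/$action" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "DISM /$action returned $LASTEXITCODE" }
    }

    # RestoreHealth repairs the store (uses Windows Update unless /Source is given).
    & DISM.exe /Online /Cleanup-Image /RestoreHealth | Out-Null
    $restoreExit = $LASTEXITCODE

    # Only a healthy component store gives SFC a trustworthy source to repair from.
    & sfc.exe /scannow | Out-Null
    $sfcExit = $LASTEXITCODE

    # SFC tags its entries in CBS.log with [SR]; keep just those lines.
    $cbsLog  = Join-Path $env:windir 'Logs\CBS\CBS.log'
    $srLines = @(Select-String -Path $cbsLog -SimpleMatch '[SR]' | ForEach-Object Line)
    Set-Content -Path $DetailsPath -Value $srLines -Encoding UTF8

    [PSCustomObject]@{
        DismRestoreExitCode = $restoreExit
        SfcExitCode         = $sfcExit
        SrEntries           = $srLines.Count
        # Entries SFC could not fix still mention "Cannot repair".
        Unrepaired          = @($srLines | Where-Object { $_ -match 'Cannot repair' }).Count
        DetailsPath         = $DetailsPath
    }
}

Invoke-ImageHealthCheck -Verbose
```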
The Event Viewer is a Microsoft Management Console (MMC) snap-in. You can start Event Viewer by adding the snap-in to MMC or by double-clicking the snap-in file, Eventvwr.msc, which is located in the %SYSTEMROOT%\system32 folder. In addition, Event Viewer can be started from the Windows interface or the command line by using the following procedures.
Must-read documents (!):
- Spotting_the_Adversary_with_Windows_Event_Log_Monitoring
- Detecting-Lateral-Movement-through-Tracking-Event-Logs
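As an added example (not from the original post or the referenced documents), a PowerShell snippet that summarises failed logons (Security event ID 4625) per account and source address, one of the checks the event-log monitoring guidance above recommends; the sample events are constructed inline, and the comment at the end shows how to feed real Security log events.

```powershell
# Added example (not from the original post): summarise failed logons (Security
# event ID 4625) per account and source address. The sample events below are
# constructed; the comment at the end shows how to feed real Security log events.

function ConvertFrom-SecurityEventXml {
    # Flattens the System and EventData parts of one event into a single object.
    param([Parameter(Mandatory)][xml]$Xml)
    $ns = @{ e = 'http://schemas.microsoft.com/win/2004/08/events/event' }
    $o = [ordered]@{
        Id          = [int](Select-Xml -Xml $Xml -Namespace $ns -XPath '//e:System/e:EventID').Node.'#text'
        TimeCreated = [datetime](Select-Xml -Xml $Xml -Namespace $ns -XPath '//e:System/e:TimeCreated').Node.SystemTime
    }
    # Each <Data Name="..."> element becomes a property named after its Name attribute.
    foreach ($d in (Select-Xml -Xml $Xml -Namespace $ns -XPath '//e:EventData/e:Data').Node) {
        $o[$d.GetAttribute('Name')] = $d.InnerText
    }
    [PSCustomObject]$o
}

function Get-FailedLogonSummary {
    # Groups 4625 events by account and source address; a burst from one source
    # above the threshold is the pattern to look at first.
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$Threshold = 5
    )
    $Events |
        Where-Object { $_.Id -eq 4625 } |
        Group-Object TargetUserName, IpAddress |
        ForEach-Object {
            $first = $_.Group[0]
            [PSCustomObject]@{
                Account    = $first.TargetUserName
                Source     = $first.IpAddress
                Failures   = $_.Count
                FirstSeen  = ($_.Group | Sort-Object TimeCreated)[0].TimeCreated
                # 0xC000006A = bad password, 0xC0000064 = account does not exist.
                SubStatus  = ($_.Group.SubStatus | Sort-Object -Unique) -join ','
                Suspicious = $_.Count -ge $Threshold
            }
        } |
        Sort-Object Failures -Descending
}

# Constructed sample: six failures for 'svc_backup' from one address, one typo by 'alice'.
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="{0}"/></System>
  <EventData>
    <Data Name="TargetUserName">{1}</Data>
    <Data Name="IpAddress">{2}</Data>
    <Data Name="SubStatus">{3}</Data>
  </EventData>
</Event>
'@
$sample = @(
    1..6 | ForEach-Object { $template -f "2017-11-20T08:00:0${_}Z", 'svc_backup', '10.0.0.23', '0xC000006A' }
    $template -f '2017-11-20T08:05:00Z', 'alice', '10.0.0.50', '0xC000006A'
) | ForEach-Object { ConvertFrom-SecurityEventXml -Xml ([xml]$_) }

Get-FailedLogonSummary -Events $sample | Format-Table -AutoSize

# Real data (elevated session, or events forwarded to your WEC server):
#   $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } |
#       ForEach-Object { ConvertFrom-SecurityEventXml -Xml ([xml]$_.ToXml()) }
#   Get-FailedLogonSummary -Events $events
```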
Windows Event Forwarding
Windows Event Forwarding (WEF) reads any operational or administrative event log on a device in your organization and forwards the events you choose to a Windows Event Collector (WEC) server.
Windows Event Forwarding to a workgroup Collector Server
Introducing Project Sauron – Centralised Storage of Windows Events – Domain Controller Edition
"The free web debugging proxy for any browser, system or platform" - Fiddler is great for website performance analysis and troubleshooting of encrypted traffic.
CMTrace is a real-time log file viewer for System Center Configuration Manager.
- Real-time logging
- Merging multiple log files together at once.
- Highlighting - error messages in red; warning messages in yellow.
- Error Lookups
- Standard format for many log files
"Log Parser 2.2 is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows operating system such as the Event Log, the Registry, the file system, and Active Directory. You tell Log Parser what information you need and how you want it processed. The results of your query can be custom-formatted in text based output, or they can be persisted to more specialty targets like SQL, SYSLOG, or a chart. Most software is designed to accomplish a limited number of specific tasks. Log Parser is different... the number of ways it can be used is limited only by the needs and imagination of the user. The world is your database with Log Parser."
Log Parser Studio
Log Parser Studio is a utility that allows you to search through and create reports from your IIS, Event, EXADB and others types of logs. It builds on top of Log Parser 2.2 and has a full user interface for easy creation and management of related SQL queries.
Further information here.
Windows System Control Center - WSCC
"WSCC allows you to install, update, execute and organize the utilities from various system utility suites. WSCC can install and update the supported utilities automatically. Alternatively, WSCC can use the http protocol to download and run the programs. The portable edition doesn't require installation and can be run directly from a USB drive."
WSCC supports the following utility suites:
- Sysinternals Suite
- NirSoft Utilities
"The Sysinternals web site was created in 1996 by Mark Russinovich to host his advanced system utilities and technical information. Whether you’re an IT Pro or a developer, you’ll find Sysinternals utilities to help you manage, troubleshoot and diagnose your Windows systems and applications."
You really should know about the Sysinternals tools! Most of the tools are discussed and explained in the mentioned DefragTools. Start here.
"Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit."
"The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded."
"ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. ProcDump also includes hung window monitoring (using the same definition of a window hang that Windows and Task Manager use), unhandled exception monitoring and can generate dumps based on the values of system performance counters. It also can serve as a general process dump utility that you can embed in other scripts."
"Autoruns has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and when you start various built-in Windows applications like Internet Explorer, Explorer and media players. These programs and drivers include ones in your startup folder, Run, RunOnce, and other Registry keys. Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond other autostart utilities."
"PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems."
"Unique collection of freeware desktop utilities, system utilities, password recovery tools, components, and free source code examples." The NirSoft Tools include some really nice tools, such as the following: RegistryChangesView
"NirLauncher is a package of more than 200 portable freeware utilities for Windows, all of them developed for NirSoft Web site during the last few years."
"PPing is designed to give you the easiest possible solution for discovering ports from a windows console. The design was heavily oriented towards the terminology and behavior of the classic ping tool under windows."
Alternatively you can do it with PowerShell:
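As an added example (not from the original post), a PowerShell function that checks whether a list of TCP ports on a host accepts connections, with a per-port timeout so filtered ports do not hang the check; the host and port list in the final call are assumptions.

```powershell
# Added example (not from the original post): a PowerShell equivalent of the
# PPing check. Tests whether the given TCP ports on a host accept a connection,
# with a per-port timeout so closed or filtered ports do not hang the loop.
function Test-TcpPort {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int[]]$Port,
        [int]$TimeoutMs = 1000
    )
    foreach ($p in $Port) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            # BeginConnect plus a bounded wait enforces the timeout.
            $ar   = $client.BeginConnect($ComputerName, $p, $null, $null)
            $done = $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
            if ($done) {
                $client.EndConnect($ar)   # throws if the connection was refused
                $status = 'Open'
            } else {
                $status = 'Timeout'       # no answer at all (filtered or host down)
            }
        } catch [System.Net.Sockets.SocketException] {
            $status = 'Closed'            # refused (nothing listening) or name resolution failed
        } catch {
            $status = "Error: $($_.Exception.Message)"
        } finally {
            $client.Close()
        }
        [PSCustomObject]@{ ComputerName = $ComputerName; Port = $p; Status = $status }
    }
}

# Built-in alternative on Windows 8.1 / Server 2012 R2 and later, one port per call:
#   Test-NetConnection -ComputerName localhost -Port 5985

# Assumed target: the local machine and typical management ports (RPC, SMB, RDP, WinRM).
Test-TcpPort -ComputerName localhost -Port 135, 445, 3389, 5985
```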
Further examples can be found here.
"PuTTY is an SSH and telnet client, developed originally by Simon Tatham for the Windows platform. PuTTY is open source software that is available with source code and is developed and supported by a group of volunteers."
A Windows PowerShell module that leverages a custom version of the SSH.NET library https://github.com/sshnet/SSH.NET to provide basic SSH functionality in PowerShell. The main purpose of the module is to facilitate automating actions against one or multiple SSH-enabled servers.
The LogLauncher gathers all important logs from one or many machines and is really awesome! It can be downloaded here.
IE / Edge - F12 Developer Tools
The Microsoft Edge F12 DevTools are built with TypeScript, powered by open source, and optimized for modern front-end workflows.
Use the Debugger to step through code, set watches and breakpoints, live edit your code and inspect your caches. Test and troubleshoot your code.
The Performance panel offers tools for profiling and analyzing the responsiveness of your UI during the course of user interaction.
Take a look through the docs and additionally here:
Microsoft Security Compliance Toolkit
"This set of tools allows enterprise security administrators to download, analyze, test, edit and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products, while comparing them against other security configurations.
The Microsoft Security Configuration Toolkit enables enterprise security administrators to effectively manage their enterprise's Group Policy Objects (GPOs). Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them via a Domain Controller or inject them directly into testbed hosts to test their effects."
Here you will find important announcements: https://blogs.technet.microsoft.com/secguide/
And this will give you further guidance: Defrag Tools #174 - Security Baseline, Policy Analyzer and LGPO
"PerfView is a performance-analysis tool that helps isolate CPU- and memory-related performance issues."
PerfView Defrag Tools videos: Part8, Part7, Part6, Part5, Part4, Part3, Part2, Part1
"Included in the Windows Assessment and Deployment Kit (Windows ADK), Windows Performance Analyzer (WPA) is a tool that creates graphs and data tables of Event Tracing for Windows (ETW) events that are recorded by Windows Performance Recorder (WPR), Xperf, or an assessment that is run in the Assessment Platform. WPA can open any event trace log (ETL) file for analysis."
This tool is one of the most important ones for a Client PFE.
Windows Performance Recorder
"Included in the Windows Assessment and Deployment Kit (Windows ADK), Windows Performance Recorder (WPR) is a performance recording tool that is based on Event Tracing for Windows (ETW). It records system events that you can then analyze by using Windows Performance Analyzer (WPA)."
This tool is necessary to create the traces for the Windows Performance Analyzer.
Xperf and scripts
I also got some (old but gold) xperf-scripts:
Last but not least comes the well-known Notepad++. If you don't know this tool you have definitely missed something! It is especially good when working with very big log files (>50MB) and/or with XML files.
It includes the following features:
- Syntax Highlighting and Syntax Folding
- User Defined Syntax Highlighting and Folding: screenshot 1, screenshot 2, screenshot 3 and screenshot 4
- PCRE (Perl Compatible Regular Expression) Search/Replace
- GUI entirely customizable: minimalist, tab with close button, multi-line tab, vertical tab and vertical document list
- Document Map
- Auto-completion: Word completion, Function completion and Function parameters hint
- Multi-Document (Tab interface)
- WYSIWYG (Printing)
- Zoom in and zoom out
- Multi-Language environment supported
- Macro recording and playback
- Launch with different arguments
Visual Studio 2017
Yes - I use it a lot.
One of my main specialties is also one of my biggest tools. You can actually achieve everything with PowerShell: gather information, automate, and even use techniques that are completely missing in the UI. You can even automate most of the tools described above - the new Project Honolulu for Windows Server, for example, is completely based on PowerShell and uses the PowerShell WMI cmdlets in its backend. But for using PowerShell in your daily work there are also some tools you really need to know.
ISE with ISESteroids
PowerShell.exe and PowerShell_ISE.exe are the best-known tools for using PowerShell on Windows. The ISE is not the best toolset if you are coming from Visual Studio, for example. I am a former .Net software architect and, when starting with PowerShell, this was my first little downside. But there is this add-on called ISESteroids from Tobias Weltner, which brings a bunch of additional functions to the ISE and results in a really great toolset - here are some of the added capabilities:
- Essential Editor Settings - Secondary Toolbar
- Code Refactoring
- Advanced Search&Replace
- Ensuring Code Compatibility
- Creating Modern User Interfaces
- Security and Protection
- Community Tools
VSCode will replace the most used tool - the ISE - in the near future, and therefore you really should take a look at it. I gathered the most important articles around this topic, which you really should go through:
How to install Visual Studio Code and configure it as a replacement for the PowerShell ISE
Why I use Visual Studio Code to write PowerShell
Transitioning from PowerShell ISE to VS Code
Here you will find all default keybindings, which will help you a lot.
VSTS / Git / Release Pipeline
Visual Studio Team Services allows you to easily create your complete release pipeline. I will not spend too much time on it here, because it is a dedicated topic, but if you focus on more professional and sophisticated PowerShell or development work, you really should take a closer look at it.
When working with XAML-created PowerShell GUIs, I very often reuse my own projects PSGUI and PSGUIManager:
A fact is - as a PFE you are always working hard and you are always lacking time. Also, no one in the world can know everything, but you should know where to find the information. Very often totally underestimated, knowledge management is one of the most important areas where you can improve your work quality and performance. I will show you some of my most used tools to manage all the information and my time.
A good email structure is the most important thing nowadays. As a PFE you easily get hundreds or thousands of emails per day. Most of them contain at least some information which may be usable at some point in the future. There are dozens of books out there to assist you with these kinds of tasks. I want to show you one of my favorite books:
How to be a Productivity Ninja: Worry Less, Achieve More and Love What You Do Kindle Edition
I put every piece of information into my OneNote and sort it. The biggest benefit of OneNote is its fast search capability.
It looks like this:
And as you probably would expect, I have dozens of notebooks:
If I find some interesting blog posts I normally just copy them and add them to my OneNote. I always remember some phrases or keywords for the topics I am searching for, and this helps a lot!
Teams is our new communication tool, which allows you to add all other services directly into it, as well as meetings similar to Skype.
"Microsoft To-Do helps you manage, prioritize, and complete the most important things you need to achieve every day, powered by Intelligent Suggestions and Office 365 integration. Download the To-Do Preview today."
It is important to manage my tasks and time - therefore I used Wunderlist for a long time, then To-Do, and now the tool below: Office Tasks, also called Microsoft Planner, from O365. I would say that Microsoft To-Do is the consumer app and Microsoft Planner is the enterprise app.
"Take the chaos out of teamwork and get more done! Planner makes it easy for your team to create new plans, organize and assign tasks, share files, chat about what you’re working on, and get updates on progress."
Office Tasks is my new tool, which I use with my personal O365 account to manage all upcoming work and personal tasks. The good thing about this specific one is that you can assign tasks to dedicated users in your O365 account and leverage everything with documents from your OneDrive / OneDrive for Business.
Social media is important. Networking is important. You really should not ignore this.
Most of the news, such as blog posts, announcements, official discussions and much more, can be caught by being involved in social media. This is one of the most important things today to stay up to date in IT. In addition I use some more tools which bring a huge benefit to my daily work. These aren't all of my tools, but probably the most important ones.
Twitter is necessary to stay up to date and gather all new blog articles from officials or well-known people such as MVPs.
On LinkedIn you very often find great high-level articles specifically targeting CXOs, which contain good information.
It is also the most important platform for networking. I frequently get asked via LinkedIn about little technical topics (and I am totally fine with this!) and in return I also try to get some feedback from people regarding our newest technologies.
One more topic is jobs - from my experience LinkedIn is the most used platform for sharing jobs and the place where headhunters try to fill their sophisticated positions. If you want to take this chance you really should ensure that your profile is filled in completely and correctly. A feature has also been added to provide headhunters with further information on whether you are searching for a job and in which direction it should go.
I really need to write this down. We are in a time, where blogs are important.
As you are reading my blog post, you know that blogs may contain useful information, but even more - sometimes official announcements are made via blogs. You need to have a dedicated list of blogs that you check at regular intervals.
Michael Niehaus' blog, for example, is one of the most important ones for me and probably also for you:
"Hootsuite is a social media management platform, created by Ryan Holmes in 2008. The system's user interface takes the form of a dashboard, and supports social network integrations for Twitter, Facebook, Instagram, LinkedIn, Google+, YouTube, and many more."
I am using Hootsuite a lot - it is very useful for me, because I can now plan postings to all my social media accounts in advance.
As you can see it is also combinable with Right Relevance:
"Discover fresh relevant content to your interests, save interesting articles, follow influential experts, be the first to share soon-to-be viral content and much more."
I really love Right Relevance, because it just gives me the most important blog articles and news regarding specific topics. Integrated into Hootsuite, I can share the most important information just in time and set it up in my "read-line".
The Old Reader
The Old Reader is an RSS reader which I like a lot! I have added my favorite blogs here and can easily check which articles I missed.
Conferences & UserGroups
As an IT Pro you really should visit conferences and user groups from time to time. As mentioned before, networking is one of the most important things in the life of an IT Pro, and you can do this best at conferences and user groups!
This one is my main tool to identify user groups in my area, and I am managing the German PowerShell UserGroup, and more specifically the Munich one, via Meetup. We have around 30-50 attendees every time and you really should use it to connect!
If you speak a lot at conferences you will have seen that many conferences are moving their CFP to Papercall. Take a look - there may be a conference you want to speak at.
Thank you all for reading the whole list - I hope that some of the mentioned ideas, tools and techniques will help you in the future. If you find any important things missing or want to discuss any of the parts, you are always free to comment. I am happy to hear your feedback and opinions!
All the best,
David das Neves
Premier Field Engineer, EMEA, Germany
Windows Client, PowerShell, Security