Free tools

All Windows tools are updated to run on Windows 10.

Skip straight to tools for Windows and FreeDOS (for forensic purposes).

Windows tools

BrowseList

BrowseList retrieves the browse list on a Windows network.

CPUID

CPUID shows various properties of your CPU.

CrashProcess

Pass CrashProcess a PID, and it crashes the process if you have sufficient permissions. It can be useful for testing stuff.

DBProbe

DBProbe checks the directed broadcast ping amplification factor for a network.

DumpUsers

DumpUsers can dump account names and information even though RestrictAnonymous has been set to 1.

EFSView

EFSView lists the users who have ordinary decryption keys or recovery keys for an EFS encrypted file.

EtherChange

EtherChange can change the Ethernet address of the network adapters in Windows.

ExploreLibs

ExploreLibs is a tool for viewing the contents of LIB files.

FindIDT

FindIDT searches for and prints the IDTs in a physical memory dump.

GPList

GPList lists information about the applied Group Policies.

GSD - Get Service DACL

GSD (Get Service DACL) gives you the DACL (Discretionary Access Control List) of any service you specify as a command line option.

Inzider

Inzider shows which processes listen at which ports. Inzider was the first tool that could do that in Windows, back in the 1990s. This updated version shows more information than before, including IPv6 information, svchost.exe service information, and the date and time each port was opened.

IPSecScan

IPSecScan is a tool that can scan either a single IP address or a range of IP addresses looking for systems that are IPSec enabled. It was the first IPSec scanner out there.

ListDrivers

ListDrivers lists the loaded kernel drivers.

ListModules

ListModules lists the modules (EXEs and DLLs) that are loaded into a process.

ListObj

ListObj prints the entire Windows object space.

LNS - List NTFS Streams

LNS is a tool that searches for NTFS streams (aka alternate data streams or multiple data streams).

MACMatch

MACMatch lets you search for files by their last write, last access or creation time without changing any of these times.

NSCopy

NSCopy works as a copy command with one big difference from others. If you have the "Back up files and directories" user right, you can copy files even if you don't have any explicit permission to read them. It doesn't take ownership of the file to do it.

PEriscope

PEriscope is a PE file inspection tool. It works on ordinary 32-bit files as well as 64-bit and .NET ones.

PMDump

PMDump is a tool that lets you dump the memory contents of a process to a file without stopping the process.

PromiscDetect

PromiscDetect checks locally whether any of your network adapters is running in promiscuous mode, which may be a sign that you have a sniffer running on your computer. It was the first tool that could do that in Windows.

SetOwner

SetOwner allows you to set file ownership to any account, as long as you have the "Restore files and directories" user right.

SIMQuery

SIMQuery is a tool that retrieves the ICCID and IMSI from a GSM SIM card.

UndeleteSMS

UndeleteSMS can recover deleted SMS messages from a GSM SIM card.

Winfo

Winfo uses null sessions to try to remotely retrieve lists of, and information about, user accounts, workstation/interdomain/server trust accounts, shares (including hidden ones), sessions, logged-in users, and password/lockout policy. It also identifies the built-in Administrator and Guest accounts, even if their names have been changed.

WKML

WKML (Windows Kernel Module Loader) is a tool for loading and unloading kernel modules in Windows. It can also display a list of the currently loaded modules.

WPSweep

WPSweep is a simple ping sweeper, that is, it pings a range of IP addresses and lists the ones that reply.

FreeDOS tools

TAFT

TAFT is an ATA (IDE) forensics tool that communicates directly with the ATA controller. It can retrieve various information about a hard disk, as well as look at and change the HPA and DCO settings.