Microsoft shipped a wide-ranging update to the Sysinternals suite on May 7, breathing new life into essential troubleshooting tools for Windows administrators and developers. The refresh touches nearly every major utility—Autoruns, ProcDump, ZoomIt, DebugView, NotMyFault, Process Explorer, Process Monitor, and several Linux-targeted tools—with Autoruns and ProcDump receiving the most notable new capabilities.

What’s new in the May 7 Sysinternals update

The star of this release is Autoruns, the startup manager that reveals every auto-starting extension, service, driver, and more. Autoruns now detects and displays packaged Win32 applications (MSIX-packaged apps) that configure themselves to launch at boot or login. Previously, these modern app packages were invisible to Autoruns, leaving gaps in startup auditing. With this update, administrators can finally see and control the persistence mechanisms of packaged apps alongside traditional executables.

ProcDump, the lightweight crash-dump utility, gets a long-requested feature: process tree dumping. You can now tell ProcDump to capture a full process tree when a target process triggers a dump. This means if the main process has spawned children, all of them are included in the memory snapshot, preserving forensic context and aiding in debugging complex multi-process applications. The new -tree switch instructs ProcDump to walk the process tree recursively from the target.

ZoomIt, the on-screen annotation and zoom tool, adds a "draw on screen" mode that persists annotations during screen recording, making it easier to create training videos. DebugView receives high-DPI awareness, finally looking crisp on 4K monitors. NotMyFault, the crash-and-hang driver used to demonstrate kernel-mode fault analysis, adds new modes for simulating memory leaks and deadlocks.

Process Explorer and Process Monitor also gain incremental improvements. Process Explorer now shows Windows Runtime (WinRT) API usage for processes that have registered a WinRT activation, helping developers spot cross-process calls. Process Monitor improves its filter engine performance when monitoring high-volume events.

Linux-oriented tools, including ProcDump for Linux, Sysmon for Linux, and PsExec for Linux, receive parity updates with their Windows counterparts. ProcDump for Linux inherits the process tree dump feature, and Sysmon for Linux adds support for more event types.

Autoruns: Closing the packaged-app blind spot

For years, Autoruns has been the go-to tool for hunting persistence on Windows. It enumerates run keys, scheduled tasks, services, drivers, browser extensions, and dozens of other autostart locations. However, the rise of MSIX packaging and the Microsoft Store meant that some legitimate—and malicious—applications could hide their startup entries from Autoruns. Packaged apps register their extensions through manifest entries and COM activations that older Autoruns versions didn’t parse.

The updated Autoruns now examines the AppX manifest files of every installed packaged application and extracts any defined startup triggers. When a packaged app declares a windows.autoStartupTask, a logon trigger, or a background task with activation on launch, Autoruns surfaces it under a new "Packaged Apps" tab. This gives security teams the same visibility into Store-delivered and sideloaded packaged apps as they’ve long had for classic Win32 software.
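To show what the manifest-driven scan described above actually looks at, here is an added PowerShell audit script (not part of the article and not Sysinternals code) that enumerates installed packages with Get-AppxPackage, parses each AppxManifest.xml, and reports extension elements whose Category mentions a startup or background task. It matches on substrings as an assumption: the desktop-extension category I know of is windows.startupTask and the background-task category is windows.backgroundTasks, and the article’s windows.autoStartupTask is caught by the same pattern. Its output can be compared against the new Packaged Apps tab.

```powershell
# Added example (not from the article or from Sysinternals): list packaged
# (MSIX/AppX) apps whose manifest registers a startup or background-task
# trigger. Category strings vary by manifest schema, so the match is a
# substring pattern ("startup", "backgroundTasks") by assumption.
function Get-PackagedAppStartupEntry {
    [CmdletBinding()]
    param(
        # -AllUsers needs an elevated session; default scans the current user.
        [switch]$AllUsers
    )

    $packages = if ($AllUsers) { Get-AppxPackage -AllUsers } else { Get-AppxPackage }

    foreach ($pkg in $packages) {
        # Framework/staged packages can report no install location; skip them.
        if (-not $pkg.InstallLocation) { continue }
        $manifestPath = Join-Path $pkg.InstallLocation 'AppxManifest.xml'
        if (-not (Test-Path -LiteralPath $manifestPath)) { continue }

        try {
            [xml]$manifest = Get-Content -LiteralPath $manifestPath -Raw -ErrorAction Stop
        } catch {
            Write-Verbose "Cannot parse manifest for $($pkg.PackageFullName): $_"
            continue
        }

        # Extension elements appear under several namespace prefixes (uap,
        # desktop, ...); matching on local-name() ignores the prefix.
        foreach ($ext in $manifest.SelectNodes("//*[local-name()='Extension']")) {
            $category = $ext.GetAttribute('Category')
            if ($category -notmatch 'startup|backgroundTasks') { continue }

            # A startup task carries its own Executable attribute; otherwise fall
            # back to the enclosing Application element (Extensions -> Application).
            $exe = $ext.GetAttribute('Executable')
            if (-not $exe) { $exe = $ext.ParentNode.ParentNode.GetAttribute('Executable') }

            [pscustomobject]@{
                Package    = $pkg.Name
                Publisher  = $pkg.Publisher
                Version    = $pkg.Version
                Category   = $category
                Executable = $exe
                Manifest   = $manifestPath
            }
        }
    }
}

# Usage: run elevated to cover every user's packages.
Get-PackagedAppStartupEntry -AllUsers | Sort-Object Package | Format-Table -AutoSize
```

The Publisher field is worth keeping in the output: a startup entry from an unfamiliar publisher, or one whose executable lives outside the package’s install location, is the kind of item an incident responder would pull up in Autoruns for a closer look.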

Real-world impact

Consider a typical enterprise environment where employees install productivity tools from the Microsoft Store. Some of those tools may set up background sync services or notification listeners that start with Windows. Previously, an IT admin scanning for bloat or potential malware would miss these entries entirely. Now, they appear right alongside traditional startup items. The feature is particularly valuable for incident responders hunting advanced persistent threats (APTs) that abuse packaged app deployment for stealth.

ProcDump: The power of process tree dumps

ProcDump’s new process tree capability fills a common debugging gap. When a process crashes, it’s often the child processes that hold the key evidence—maybe a worker process exhausted memory, or a plug-in container corrupted the parent’s state. Capturing only the parent dump used to mean losing that context.

With the -tree flag, ProcDump performs a recursive walk of the target’s child processes (and their children) at the moment of the dump. Each process gets its own .dmp file, preserving its separate address space. The files are named with the process IDs to maintain clarity. Analysts can load the entire set into WinDbg or Visual Studio and reconstruct the inter-process state.

Example usage

procdump.exe -accepteula -tree -ma 1234

This monitors process ID 1234 and its entire tree, generating full memory dumps when any trigger condition is met. Combined with other switches like -c (CPU threshold) or -h (memory commit threshold), the tree dump can be invoked automatically when a resource leak impacts the whole process family.
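The recursive walk behind -tree is easy to reproduce by hand, which also helps when working with a ProcDump build that predates the switch. The following PowerShell script is an added example, not article or Sysinternals code: Get-ProcessTree builds a parent-to-children map from one Win32_Process query and walks it iteratively, guarding against the one real pitfall in such a walk (Windows reuses PIDs, so a stale ParentProcessId can point at an unrelated, newer process). Invoke-ProcessTreeDump then calls procdump.exe once per process with a PID-named output file. It assumes procdump.exe is on PATH (or is passed via -ProcDumpPath) and that the caller can dump every process in the tree.

```powershell
# Added example (not from the article or from Sysinternals): enumerate a
# process tree and dump each member with procdump.exe, mirroring what the
# article describes the -tree switch doing.
function Get-ProcessTree {
    param([Parameter(Mandatory)][int]$RootPid)

    # One CIM query, then an in-memory lookup keyed by parent PID.
    $all = Get-CimInstance Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, CreationDate
    $children = @{}
    foreach ($p in $all) {
        if (-not $children.ContainsKey($p.ParentProcessId)) { $children[$p.ParentProcessId] = @() }
        $children[$p.ParentProcessId] += $p
    }

    $root = $all | Where-Object ProcessId -eq $RootPid
    if (-not $root) { throw "No process with PID $RootPid" }

    # Iterative DFS. PIDs are recycled: a process whose real parent exited may
    # now carry a ParentProcessId that belongs to a newer, unrelated process, so
    # (a) a visited set prevents cycles and (b) a child must not be older than
    # the parent it claims (CreationDate can be null for system pseudo-processes).
    $seen  = [System.Collections.Generic.HashSet[int]]::new()
    $stack = [System.Collections.Stack]::new()
    $stack.Push($root)
    while ($stack.Count -gt 0) {
        $p = $stack.Pop()
        if (-not $seen.Add([int]$p.ProcessId)) { continue }
        $p
        foreach ($c in $children[$p.ProcessId]) {
            if ($c.CreationDate -and $p.CreationDate -and $c.CreationDate -lt $p.CreationDate) { continue }
            $stack.Push($c)
        }
    }
}

function Invoke-ProcessTreeDump {
    param(
        [Parameter(Mandatory)][int]$RootPid,
        [string]$OutDir = (Join-Path $PWD 'dumps'),
        [string]$ProcDumpPath = 'procdump.exe'   # assumption: on PATH
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    foreach ($p in Get-ProcessTree -RootPid $RootPid) {
        $base = $p.Name -replace '\.exe$', ''
        $dump = Join-Path $OutDir ('{0}_{1}.dmp' -f $base, $p.ProcessId)
        # -ma: full memory dump; -accepteula suppresses the first-run prompt.
        & $ProcDumpPath -accepteula -ma $p.ProcessId $dump
        if (Test-Path -LiteralPath $dump) { Get-Item -LiteralPath $dump }
        else { Write-Warning "No dump written for PID $($p.ProcessId) ($($p.Name))" }
    }
}

# Usage: dump PID 1234 and every descendant into .\dumps\<name>_<pid>.dmp
Invoke-ProcessTreeDump -RootPid 1234
```

Unlike the built-in switch, this captures the tree at the moment the script runs rather than when a trigger fires, so pair it with a monitoring condition (or use -tree together with -c or -h, as the article notes) when the interesting state only exists at the point of failure.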

ZoomIt and the rest of the lineup

ZoomIt’s screen recording mode now respects on-the-fly annotations. Previously, if you used ZoomIt to draw arrows or highlight text during a recording, the annotations would fade after a few seconds. Now you can lock them on screen, and they remain visible until you clear them manually. This is a boon for creating quick how-to clips.

DebugView, the kernel and application debug output monitor, finally received UI love. It’s now per-monitor DPI-aware, so it scales properly on mixed-resolution setups—think a 4K laptop screen next to a 1080p external monitor. The font rendering is crisp at any scaling percentage, which is long overdue for a tool that often stays open for hours during log analysis.

NotMyFault’s new simulation modes let testers trigger specific kernel-mode failures more easily. The "Memory Leak" option allocates non-paged pool memory without releasing it, while "Deadlock" simulates a classic resource contention between two threads. Both are educational and useful for testing monitoring tools.

Process Explorer and Process Monitor tweaks might look small, but the WinRT activation column in Process Explorer is a gem for developers. It reveals which processes are registered as handlers for contract IDs or protocol activations, making it simpler to trace COM-like interactions. Process Monitor’s filter improvements are under the hood, but users reporting faster event matching during heavy disk or network tracing will appreciate the difference.

Linux side catches up

Microsoft’s continued investment in Sysinternals for Linux is evident in this release. ProcDump for Linux 2.0 brings the process tree dump feature, using the same -tree syntax. This works with processes forked from a parent, including background jobs and containers. Sysmon for Linux 1.4 adds network connection events and process image load auditing, matching more of the Windows feature set. PsExec for Linux finally supports redirection of standard input and output, making it a viable alternative to ssh for quick command execution in CI/CD pipelines.

Why this update matters

Sysinternals tools are more than utilities—they’re the language of Windows troubleshooting. When a server behaves oddly, a support engineer doesn’t ask "What do you see in Task Manager?" They ask "What does Process Explorer show?" The suite’s comprehensive view of the OS internals is unmatched. Updates that adapt these tools to modern Windows constructs, like packaged apps and process trees, ensure they remain relevant.

For IT professionals, the Autoruns enhancement alone justifies downloading the May 7 package. Startup persistence is the most common technique used by malware, and any blind spot is a risk. Packaged apps, once a niche deployment method, are now mainstream thanks to the Microsoft Store for Business and internal LOB applications. Being able to audit them with Autoruns closes a vulnerability assessment gap.

ProcDump’s process tree dumps will save countless debugging hours for developers working on microservices or plugin-host architectures. Capturing the whole family in one operation makes post-mortem analysis faster and more accurate.

How to get the update

All Sysinternals tools can be downloaded individually from Microsoft’s Sysinternals site or via the Sysinternals Suite bundle. The tools are portable executables; no installation is required. Run them from a network share, USB drive, or local folder. Note that many tools require administrative privileges for full functionality.

As always, check the Sysinternals Blog for detailed changelogs and usage scenarios. The May 7 update applies to both the classic Windows versions and the Linux editions available on GitHub.

Community feedback so far

Early reports on tech forums praise the Autoruns improvement. One security analyst noted, “I found three packaged apps that were silently running background tasks. Autoruns flagged them immediately.” Another administrator mentioned the importance of the -tree ProcDump flag for their containerized environment, where sidecar processes often fail alongside the main container.

Some users expressed hope for a UI refresh across the entire suite, but the focus remains on functional enhancements. Given the tools’ small footprint and near-zero overhead, most are happy with incremental utility improvements.

Looking ahead

The Sysinternals team continues to adapt these classic tools for an evolving ecosystem. With Windows increasingly embracing containerization, Windows Subsystem for Linux, and cloud-native deployments, expect future updates to deepen integration with these paradigms. For now, the May 7 release solidifies the suite’s position as the essential toolkit for anyone who peeks under Windows’ hood.