Microsoft acquires Sysinternals

Microsoft announced the acquisition of Sysinternals earlier this week. Mark Russinovich and Bryce Cogswell, the founders, are joining Microsoft as Technical Fellows. The Sysinternals tools (Process Explorer, Process Monitor, Autoruns, RootkitRevealer, and dozens of others) are part of the deal.

This is a longer post because the structural questions are larger than the specific transaction.

Who Sysinternals are

Sysinternals (originally Winternals) was founded by Russinovich and Cogswell in 1996 to develop tools that expose Windows internals. The product portfolio:

System-monitoring tools. Process Explorer (process trees, handle inspection, DLL loading), Process Monitor (file, registry, network activity tracing), Autoruns (boot-time and login-time program enumeration). Each is, in its category, the most useful tool available for Windows internals work.

Forensic and investigation tools. RootkitRevealer (which discovered the Sony BMG rootkit when Russinovich ran it on his own machine), TCPView (active connection inspection), Strings (binary analysis), LiveKd (live kernel debugging).

System administration tools. PsExec, PsList, PsKill (remote process control), BgInfo (system information display), various others. Taken together, the toolkit is what most experienced Windows administrators reach for first.

Free distribution. Almost all of the tools have been free to download and use. The commercial product (Winternals Administrator's Pak) was a small fraction of the portfolio; the free distribution has been the structural contribution.

The impact on the Windows operations community has been substantial. Sysinternals tools have been operationally essential for incident response, performance investigation, routine administration, and research. The tools are, by any reasonable measure, the most-used third-party Windows utilities of the past decade.

What the acquisition includes

Microsoft is acquiring the Sysinternals product portfolio. The commitments announced:

The free tools remain free. Microsoft is committing to continued free distribution of the Sysinternals tools. Names may change (the tools may be rebranded with Microsoft naming); free availability is preserved.

Russinovich and Cogswell are joining Microsoft, both as Technical Fellows. Their expertise becomes available to Microsoft's product groups; Microsoft tools may benefit from their input.

The commercial Winternals Administrator's Pak is being discontinued. The product line is being absorbed; existing customers will be supported through the transition.

The Sysinternals website continues operating under Microsoft management. URLs may eventually move; the current ones continue to work.

The transaction structure is similar to other recent Microsoft acquisitions (GIANT, Onfolio, others). Microsoft acquires the technology, hires the founders, and integrates the products into the broader Microsoft portfolio.

What this means structurally

Three observations.

The independence of the Windows tools community shrinks. Sysinternals was the most significant independent Windows-tools developer. The acquisition reduces the independent capacity in the category. Future acquisitions may further reduce it.

Russinovich's independence is bounded. The Sony BMG disclosure in 2005 was made possible by Russinovich's independent position. As a Microsoft employee, he will face structural pressures on similar future disclosures that an independent researcher does not face. The effect on the broader disclosure ecosystem is bounded but real.

Microsoft's tools-development capacity grows. Integrating Sysinternals expertise into Microsoft's product groups should produce better Microsoft tools over time. The trajectory is positive in this dimension.

The structural shift is mixed. Some properties improve; some weaken; the trajectory will become visible over years.

What I am paying attention to

Three things over the next 12 months.

The free-tools commitment. 90% probability of preservation. Microsoft has been credible in similar commitments; the specific tools should continue to be freely available.

The cumulative quality of the tools. 70% probability of continued improvement. The specific development cadence may slow as the team integrates with Microsoft processes; the cumulative quality should remain high.

Russinovich's continued public engagement. 80% probability of continued substantive engagement. He has indicated he intends to continue blogging and speaking; specific Microsoft pressures may affect what he can publish; the cumulative public contribution should continue.

What this teaches about the broader trajectory

The pattern of major technology firms acquiring independent tools developers continues. Examples from recent years: Microsoft acquiring GIANT (anti-spyware) in 2004, Microsoft acquiring Sysinternals now, Symantec acquiring Veritas in 2005, various smaller acquisitions across the Windows tools community.

The effect on the broader ecosystem: fewer independent voices, more integration into major commercial products, fewer free tools available without commercial-firm sponsorship. The trajectory is structurally similar to other consolidation patterns in mature technology categories.

For independent tools developers reading this: the consolidation will continue. Small developers will face acquisition offers, and decisions about whether to accept will become more common. The cost-benefit analysis is per-developer; the structural pattern is consistent.

What I am doing

For my own infrastructure: continued use of Sysinternals tools. The acquisition does not change the operational utility; the cumulative familiarity is unchanged.

For client work: continued reliance on Sysinternals tools for incident response and routine administration. Specific tools that I reach for first remain operationally essential.

For my own writing: more on the consolidation trajectory as it develops. The cumulative archive of writing about the tools ecosystem will inform future structural assessments.

A small reflection on Russinovich personally

I have not met Russinovich personally; I have read his work for years. The cumulative contribution to the Windows operations community has been substantial. The Sony BMG disclosure was, on the available evidence, more important than most published security research of the past five years.

For the broader field: thank you to Russinovich for the work to date. The specific tools have been operationally essential; the specific publications have been structurally important.

For Microsoft: the acquisition is a meaningful gain. The expertise should benefit Microsoft products; the care taken with the Sysinternals tools community matters.

For the broader operations community: continue using the tools; continue reading Russinovich's writing; continue the discipline that the tools support.

More in time.

