Sysinternals tools (e.g., Autoruns.exe, Process Explorer, PsExec) are widely used for diagnostics, malware analysis, and deep system inspection. However, in some cases, these tools may fail to launch, close immediately after opening, or display security warnings, especially on secured or managed Windows systems.
These issues are often caused by security features like Controlled Folder Access, Windows Defender, or Smart App Control, which may block or restrict tool execution. In other cases, problems arise due to NTFS Alternate Data Streams (ADS) marking the file as internet-downloaded (Zone.Identifier), Group Policy restrictions, third-party security software, or simply the absence of elevated privileges.
If you encounter any of these issues, this guide will show you several methods to fix and safely restore full functionality to Sysinternals tools on Windows 11.
📌 Recommended deployment strategies:
Method | 💻 Best for Individual Users | 💻💻💻 Best for Enterprises |
Method 1: Unblock the Executable (remove Zone Identifier) | ✓ | |
Method 2: Unblock via PowerShell | ✓ | ✓ |
Method 3: Disable Smart App Control (if applicable) | ✓ | |
Method 4: Add an exclusion in Microsoft Defender | ✓ | ✓ |
Method 5: Check Controlled Folder Access | ✓ | ✓ |
How to fix issues when running Sysinternals in Windows 11
If a Sysinternals tool briefly opens and then immediately closes, shows a “This app can’t run on your PC” or SmartScreen warning, does nothing when you select Run as administrator, or hangs without producing any logs, it’s likely being blocked by one of several Windows 11 security features.
📌 Prerequisites: Before you begin resolving these issues, here are some general prerequisites to keep in mind:
- These methods apply to all editions of Windows 11.
- Confirm that the tool is from the official Microsoft Sysinternals site.
Method 1: Unblock the Executable (remove Zone Identifier)
Windows adds a Zone.Identifier tag to files downloaded from the internet, which may silently block or restrict their execution. This method removes that restriction.
📌 Use Cases: Use this when the tool doesn’t launch or immediately closes after opening, especially after downloading it from the internet.
📌 Prerequisites: Tools must be extracted properly if downloaded as ZIP files.
- Right-click the downloaded .exe file (e.g., Autoruns.exe) and select Properties.
- In the General tab, scroll to the bottom.
- Mark the checkbox labeled Unblock. (See #1 in ⚠️ Things to look out for.)
- Click Apply, then OK.
- Try relaunching the tool.
Method 2: Unblock via PowerShell
📌 Use Cases: Use this when you need to unblock multiple tools quickly or automate the unblocking process using scripts or command-line commands.
📌 Prerequisites: Administrative access is required to run PowerShell. If tools are downloaded as ZIP files, they must be extracted properly.
- Press Win + S to open Search.
- Type PowerShell, then right-click Windows PowerShell from the result and select Run as administrator.
- Run this command to unblock a single file:
  Unblock-File -Path "C:\Path\To\Your\Tool.exe"
- Do this for each tool you’d like to unblock. (See #1 in ⚠️ Things to look out for.)
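When unblocking many tools from a script, each file's Authenticode signature can be checked first so that only verified binaries lose their Zone.Identifier mark. The following is an added example, not part of the original guide; the folder `C:\Tools\Sysinternals` and the signer pattern are assumptions to adjust for your environment.

```powershell
# Added example: verify each tool's signature before removing its Zone.Identifier stream.
# $ToolDir and $SignerPattern are assumptions, not values from the guide.
param(
    [string]$ToolDir       = 'C:\Tools\Sysinternals',      # hypothetical extraction folder
    [string]$SignerPattern = 'CN=Microsoft Corporation*'   # assumed signer subject prefix
)

$results = foreach ($file in Get-ChildItem -LiteralPath $ToolDir -Filter *.exe -File) {
    # Zone.Identifier is the NTFS alternate data stream that marks an internet download.
    $motw = Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue

    # Status is 'Valid' only if the file hash matches and the chain ends in a trusted root.
    $sig     = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $trusted = ($sig.Status -eq 'Valid') -and ($signer -like $SignerPattern)

    $action = 'NotBlocked'
    if ($motw) {
        if ($trusted) {
            Unblock-File -LiteralPath $file.FullName
            $action = 'Unblocked'
        } else {
            # Unsigned, tampered, or unexpected signer: keep the mark and report it.
            $action = 'LeftBlocked'
        }
    }

    [pscustomobject]@{
        Name            = $file.Name
        SignatureStatus = $sig.Status
        Signer          = $signer
        Action          = $action
    }
}

$results | Format-Table -AutoSize

$leftBlocked = @($results | Where-Object Action -eq 'LeftBlocked')
if ($leftBlocked.Count -gt 0) {
    Write-Warning ("{0} file(s) failed verification and were left blocked. Re-download them from the official Sysinternals site." -f $leftBlocked.Count)
}
```

Files reported as LeftBlocked correspond to risk #1 in the table of things to look out for: delete them and fetch a fresh copy rather than unblocking by hand.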
Method 3: Disable Smart App Control (if applicable)
Smart App Control (SAC) is a Windows 11 security feature that can silently block unsigned executables such as Sysinternals tools.
📌 Use Cases: Use this when the tool is silently blocked without error messages, and you suspect Smart App Control is interfering.
📌 Prerequisites: You must be signed in as an administrator.
⚠️ Important: Smart App Control can only be turned off permanently. Re-enabling it requires a system reset.
- Press Win + I to open Settings.
- Go to Privacy & Security > Windows Security > App & browser control.
- Under Smart App Control, click Smart App Control settings.
- If it’s On (enabled), toggle it Off.
💡 Tip: Not all editions of Windows 11 include SAC. If you don’t see the setting, skip this method.
Method 4: Add an exclusion in Microsoft Defender
Microsoft Defender may falsely flag some Sysinternals tools as threats and delete or block them. Adding an exclusion tells Defender to ignore these files and folders.
📌 Use Cases: Use this when Windows Defender actively deletes, quarantines, or prevents the tool from running, even after unblocking.
📌 Prerequisites: You must be signed in as an administrator.
- Press Win + S to open Search.
- Type Windows Security and open the app once found.
- Go to Virus & Threat Protection > Manage settings.
- Scroll down to Exclusions, then click Add or remove exclusions.
- Add the folder containing your Sysinternals tools or the specific .exe. (See #2 in ⚠️ Things to look out for.)
⚠️ Warning: Only exclude files from trusted sources. Adding the wrong exclusion could weaken system protection.
Method 5: Check Controlled Folder Access
Controlled Folder Access (CFA) is a ransomware protection feature that restricts changes to protected folders and may block tool execution.
📌 Use Cases: Use this when the tool launches but hangs, fails to log output, or cannot access protected folders like Documents or Desktop.
📌 Prerequisites: You must be logged in as an administrator.
- Press Win + S to open Search.
- Type Windows Security and open the app once found.
- Go to Virus & Threat Protection > Manage ransomware protection.
- Click Controlled folder access.
- If it’s On, click Allow an app through Controlled folder access.
- Click Add an allowed app > Browse all apps.
- Select the Sysinternals tool .exe file. (See #3 in ⚠️ Things to look out for.)
Once added, the app can now access protected folders without being blocked.
⚠️ Things to look out for
Risks | Potential Consequences | Reversals |
Unblocking a file that wasn’t downloaded from a trusted source. | You might run a tampered or malicious file. | Re-download the tool from the official Sysinternals site and delete the untrusted copy. |
Adding unsafe files/folders to Defender exclusions. | Defender won’t scan malware or unwanted apps in the excluded folder. | Remove the exclusion via Windows Security > Manage settings > Exclusions. |
Allowing unverified apps through Controlled Folder Access. | Apps may gain access to sensitive folders without oversight. | Go to CFA settings and remove the app/s from the allowed list. |
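The reversals for the Defender exclusion and Controlled Folder Access risks can also be reviewed and applied from an elevated PowerShell session using the Defender cmdlets. This is an added example, not part of the original guide; the `-Remove` parameter and the report column names are this example's own.

```powershell
# Added example: list Defender exclusions and CFA allowed apps, then remove chosen entries.
# Run elevated. -Remove takes the exact paths (as shown in the report) to take off the lists.
param(
    [string[]]$Remove = @()
)

$pref = Get-MpPreference

# 0 = disabled, 1 = enabled, 2 = audit mode
"Controlled Folder Access state: $($pref.EnableControlledFolderAccess)"

$lists = [ordered]@{
    ExclusionPath    = $pref.ExclusionPath
    ExclusionProcess = $pref.ExclusionProcess
    CfaAllowedApp    = $pref.ControlledFolderAccessAllowedApplications
}

$report = foreach ($source in $lists.Keys) {
    foreach ($path in (@($lists[$source]) | Where-Object { $_ })) {
        $isFile = Test-Path -LiteralPath $path -PathType Leaf
        [pscustomobject]@{
            Source    = $source
            Path      = $path
            Exists    = Test-Path -LiteralPath $path
            # Signature is only meaningful for entries that point at a single file.
            Signature = if ($isFile) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { 'n/a' }
        }
    }
}

$report | Format-Table -AutoSize

# Stale entries (Exists = False) and unsigned files are the first candidates for removal.
foreach ($entry in $report | Where-Object { $Remove -contains $_.Path }) {
    switch ($entry.Source) {
        'ExclusionPath'    { Remove-MpPreference -ExclusionPath $entry.Path }
        'ExclusionProcess' { Remove-MpPreference -ExclusionProcess $entry.Path }
        'CfaAllowedApp'    { Remove-MpPreference -ControlledFolderAccessAllowedApplications $entry.Path }
    }
    "Removed $($entry.Source): $($entry.Path)"
}
```

Run it once without arguments to review the lists, then again with `-Remove` and the paths that should no longer be excluded or allowed.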
Additional considerations
Keep the following key points in mind to ensure smooth execution of Sysinternals tools on Windows 11:
Run as administrator
Some tools (like Autoruns, ProcMon, and PsExec) require elevated privileges to function properly. Right-click the file and select Run as administrator. Without admin rights, the tool might partially work or silently fail.
File integrity
Corrupted downloads, incomplete extractions, or unofficial sources can cause unexpected behavior. If a tool doesn’t run or triggers unexpected errors, re-download a fresh copy from the official Microsoft Sysinternals site.
Antivirus & EDR
Third-party antivirus programs or Endpoint Detection and Response (EDR) solutions may block or sandbox Sysinternals tools. Check the security logs for alerts, or temporarily disable the software for testing if permitted.
Use the full suite in a trusted location
For convenience and fewer restrictions, consider extracting the full Sysinternals Suite to a trusted local folder. Applying folder-level exclusions in Microsoft Defender can prevent unnecessary blocking.
Fix the Sysinternals tool error in Windows 11 for reliable execution
Sysinternals tools are powerful system utilities, but they can be blocked by modern Windows 11 security features such as SmartScreen, Smart App Control (SAC), and Microsoft Defender.
In many cases, restoring functionality safely involves unblocking the file, adjusting or disabling certain security features (when appropriate), or explicitly allowing the tool through protected layers. Be sure to run tools with administrator privileges when required, as some may not function correctly without elevated permissions.