PsExec - How Do They *Do* That?

CraigBlog


I was over at SysInternals yesterday, downloading a new version of the most excellent Process Explorer, and I had a bit of a look around to see what else was cool. The answer, of course, is...everything. But I was particularly impressed by PsExec, a tool that gives you telnet-like shell connectivity to another machine without having to install anything on the remote machine!! I just run

psexec \\avalon cmd.exe

and like magic I have a command prompt that displays on my local machine that is actually executing commands over on the remote machine (avalon in my example). I repeat: without having to install anything on the remote machine. You can launch GUI applications, but they show up on the remote machine. Regardless, it's still killer for command-line guys like me.

I love it, but how the hell do they do that?


Posted Jun 15 2004, 04:01 PM by craig-andera

Comments

Keith Brown wrote re: PsExec - How Do They *Do* That?
on 06-15-2004 3:46 PM
Here's how it probably works: They call CreateService on the target machine, pointing the image back through a file share to your copy of PSEXEC.EXE (I've never tried wiring up a service to an EXE image on a shared drive, but if that doesn't work, they could just as easily copy the EXE to the remote machine in a temp directory). Then they call StartService to start the server running. To redirect a command prompt, all you really are doing is tying a socket to a command interpreter, which is super easy to do (check out rootkit.com for examples ;-) This wouldn't work if you weren't using SMB (for example, on a hardened web server where you've removed the client and workstation services). Now Craig will have to run NetMon and tell me if I was even close! Keith
Keith Brown wrote re: PsExec - How Do They *Do* That?
on 06-15-2004 3:53 PM
One thing I forgot to mention: a service can delete itself. This is a tricky way to bootstrap something like this (cmdasuser.exe used to do this). When a service deletes itself (deletes its service entry from the registry by calling DeleteService), as soon as the service process terminates, the SCM removes the registry key for the service. They might also be using the trick of having their service simply launch a raw copy of the same EXE image and terminate immediately so that they reduce the window of time in which a service appears on the remote system. I used to play this game with cmdasuser as well. The ability to do this should scare anyone who runs as a network admin all the time! Malware can play these sorts of games just as easily as PSEXEC can. Keith
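One trace the mechanism Keith describes leaves behind for a defender (an added example, not code from this thread or from SysInternals): on Windows a service install is recorded in the System log as Event ID 7045, and a small scan over those records can flag a PSEXESVC-style install or an image that was loaded from, or written through, a network share. The log lines and the key=value field layout are constructed for the example.

```python
import re

# Constructed sample lines (not real log data) in the shape of Windows System log
# Event ID 7045, "A service was installed in the system", flattened to key=value.
SAMPLE_LOG = """\
EventID=7045 Host=avalon ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe StartType="demand start" Account=LocalSystem
EventID=7045 Host=avalon ServiceName=Spooler ImagePath=%SystemRoot%\\System32\\spoolsv.exe StartType="auto start" Account=LocalSystem
EventID=7045 Host=ws01 ServiceName=a3f9c2 ImagePath=\\\\10.0.0.5\\ADMIN$\\a3f9c2.exe StartType="demand start" Account=LocalSystem
EventID=7036 Host=ws01 ServiceName=PSEXESVC State=stopped
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="quoted value"
UNC_RE = re.compile(r'^\\\\[^\\]+\\')              # \\host\share\...
ADMIN_SHARE_RE = re.compile(r'\\(ADMIN\$|[A-Z]\$)\\', re.I)  # ...\ADMIN$\ or ...\C$\


def parse_record(line):
    """Turn one key=value line into a dict; surrounding quotes are dropped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def suspicious_reasons(rec):
    """Return why a 7045 record looks like a remote-exec service; empty if it doesn't."""
    if rec.get("EventID") != "7045":
        return []
    name = rec.get("ServiceName", "")
    path = rec.get("ImagePath", "")
    reasons = []
    if "psexesvc" in name.lower() or "psexesvc" in path.lower():
        reasons.append("PSEXESVC service name/image")
    if UNC_RE.match(path):
        reasons.append("image loaded from a network share")
    if ADMIN_SHARE_RE.search(path):
        reasons.append("image written via an administrative share")
    return reasons


def scan(text):
    """Yield (host, service name, reasons) for every flagged service install."""
    flagged = []
    for line in text.splitlines():
        rec = parse_record(line)
        reasons = suspicious_reasons(rec)
        if reasons:
            flagged.append((rec.get("Host", "?"), rec.get("ServiceName", "?"), reasons))
    return flagged


if __name__ == "__main__":
    for host, name, reasons in scan(SAMPLE_LOG):
        print(f"{host}: service {name!r} -> {'; '.join(reasons)}")
```

The Spooler install and the 7036 stop record pass through untouched; only the PSEXESVC install and the service whose image sits on \\10.0.0.5\ADMIN$ are reported.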
Craig wrote re: PsExec - How Do They *Do* That?
on 06-15-2004 5:39 PM
Between the time I posted and the time I read your post, Keith, I came to much the same conclusion (helped along by a few clever observations from my wife...I can't get away with anything around here). However, my assumption is that they push the service exe to the remote machine via (say) the C$ file share, rather than pulling it from the source machine. Checking... Yep, the service winds up in C:\windows\system32 on the remote machine, which suggests to me that it pushes it via the winnt$ share. It looks like the service deletes both the service entry and the executable when the task finishes. Which certainly is scary, but is also quite clever. I haven't run netmon yet, but one thing I'd be curious about is to see whether there's any attempt at channel encryption. I really doubt it, which would be disappointing, but unsurprising.
Jay wrote re: PsExec - How Do They *Do* That?
on 06-16-2004 8:34 PM
Why do programmers have to come up with elaborate solutions and conclusions when the answer is right in front of you: gnomes. I would now like to apologize to craig for that last comment.
Craig wrote re: PsExec - How Do They *Do* That?
on 06-17-2004 4:56 AM
Fool! It's pixies, not gnomes. :)
Jeremy Cross wrote re: PsExec - How Do They *Do* That?
on 11-30-2004 3:29 PM
psexec.exe has payload inside as a binary resource, according to:

http://www.ntkernel.com/articles/psexec.shtml
Shirly wrote re: PsExec - How Do They *Do* That?
on 05-28-2005 1:53 AM
PSExec is really a magic tool.
But there is an issue when I tried to use cmdasuser.exe. Can I use cmdasuser.exe existing on a remote computer? I mean, I have two computers; one computer has cmdasuser.exe, and on the other computer I mapped a network drive to the location where cmdasuser.exe exists and tried to run cmdasuser.exe, but it failed.
I used a command like "cmdasuser localsystem", but I got an error "StartService failed: The system cannot find the path specified".

If anybody knows about this, please reply to my comment.

Thanks in advance.
Craig wrote re: PsExec - How Do They *Do* That?
on 05-28-2005 4:02 AM
I'm not quite sure why they won't work together, but you shouldn't need cmdasuser: psexec has a pair of switches (-u and -p) that let you set the username and password to login with on the remote computer.
shirly wrote re: PsExec - How Do They *Do* That?
on 05-29-2005 7:36 PM
Craig, thanks a lot. It is very kind of you to answer my question so quickly.
But using the way you described will run the exe on the remote computer which has the exe, e.g. cmdasuser.exe exists on computer A; using PsExec.exe, which exists on computer B, running PsExec.exe will start cmdasuser.exe on A, but I want to see it on computer B. Maybe it is strange, but it is what I need.
Craig wrote re: PsExec - How Do They *Do* That?
on 05-30-2005 3:29 AM
I don't understand. If you want to run cmdasuser on the local computer, why not just run it? Why do you need psexec at all?
Aeria wrote re: PsExec - How Do They *Do* That?
on 01-10-2006 6:29 PM
You could probably also use the -c switch pointing at where you have cmdasuser.exe sitting. We (the IT staff at a small company) use this to install a quick VNC server on a machine so that we can take a look. Especially handy for older machines that we didn't put it on.

There is a lot more to this than just using the command line on another computer, though that certainly would be enough.
tikwi wrote re: PsExec - How Do They *Do* That?
on 09-07-2006 7:38 AM
I can't even get it to work! I put in the commands exactly as they are, but nothing!
Mark wrote re: PsExec - How Do They *Do* That?
on 10-20-2006 1:38 AM
I thought nothing had happened the first time I tried it, but later realised the command prompt was now on the remote machine.
echo %computername% will confirm.
I was a bit disappointed that when I ran mspaint as a test it didn't spring up on the remote machine (although it was showing as a process in Task Manager), so what's the idea there?
I did manage to use it to start the SMS software inventory on the CEO's machine, rather than disturb him, which was good :)
Craig wrote re: PsExec - How Do They *Do* That?
on 10-20-2006 2:38 AM
The reason it didn't show up on the remote machine is that you must have started it in a noninteractive window station.
Anu wrote re: PsExec - How Do They *Do* That?
on 11-07-2006 12:22 PM
Hi,
I am trying to access a Word file on a remote machine. I get "system could not start z: on abc-3-1 system cannot find path specified", although I am authenticated correctly when I issue the password.
I issue the cmd:

psexex \\abc-3-1 -u:domain\user1 -p pwsd z:\test.doc
Craig wrote re: PsExec - How Do They *Do* That?
on 11-07-2006 12:39 PM
Z is a mapped drive, I assume? That's not necessarily going to exist on the remote machine. Try using the UNC path (\\server\share) instead.
Anu wrote re: PsExec - How Do They *Do* That?
on 11-07-2006 2:55 PM
Thanks Craig.
But I do need to access the drive on the remote machine.
The case is: map two clients to a common share, let that be [z], and then try to open the same file remotely.
Craig wrote re: PsExec - How Do They *Do* That?
on 11-08-2006 4:13 AM
Then you'll need to do it some other way - it doesn't look like the login that psexec gives you is giving you access to the user's full environment.

You can either switch from using a drive letter to using UNC paths or try to figure out how drives get mapped - maybe it's stored in the registry somewhere.
Peter wrote re: PsExec - How Do They *Do* That?
on 11-22-2006 11:32 PM
What I am having an issue with is when a limited account issues the psexec. I get access is denied, but Admin works.

What are the permissions required on the host?

Both are Win2003.
Craig wrote re: PsExec - How Do They *Do* That?
on 11-23-2006 6:50 AM
I have no idea. Have you tried contacting SysInternals?
Swarup Modak wrote re: PsExec - How Do They *Do* That?
on 03-12-2007 8:36 PM
I have a FoxPro exe on a Linux server, which I would like to run on a third computer from my computer. Which command should I use?

Presently I have tried it this way, but it is not working:
psexec \\10.2.1.175 \\10.2.1.6\hngroot\sales\hobakcup\ho.exe smodak ellora

PsExec could not start \\10.2.1.6\hngroot\sales\hobackup\ho.exe on 10.2.1.175: Access is denied.

I have full Administrative Rights.
Bouncy wrote re: Swarup Modak
on 03-27-2007 12:46 AM
By default, the process you execute on the remote system impersonates the account from which you run PsExec on the local system. Impersonation is somewhat restricted from the perspective of security—the remote process doesn't have access to any network resources, even those that your account typically would be able to access. (http://www.windowsitpro.com/Windows/Articles/ArticleID/42919/pg/2/2.html)
michael wrote re: PsExec - How Do They *Do* That?
on 10-08-2007 4:57 AM
Found a state in which the "Access denied" also occurs: In some circumstance the psexecsvc in C:\Windows won't be deleted on the remote machine after finishing.

The next attempt to connect fails because the pstools can't create this file.

greets
Henk Jonckheere wrote re: PsExec - How Do They *Do* That?
on 10-10-2007 6:56 AM
Hi all,

I'm looking for a way to remotely collect system information from our servers world wide.

What I'm looking for right now is a tool to extract the 'ipconfig /all' information from remote servers without needing 'Administrative' access rights.

So, I thought this could be accomplished using the '-s' parameter, thereby using the local 'SYSTEM' account. But I still receive the 'Access is denied' error message. When I put myself in the 'Administrators' group, access is granted and the output is shown correctly on the screen.

Can anyone explain why the '-s' parameter does not give the expected result?

Thanks in Advance.

J wrote re: PsExec - How Do They *Do* That?
on 07-03-2008 7:22 PM

You can't use the -s switch in that way because it uses the system account only as what user the service runs as. You still need admin rights to create the service that will then run as system.

Nishad wrote re: PsExec - How Do They *Do* That?
on 07-18-2008 5:58 AM

Hi, I am a beginner with the tool psexec.

I want to copy and run a VBScript file from my location to a remote PC.

I have used the command listed below:

psexec \\yourPC -c test.vbs

But it's throwing an error.

Where do I have to store test.vbs?

To which location does this file get copied on the remote PC?

Please help me.
