Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  
  Advanced Search 


July 2004

PsExec

Execute processes on a remote system and redirect output to the local system
From the July 2004 Edition
of Windows IT Pro
Mark Russinovich
Windows Power Tools
InstantDoc #42919
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Products / Software Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

PsExec Security
You should be aware of several ways in which PsExec interfaces with Windows security. By default, the process you execute on the remote system impersonates the account from which you run PsExec on the local system. Impersonation is somewhat restricted from the perspective of security—the remote process doesn't have access to any network resources, even those that your account typically would be able to access. If the account in which you're running doesn't have local administrative privileges on the remote system, the process you want to run requires access to network resources, or you want to run a process in a different account, then use PsExec's -u switch to provide an alternative account name. For example, you could enter the command

psexec \\remote

-u remote\administrator

-p adminpass ipconfig

to run Ipconfig under the Administrator account on the remote machine. Use the -p switch to enter the password for the account you specified with the -u switch. If you omit the -p switch, PsExec prompts you to enter the password (for security reasons, PsExec doesn't echo the password you enter to the screen).

If you specify alternative credentials, the remote process runs with those credentials and will have access to network resources that the alternative account can access. To run in a different account, PsExec must use that account to log on to the remote system. PsExec therefore requires the password on the remote system and sends the password in clear text from the local system. You need to be aware of this fact if unauthorized network sniffers could intercept traffic between the local and remote system.

You can also run the remote process in the System account, under which Windows services and core Windows processes, such as Winlogon and the Local Security Authority Subsystem Service (LSASS) are executed. The System account has powerful privileges. Some file-system and registry resources have default security settings that permit access only from the System account—examples are the HKEY_LOCAL_MACHINE\SAM registry subkey and the \System Volume Information directory that's present on each volume of all Windows 2000 or later systems.

For example, if you've ever been curious about the contents of the SAM subkey, which appears empty in regedit because regedit can navigate the subkey only under the System account, you can use PsExec similarly to the way you use the Runas command (which is available on Win2K and later) to run regedit under the System account. The command is this:

psexec -s -i

c:\windows\regedit.exe

Note that the command doesn't include a remote computer name and does include the -i (interactive) switch. When you enter the command, regedit will appear on your desktop running in the System account, and you'll be able to look inside the HKEY_LOCAL_MACHINE\SAM and HKEY_LOCAL_MACHINE\SYSTEM subkeys. The -i switch is what causes regedit to appear on the console desktop, and it's typically useful only when you want to run a GUI application on the local system where you can interact with it.

A last security note relates to viruses. Several viruses use PsExec to propagate within a network, and as a result, several major antivirus products flag PsExec as a Trojan horse program or a worm. Remember that PsExec works on remote systems only if it runs within an account that has administrator group membership on the remote system. In other words, unless the account from which you run it has administrative access to a remote system, PsExec won't be able to execute a process on the remote system. In addition, PsExec's functionality can be achieved in other ways; thus, PsExec is only a convenience for virus writers, who could otherwise easily implement the functionality that PsExec provides.

Inside PsExec
PsExec starts an executable on a remote system and controls the input and output streams of the executable's process so that you can interact with the executable from the local system. PsExec does so by extracting from its executable image an embedded Windows service named Psexesvc and copying it to the Admin$ share of the remote system. PsExec then uses the Windows Service Control Manager API, which has a remote interface, to start the Psexesvc service on the remote system.

The Psexesvc service creates a named pipe, psexecsvc, to which PsExec connects and sends commands that tell the service on the remote system which executable to launch and which options you've specified. If you specify the -d (don't wait) switch, the service exits after starting the executable; otherwise, the service waits for the executable to terminate, then sends the exit code back to PsExec for it to print on the local console.

End of Article

   Previous  1  [2]  Next  


Reader Comments
I'd forgotten about PSExec until Mark's article reminded me. I encountered an odd problem in that any command executed, e.g. ipconfig, on a remote machine returns, "PsExec could not start cmd on remotecomputername
The directory name is invalid."

Seems kind of odd in that every other remote tool we use works just fine. I've been unable to find any additional information about this error. Any ideas?

JC Warren July 08, 2004

We have been using PSEXEC for several years. It allows us to have a central scheduler PC run overnight batch jobs on several different machines. It given us the bases for applying security patches to our PC, atleast until we finish implementing Altiris. Want to say a HUGE thank you to Mark for all his little utils that have save my butt on more than one occasion. CHEERS

VoyageurX July 15, 2004 (Article Rating: )

When I tried to use the PSEXEC command like "psexec -s -i c:\winnt\regedit.exe" to run REGEDIT under the System account,what returned jsut like "psexec /?".I was confused,any ideas?

JunLiu August 19, 2004 (Article Rating: )

Amazing tool!

Anonymous User February 02, 2005 (Article Rating: )

For those having problems getting the PSTools to run on the remote server due to security warnings/access denied/etc., here are a couple of tips, at least for Windows XP servers:

- on the server turn off "simple file sharing"
- create a user on the server with the same login name and password as the person who will be running psexec.
- add that user to the Administrators group on the server

Very important (!):
- Now that you have changed the security on the server, open Computer Management and force all sessions from this user to close (logging off doesn't always do it). Now the server will see the user connect again and use the new security settings.

- Steve Yates
- Too err is human. To moo, bovine.

~ Taglines by Taglinator - www.srtware.com ~

Anonymous User February 10, 2005 (Article Rating: )

I kept getting ACCESS DENIED errors, after much googling, found that the local user account you are running psexec from cannot have a blank password. Windows wont let you run anything remotely if the account the request comes from has a blank password.

Anonymous User February 22, 2005 (Article Rating: )

I loved this little utility that does all.

what does mean when I get the following error:
Defrag.exe exited on computername with error code 0?

almassud@hotmail.com
thanks

Anonymous User February 24, 2005 (Article Rating: )

Usually error code zero means no error occurred. Anything above zero is an error.

Anonymous User February 25, 2005 (Article Rating: )

Does anyone know how to get around this problem:
When using psexec to run a batch file or a cmd session, if you use SET /P to set an environment variable it only uses the first letter instead of the whole line.

Example code:
psexec \\remote cmd.exe
set /p username=Enter DB Username:

Enter DB Username: Glen

'len' is not recognized as an internal or external command,
operable program or batch file.

set username
username=G


Any help or suggestions are appreciated.



Anonymous User February 28, 2005

Some of the CRLF's got left out of my last post

there is supposed to be newline between "cmd.exe" and "set" and between "set username" and "username=G"

Anonymous User February 28, 2005

 See More Comments  1   2   3   4   5   6   7   8 

You must log on before posting a comment.

If you don't have a username & password, please register now.




Learning Path To Read More About PSExec
"PsExec to the Rescue"

"JSI Tip 4141. PsExec freeware executes programs remotely"

"PsExec, User Account Control and Security Boundaries"

"How can I start a process or program as the local system account?"

"How can I run a Control Panel applet or snap-in configuration as another user from the command line?"

"Got questions about scripting?"

"How can I monitor registry activity during logon and logoff?"
Top Viewed ArticlesView all articles
Command Prompt Tricks

One reader shares his tip for setting up the command prompt to reflect a remote path. ...

New Microsoft/Yahoo! Deal? No

On Sunday, the Times of London reported that Microsoft had renewed talks with failing Internet giant Yahoo! and would manage its search engine for 10 years, while Yahoo! would retain control of its email, messaging, and content services. This report ...

How can I stop and start services from the command line?

...
Related Articles The Trick to Accessing Remote Files with Explorer.exe
Windows OSs Whitepapers Why SaaS is the Right Solution for Log Management
Related Events SQL Server 2008 – Can You Wait? | Philadelphia

SQL Server 2008 – Can You Wait? | Atlanta

SQL Server 2008 – Can You Wait? | Chicago

Check out our list of Free Email Newsletters!
Windows OSs eBooks Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys

SQL Server Administration for Oracle DBAs
Related Windows OSs Resources Become a VIP member of the Windows IT Pro community!
Get it all with the VIP CD and VIP access. A $500+ value for only $279!

Subscribe to Windows IT Pro!
Solve your toughest technical problems with our experts and access 10,000 + articles online. 30% off

Monthly Online Pass - Only $5.95!
Get instant access to 10,000+ articles from Windows IT Pro Magazine!

TechNet Virtual Labs
Evaluate and test Microsoft's newest products.



ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
Register for Orion NPM v9 - Evaluation
Affordable, easy-to-use network performance management with SolarWinds Orion – Free Trial!

Want a Hardware-Independent Image?
Binary Research, the Ghost people, shows you how to clone with 1!

Maximize speed, performance and reliablity of your PCs and servers—automatically!
Speed Up Your PC! Try Diskeeper 2008 with InvisiTasking Free Now!

Order Your Fundamentals CD Today!
Register today for your in-depth copy of one of three Fundamental CDs on the following topics – Exchange, SQL, and SharePoint.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro Windows Dev Pro IT Job Hound ITTV
IT Library Technology Resource Directory Connected Home Windows Excavator Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing