How To Use PsExec Tools To Run Commands and Get a Shell on Remote Windows Systems
The Windows operating system provides different ways to manage remote systems; Telnet, RDP and VNC are some of them. These options are generally bound to a graphical user interface. If we prefer a command line interface, there is an alternative named PsExec.
PsExec is actually part of a toolset consisting of the following tools.
PsExec: used to execute commands on a remote system or get a shell from it
PsFile: used to list files and folders on a remote system
PsGetSid: used to display the security identifier for a remote computer or user
PsInfo: used to get detailed information about the remote system
PsKill: used to kill a process on the remote system by name or ID
PsList: used to list processes in detail on the remote system
PsLoggedOn: used to list logged on users on the remote system
PsLogList: used to list event logs residing on the remote system
PsPasswd: used to change a given user's password on the remote system
PsPing: used to ping from the remote system
PsService: used to list and manage Windows services on the remote system
PsShutdown: used to shut down, log off, suspend and restart the remote Windows system
PsSuspend: used to suspend and resume processes on the remote Windows system
PsUptime: used to display remote system uptime
Most of these tools are provided for both 32-bit and 64-bit architectures; the matching binary should be used.
Download
PsTools is developed by Mark Russinovich and can be downloaded from the following link:
https://download.sysinternals.com/files/PSTools.zip
At the time of writing this post, the latest version of PsTools was 2.45.
Run Command On Remote System
The most basic usage of the PsExec command is simply running a command on the remote system. In order to do that we should provide the user name and password together with the command to be run on the remote system. The syntax of PsExec is like below.
In this example we will run the ipconfig command on the remote system whose IP address is 192.168.122.66. The username is Administrator and the password is 123456Ww.
As we can see, the command is executed on the remote system without any problem.
Redirect Psexec Command Output
After running a command on the remote system, its output is printed to the current standard output, which is our local shell. This output can be redirected into a file with > . If we have a lot of remote systems to run the command on, this option is very useful.
In this example the ipconfig command output is saved into a file named 192.168.122.66_ipconfig.
Pass The Hash
In the previous example we provided the user password. The clear text password is not the only option; we can also provide the hash value of the user token. In the following example we provide the hash of the user token.
Copy Command From Local To The Remote System
Running commands on the remote system is a very useful feature, but there is another feature that makes system administrators' and pentesters' jobs easier. PsExec can be used to copy a command (executable) from the local system to the remote system. We use the -c option for the copy operation. Once the command finishes, the remote copy is deleted.
In this example we will copy cmd.exe. After the copy operation finishes, cmd.exe is started on the remote system.
As we can see, we get a cmd shell on the remote system.
Run Command As System User
While running commands on the remote system, the process owner and privileges are those of the provided user. If we need the remote command to run as the System user instead, we provide the -s option.
In this example we will use regedit.exe.
Run GUI Application On the Remote System
Windows operating systems provide a GUI by default. PsExec can be used to open a GUI application on the remote system in the specified user's console. User console simply means the user's desktop.
In this example we will start notepad.exe on the remote system. The remote system's Administrator user can interact with this notepad.
We get our local shell back after the remote user closes the notepad. After it is closed, the exit code is printed to the PsExec console.
Create Interactive Shell On The Remote System
Up to now we have run single commands remotely; after the execution of the command finishes, the connection to the remote system is closed. PsExec can also provide a remote shell, which behaves like a session-based connection: it connects to the remote system and gives us an MS-DOS style command prompt. In order to get a remote shell we run the cmd.exe command on the remote system.
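Every remote execution shown above works the same way under the hood: PsExec installs a temporary helper service on the target, and the target's Service Control Manager records that install as event 7045 in the System log. As an added defender-side example that is not part of the original post, the following Python filter flags those installs in exported event records and pairs each with the network logon that preceded it; the records are constructed for this example, and the field names are an assumption about how the dumped logs were normalised.

```python
from datetime import datetime, timedelta

# Event ID 7045 (System log, Service Control Manager) records a service
# install. PsExec works by installing a helper service on the target, named
# PSEXESVC by default, so a 7045 carrying that name shows PsExec ran there.
SERVICE_INSTALL_EVENT = 7045
NETWORK_LOGON_EVENT = 4624   # Security log; logon_type 3 is a network logon
PSEXEC_SERVICE_NAME = "PSEXESVC"

# Constructed sample records (not real logs), in the shape they might take
# after being dumped with PsLogList and normalised into dicts.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:02", "id": 4624, "logon_type": 3,
     "account": "Administrator", "src_ip": "192.168.122.10"},
    {"time": "2024-05-01T10:00:03", "id": 7045, "service": "PSEXESVC",
     "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2024-05-01T11:30:00", "id": 7045, "service": "Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe"},
    {"time": "2024-05-01T12:00:00", "id": 4624, "logon_type": 2,
     "account": "alice", "src_ip": "-"},
]


def find_psexec_installs(events, window=timedelta(seconds=30)):
    """Return one alert per PSEXESVC install, listing the network logons
    (4624, type 3) seen on the host within `window` before it; that pairing
    tells the responder which account and source address drove the install."""
    parsed = sorted(
        ({**e, "ts": datetime.fromisoformat(e["time"])} for e in events),
        key=lambda e: e["ts"])
    alerts = []
    for ev in parsed:
        if ev["id"] != SERVICE_INSTALL_EVENT:
            continue
        # Caveat: the operator can give the service another name, so also
        # review 7045 events whose image path is unfamiliar; this check only
        # catches the default name.
        if ev.get("service", "").upper() != PSEXEC_SERVICE_NAME:
            continue
        logons = {
            (lg["account"], lg["src_ip"]) for lg in parsed
            if lg["id"] == NETWORK_LOGON_EVENT and lg.get("logon_type") == 3
            and timedelta(0) <= ev["ts"] - lg["ts"] <= window
        }
        alerts.append({"time": ev["time"], "image": ev.get("image", ""),
                       "sources": sorted(logons)})
    return alerts
```

Running `find_psexec_installs(SAMPLE_EVENTS)` yields a single alert for the 10:00:03 install, attributed to Administrator from 192.168.122.10; the ordinary Spooler install and the local interactive logon are ignored.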
PsExec Tools
Up to now we have generally provided the commands to run on remote systems ourselves. A system administrator's daily operations do not change frequently, so the PsTools toolkit provides some dedicated commands that run directly without passing a command as a parameter. We will look at these tools below.
List Files On The Remote System With PsFile
The PsFile command can be used to list or close opened files. The syntax is very similar to the PsExec command. In this example we will list files located at C:\Users\ on the remote system.
List SIDs On The Remote System With PsGetSid
A SID (security identifier) identifies Windows users more precisely than a name does. We can display the SID of a given user with the PsGetSid command like below.
Get Remote System Information With PsInfo
PsInfo is a tool used to get remote system information such as uptime, version, Windows variant, etc.
The following information about the remote system is provided by PsInfo:
Uptime: shows how many days and hours the system has been running
Kernel Version: shows the operating system kernel
Product Type: shows the version of the operating system
Product Version
Kernel Build Number
Registered Organization
Registered Owner
IE Version: shows the Internet Explorer version
System Root: shows where the operating system is installed
Processors: shows the processor or thread count
Processor Speed
Processor Type: shows the detailed processor version and name
Physical Memory
Video Driver: shows the currently loaded driver name
List Processes On The Remote System With PsList
Processes running on the remote system can be easily listed with the PsList command.
The output provides the following information about remote system processes:
Name: the executable file name
Pid: the process ID, which identifies the process
Pri: the priority, which affects process performance under heavy load
Thd: the thread count
Hnd: the open handle count
CPU Time: the total CPU time used by the process
Elapsed Time: the time since the process started
Kill Process On The Remote System With PsKill
Processes running on the remote system can be easily killed with the PsKill command. In order to kill a process we should provide the process ID or process name as an argument. We will kill the remote process with process ID 2064.
We get a message saying Process 2064 on 192.168.122.66 killed.
List Event Logs On The Remote System With PsLogList
Remote system event logs can easily be dumped to the local system with the PsLogList command. If we use this command without any extra parameter, it dumps all event logs from the remote system, which floods the command line. So for the example we will limit the output to the last 5 minutes of event logs with the -m option.
Change Password On The Remote System With PsPasswd
Remote system users' passwords can be changed easily with the PsPasswd command. In this example we will change the Administrator user's password to 123456Aa.
Ping With PsPing
Another useful tool is PsPing, which creates ICMP packets to ping a host. This command runs on the local system.
Manage Service On The Remote System With PsService
The PsService command is used to list, start and stop services on the remote system.
List Services
We can list remote services with the query option.
Start Service Remotely
A remote service can be started with the start option. In this example we will start the service named ALG.
After the service is started, information about the service is printed.
Stop Service Remotely
We will stop the ALG service in the following example.
Shutdown, Reboot, Suspend Remote System With PsShutdown
The remote system can be shut down with the PsShutdown command like below.


Great article. Thank you for doing this. How do you get the Hash of the password?
Hi,
There are different ways, but the most used way is using mimikatz, especially in penetration tests.