Pstools User Guide

Psexec computername -u User -p Password ipconfig That command would produce output similar to the following: If you want to pass the output of a command into another command, or you wanted to redirect the output into a file, you would normally just do something like command.exe output.txt, and the same thing happens with PsExec. I enjoy running PsTools Suite. All the tools are awesome. My favorite are PsExec, PsPasswd, and PsShutdown. Some times it takes me 1 or 2 tries before I get a complex command to work. However, I do not have that problem anymore. The other day I found a front end GUI for PsTools. This GUI for PsTools is made by David Pront. Hm I feel a little silly:) I had assumed the user would have to have elevated permissions, but of course the local policy has to permit it in the first instance. – ljs Dec 30 '11 at 16:00 many antivirus programs will block psexec as well.

If there was a command-line utility that could compete with robocopy in terms of usefulness, it’s PsExec. The Sysinternals PsExec utility is as ubiquitous as they come in an IT admin arsenal. This tool allows administrators to remotely run commands just as if they were on the local computer.

To cover the PsExec tool in depth, it was fitting to cover this coveted tool in an ATA Ultimate Guide. In this guide, you will learn what psexec is, what it’s capable of any many examples of how to use this useful tool.

What is PsExec.exe?

If you’re new to IT or perhaps haven’t had the need to run commands and tools on remote computers, you might not know what psexec is.

PsExec or psexec.exe is a command-line utility built for Windows. It allows administrators to run programs on local and more commonly remote computers. It is a free utility part of the Sysinternals pstools suite built by Mark Russinovich many years ago.

It was built to replace tools like telnet that forced you to open up ports and introduce security vulnerabilities. Nowadays, we have other options like PowerShell Remoting and the Invoke-Command PowerShell cmdlet but PsExec still has its place.

PsExec allows full interactivity for console application without having to install any software. As you’ll see through this Ultimate Guide, PsExec can launch interactive command prompts, run as local system on remote computers, run commands on multiple computers at once and more.

It supports all versions of Windows since Windows XP. That means, that yes, PsExec on Windows 10 is a thing too. It’s a simple tool to run that works on nearly everything but don’t confuse its simplicity with its capabilities!

Prerequisites

You simply need to be running a modern Windows operating system for PsExec to run on your local computer. However, you’re going to want to run psexec against remote computers. To do that, you’ll need to ensure a few items are in place.

List

If you don’t have these items in place now or unsure, don’t worry. In the next section, we’ll cover how to write some PowerShell to test your remote computers.

  • A modern Windows computer (local)
  • File and Printer Sharing open (remote computer, TCP port 445)
  • The admin$administrative share available (remote computer)
  • You know a local account’s credential (remote computer)

As of this writing, PsExec is at v2.2 and will be the version you’ll be learning about in this article.

Installing PSexec (With Remote Computer Setup)

Technically, you don’t install PsExec since it’s just a command-line utility but close enough. Since no installation is necessary, you simply need to download and extract it from the PsTools zip file. PsExec isn’t available as a standalone utility and is part of the PsTools suite of tools.

Downloading PSExec

You can either extract the ZIP file manually or here’s a handy PowerShell snippet to download and extract PsExec from its pstools ZIP file. Note that this removes all of the other PsTools tools. Many are still handy but we’re not going to cover those in this article.

Remote Computer Configuration

Once you have PsExec downloaded, you’ll then need to ensure any remote computer you’re going to run it on is open. PsExec has simple requirements; File and Printer Sharing enabled and the admin$ administrative share available.

You could go to all of the remote computers, open up the Windows Firewall applet, go to Allowed Apps and enable File and Printer Sharing on all computers as you see below.

Note that File and Printer Sharing is a known security risk so ensure only the Private firewall profile is enabled.

Or you could visit each computer and run the netsh utility to open it up via:

Or you could use PowerShell’s Set-NetFirewallRule cmdlet to do it.

If you’d rather not visit each computer, you have PowerShell Remoting available and you’re in an Active Directory domain, you could also open up the firewall on many computers at once using the Invoke-Command cmdlet.

Using PsExec

Before you can run, you need to walk. If you’ve never used PsExec before, you’re in for a treat! Be sure to read this section first to get your feet wet to learn the basics before jumping in the deep end later in this article.

The first time you run PsExec on a new system, you will immediately see the PsExec license agreement come up. You’ll have to click on the Agree button to begin using it.

If you’d like to prevent the license agreement from being displayed, you can silently accept it using the /accepteula switch as shown below.

You’ll learn a few tricks at silencing this EULA popup on local and remote computers later in the article.

Finding Help

When exploring PsExec, you shouldn’t use any switch at all. When you simply run psexec with no switches, it will return all options and a brief explanation of what each does. All of the options are in the below table for your convenience.

Running a Simple Remote Command

At its most basic, PsExec requires two parameters: a computer name and a command to run. If you have a command to run on the remote computer that doesn’t require any arguments like hostname, you can simply add it after the computer name.

Note that if you don’t specify a full file path, the command to run must be in the user or system path. Also, if you have a program with spaces in the name, you can always enclose the program in spaces such as “my application.exe”.

You can see below that to execute the hostname command on the CONTOSODC1 computer, you define it’s UNC path followed by the command. PSExec will then connect to the remote computer securely, execute the command and return the output. In this case, the hostname command returned the hostname of the computer which is CONTOSODC1.

If the command isn’t cmd or another console, PsExec will quickly exit the remote session and return the exit code the remote process returned.

Note: The error or exit code returned from psexec is not coming from PsExec itself. Instead, it’s coming from the command that psexec executed on the remote computer.

How PsExec Works on Remote Computers

PsExec goes through a few steps to execute programs on remote computers.

Definition
  1. Create a PSEXESVC.exe file in C:Windows.
  2. Create and start a Windows service on the remote computer called PsExec.
  3. Execute the program under a parent process of psexesvc.exe.
  4. When complete, the PsExec Windows service will be stopped and removed.

When the process doesn’t work 100% correctly you may have to manually remove the service using the sc command.

Running a Simple Local Command

Pstools user guide list

Even though PsExec is best known for running commands on remote computers, you can also run commands locally.

You can run commands locally by simply not providing a computer name like below.

Why would you do this? One reason would be to execute commands as the local SYSTEM account. You can use the -s switch to run any command as SYSTEM locally or remotely as you’ll learn more about later.

Take a look at the short video below. Notice that you simply need to provide the -s switch along with the command interpreter executable for psexec to launch a new command session as NT AUTHORITYSYSTEM.

PsExec Commands (Getting More Advanced)

Once you’ve got the basics down, you can then start learning more advanced techniques in psexec. PsExec can do a lot more than just run a single command on a single computer.

Running commands on multiple computers

PsExec isn’t just limited to running commands on one remote computer at a time. This tool also has support to copy programs and run commands on multiple computers at once.

You can run PsExec on multiple computers at once a few different ways.

Comma-separated Computer Names

Typically when running a command on a single remote computer, you will specify a single computer name like REMOTECOMPUTER. You can also specify multiple computers separated by commas like below.

All Computers in an Active Directory Domain

If you’re running PsExec on an Active Directory domain-joined computer and you’d like to blast out a command execution on all computers in that domain, use a wildcard.

PsExec will search your entire Active Directory domain and attempt to run a command on every computer. Below is example syntax on how PsExec will attempt to connect to every computer on the domain the executing computer is a part of and run the hostname command.

Note that if you use an asterisk to find all computers in a domain while the local computer is part of a workgroup, you will receive the error A system error has occurred: 6118.

Using a wildcard forces PsExec to essentially run the command net view /all to first find all computers in the domain. This is an outdated way to find computer information due to its dependency on NetBIOS.

Reading from a File

Another way you can run commands on multiple computers at once is to use a text file. Using the syntax @<filename.txt>, PsExec will read every line in the text file as if it were a computer name. It will then process each computer individually.

Below you can see an example of using PowerShell to create a text file of line-delimited computer names and using that as input for psexec.

Copying local programs to the remote computer

Guide

Using the -c switch, psexec will copy any local program to the remote computer prior to execution.

Perhaps you have an EXE on your local computer in a C:Tools folder and would like to run it on a remote computer. You can do so using the following syntax:

When you use the -c switch and don’t specify an executable file, PsExec will still copy the file but you’ll receive an error stating system cannot find the file specified. This happens because PsExec will always attempt to run the file you copy.

If you need to copy files to remote computers prior to using PsExec, use the Copy-Item PowerShell cmdlet instead.

Running Remote Processes under Alternate Credentials

Another popular use case of PsExec is to run commands under alternative accounts. By default, PsExec will attempt to connect to the remote computer under your currently-logged-in account. More specifically, it will impersonate your account on the remote computer.

Using the -u and optional -p switch allows you to connect to the remote computer with an alternative user account. PsExec will then encrypt both the username and password and send them to the remote computer for authentication.

For example, if you’re in a workgroup, you’ll always need to specify the username to authenticate to the remote computer as.

If both computers are a member of Active Directory, be sure to preface the user account with the domain name.

Note that when you do not use the -u switch, psexec impersonates your logged-in account on the remote computer. It will not have access to any network resources.

Running Processes as the LOCAL SYSTEM Account

One of the most useful features of running PsExec under an alternative account is using the -s switch. This switch allows PsExec (and your remotely-executed application) to run under the remote (or local) computer’s LOCAL SYSTEM account.

Notice below I didn’t include a remote computer name. PsExec will just as gladly run on the local computer as well. In this instance, I’m using the -s option to tell PsExec to launch a local command prompt as the LOCAL SYSTEM account.

To run a command prompt as LOCAL SYSTEM on a remote computer, add the computer name to the reference like below:

Launching GUI Applications Remotely

Another useful PsExec switch is -i. By default, PsExec does not allow the remotely-executed command to bring up any windows on the remote computer. This is helpful because if you’re executing commands remotely, you’re not going to see the screen anyway.

But perhaps you need to bring up programs for your users. You personally won’t be using the application but an end-user will. In that case, use the -i switch.

Maybe you need to bring up a notepad window on a remote computer. Not a problem. Run notepad.exe with the -i switch and PsExec will open up Notepad.

Be sure to also use the -d switch to disconnect when the interactive window is brought up though. By default, PsExec will wait for the process it executed to complete. If the remote process (Notepad in this case) is kept running, PsExec will never return control.

Using the -d switch with -i will tell PsExec to not wait for the remote process to finish. Instead, it will disconnect and return control to you as soon as the remote process is executed.

Redirecting Output

Psexec will rely any output sent from the remote process to your local session. Typically, this output will go directly to your local console. But if you’d like to redirect it, you can do so using typical redirection operators.

For example, if you’d like to run a command and silence all output, you could redirect output and errors to null using ^> nul ^2^&1.

Note the special characters are escaped with a hat. ( ^).

PsExec Use Cases

Once you’ve learned how to use psexec, you’ll inevitably come across various specific use cases. In this section, you’ll learn some real-world use cases and examples using psexec.

Launching a Remote Command Prompt (psexec cmd)

One of the most common use cases is launching PsExec as an interactive command prompt. PsExec doesn’t just run commands remotely. It can also send command output back to your console. Because of this, it can make a great telnet (if anyone is still using that) or perhaps PowerShell Enter-PSSession replacement.

To launch a remote command, specify the remote computer name and run the cmd application. Cmd is the Windows command interpreter. Since PsExec supports interactive use, it will gladly return a flashing cursor and a prompt.

At this point, the world is your oyster. You can run commands on your local computer via this “nested” command prompt and they will be executed on the remote computer.

To exit from the command prompt, type exit. PsExec will stop the cmd process on the remote computer and return focus to the local computer.

Do NOT use Ctrl-C to close out of an interactive cmd session. Always use exit. If you use Ctrl-C, the psexec session will remain running on the remote computer.

Installing Software Remotely

You can use PsExec as a poor-man’s software deployment tool. Perhaps you have an MSI installer that you need to run on one or more remote computers called setup.msi. This installer needs to be copied to the remote computers and then executed with the msiexec.exe utility with a few switches.

Below is an example of how you could use PsExec to remotely deploy software. This example copies setup.msi to the remote computer then launches the MSI installer interactively on as the SYSTEM account.

Accepting the EULA without the /accepteula switch

As mentioned earlier, the first time PsExec runs, you’ll have to accept a EULA. You could use the /accepteula switch but you could also “stage” it in the registry.

When launched for the first time, PsExec creates a registry key at HKCUSoftwareSysinternalsPsExec. Instead of that registry key, it creates a registry value called EulaAccepted with a DWORD value of 1.

Using your favorite method to modify the registry on remote computers, you simply need to create this key/value on computers you’d like to run PsExec on. Once created, no need to run /accepteula!

Marrying PowerShell and PsExec

Before PowerShell, all we had was PsExec. Now, we have options. PowerShell can replace PsExec in many situations but complement it in others.

Building Computer Names with PowerShell

Instead of using * to find all computers in the domain, you can use PowerShell instead. By using PowerShell, you can not only pick certain computers but you don’t have to use the firewall-prone net view /all behavior.

You can use PowerShell to create a string containing all computer names separated by a comma. You can then pass that string to PsExec which will merrily process each one like you typed each one manually.

You can see below an example of using the Get-AdComputer cmdlet part of the ActiveDirectoryPowerShell module.

Enabling PowerShell Remoting Remotely

If you have remote computers you’d rather use PowerShell Remoting with instead of PsExec, you can use PsExec to enable them.

By running Enable-PSRemoting or the winrm.cmd batch file on remote computers, you can quickly turn on PowerShell Remoting across many computers at once.

Below you can see an example of calling the winrm.cmd batch file on a remote computer running as the SYSTEM account. Because the output from that command isn’t needed, it’s silenced with 2>&1> $null.

PsExec Error Messages

It’s worth mentioning again upfront that most error codes you see returned from PsExec are from the remote process; not from PsExec. But it’s helpful to have an understanding of these error codes and what they might mean.

If you’d like a reference on all Windows error codes, I recommend checking out this exhaustive list of Windows error codes.

Below is a list of common error codes you may see returned by PsExec.

Your Feedback

ATA Ultimate Guides are big. There’s a lot of information in these and I’m bound to miss a thing here or there or make a mistake. If you notice anything wrong or think something should be added to this guide, please let me know via the comments. I’d be happy to credit you in the post.

Credits

  • Thanks to Mathias (comments) for numerous feedback.
User
Learning has never been so easy!

Microsoft Active Directory is a core component of your infrastructure, controlling everything from security settings to Group Policy to user authentication. Each user’s Active Directory account controls their access to network drives and other resources, as well as their Windows settings and computer configurations.

To thwart attacks, most organizations set up an account lockout policy for user accounts: As soon as the bad password count for particular user is exceeded, their Active Directory account gets locked. If your audit policy is enabled, you can find these events in the security log by searching for event ID 4740.

To effectively troubleshoot account lockouts, you must enable auditing at the domain level for security events and change some of the settings for the Security event logs as described in the “Active Directory Audit Quick Reference Guide” (link below).

This how-to is extended version of previously posted Account Lockout Troubleshooting Guide by Netwrix from Feb 16, 2016:
https://community.spiceworks.com/how_to/113387-account-lockout-troubleshooting

9 Steps total

Step 1: Microsoft Account Lockout and Management Tools

Microsoft’s Account Lockout and Management Tools include AlTools.exe. Download the AlTools package and install it on your domain controller.
https://www.microsoft.com/en-us/download/details.aspx?id=18465
This package includes the following tools:
* LockoutStatus
* EventCombMT

Step 2: LockoutStatus Tool

This tool displays information about locked-out accounts, including user state and lockout time on each domain controller, and enables you to unlock any account by right-clicking on it. To use the tool:

Run LockoutStatus.exe → From the File menu, select the target → Specify values for Target User Name and Target Domain Name → Click OK.

Step 3: EventCombMT Tool

This tool gathers specific events from several different servers to one central location. To use the tool:

Run EventCombMT.exe → Right-click on Select to search→ Choose Get DCs in Domain → Select the domain controllers to be searched → Click the Searches menu → Choose Built In Searches → Click Account Lockouts → For Windows Server 2008 and above, replace the Event ID field values with 4740 → Click Search.

The output directory will contain the log files for all domain controllers where events with the specified event IDs were found.

Step 4: PowerShell

To filter the event log for events related to a certain account, use this command:

Get-EventLog -LogName Security | ?{$_.message -like '*locked*USERNAME*'} | fl -property *

Alternatively, you can use the PowerShell script from How to Find Account Lockout Source:
https://www.netwrix.com/how_to_find_account_lockout_source.html

Step 5: Netlogon

This Windows Server process authenticates users and other services within a domain, so checking its log can help you investigate persistent lockout incidents. However, the Netlogon logging process can slightly degrade system performance, so be sure to disable it once you have captured the events you need.

To enable Netlogon logging, run the following command:
nltest /dbflag:2080ffff → OK

Then restart the Net Logon service. Activity will be logged to %windir%/debug/netlogon.log.

To parse the Netlogon logs, use the following batch script:

type netlogon.log |find /i '0xC000006A“ > bad_password.txt
type netlogon.log |find /i '0xC0000234“ > user_locked.txt

Note that Netlogon logging might affect your system performance. To disable it, run the following command:
nltest /dbflag:0

Step 6: Netwrix Account Lockout Examiner (free tool)

Instead of bushwhacking through cryptic logs and system events, you can use Netwrix Account Lockout Examiner to quickly pinpoint the source of an account lockout.
https://www.netwrix.com/go/ale

To report on all locked, unlocked and manually added accounts, install Netwrix Account Lockout Examiner, defining an account with access to the security event logs during setup. Then take the following steps:

1. From the Netwrix Account Lockout Examiner console, navigate to File → Click Settings → Go to the Managed Objects tab → Click Add → Specify values for the Domain and Domain Controllers fields → Close the settings window.
2. To determine the reason for a lockout, either click the arrow next to the Examine button to get information all the workstations in the specified domain, or click the Examine button to specify a specific workstation.

Step 7: Common Root Causes for Account Lockouts

• Persistent drive mappings with expired credentials
• Mobile devices using domain services like Exchange mailbox
• Service Accounts using cached passwords
• Scheduled tasks with expired credentials
• Programs using stored credentials
• Disconnected Terminal Server sessions
• Active Directory replication issues
• Misconfigured domain policy settings
• Malicious activity, such as password spraying attacks

Step 8: Troubleshooting

• Persistent drive mappings with expired credentials
 Use wmic /netuse

• Mobile devices using domain services like Exchange mailbox
 Use the Get-ActiveSyncDeviceStatistics PowerShell cmdlet.

• Scheduled tasks with expired credentials
 Check Windows task scheduler for tasks that are configured to run using the problematic account.

• Applications or services using cached passwords
 Check for a service, tool or application that is trying to run using outdated credentials.
 Use Process Hacker or Process Monitor to see the credentials for active processes.

• Programs using stored credentials
 Run the following command:
rundll32 keymgr.dll, KRShowKeyMgr
 Alternatively, if you are on Windows Server 2008 or above, run the netplwiz application, go to the Advanced tab and then click Manage Passwords.

 NOTE that passwords from the SYSTEM context can’t be seen in the normal Credential Manager. To check for these:
1. Download the Microsoft tool PsExec.exe and copy it to C:WindowsSystem32.
2. From a command prompt run: psexec -i -s -d cmd.exe
3. In new CMD window, enter the following: rundll32 keymgr.dll, KRShowKeyMgr
4. Remove items that appear in the list of Stored User Names and Passwords.

• Disconnected Terminal Server sessions
 Check for a session with outdated credentials. To kill a RDP session, run following commands at the command prompt:
1. net use server_ip /USER:name password
Replace server_ip, name and password with the necessary credentials. This logs you in to the remote server without using RDP.
2. query session /server:name
Replace “name” with the server’s name. You get the session ID here.
3. reset session id /server:server_ip
This terminates the active session on your remote server.

• AD replication issues
Password updates might not have replicated to all domain controllers. To force replication, run following command on your DC:
repadmin /syncall /AdeP

• Firewall logs, ISA server logs
If your RD gateway server is exposed to the internet, lockouts may indicate brute-force attacks.

• Improperly closed app virtualization session (such as XenApp)
Check and manually stale logoff session

Step 9: Other possible lockout causes

• AD Federation Services — Check for the following:
 - New password was not replicated to ADFS
 - Brute force and denial of service attacks on ADFS

• DCOM objects — Sometimes a computer requires a restart after a user password is changed in order to apply the setting to DCOM objects that are using those credentials.

• RADIUS server is authenticating WiFi access against AD and the user has an incorrect password.

• Web application is authenticating by attempting to bind to LDAP against a DC and the user's browser has a bad password saved in the Password Manager vault.

User Guide Ipad

Persistent account lockout incidents require prompt investigation. Often, you have to track down the IP address or device name of the source of the lockout. Some common issues can be resolved by checking credential manager, unlocking the account via PowerShell or simply updating your PDC emulator.

This how to is based on original https://www.netwrix.com/account_lockout_quick_troubleshooting_guide.html

Published: Jan 17, 2020 · Last Updated: Mar 04, 2020

User Guide Definition

References

  • [Best Practices] Account Lockout Best Practices
  • [Best Practices] Password Policy Best Practices
  • [Free Tool] Netwrix Account Lockout Examiner
  • [Guide] Account Lockout Troubleshooting Quick Reference Guide
  • [Guide] Active Directory Audit Quick Reference Guide

0 Comments