Psexec.exe: A Powerful tool for IT Admins

Captions
Hello, my name is Will Vanderpool, and this channel is dedicated to IT students, IT professionals, and anyone who enjoys learning technical subjects. We are going to be looking at a powerful tool for admins called PsExec.

All right, so who needs to learn PsExec? Well, IT students. If you're a help desk, if you're an IT professional and you have never used this utility, you need to watch this video. If you're an IT professional who has used this utility but really didn't understand how it worked, you need to watch this video. And anyone who wants to raise their technical skills.

What can PsExec do? So first and foremost, PsExec can be used on a local machine, running utilities or programs with the SYSTEM account. Remember, the SYSTEM account is more powerful than the local administrator, and there are times in troubleshooting or examining that local machine that you need more rights than a local administrator; PsExec can give them to you. PsExec can allow me to execute a command-line program on one or many hosts remotely and send the results back to my administrative console. What that means is PsExec can create remote shells: I can come over to Server 1 from my admin station, run cmd, and redirect all the output back to my administration station. So from the administration workstation I can actually run any kind of command-line tool on Server 1 and see the results. I can actually do the same thing with PowerShell: again, execute PowerShell on my remote device and send the results to my PowerShell on my admin station. I can execute PsExec within a batch file or a PowerShell script, and I can silently install applications on remote hosts, one or many, using PsExec. And there's much, much more.

All right, Mr. Vanderpool, you've convinced me. So how do I install PsExec? The simplest way is, now it's available as the Sysinternals Suite in the Microsoft Store. So go to the Microsoft Store, install the app, and you've got all of the Sysinternals Suite and PsExec. You can simply go to Sysinternals and you get to the Microsoft Sysinternals website; go to Downloads and you can actually download the entire suite of tools and put them on, say, a network file share. You can also download them to your admin workstation, say in C:\tools, and extract all the tools in a local directory. You'll want to go ahead and add this new local directory into your environment variables so at the command prompt you can execute any tool you want.

Now, when you download these tools to your local admin station, you've just created a new folder and you've extracted the files and put them in this folder. We have to add this to our system environment variables. So I'm going to go to my workstation, I'm going to go Windows+X, and I'm going to go to System, and I'm going to come down to Advanced system settings. This is our old Control Panel System applet, and I'm going to go to Environment Variables. Up here are the environment variables related to you as you log on, your profile; down below are system environment variables, and that's where we want to go. We're going to go to Path. We want to add this new directory to our path, so we're going to go Edit, and I'm going to say I want to add a new directory. In this case I would put what I've got here, C:\tools. Now that I've added this new directory I can save, and then when I open up a command prompt I can execute those utilities at any command prompt on this workstation.

Now, whether you're on a domain or a workgroup, we also have to make sure that our firewall is opened at File and Printer Sharing, TCP port 445. Let's do that. I'm going to start by clicking on my Windows Start button and I'm going to type in firewall.cpl, and that's going to launch an old Control Panel firewall app that allows us to open or check our firewall. We're going to "Allow an app or feature through Windows Defender Firewall"; click and scroll down to get to File and Printer Sharing. Here I see that it's checked, and I can see that if I'm on my private network, which is my home network, I've got it checked, which allows it to be open. Here, we do not want to leave that port open on a public network, so at Starbucks you don't want this open. On a domain you'll probably have this open already, but if it's not, you may have to do that through group policies. You hit Change settings and you can go in and modify that. So make sure that your firewall is open on port 445. Now, make sure that you open up your firewall both on the local machine and the remote host that you're working with.

With every video that we produce we include video notes and PowerPoints as a free download, so in our video description there are links to those video notes and PowerPoints. We're going to have a lot of additional details and options and information that we just won't have time to cover in this video, so if you want more information, check out our free downloads.

So what exactly is PsExec? First, it's a console utility; that means it's command line. It's a self-extracting executable that does not require any installation on the local PC or the remote PC. PsExec is about remote administration. It's a powerful tool to configure, troubleshoot, install, and uninstall on remote devices. PsExec can be used on a domain or workgroup host. It was written by Mark Russinovich, who's CTO of Azure.

So here's the secret sauce to PsExec: PsExec creates and installs a temporary service on Windows, whether that's locally or remotely. It's from that service that it can do all these powerful things. So here's an example. You see Process Explorer, and you can see PSEXESVC.exe, and you can see it's running tracert on the remote host and redirecting the output of tracert back to my workstation. One of the sweetest parts of PsExec: as it does its magic, it leaves no mess, not locally or on the remote station. When we terminate PsExec, it terminates all processes, threads, and functions on both the remote and local host and leaves a clean station when it's done.

Let's start by using PsExec on the local machine. It's still going to create a service; remember that the service is what gives it the power to do so many things that we want PsExec to do, so even on the local machine it's going to create that service. I've got Process Explorer up, and these pink processes are services. The last one that was created is this svchost.exe, so we will see this new service right below that. It will be green because it will launch a new service, and we'll see the PSEXESVC.exe new service start right there. Now look at my command line: I've got psexec, and notice I have no computer name there. I'm not telling it to go to this computer. Any time you leave out a computer, PsExec assumes you want to run it locally. So psexec -s, which means I want to run it with the SYSTEM account, -i is interactive, and I'll explain that, and then we're going to launch regedit. So let's go ahead, we'll hit Enter, and over here you can see the green newly created PSEXESVC service, and I see regedit right below it; I see a child process, regedit. Now, this launches regedit with SYSTEM rights. This is very dangerous, but there are times that you need to go into the registry with the SYSTEM account. If you go to HKEY_LOCAL_MACHINE you can see I can actually look at the SAM, something that you normally cannot do with even administrative rights.

Now take a look back at my command prompt. You'll see that my prompt is just sitting there; there's no prompt symbol, it's just kind of floating in the black space. That's because PsExec is still running. If I do a Ctrl+C, notice it's terminating the process: you see it turn red, and it will exit out of regedit, and basically it eliminates the service and the command that it started, cleans up my processes, threads, and functions, and puts me back to a prompt. Now look at the error code that was presented. It said "regedit exited with error code 0." Error code 0 is PsExec's way of saying that it successfully did what you asked it to do. When you see error codes when you're using PsExec, nine times out of ten they are the result of the command or program that you're executing, not PsExec. One error code that is the result of PsExec is error code 0, successful.

Now, if I want to run PsExec and some commands against multiple computers on the network, I would start with psexec \\, in this case server1,server2,server3, and it will run across each of those remote hosts. Or I could do this. Let's look at the syntax, and you can see here that rather than put all the computer names with a comma, you can point it to an @filename, a text file with a list of computers in that text file, and it will execute it against each of those computers in that list. Notice my example below: I'm going to use one of the most powerful features of PsExec. I've got psexec \\ and I've got an IP address rather than a computer name; that's fine. -i, -s (SYSTEM account), -u: this gives you the ability to use alternative credentials. You can impersonate someone else, and in this case I'm in a workgroup and I need to impersonate the administrator of this computer that I'm going to access remotely. Now, John is a member of the admin group on this remote computer. That sometimes works; I find it better when I'm in a workgroup to use the built-in administrator account. That's more effective.

Now here are my two computers. This is my admin workstation; John's logged on. Over here is my remote computer, and I've left Process Explorer up so we can watch that service get created, execute the program that we desire, and then redirect the output of that command back to my administrative workstation. All right, so let's take a look. I've got psexec \\192.168.0.135; here I'm using the IP address. Then I've got -s -i -u, and notice I just put them all together in one option. Because I use -u, I have to give a username, in this case the built-in local administrator account on my remote device. It's going to prompt me for the password. What do I want to do over there? I want to launch cmd. So I'm going to come over here and hit Enter. Notice it's prompting me for a password. We're going to see our service created over here on our remote device, and it should launch cmd as a child process. And there it is: it created the service and the cmd as a child process. And so now, if you notice, I got a prompt again. It's running cmd over here, it's redirecting its output back to my console, so now everything that I do here at my workstation is reflective of over there. So I'm going to do an ipconfig, which is the IP address of my remote station. I'm actually working on my admin station on this PC remotely.

So let's think about what we did. We used a utility that was on the remote station. We asked PsExec to go across the network, use its service to run the program that was already there, and it did. It launched cmd and then redirected its output back to our console. So that's what we did: the command and utility was on the remote. Let's terminate this. We'll see the service on the remote turn red, indicating it's terminating. It will clean up everything that it created, and then we'll get an error code zero. I'm going to come over here, do Ctrl+C, and you can see it's cleaning up everything. The PSEXESVC will eventually go away, and our prompt comes back.

Now let's do the same thing with PowerShell. Notice I'm in a PowerShell prompt, and so I did basically the same thing, except this time with the administrator account I'm going to go over and launch PowerShell. Let's hit Enter, password, and here we see the service created; we now see a child process called powershell. Our prompt is back. The PowerShell that we see on our console is being redirected from our remote host. We could run PowerShell right here and it's running on the remote host.

Now let's take a program or utility on my admin station, copy it to the remote computer, and then have PsExec execute it on that remote computer and then send its results back. So I have psexec, my computer, -s, -i, and -u administrator. Notice the -c: that tells PsExec that I need to copy this tool to the remote, and in this case it's on my local hard drive. Here, let me click it open, and you can see under the C drive, under tools, I've got a utility way down here called whoisip, and this whoisip.exe is the utility that I wanted to copy over to my remote and then execute, and I'm going to ask it to find who www.techsavvyproductions.com belongs to. We'll come back over here, hit Enter, password. Starting the service on the remote, it's going to copy that utility or program over to our remote computer and execute it and redirect its output back to our station. And there's the output, or the result, of that request.

So here I want to install the VLC media player on my remote host silently, so there's no user interaction; it just goes in. I had to do a little bit of research, look up how to install VLC silently, and basically you can see in my Notepad all it required was the name of the executable, /S, and that was all I needed to do. So I'm going to use this: psexec, the computer, -s, -i, -u administrator, -c, which means we're going to copy this installer over to my remote computer, and then use the /S argument so that it installs silently. So here in my tools directory I have vlcwin32.exe. Here in my console I've got psexec, the computer, -s -i -u administrator, -c, copy this installer over to the remote host, and then use the /S switch. Let's hit Enter. Now notice the error message. Remember, error messages rarely have anything to do with PsExec. In this case it said the path is not right. I'm looking at my path, and I forgot: tools, not tool. So here I've added the "tools," not "tool," in my directory. Go to End and I'm going to hit Enter, password, and we'll try it again. It's connecting to that computer, and what we should see is VLC: it should create the service, start the installation of VLC, and we should see a shortcut pop up on the desktop. Again, another error message. We know this has probably nothing to do with PsExec, so either I put in the wrong password or something else is not right. To troubleshoot this command line we'll try it again. Now we see the vlc32.exe, and we can see the CPU usage on that is pretty high, and there's our shortcut. You just installed your first application remotely.

There are some very interesting command-line options with PsExec. Look up here where it says process performance options. If I'm going to run a utility or tool or whatever against a server, and it's a production server, and I know that what I'm asking it to do is pretty intensive, I can specify with -a what CPU core I want this to run on remotely. So if I want to limit it to one core and not overwhelm the server, I can specify a core, or two cores. Or above it, I can specify a priority: I can run it in a low priority or below-normal priority. Let's take a look. I've got psexec; I'm going to run cmd on the remote host, and this time I've added some new switches: -a, so I've asked it to run on the remote using CPU core number one, and I've added -low so it runs at a very, very low priority. So as the process goes into the scheduler, it runs at a very low priority. Let's execute it, and let's go over with Process Explorer and see if it really worked. Now, when I executed it, it said "access denied," so I went back and looked at my command line, and I resituated my -a 1 -low prior to the -s, -i, and -u, and that worked fine. Now that executed over here. I can see my cmd is being run under the service. I'm going to right-click and go to Priority, and I can see it's running in Idle priority, very, very low. Let's look at Affinity, and I can see it's running on CPU core number one only. So you can see the tremendous power and control that you can have over this remote execution.

Let's look at two more options with PsExec. I can launch the service on the remote computer and execute a program or tool or whatever. In most cases the service will remain on that remote computer until the command that you've asked it to execute is finished or you do a Ctrl+C, but there are times when I want that service just to terminate: go ahead and execute whatever we ask it to do, then terminate the service. Another one is -r. -r allows us to rename that service that's created on the remote computer to any name that we want. So let's take a look at those two options. So let's look at my command line: psexec, the computer. Now I'm using the -d; I'm telling it to launch cmd and terminate: do what you need to do and then get out of there. And then I'm also using -r, and I'm saying name that service mrv. Let's hit Enter, come over and hit Enter, password. We should see the service launch, mrv, and it should terminate. There it is, real quick, there's mrv.exe. It launched cmd and it should exit out. Notice it said "cmd started on this computer with process ID 3784." There, it's executing. Now, once that service terminates, notice that it pushed the cmd.exe down below explorer.exe. Now the disadvantage to this is that this cmd that's running on this computer, one, cannot be seen by the user over here, and it won't go away until they reboot.

There's one more important concept with PsExec that we have to understand, and that is we have to understand some Windows architecture. You'll notice on this diagram I have three sessions. Session zero: it's got window stations and it's got desktops. I've got session one: it's got window station zero, and it's got three desktops. And session two: window station zero, and it's got four desktops. It's very important to understand this. When we boot up, all our services and our protected processes are launched under session zero. There is no UI that you will ever interact with; anything that runs in session zero is hidden from view. There's no UI to those services and processes. Session one is where the user actually logs on to, and notice they have three desktops. When you log on, that's when you do a Ctrl+Alt+Delete and you get the screen: that's the Winlogon desktop. Also, when you have a screen saver with a password, that becomes the second desktop. And the third desktop is the default, and that's the one you're comfortable with; that's where you see your applications, your Start button, and all of those kinds of things. Then we have session two. This is very interesting: when you remote desktop into a computer, you come in on session two, and notice you have a few desktops. If you remote into a virtual machine, you are session two. So the only person to get session one is the logged-on interactive user, who's logged on with a keyboard, mouse, etc. If you remote desktop, you're session two; if you're remoting into a virtual machine, you're session two.

So why is all that important? Because PsExec allows you to execute a program in any one of these sessions. Let's come back and look at our syntax. You can see the -i, and then we have the session in brackets. PsExec allows you to run a tool, program, or utility on a remote host running in any session I so desire. So for example, with my two virtual machines, I know that running a virtual machine I'm in session two. If I want to run that cmd and have it pop up so that the user on that virtual machine can see my cmd shell, then I'm going to have to run it so it shows up in session two. Now, if I leave it blank, just -i, it's going to always start in session 0. It won't be seen by the user; it's not visible. It works fine; it redirects it back to my... In most cases I don't want the user to see what I'm doing, but if I did want to run a GUI application so that the user could see it, then I would have to know what session they're in and then specify -i, the session, and voilà, they can see it. Now look at my remote machine, and you can see under Explorer I've got a column here called Session. It shows me all my processes running on my remote host, and I can see everything from explorer down is in session two, which makes perfect sense; this is a virtual machine. Now I'm going to come over here to my command line: psexec, the computer, -i, and I'm going to say session 2, and I'm going to run it under SYSTEM and alternative credentials, and I'm going to put administrator and run cmd. If this works correctly, cmd should pop up in his session, visible. Now, when I executed it, it gave me a number of errors, and I had to go back and readjust the sequence of switches and arguments: -s, -i 2, -u, and then it worked. We're now connecting. We should see... and here you can see it popped up on the screen. The user can see it because I specifically said I want you to run the cmd in session two, which is the same session the user is logged on to. Voilà.

Now, I deliberately left errors in the video so you could see the mistakes I made and the process that I went through to correct them; plus it allowed you to see some of the error messages. This is a great utility, and if you learn to use it, you will use it a lot.
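The service footprint the video describes, PSEXESVC.exe by default or whatever name is passed with -r, is what a defender can key on. As an added example (not from the video or from Sysinternals), this Python script parses constructed Windows System log Event ID 7045 "service was installed" records, flags the default PsExec service name, and applies a heuristic for renamed services; the heuristic (an executable dropped straight into the Windows directory, demand start, running as LocalSystem) is an assumption drawn from the mrv.exe observation in the video, and the sample records are constructed, not real telemetry.

```python
"""Flag PsExec-style service installs in Windows System log Event ID 7045 records."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

KNOWN_PSEXEC_NAMES = {"psexesvc"}  # default service name seen in Process Explorer in the video


@dataclass
class ServiceInstall:
    host: str
    service_name: str
    image_path: str
    start_type: str
    account: str


# The 7045 message body carries "Field: value" lines; pull the four we need.
_FIELD = re.compile(
    r"^(Service Name|Service File Name|Service Start Type|Service Account):\s*(.*?)\s*$",
    re.M,
)


def parse_7045(host: str, message: str) -> ServiceInstall:
    f = dict(_FIELD.findall(message))
    return ServiceInstall(host, f["Service Name"], f["Service File Name"],
                          f["Service Start Type"], f["Service Account"])


# Heuristic (assumption, not a documented PsExec guarantee): a -r renamed service
# still lands as <name>.exe directly in the Windows directory, demand start, LocalSystem.
_ROOT_EXE = re.compile(r"^(?:%systemroot%|c:\\windows)\\([^\\]+)\.exe$")


def classify(ev: ServiceInstall) -> Optional[str]:
    name = ev.service_name.lower()
    exe = ev.image_path.lower()
    if name in KNOWN_PSEXEC_NAMES or exe.endswith("\\psexesvc.exe"):
        return "psexec-default"
    m = _ROOT_EXE.match(exe)
    if (m and m.group(1) == name
            and ev.start_type.lower() == "demand start"
            and ev.account.lower() == "localsystem"):
        return "psexec-renamed-suspect"
    return None


def scan(records: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """records: (host, 7045 message text). Returns (host, service name, verdict) for hits."""
    hits = []
    for host, msg in records:
        ev = parse_7045(host, msg)
        verdict = classify(ev)
        if verdict:
            hits.append((host, ev.service_name, verdict))
    return hits


# Constructed sample 7045 messages in the System log's native field layout.
SAMPLE_7045 = [
    ("REMOTE1", "A service was installed in the system.\n\nService Name: PSEXESVC\n"
                "Service File Name: %SystemRoot%\\PSEXESVC.exe\nService Type: user mode service\n"
                "Service Start Type: demand start\nService Account: LocalSystem"),
    ("REMOTE1", "A service was installed in the system.\n\nService Name: mrv\n"
                "Service File Name: %SystemRoot%\\mrv.exe\nService Type: user mode service\n"
                "Service Start Type: demand start\nService Account: LocalSystem"),
    ("REMOTE2", "A service was installed in the system.\n\nService Name: BackupAgent\n"
                "Service File Name: C:\\Program Files\\Backup\\agent.exe\nService Type: user mode service\n"
                "Service Start Type: auto start\nService Account: LocalSystem"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_7045):
        print(hit)
```

Pair the 7045 hit with the matching 7036 service start/stop pair on the same host to confirm the short-lived pattern the video describes.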
Info
Channel: TechsavvyProductions
Views: 97,671
Id: _1EjYCvRx4g
Length: 25min 50sec (1550 seconds)
Published: Wed Apr 27 2022