How to REALLY hurt yourself with PSEXEC - Deleting the Undeletable Registry Key and More
A while back I installed some crazy open source network adapter virtualization software. Don't ask. It was a bad idea and I happily clicked Yes Yes Yes, Oh Yes, I Know, Hurt Me, Warning, Sure, Absolutely, Next, Next, Finish without a thought.
Later, things started acting wonky so I uninstalled it. Unfortunately, their uninstaller didn't so much "uninstall" the program as it "uninstalled the uninstaller then left everything around chilling." This left my system in a really weird state with half-connected phantom network adapters and I was getting some weird hangs. Each time I uninstalled these 7 (!) phantom network adapters, they'd be back on a reboot. Clearly, removing them with the Device Manager UI wasn't working for me.
At this point it was either time for a repave of the machine (basically a complete reinstall since I got it into a bad state) or running around in the registry and deleting these phantom adapters. Since I'm supposed to be technical, and since I was ready to reinstall it wouldn't hurt if I messed up the system, I fired up regedit.exe. I ran it as Administrator so I could have (I thought) the ability to delete anything.
I searched for the brand of the adapter I was wanting to delete, and when I started deleting stuff I was getting smacked with
"Access Denied." What?!? I'm the all powerful Administrator! sudo make me a sandwich!
Administrator isn't all powerful. There are other, deeper accounts like SYSTEM that have access to things Administrator (rightfully) doesn't. Considering that I was trying to remove low-level network stuff, it was good that I was being stopped.
That said, what's the best way to motivate an engineer? Tell him something isn't possible. I hate getting Access Denied. Deny this, I say! So I turned to the SysInternals Tools, specifically PsExec.
If there was one tool that really "takes the safety off the gun," it's PsExec. You can hurt yourself and your system with PsExec in ways where you'll not realize until it's too late. There aren't enough words with big enough fonts and scary enough evocative stock photography to fully express how dangerous this tool is.
That said, here's cheerfully how to use it! Woohoo!
psexec -s -i regedit.exe
This has to be run from an elevated (Administrator) prompt. The line says, "run this command as the SYSTEM account (-s) and let the process interact with the desktop (-i)." Looking at the Task Manager after running this command, regedit.exe shows up running under the SYSTEM account.
At this point, I was able to delete basically anything in the registry. One other way I could possibly delete keys that I couldn't as regular Administrator would be to boot Windows into Safe Mode and try editing from there. Safe Mode helps when a loaded driver is holding the key open; it does not change the key's ACL, so an "Access Denied" that comes from the DACL will persist there too.
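Before reaching for PsExec it helps to know why the key refuses to go. The following is an added example, not code from the original post: it opens a key under HKLM asking for DELETE access only, so it reports whether the current token could delete the key without actually deleting anything, and shows who owns the key and what BUILTIN\Administrators holds on it. Run it once from an elevated prompt and once inside `psexec -s -i powershell.exe` and compare RunningAs and CanDelete. The subkeys at the bottom are placeholders; on a typical installation Administrators hold only Read under Enum, which is where the phantom device entries live.

```powershell
# Added example (not from the original post). Non-destructive check of whether
# the current token may delete a registry key under HKLM, plus owner/ACE info.
function Test-RegistryKeyDelete {
    param([Parameter(Mandatory)][string]$SubKey)   # path relative to HKLM

    $result = [ordered]@{
        Key         = "HKLM\$SubKey"
        RunningAs   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        CanDelete   = $false
        Reason      = ''
        Owner       = ''
        AdminRights = ''
    }

    try {
        # Open the key asking for DELETE only. The DACL is evaluated at open
        # time, so this fails in exactly the cases regedit reports Access Denied.
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
            $SubKey,
            [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
            [System.Security.AccessControl.RegistryRights]::Delete)
        if ($null -eq $key) {
            $result.Reason = 'key not found'
        } else {
            $result.CanDelete = $true
            $key.Close()
        }
    } catch {
        # SecurityException when the DACL says no
        $result.Reason = $_.Exception.GetType().Name
    }

    try {
        # READ_CONTROL is normally granted even where DELETE is not, so the
        # owner and the Administrators ACE are usually readable either way.
        $acl = Get-Acl -Path "HKLM:\$SubKey" -ErrorAction Stop
        $result.Owner = $acl.Owner
        $result.AdminRights = ($acl.Access |
            Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Administrators' } |
            ForEach-Object { "$($_.AccessControlType): $($_.RegistryRights)" }) -join '; '
    } catch {
        $result.Owner = "unreadable ($($_.Exception.GetType().Name))"
    }

    [pscustomobject]$result
}

# Placeholder targets: Enum is where device entries live and is SYSTEM-owned;
# SOFTWARE is shown for contrast. Substitute the key your regedit search hit.
Test-RegistryKeyDelete 'SYSTEM\CurrentControlSet\Enum'
Test-RegistryKeyDelete 'SOFTWARE'
```

When CanDelete is False and Owner is NT AUTHORITY\SYSTEM, you are looking at the same wall the post hit, and the choice is between running the editor as SYSTEM (the post's approach) and taking ownership of the key, which leaves a permanent change to the ACL behind.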
Other awesome things you can do with PsExec include running processes remotely (which is kind of what it's doing when I run it as SYSTEM, just all on one machine), via a service that gets automatically installed on the remote system and then runs the processes.
Here's how they do it (it's not a secret):
PsExec redirects the input and output of a remotely started executable over SMB, using the hidden ADMIN$ share on the remote system. It copies its service executable (PSEXESVC.exe) through that share, then uses the Windows Service Control Manager API to create and start the PSEXESVC service on the remote system, which creates a named pipe that PsExec communicates with. This named pipe is what carries the input/output redirection back to the system that launched PsExec.
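Every step of that mechanism leaves a trace on the remote machine, which is why PsExec is one of the most hunted-for tools in incident response. The following is an added example, not from the post or from Sysinternals: it reads the local System and Security logs for the two artifacts the mechanism produces, a service installed from %SystemRoot% (System log event 7045) and an .exe written through ADMIN$ (Security log event 5145, which only exists when "Audit Detailed File Share" is enabled). It goes a little beyond the exact case above: PsExec's -r switch renames the service, so the 7045 pattern also catches any service whose image was dropped directly into %SystemRoot%. Run it elevated; the MaxEvents default is an arbitrary choice for this example.

```powershell
# Added example (not from the original post). Hunts the local event logs for
# the artifacts of PsExec's service-over-ADMIN$ mechanism.
function Find-PsExecArtifacts {
    param([int]$MaxEvents = 5000)   # arbitrary cap for this example; raise it for busy logs

    # System/7045: "A service was installed in the system." Match the default
    # service name, or any service whose binary sits directly in %SystemRoot%
    # (no subdirectory), which is where PsExec drops its copy.
    $installs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } `
            -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Message -match 'Service Name:\s*PSEXESVC' -or
            $_.Message -match 'Service File Name:\s*%SystemRoot%\\[^\\\s]+\.exe(\s|$)'
        } |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Source = 'System/7045'
                Detail = ($_.Message -split "`n" |
                    Where-Object { $_ -match 'Service (Name|File Name|Account):' }) -join ' | '
            }
        }

    # Security/5145: share object access. PsExec writes its service binary to
    # \\*\ADMIN$ before asking the SCM to start it.
    $shareWrites = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5145 } `
            -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Message -match 'Share Name:\s*\\\\\*\\ADMIN\$' -and
            $_.Message -match 'Relative Target Name:\s*\S+\.exe'
        } |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Source = 'Security/5145'
                Detail = ($_.Message -split "`n" |
                    Where-Object { $_ -match '(Source Address|Account Name|Relative Target Name):' }) -join ' | '
            }
        }

    @($installs) + @($shareWrites) | Sort-Object Time
}

Find-PsExecArtifacts | Format-Table -AutoSize -Wrap
```

The third artifact, the named pipe, is not in the built-in logs; if Sysmon is deployed, its pipe-created events (ID 17) show the `\PSEXESVC` pipe and the per-session stdin/stdout/stderr pipes, and the renamed-service case shows up there as a pipe whose name matches the renamed service.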
For example:
psexec.exe \\REMOTECOMPUTER -i -u DOMAIN\username -p Password -d yourexe.exe
It's useful to remotely execute things, but it's even more useful to "terminal" (not quite like ssh) into systems like this:
psexec \\remotecomputer cmd.exe
Which means you can run commands on that remote computer as if you were there, in an SSH-y way.
C:\>hostname
HANSELMANLAPTOP
C:\>psexec \\REMOTECOMPUTER -u DOMAIN\Administrator cmd.exe
C:\>hostname
REMOTECOMPUTER
Powerful but really useful stuff for when you really don't feel like RDP'ing (Remote Desktop'ing) into a machine to simply run a command.
Be careful out there!
About Scott
Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.
XP:
at hh24:mm /interactive %comspec%
(where hh24:mm is one minute from now expressed in military time)
Vista/7/etc:
sc create NaughtyCommandService binpath= "cmd.exe /k start" type= own type= interact
sc start NaughtyCommandService
sc delete NaughtyCommandService
All joking aside, great article.
Another thing I do: before every install of software I ask myself whether it's a safe install that won't mess up my system if something goes wrong. If not, I take an impromptu image and come back after 20 minutes when the image is done. Network adapter virtualization software seems to fit this criterion.
Of course you know better.
Better be safe than sorry.
DO NOT USE PSEXEC AS AN SSH TOOL.
DO NOT USE PSEXEC AS AN SSH TOOL.
DO NOT USE PSEXEC AS AN SSH TOOL.
The above scenario has several downsides: first, if you're not already attached to a share on that computer's system, using secure authentication, YOUR USERNAME AND PASSWORD WILL BE SENT AS PLAIN TEXT ACROSS THE NETWORK WHEN CONNECTING TO ADMIN$.
REPEAT: DO NOT USE PSEXEC AS AN SSH TOOL.
Unless you want to get fired and put your network at risk. Your choice.
-Gabe
http://blogs.msdn.com/b/microsoft_press/archive/tags/sysinternals/
Gabe - Thanks for your comment and for our follow-up emails. I'll try to do a post on better ways, and PowerShell, soon.
psexec \\computer1 cmd delete *.*
will erase your system32 directory. Which is awesome.