PsExec does NOT work correctly on Win7 64-bit OS

  • Question

  • Hi,

    I just updated my computers from XP to Win7 (yes, just now...) and PsExec didn't work as expected (as on XP).

    The regular command - "PSEXEC -i \\MARKLAP CMD" - starts a command prompt on the target, but with a black, empty window (no I/O).

    I tried another command - "PSEXEC -i \\MARKLAP NOTEPAD" - the same: the process is created on the target/remote computer but without a GUI (just a black window) and no I/O.

    But if I run PSEXEC -i \\MARKLAP EXPLORER, all is good - the Explorer GUI pops up correctly.

    So, if the target (remote) application uses std I/O, it doesn't work on Win7.

    I tried to use PsExec64 (on host) - the same...

    Any help? Why doesn't it work like on XP?




    Thursday, July 25, 2019 1:54 PM


All replies

  • Generally, it works the same as on XP, but you have to take into account that starting from Windows Vista there is UAC (User Account Control) in the OS, which causes session separation and other amenities...

    So, first things first, I would go into the Control Panel in Windows 7 and disable UAC, just to understand whether it is related to UAC at all or not.

    Then, what version of PsExec are you running? Did you download the latest suite from https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite or what?

    The command you are running, "psexec \\marklap cmd":

    What OS is the PC where you are running this command, and what OS is Marklap? Are both Windows 7, or is one of them still XP?

    Thanks
    -mario

    Thursday, July 25, 2019 2:04 PM
  • Both computers run Win7; previously the target/remote was XP and all was OK...

    The PsExec is the latest.

    Please pay attention: I am using option "-i" to run the program on the target's desktop.


    Thursday, July 25, 2019 2:18 PM
  • Did you try turning off UAC on both machines? Just for this test, obviously... UAC is really important and should never be turned off.

    Also, are these computers part of a Windows domain? If yes, does the user on the first PC have administrative rights on the remote one?

    If you run psexec \\marklap -s cmd.exe, does it work?

    HTH
    -mario

    Thursday, July 25, 2019 2:26 PM
  • Yes, they are on the same domain. Yes, running with admin rights.

    I will check the issue with turning UAC off and check the results of the command with the "-s" option.

    thanks

    Thursday, July 25, 2019 2:30 PM
  • Hello Mario,

    I checked - both computers were with UAC disabled.

    But

    I ran psexec with the additional option "-s" as you proposed, and this fixed the problem - all remote applications run correctly (with I/O redirection and without...).

    Thanks for asking me to test this option!

    Can you please explain this? Why for Win7 (as remote) do we need to add the "-s" option (and for XP as remote not)?



    Friday, July 26, 2019 5:25 AM
  • Well, the -s option, as you can see from the help menu, runs the process using the Local System account, which is an administrator on the remote machine and can interact with every session. In this case, because you have not used the -i parameter to indicate a specific session, it runs in session 0, as now on Windows 7 there is "session isolation". Session 0 is used for Windows services.

    Because you are running on the originating machine as a local admin, but with the low-permission token, this token is used to impersonate you during the logon phase to the remote machine, but when you try to start cmd you no longer have the administrative token, because you didn't send your username and password and PsExec cannot reuse them to obtain an admin token to start cmd.exe.

    You can use other parameters to obtain this result if you need to run in the context of your user, for example specifying username and password via the -u and -p parameters, and then you can use the -h parameter to run your cmd elevated.

    So, if you are OK running the cmd in the context of the Local System account, you can simply go this way using the -s parameter. A way to verify under which context you are running is to issue the whoami command when the console session is open.

    If you need to operate as your admin account, you will need to pass these parameters:

    psexec \\marklap -u <domain\username> -p <Password> -h cmd.exe

    This all has to do with the "session isolation" and with the "split token" introduced in Windows Vista and improved in Windows 7.

    HTH
    -mario


    • Edited by mariora_ Friday, July 26, 2019 7:28 AM
    Friday, July 26, 2019 7:26 AM
  • Hi Mario,

    Yes, I use the "-i" option...

    My original script (for XP remote targets) was - "PSEXEC -i \\MARKLAP CMD"

    and now I should use "PSEXEC -s -i \\MARKLAP CMD" (for Win7 remote targets).

    I tested this command (with the "-s -i" options) both on XP remote targets and on Win7 remote targets - it works correctly for both of them.

    I still think that the problem is in some I/O redirection, because when I run with just the -i option (for a Win7 remote target) it starts the task on the remote (so no problem with the admin account). But if this task is "cmd" or "notepad" (with I/O redirection) the window is empty and black, whereas if the task is "explorer" - all good, it runs correctly.

    Thanks for support

    Regards,

    Andrey

    Sunday, July 28, 2019 5:23 AM
  • Hi Andrey,

    The problem is the new Windows 7 mechanism to provide session isolation... Only an Administrator can easily open a program on the interactive desktop of another user, and you can easily understand that if you observe closely the command prompt opened on the remote desktop: the label starts with "Administrator..."

    So, if you use the -s parameter, the command prompt is started as Local System.

    If you use the other syntax I proposed, adding the -i if you want to be interactive:
    psexec \\marklap  -i -u <domain\username> -p <Password> -h cmd.exe

    The -h parameter will cause the PSEXESVC on the remote machine to perform a local logon, as you provided the credentials, and it will grab the elevated token, or administrative token, and will use that to start the cmd. In fact, as you can see in the top left corner, the cmd has been started by an administrator in this case, and if you ask who the user running the cmd is, using whoami, you will see that cmd is running under the context of the user you provided the credentials for, at a high level.

    So, it's up to you to choose between running as Local System remotely or as a specific user. If you are fine running as Local System, -s -i will do.

    Explorer.exe is a special case. It cannot be run "as administrator", so you can't use -s or -h to interact with it.
    https://social.technet.microsoft.com/Forums/windows/en-US/1798a1a7-bd2e-4e42-8e98-0bc715e7f641/unable-to-open-an-elevated-windows-explorer-window?forum=w7itprosecurity

    HTH
    -
    mario

    Sunday, July 28, 2019 9:18 AM
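The two working invocations Mario gives in his July 26 and July 28 replies, together with the whoami check he recommends for confirming which token the remote cmd actually received, as an added PowerShell example that is not part of the thread. It assumes psexec.exe is on the PATH of the originating machine, that the caller is an administrator on the target (the thread's "marklap"), and that `whoami /groups /fo csv` is run inside the remote cmd; the function names, the `DOMAIN\user` placeholder and the sample whoami output are constructed here, not taken from the posts. The builder deliberately leaves out -p: PsExec prompts for the password when -u is given without it, so the password does not sit in the local process command line where anyone who can list processes could read it.

```powershell
# Added example, not from the thread. Assumptions: psexec.exe is on PATH, the
# caller is an admin on the target, and the remote cmd is used to run
# `whoami /groups /fo csv`. Function names and sample data are constructed.

function Get-PsExecArgs {
    # Build the argument list for the two working forms from the thread:
    #   System       -> psexec \\target [-i] -s cmd.exe
    #   UserElevated -> psexec \\target [-i] -u DOMAIN\user -h cmd.exe
    param(
        [Parameter(Mandatory)] [string] $Target,
        [ValidateSet('System', 'UserElevated')] [string] $Mode = 'System',
        [string] $User,                  # DOMAIN\user, only for UserElevated
        [switch] $Interactive,           # -i: run on the target's desktop
        [string] $Command = 'cmd.exe'
    )
    $argList = @("\\$Target")
    if ($Interactive) { $argList += '-i' }
    switch ($Mode) {
        'System' { $argList += '-s' }
        'UserElevated' {
            if (-not $User) { throw 'UserElevated mode requires -User DOMAIN\user' }
            # No -p on purpose: PsExec prompts for the password instead, so it
            # is not visible to anyone who can read this process's command line.
            $argList += @('-u', $User, '-h')
        }
    }
    $argList += $Command
    return $argList
}

function Invoke-PsExec {
    # Run psexec with a prepared argument list; the remote cmd's stdin/stdout
    # are streamed back to this console.
    param([Parameter(Mandatory)] [string[]] $ArgList)
    & psexec.exe @ArgList
}

function Get-IntegrityLevel {
    # Interpret `whoami /groups /fo csv` output captured from the remote cmd.
    # The integrity label SID tells you which token the process received:
    # Medium is the filtered (non-admin) token, High the elevated one,
    # System is what -s gives you.
    param([Parameter(Mandatory)] [string[]] $WhoamiCsv)
    $levels = @{
        'S-1-16-4096'  = 'Low'
        'S-1-16-8192'  = 'Medium'
        'S-1-16-12288' = 'High'
        'S-1-16-16384' = 'System'
    }
    foreach ($row in ($WhoamiCsv | ConvertFrom-Csv)) {
        if ($row.Type -eq 'Label' -and $levels.ContainsKey($row.SID)) {
            return $levels[$row.SID]
        }
    }
    return 'Unknown'
}

# Constructed sample: what a cmd holding the filtered admin token reports.
# Note that BUILTIN\Administrators is present but "used for deny only".
$sampleFiltered = @(
    '"Group Name","Type","SID","Attributes"',
    '"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"',
    '"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"',
    '"Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192","Mandatory group, Enabled by default, Enabled group"'
)
Get-IntegrityLevel -WhoamiCsv $sampleFiltered

# Usage against the thread's target (not executed here):
#   Invoke-PsExec (Get-PsExecArgs -Target marklap -Mode System -Interactive)
#   Invoke-PsExec (Get-PsExecArgs -Target marklap -Mode UserElevated -User 'DOMAIN\user' -Interactive)
# then, inside the remote cmd:  whoami /groups /fo csv
```

Paste the remote cmd's CSV output into Get-IntegrityLevel: "System" confirms the -s path, "High" confirms -h produced the elevated token for the supplied account, and "Medium" with Administrators marked "used for deny only" is the filtered token that Mario describes as the reason the plain -i run does not behave as it did on XP.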
  • Hi Mario,

    Thank you!

    Tuesday, July 30, 2019 8:46 AM