Scott Hanselman

How to REALLY hurt yourself with PSEXEC - Deleting the Undeletable Registry Key and More

August 20, 2011 Comment on this post [19] Posted in Tools
Sponsored By

A while back I installed some crazy open source network adapter virtualization software. Don't ask. It was a bad idea and I happily clicked Yes Yes Yes, Oh Yes, I Know, Hurt Me, Warning, Sure, Absolutely, Next, Next, Finish without a thought.

Later, things started acting wonky so I uninstalled it. Unfortunately, their uninstaller didn't so much "uninstall" the program as it "uninstalled the uninstaller then left everything around chilling." This left my system in a really weird state with half-connected phantom network adapters and I was getting some weird hangs. Each time I uninstalled these 7 (!) phantom network adapters, they'd be back on a reboot. Clearing removing them with the Device Manager UI wasn't working  for me.

At this point it was either time for a repave of the machine (basically a complete reinstall since I got it into a bad state) or running around in the registry and deleting these phantom adapters. Since I'm supposed to be technical, and since I was ready to reinstall it wouldn't hurt if I messed up the system, I fired up regedit.exe. I ran it as Administrator so I could have (I thought) the ability to delete anything.

I searched for the brand of the adapter I was wanting to delete, and when I started deleting stuff I was getting smacked with
"Access Denied." What?!? I'm the all powerful Administrator! sudo make me a sandwich!

Administrator isn't all powerful. There are other, deeper users like SYSTEM that have access to things Administrator (rightfully) doesn't. Considering that I am trying to removing low level network stuff it was good that I was being stopped.

That said, what's the best way to motivate an engineer? Tell him something  isn't possible. I hate getting Access Denied. Deny this, I say! So I turned to the SysInternals Tools, specifically PsExec.

If there was one tool that really "takes the safety off the gun," it's PsExec. You can hurt yourself and your system with PsExec in ways where you'll not realize until it's too late. There aren't enough words with big enough fonts and scary enough evocative stock photography to fully express how dangerous this tool is.

That said, here's cheerfully how to use it! Woohoo!

psexec -s -i regedit.exe

This has to be run as an Administrator. It This line says, "run this command as the SYSTEM account and let the process interact with the desktop." If I look at the Task Manager after running this command, check out regedit.exe:

Oy! Scary! See that RegEdit is running as SYSTEM

At this point, I was able to delete basically anything in the registry. One other way I could possibly delete keys that I couldn't as regular Administrator would be to launch Windows into Safe Mode and try editing from there.

Other awesome things you can do with PsExec include running processes remotely (which is kind what it's doing when I run it as SYSTEM, just all on on machine.) with a Service that gets automatically installed remotely and then runs the processes.

Here's how they do it (it's not a secret):

PsExec allows redirects of the input and output of a remotely started executable through the use of SMB and the hidden $ADMIN share on the remote system. With this share, PsExec uses the Windows Service control Manager API to start the PsExecsvc service on the remote system which creates a named pipe that PsExec communicates with. This named pipe is what allows for input/output redirection back to the system that launched PsExec.

For example:

psexec.exe \\REMOTECOMPUTER –i –u DOMAIN\username –p Password –d yourexe.exe

It's useful to remotely execute things, but it's even more useful to "terminal" (not quite like ssh) into systems like this:

psexec \\remotecomputer cmd.exe

Which means you can run commands on that remote computer as if you were there, in a SSHy way.

C:\>hostname
HANSELMANLAPTOP
C:\>psexec \\REMOTECOMPUTER -u DOMAIN\Administrator cmd.exe
C:\>hostname
REMOTECOMPUTER

Powerful but really useful stuff for when you really don't feel like RDP'ing (Remote Desktop'ing) into a machine to simply run a command.

Be careful out there!

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Hosting By
Hosted in an Azure App Service
August 20, 2011 2:23
Thanks, I could have totally used this the other day.
August 20, 2011 2:38
/me bows before Your l337ness.
August 20, 2011 2:45
Rather than reinstalling the system or messing around in the registry, you could do a system restore... I thought it was useless, until it saved my day after a nasty malware infection.
August 20, 2011 3:16
Good point, Thomas, although for me, literally MONTHS passed with the issue and I didn't want to go that far back in time.
August 20, 2011 3:57
Of course, if you are using a modern version of Windows you really should just use the included WinRS.exe if you want a remote shell, that's what the RS stands for after all. Or, if you are a PowerShell sort, use Enter-PSSession, both are built on top of the same WinRM infrastructure.
August 20, 2011 4:00
Excellent post! PsExec is amazing, used it a lot back in my pen-testing days. So did you excise the demons from your machine?
August 20, 2011 4:25
If for some reason you don't have the ability to download psexec, you can also accomplish this with nothing more than admin rights and a spirit of reckless disregard:

XP:

at hh24:mm /interactive %comspec%


(where hh24:mm is one minute from now expressed in military time)

Vista/7/etc:

sc create NaughtyCommandService binpath= "cmd.exe /k start" type= own type= interact

sc run NaughtyCommandService

sc delete NaughtyCommandService
August 20, 2011 5:12
Currently using psexec to gac stuff on remote machines from a unc seems like a pretty standard use for this tool, very usefull indeed allowing us to have a repository of strongly named assemblies and to remove and replace at will remotely without all that tedious messing about with rdp :)
August 20, 2011 5:44
psexec sounds like it emulates the old 'net admin' command. Of course, when that disappeared, I just used at.exe for remote execution. Tricky to work with, but it did the job.
August 20, 2011 8:31
I'm disappointed. After reading the title, I thought you have REALLY hurt yourself with PSEXEC ;)

All joking aside, great article.
August 20, 2011 8:54
What happened to the good advice of keeping recent backups? I use TrueImage which images my c: drive every day through its scheduler and I keep a rorating last x copies. Worst case is a I lose same days work.

Another thing I do is before every install of a software I ask myself: is this a safe install and it won't mess up my system if something goes wrong. If not, I do an impromptu image and come back after 20 minutes when the image is done. A network adapter virtualization software seems to fit this criteria.
Of course you know better.

Better be safe than sorry.

August 20, 2011 9:37
Hey, I do a fair amount of windows automation, and I just want to say: TAKE IT ALL BACK. I cannot tell you what a horrible idea you are promoting above does. Repeat after me:

DO NOT USE PSEXEC AS AN SSH TOOL.
DO NOT USE PSEXEC AS AN SSH TOOL.
DO NOT USE PSEXEC AS AN SSH TOOL.

The above scenario has several downsides: first, if you're not already attached to a share on that computer's system, using secure authentication, YOUR USERNAME AND PASSWORD WILL BE SENT AS PLAIN TEXT ACROSS THE NETWORK WHEN CONNECTING TO $ADMIN.

REPEAT: DO NOT USE PSEXEC AS AN SSH TOOL.

Unless you want to get fired and put your network at risk. Your choice.

-Gabe
August 20, 2011 22:06
Greetings, everyone. Microsoft Press's big book on the Sysinternals tools, Windows Sysinternals Administrator’s Reference, by Mark Russinovich and Aaron Margosis, is now out. And it covers PSEXEC. :-)

http://blogs.msdn.com/b/microsoft_press/archive/tags/sysinternals/

August 22, 2011 16:26
Have you ever tried using uninstaller products like Revo Uninstaller Pro? I'm sure there must be others but I know Revo has a install monitor feature so it does a better job of uninstalling.
August 22, 2011 18:24
Would Revo Uninstaller have taken care of this?
August 22, 2011 20:52
Justin - I'm not sure, but I'd be surprised if it could. These were low-level network adapters that were simply "left over" from the previous bad installer. I'm not sure how Revo could know that.

Gabe - Thanks for your comment and for our follow up emails. I'll try to do a post on better ways, and PowerShell, soon.
October 11, 2011 23:54
if you use psexec remotely, make sure you always specify working directory

psexec \\computer1 cmd delete *.*

will erase your system32 directory. which is awesome.

October 30, 2012 20:26
Seems like the most straightforward way to deal with this is to Take Ownership of the relevant registry sub-tree, grant Admin permissions, and then delete the subtree.
December 12, 2012 7:09
Thank you for sharing! -s saved my day with some stubborn remote reinstalls
ldq

Comments are closed.

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.