How to REALLY hurt yourself with PSEXEC - Deleting the Undeletable Registry Key and More

August 19, '11 Comments [19] Posted in Tools

Sponsored By

A while back I installed some crazy open source network adapter virtualization software. Don't ask. It was a bad idea and I happily clicked Yes Yes Yes, Oh Yes, I Know, Hurt Me, Warning, Sure, Absolutely, Next, Next, Finish without a thought.

Later, things started acting wonky so I uninstalled it. Unfortunately, their uninstaller didn't so much "uninstall" the program as it "uninstalled the uninstaller then left everything around chilling." This left my system in a really weird state with half-connected phantom network adapters and I was getting some weird hangs. Each time I uninstalled these 7 (!) phantom network adapters, they'd be back on a reboot. Clearing removing them with the Device Manager UI wasn't working for me.

At this point it was either time for a repave of the machine (basically a complete reinstall since I got it into a bad state) or running around in the registry and deleting these phantom adapters. Since I'm supposed to be technical, and since I was ready to reinstall it wouldn't hurt if I messed up the system, I fired up regedit.exe. I ran it as Administrator so I could have (I thought) the ability to delete anything.

I searched for the brand of the adapter I was wanting to delete, and when I started deleting stuff I was getting smacked with
"Access Denied." What?!? I'm the all powerful Administrator! sudo make me a sandwich!

Administrator isn't all powerful. There are other, deeper users like SYSTEM that have access to things Administrator (rightfully) doesn't. Considering that I am trying to removing low level network stuff it was good that I was being stopped.

That said, what's the best way to motivate an engineer? Tell him something isn't possible. I hate getting Access Denied. Deny this, I say! So I turned to the SysInternals Tools, specifically PsExec.

If there was one tool that really "takes the safety off the gun," it's PsExec. You can hurt yourself and your system with PsExec in ways where you'll not realize until it's too late. There aren't enough words with big enough fonts and scary enough evocative stock photography to fully express how dangerous this tool is.

That said, here's cheerfully how to use it! Woohoo!

psexec -s -i regedit.exe

This has to be run as an Administrator. It This line says, "run this command as the SYSTEM account and let the process interact with the desktop." If I look at the Task Manager after running this command, check out regedit.exe:

Oy! Scary! See that RegEdit is running as SYSTEM

At this point, I was able to delete basically anything in the registry. One other way I could possibly delete keys that I couldn't as regular Administrator would be to launch Windows into Safe Mode and try editing from there.

Other awesome things you can do with PsExec include running processes remotely (which is kind what it's doing when I run it as SYSTEM, just all on on machine.) with a Service that gets automatically installed remotely and then runs the processes.

Here's how they do it (it's not a secret):

PsExec allows redirects of the input and output of a remotely started executable through the use of SMB and the hidden $ADMIN share on the remote system. With this share, PsExec uses the Windows Service control Manager API to start the PsExecsvc service on the remote system which creates a named pipe that PsExec communicates with. This named pipe is what allows for input/output redirection back to the system that launched PsExec.

For example:

psexec.exe \\REMOTECOMPUTER –i –u DOMAIN\username –p Password –d yourexe.exe

It's useful to remotely execute things, but it's even more useful to "terminal" (not quite like ssh) into systems like this:

psexec \\remotecomputer cmd.exe

Which means you can run commands on that remote computer as if you were there, in a SSHy way.

C:\>hostname
HANSELMANLAPTOP
C:\>psexec \\REMOTECOMPUTER -u DOMAIN\Administrator cmd.exe
C:\>hostname
REMOTECOMPUTER

Powerful but really useful stuff for when you really don't feel like RDP'ing (Remote Desktop'ing) into a machine to simply run a command.

Be careful out there!

« Hire and Pay a Designer and Be Happy | Blog Home | Summer 2011 Stats - Tailoring your Blog ... »

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

About Newsletter

Sponsored By

Hosting By

Comments [19]

Share on: Twitter, Facebook, Google+ or use the Permalink

Friday, August 19, 2011 10:23:09 PM UTC

Thanks, I could have totally used this the other day.

Chuk Goodin

Friday, August 19, 2011 10:38:26 PM UTC

/me bows before Your l337ness.

tehp.blogspot.com

Friday, August 19, 2011 10:45:07 PM UTC

Rather than reinstalling the system or messing around in the registry, you could do a system restore... I thought it was useless, until it saved my day after a nasty malware infection.

Thomas Levesque

Friday, August 19, 2011 11:16:24 PM UTC

Good point, Thomas, although for me, literally MONTHS passed with the issue and I didn't want to go that far back in time.

Scott Hanselman

Friday, August 19, 2011 11:57:26 PM UTC

Of course, if you are using a modern version of Windows you really should just use the included WinRS.exe if you want a remote shell, that's what the RS stands for after all. Or, if you are a PowerShell sort, use Enter-PSSession, both are built on top of the same WinRM infrastructure.

Blake

Saturday, August 20, 2011 12:00:42 AM UTC

Excellent post! PsExec is amazing, used it a lot back in my pen-testing days. So did you excise the demons from your machine?

Brett Zink

Saturday, August 20, 2011 12:25:06 AM UTC

If for some reason you don't have the ability to download psexec, you can also accomplish this with nothing more than admin rights and a spirit of reckless disregard:

XP:

at hh24:mm /interactive %comspec%

(where hh24:mm is one minute from now expressed in military time)

Vista/7/etc:

sc create NaughtyCommandService binpath= "cmd.exe /k start" type= own type= interact

sc run NaughtyCommandService

sc delete NaughtyCommandService

BrianHartung

Saturday, August 20, 2011 1:12:58 AM UTC

Currently using psexec to gac stuff on remote machines from a unc seems like a pretty standard use for this tool, very usefull indeed allowing us to have a repository of strongly named assemblies and to remove and replace at will remotely without all that tedious messing about with rdp :)

Krystan Honour

Saturday, August 20, 2011 1:44:29 AM UTC

psexec sounds like it emulates the old 'net admin' command. Of course, when that disappeared, I just used at.exe for remote execution. Tricky to work with, but it did the job.

Matt Hickman

Saturday, August 20, 2011 4:31:52 AM UTC

I'm disappointed. After reading the title, I thought you have REALLY hurt yourself with PSEXEC ;)

All joking aside, great article.

Daniel Liuzzi

Saturday, August 20, 2011 4:54:20 AM UTC

What happened to the good advice of keeping recent backups? I use TrueImage which images my c: drive every day through its scheduler and I keep a rorating last x copies. Worst case is a I lose same days work.

Another thing I do is before every install of a software I ask myself: is this a safe install and it won't mess up my system if something goes wrong. If not, I do an impromptu image and come back after 20 minutes when the image is done. A network adapter virtualization software seems to fit this criteria.
Of course you know better.

Better be safe than sorry.

Abdu

Saturday, August 20, 2011 5:37:32 AM UTC

Hey, I do a fair amount of windows automation, and I just want to say: TAKE IT ALL BACK. I cannot tell you what a horrible idea you are promoting above does. Repeat after me:

DO NOT USE PSEXEC AS AN SSH TOOL.
DO NOT USE PSEXEC AS AN SSH TOOL.
DO NOT USE PSEXEC AS AN SSH TOOL.

The above scenario has several downsides: first, if you're not already attached to a share on that computer's system, using secure authentication, YOUR USERNAME AND PASSWORD WILL BE SENT AS PLAIN TEXT ACROSS THE NETWORK WHEN CONNECTING TO $ADMIN.

REPEAT: DO NOT USE PSEXEC AS AN SSH TOOL.

Unless you want to get fired and put your network at risk. Your choice.

-Gabe

Gabe McArthur

Saturday, August 20, 2011 6:06:41 PM UTC

Greetings, everyone. Microsoft Press's big book on the Sysinternals tools, Windows Sysinternals Administrator’s Reference, by Mark Russinovich and Aaron Margosis, is now out. And it covers PSEXEC. :-)

http://blogs.msdn.com/b/microsoft_press/archive/tags/sysinternals/

Devon Musgrave

Monday, August 22, 2011 12:26:27 PM UTC

Have you ever tried using uninstaller products like Revo Uninstaller Pro? I'm sure there must be others but I know Revo has a install monitor feature so it does a better job of uninstalling.

Darrell Austin

Monday, August 22, 2011 2:24:20 PM UTC

Would Revo Uninstaller have taken care of this?

Justin Myers

Monday, August 22, 2011 4:52:14 PM UTC

Justin - I'm not sure, but I'd be surprised if it could. These were low-level network adapters that were simply "left over" from the previous bad installer. I'm not sure how Revo could know that.

Gabe - Thanks for your comment and for our follow up emails. I'll try to do a post on better ways, and PowerShell, soon.

Scott Hanselman

Tuesday, October 11, 2011 7:54:48 PM UTC

if you use psexec remotely, make sure you always specify working directory

psexec \\computer1 cmd delete *.*

will erase your system32 directory. which is awesome.

Aaron

Tuesday, October 30, 2012 4:26:35 PM UTC

Seems like the most straightforward way to deal with this is to Take Ownership of the relevant registry sub-tree, grant Admin permissions, and then delete the subtree.

Zuyq

Wednesday, December 12, 2012 3:09:05 AM UTC

Thank you for sharing! -s saved my day with some stubborn remote reinstalls

ldq

Comments are closed.