PSTools is a powerful suite of command line tools that can be leveraged by IT System Administrators. Today we are going to take a basic look at a few of these tools.
Welcome to my channel, I’m Alex Hubbard, I’m a Senior System Administrator and Cybersecurity Engineer. I have over 15 years of experience in the IT field. If you’re new to the channel, please subscribe below. If you’ve been here before, welcome back. Be sure to check out my brand new Instagram @ach_sysadmin
We will start configuration from our Admin Workstation. In my lab, it’s our LAB-UTL01 system.
Download PSTools from here
Admin Workstation Configuration
Create a folder called “Updates” in the root of C:\ – so C:\Updates. You can call it whatever you’d like, the name of the folder really doesn’t matter.
Extract the .zip file you downloaded above to: C:\Updates\PSTools.
You’ll see all the apps that come with PSTools.
Running PSTools For The First Time
Open up PowerShell as an admin and CD to the PSTools folder we created above (C:\Updates\PSTools).
Note: the first time you run each of the PSTools apps you will be prompted to accept the EULA. Accept it and the tool will continue.
To start, try running .\Psinfo64.exe \\lab-win10a – I would expect this to fail the first time I run it, as the Remote Registry Service is set to disabled by default in Windows. We will need to enable it.
We can fix this by running the command:
.\psexec64.exe \\lab-win10a sc config remoteregistry start= auto
(Note the space after start= – sc.exe requires it and rejects start=auto.)
This will set the Remote Registry Service to “Auto” – when the service is called, in this case by PSTools, it will start. The output should state that the change was successful.
Now we can run .\PsInfo64.exe \\lab-win10a – this will show you the info of the target system, which in this demo is my LAB-WIN10a VM.
PsInfo will show you basic information like uptime, memory, and CPU speed/type.
Try running .\Psloggedon64.exe \\lab-win10a – PsLoggedOn is helpful when you are trying to determine if anyone is logged into a remote system. Let’s say you need to reboot it but don’t want to interrupt the user. You can determine if anyone is logged in and who. It also gives you a clue as to when they logged in. If you have a user who has told you that they’ve rebooted, but you suspect they have not in fact rebooted, PsLoggedOn can give you a clue.
.\Pslist64.exe \\lab-win10a – this command will show you what processes are running on a remote system. This is useful to aid in diagnosing a problem with a remote system.
Let’s pretend you have what you believe is a malicious process running on a remote system and you need to kill that process immediately.
After running the above PsList command against our LAB-WIN10a host, we can now see that Chrome has multiple processes running.
We issue the command .\pskill64.exe \\lab-win10a chrome and receive confirmation that 8 processes have been terminated on the LAB-WIN10a host.
PsExec is another awesome tool in the PSTools suite. Let’s pretend you have a full Dell shop. Mind you, this may work with other manufacturers. On my desk, I have my Dell Precision lab laptop. I want to know what the service tag is, but I do not want to unhook it, turn it over and find out.
Issue the command:
.\PsExec64.exe \\ach-precision wmic bios get serialnumber
Below you can see it has returned the service tag of my remote system.
You can also leverage PsExec to run an interactive session on a remote system. Say for some reason you want to open a command prompt on the remote machine.
Issue the command:
.\PsExec64.exe \\ach-precision cmd
We now have a command prompt running on that system that works just like you were sitting in front of the system itself. You can confirm that by running the ipconfig or hostname commands.
Type exit and you’re back to PowerShell on your system.
Disable Remote Registry When Complete
First, stop the service:
.\PsService64.exe \\ach-precision stop RemoteRegistry
Then, set it back to disabled:
.\PsExec64.exe \\ach-precision sc config remoteregistry start= disabled
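The enable, check and disable steps above are easy to forget to finish by hand, so here they are as one script that enables Remote Registry only for the duration of the checks and always puts it back to Disabled. This is an added example, not code from the original post; it assumes PSTools was extracted to C:\Updates\PSTools as described above and uses the tools' documented -accepteula switch to skip the first-run EULA prompt.

```powershell
# Added example: run read-only PSTools checks against one or more hosts,
# enabling Remote Registry only while the checks run (hypothetical script,
# not part of the original post).
param(
    [Parameter(Mandatory)] [string[]] $ComputerName,
    [string] $PsToolsPath = 'C:\Updates\PSTools'   # assumed extraction path
)

$psExec    = Join-Path $PsToolsPath 'PsExec64.exe'
$psService = Join-Path $PsToolsPath 'PsService64.exe'
$psInfo    = Join-Path $PsToolsPath 'PsInfo64.exe'
$psLogged  = Join-Path $PsToolsPath 'PsLoggedon64.exe'

foreach ($target in $ComputerName) {
    Write-Host "=== $target ==="
    try {
        # sc.exe needs the space after 'start='; 'start=auto' is rejected.
        & $psExec -accepteula "\\$target" sc config remoteregistry start= auto | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "sc config failed with exit code $LASTEXITCODE" }

        # Start the service explicitly rather than relying on trigger start.
        & $psService -accepteula "\\$target" start RemoteRegistry | Out-Null

        # Read-only checks from the post: system info and logged-on users.
        & $psInfo   -accepteula "\\$target"
        & $psLogged -accepteula "\\$target"
    }
    catch {
        Write-Warning "$target : $($_.Exception.Message)"
    }
    finally {
        # Always close the door again, even if a check above failed.
        & $psService -accepteula "\\$target" stop RemoteRegistry | Out-Null
        & $psExec -accepteula "\\$target" sc config remoteregistry start= disabled | Out-Null
    }
}
```

Run it from an elevated PowerShell session as .\Check-Host.ps1 -ComputerName lab-win10a, ach-precision; the finally block runs whether or not the checks succeed, so the service is not left enabled on a host where PsInfo errored out.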
I hope this overview of the Sysinternals PSTools suite was helpful and educational. You can do a lot with PSTools. This is my go-to when trying to diagnose or troubleshoot a remote system in whatever environment I am working in. There are GPOs and other ways to configure your entire fleet to be responsive to PSTools, and I plan to do another video on that configuration.