PSTools Basic Commands and Overview


Overview 

PSTools (the Sysinternals PsTools suite) is a set of command-line tools for administering remote Windows systems. The tools run under the credentials of the account that launches them and need local administrator rights on every target, and most of them talk to the target over SMB (TCP 445) and the ADMIN$ share, so they are best run from a dedicated admin workstation. Today we are going to take a basic look at a few of these tools.

Welcome to my channel, I’m Alex Hubbard, I’m a Senior System Administrator and Cybersecurity Engineer. I have over 15 years of experience in the IT field. If you’re new to the channel, please subscribe below. If you’ve been here before, welcome back.  Be sure to check out my brand new Instagram @ach_sysadmin 

We will start configuration from our Admin Workstation. In my lab, it’s our LAB-UTL01 system.  

Download PSTools from here 

https://docs.microsoft.com/en-us/sysinternals/downloads/pstools

Admin Workstation Configuration 

Create a folder called “Updates” in the root of C:\ – so C:\Updates. You can call it whatever you’d like, the name of the folder really doesn’t matter. 

Extract the .zip file you downloaded above to: C:\Updates\PSTools.

You’ll see all the apps that come with PSTools. The executables are Authenticode-signed by Microsoft; if you want to confirm that the copy you extracted is intact, run Get-AuthenticodeSignature against the .exe files before using them.

Running PSTools For The First Time 

Open up PowerShell as an admin. CD to the PSTools folder we created above (C:\Updates\PSTools) 

Note, the first time you run each of the PSTools apps you will receive an EULA prompt. Accept and it will continue. If you are scripting these tools, pass -accepteula on the command line so the prompt never appears.


To start, try running .\Psinfo64.exe \\lab-win10a – I would expect this to fail the first time I run it, because PsInfo reads the target through the Remote Registry service, and that service is disabled by default on Windows 10 clients. We will need to enable it.


We can fix this by running the command:

.\psexec64.exe \\lab-win10a sc config remoteregistry start= auto

Note the space after start= – sc.exe expects every option as option= value, and older versions reject start=auto without the space. This sets the Remote Registry service to “Automatic”, so it starts at boot and, because the service keeps its trigger-start configuration, it also starts when a remote client such as PsInfo first connects. sc should report that the change was successful. If the service still isn’t running when you try PsInfo, start it explicitly with .\PsService64.exe \\lab-win10a start RemoteRegistry.


PsInfo64 

Now we can run .\PsInfo64.exe \\lab-win10a – this will show you the info of the target system, which, in this demo is my LAB-WIN10a VM.  

PsInfo will show you basic information like uptime, memory, and cpu speed/type. 


PsLoggedOn 

Try running .\Psloggedon64.exe \\lab-win10a – PsLoggedOn is helpful when you are trying to determine whether anyone is logged into a remote system. Let’s say you need to reboot it but don’t want to interrupt the user. You can determine whether anyone is logged in and who, and the logon time it reports gives you a clue as to when they logged in. If a user has told you that they’ve rebooted but you suspect they have not, PsLoggedOn can give you a clue. It lists both interactive logons and users connected through resource shares, so don’t assume every entry is someone sitting at the console.


PsList 

.\Pslist64.exe \\lab-win10a – this command will show you what processes are running on a remote system, with their PIDs, thread and handle counts, memory use and CPU time. This is useful to aid in diagnosing a problem with a remote system.

PsKill 

Let’s pretend you have what you believe is a malicious process running on a remote system and you need to kill that process immediately.

After running the above PsList command against our LAB-WIN10a host, we can see that Chrome has multiple processes running.

We issue the command .\pskill64.exe \\lab-win10a chrome and receive confirmation that 8 processes have been terminated on the LAB-WIN10a host.

Keep in mind that giving PsKill an image name terminates every process with that name. If you genuinely suspect malware, take the PID from PsList and kill that one process instead, and consider collecting what you need for investigation (the image path, a memory capture) before you terminate it, because killing it destroys that evidence.

PsExec 

PsExec is another awesome tool in the PSTools suite. Under the hood it copies a service executable (PSEXESVC) to the target’s ADMIN$ share, installs it as a temporary service to run your command, and removes it when you’re done, which is why it needs admin rights on the target and why the service install shows up in the target’s System event log. Let’s pretend you have a full Dell shop. Mind you, this may work with other manufacturers. On my desk, I have my Dell Precision lab laptop. I want to know what the service tag is, but I do not want to unhook it, turn it over and find out.

Issue the command:

.\PsExec64.exe \\ach-precision wmic bios get serialnumber

Below you can see it has returned the service tag of my remote system. (WMIC is deprecated and is no longer installed by default on current Windows releases; on those hosts run powershell -c "Get-CimInstance Win32_BIOS | Select-Object SerialNumber" through PsExec instead.)


You can also leverage PsExec to get an interactive shell on a remote system. Say for some reason you want a command prompt that runs on that machine.

Issue the command:

.\PsExec64.exe \\ach-precision cmd

We now have a command prompt running on that system that works just like you were sitting in front of it. You can confirm that by running ipconfig or hostname.


Type exit and you’re back to PowerShell on your system; that also ends the PSEXESVC service on the remote host.

Disable Remote Registry When Complete

Remote Registry is disabled by default on clients for a reason: it gives anyone with admin rights on the box a remote path to the registry, so only leave it on for as long as you need it. Do this on every host where you enabled it (in this demo that includes lab-win10a).

First, stop the service:

.\PsService64.exe \\ach-precision stop RemoteRegistry

Then, set it back to disabled:

.\PsExec64.exe \\ach-precision sc config remoteregistry start= disabled
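The whole enable, inspect and clean-up procedure above can be scripted so Remote Registry is only ever on for the duration of the work. The following PowerShell is an added example, not code from the original post. It assumes the C:\Updates\PSTools layout used above, that the hostname (lab-win10a) is a placeholder for your own target, and that you run it from an elevated prompt with an account that is a local administrator on that target. It is slightly tighter than the steps in the post: it records the service’s existing start type, sets it to manual (demand) rather than automatic, starts it explicitly with PsService, and restores the original start type afterwards instead of hard-coding disabled.

```powershell
# Added example: enable Remote Registry on a host only while PsInfo/PsLoggedOn run,
# then put it back the way it was. Hostname and folder are assumptions.
$PsTools = 'C:\Updates\PSTools'

function Invoke-PsExecCommand {
    # Runs a command on $Computer via PsExec and returns its stdout as one string.
    # PsExec's exit code is the remote process's exit code, so non-zero means failure.
    param(
        [Parameter(Mandatory)] [string]   $Computer,
        [Parameter(Mandatory)] [string[]] $CommandLine
    )
    $output = & "$PsTools\PsExec64.exe" -accepteula -nobanner "\\$Computer" @CommandLine
    if ($LASTEXITCODE -ne 0) {
        throw "PsExec on $Computer failed with exit code $LASTEXITCODE"
    }
    return ($output | Out-String)
}

function Get-RemoteServiceStartType {
    # Parses the START_TYPE field of 'sc qc' on the remote host.
    # sc's numeric codes: 2 = auto, 3 = demand (manual), 4 = disabled.
    param([string] $Computer, [string] $Service)
    $text = Invoke-PsExecCommand -Computer $Computer -CommandLine @('sc.exe', 'qc', $Service)
    if ($text -match 'START_TYPE\s*:\s*(\d+)') {
        switch ([int] $Matches[1]) {
            2       { 'auto' }
            3       { 'demand' }
            4       { 'disabled' }
            default { throw "Unexpected start type $($Matches[1]) for $Service on $Computer" }
        }
    } else {
        throw "Could not parse 'sc qc $Service' output from $Computer"
    }
}

function Invoke-WithRemoteRegistry {
    # Runs $Action with Remote Registry available on $Computer. If the service was
    # disabled, it is set to manual and started; the finally block always restores
    # the original start type and stops the service again, even if $Action throws.
    param(
        [Parameter(Mandatory)] [string]      $Computer,
        [Parameter(Mandatory)] [scriptblock] $Action
    )
    $previous = Get-RemoteServiceStartType -Computer $Computer -Service 'RemoteRegistry'
    Write-Host "RemoteRegistry on $Computer currently has start type '$previous'"
    $changed = ($previous -eq 'disabled')
    try {
        if ($changed) {
            # Note the separate 'start=' and 'demand' arguments: sc.exe wants "start= demand".
            Invoke-PsExecCommand -Computer $Computer `
                -CommandLine @('sc.exe', 'config', 'RemoteRegistry', 'start=', 'demand') | Out-Null
        }
        # PsService reports an error if the service is already running; that is harmless here.
        & "$PsTools\PsService64.exe" -accepteula "\\$Computer" start RemoteRegistry | Out-Null
        & $Action
    } finally {
        if ($changed) {
            & "$PsTools\PsService64.exe" -accepteula "\\$Computer" stop RemoteRegistry | Out-Null
            Invoke-PsExecCommand -Computer $Computer `
                -CommandLine @('sc.exe', 'config', 'RemoteRegistry', 'start=', $previous) | Out-Null
            Write-Host "RemoteRegistry on $Computer restored to '$previous'"
        }
    }
}

# Usage: collect system info and logged-on users, then clean up automatically.
$target = 'lab-win10a'   # assumed hostname; replace with your own
Invoke-WithRemoteRegistry -Computer $target -Action {
    & "$PsTools\PsInfo64.exe"     -accepteula "\\$target"
    & "$PsTools\PsLoggedOn64.exe" -accepteula "\\$target"
}
```

Because the restore runs in a finally block, a failing PsInfo call or a Ctrl+C part-way through still leaves the target with the start type it had before you touched it, which is the part of the manual procedure that is easiest to forget.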

Summary 

I hope this overview of the SysInternals PSTools suite was helpful and educational. You can do a lot with PSTools. This is my go-to when trying to diagnose or troubleshoot a remote system in whatever environment I am working in. There are GPOs and ways to configure your entire fleet to be responsive to PSTools, and I plan to do another video on that configuration.

Permanent link to this article: https://achubbard.com/2021/12/08/pstools-basic-commands-and-overview/
