Sysinternals Blog

Sysmon v13.01 and PsExec v2.30

lukekim
Jan 12, 2021

Sysmon v13.01

This bugfix update to Sysmon resolves a series of config parsing issues.
 

PsExec v2.30

Previous versions of PsExec are susceptible to a named pipe squatting attack. If a low-privileged attacker creates a named pipe on a server to which a PsExec client connects, they could intercept explicit authentication credentials or sensitive command-line arguments sent by the client. The PsExec client now drops a key file into the Windows directory on the remote system. The file is protected with an administrator-only security descriptor, its name is formatted as PSEXEC-.key, and the PsExec service uses the key to authenticate to the client.
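
For defenders, the key file described above is also a host artifact that Sysmon's FileCreate event (ID 11) can record when the configuration logs that path. The following is an added example, not code from Sysinternals or from this post: it filters Sysmon events exported as XML under one root element for that file. The root element, the sample events, and the assumption that the part of the name the post leaves out sits between "PSEXEC-" and ".key" are all assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption: whatever the post elides in "PSEXEC-.key" sits between the
# "PSEXEC-" prefix and the ".key" suffix; the file is directly in <drive>:\Windows.
KEY_FILE = re.compile(r"^[A-Z]:\\Windows\\PSEXEC-[^\\]*\.key$", re.IGNORECASE)


def find_psexec_key_files(events_xml):
    """Return (computer, utc_time, image, path) for every Sysmon FileCreate
    event (ID 11) that targets a PsExec key file in the Windows directory."""
    hits = []
    for event in ET.fromstring(events_xml).iterfind("e:Event", NS):
        if event.findtext("e:System/e:EventID", namespaces=NS) != "11":
            continue  # only FileCreate is of interest here
        data = {d.get("Name"): d.text or ""
                for d in event.iterfind("e:EventData/e:Data", NS)}
        path = data.get("TargetFilename", "")
        if KEY_FILE.match(path):
            computer = event.findtext("e:System/e:Computer", namespaces=NS)
            hits.append((computer, data.get("UtcTime"), data.get("Image"), path))
    return hits


def _event(event_id, computer, utc, image, target):
    # Builds one constructed event in the Windows event XML layout.
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer></System><EventData>'
            f'<Data Name="UtcTime">{utc}</Data><Data Name="Image">{image}</Data>'
            f'<Data Name="TargetFilename">{target}</Data></EventData></Event>')


# Constructed sample export (not real telemetry): one key file, two near misses
# (right name in the wrong directory, and a FileDelete event, ID 23).
SAMPLE_EVENTS = "<Events>" + "".join([
    _event(11, "HOSTNAME", "2021-01-12 10:00:00.000", "System",
           r"C:\Windows\PSEXEC-CONSTRUCTED.key"),
    _event(11, "HOSTNAME", "2021-01-12 10:00:05.000", r"C:\Tools\editor.exe",
           r"C:\Users\Public\PSEXEC-notes.key"),
    _event(23, "HOSTNAME", "2021-01-12 10:00:09.000", "System",
           r"C:\Windows\PSEXEC-CONSTRUCTED.key"),
]) + "</Events>"

if __name__ == "__main__":
    for hit in find_psexec_key_files(SAMPLE_EVENTS):
        print(*hit, sep=" | ")
```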
  • foxmsft930

    siegfried_hello - also add the -i switch to make it work. (Adding this for visitors coming from search engines who don't see the other thread).

     

    davemcincork - there's nothing like that at the moment.

  • siegfried_hello

    Another issue in v2.3 that didn't exist in v2.2 is that the -h switch no longer works with alternate credentials in both the 32- and 64-bit versions. It now produces:

     

    ERROR_LOGON_TYPE_NOT_GRANTED

    1385 (0x569)

    Logon failure: the user has not been granted the requested logon type at this computer.

     

  • martind22

    lukekim Thanks for the new version of PsExec... unfortunately it breaks the possibility to execute 2 or more concurrent PsExec instances to the same host.

     

    Based on the mentioned PSEXEC-.key file, what I think is that it is not honoring the -r option and adjusting the name based on it so that 2 processes could be executed simultaneously.

     

    It doesn't matter whether we use the 32- or 64-bit version, as you will see.

     

    This is an example with 2.30:

     

    Cmd 1:

    D:\PSTools-2.30>PsExec.exe -accepteula -r PEXEC1 -i 1 -w . cmd /s /c "pause"
    
    PsExec v2.30 - Execute processes remotely
    Copyright (C) 2001-2021 Mark Russinovich
    Sysinternals - www.sysinternals.com
    
    
    cmd exited on HOSTNAME with error code 0.
    
    D:\PSTools-2.30>PsExec64.exe -accepteula -r PEXEC1 -i 1 -w . cmd /s /c "pause"
    
    PsExec v2.30 - Execute processes remotely
    Copyright (C) 2001-2021 Mark Russinovich
    Sysinternals - www.sysinternals.com
    
    
    cmd exited on HOSTNAME with error code 0.
    
    D:\PSTools-2.30>

    Cmd 2:

    D:\PSTools-2.30>PsExec.exe -accepteula -r PEXEC2 -i 1 -w . cmd /s /c "echo Hello World 2"
    
    PsExec v2.30 - Execute processes remotely
    Copyright (C) 2001-2021 Mark Russinovich
    Sysinternals - www.sysinternals.com
    
    Error creating key file on HOSTNAME:
    The process cannot access the file because it is being used by another process.
    
    D:\PSTools-2.30>PsExec64.exe -accepteula -r PEXEC2 -i 1 -w . cmd /s /c "echo Hello World 2"
    
    PsExec v2.30 - Execute processes remotely
    Copyright (C) 2001-2021 Mark Russinovich
    Sysinternals - www.sysinternals.com
    
    Error creating key file on HOSTNAME:
    The process cannot access the file because it is being used by another process.
    
    D:\PSTools-2.30>

    See the error in these cases.

     

    With 2.2 there is no such problem. See:

     

    Cmd 1:

    D:\PSTools-2.2>PsExec.exe -accepteula -r PEXEC1 -i 1 -w . cmd /s /c "pause"
    
    PsExec v2.2 - Execute processes remotely
    Copyright (C) 2001-2016 Mark Russinovich
    Sysinternals - www.sysinternals.com
    
    
    cmd exited on HOSTNAME with error code 0.
    
    D:\PSTools-2.2>PsExec64.exe -accepteula -r PEXEC1 -i 1 -w . cmd /s /c "pause"
    
    PsExec v2.2 - Execute processes remotely
    Copyright (C) 2001-2016 Mark Russinovich
    Sysinternals - www.sysinternals.com
    
    
    cmd exited on HOSTNAME with error code 0.
    
    D:\PSTools-2.2>

    Cmd 2:

    D:\PSTools-2.2>PsExec.exe -accepteula -r PEXEC2 -i 1 -w . cmd /s /c "echo Hello World 2"
    
    PsExec v2.2 - Execute processes remotely
    Copyright (C) 2001-2016 Mark Russinovich
    Sysinternals - www.sysinternals.com
    
    
    cmd exited on HOSTNAME with error code 0.
    
    D:\PSTools-2.2>PsExec64.exe -accepteula -r PEXEC2 -i 1 -w . cmd /s /c "echo Hello World 2"
    
    PsExec v2.2 - Execute processes remotely
    Copyright (C) 2001-2016 Mark Russinovich
    Sysinternals - www.sysinternals.com
    
    
    cmd exited on HOSTNAME with error code 0.
    
    D:\PSTools-2.2>