Microsoft

Sysmon v13.01

This bugfix update to Sysmon resolves a series of config parsing issues.
 

PsExec v2.30

Previous versions of PsExec are susceptible to a named pipe squatting attack. If a low-privileged attacker creates a named pipe on a server to which a PsExec client connects, they could intercept explicit authentication credentials or sensitive command-line arguments sent by the client. The PsExec client now drops a key into a file protected with an administrator-only security descriptor with a name formatted as PSEXEC-.key into the Windows directory on the remote system that the PsExec service uses to authenticate to the client.
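
As an added example (not part of the original post and not Sysinternals code), the following PowerShell audit lists PsExec key files in the Windows directory of a host and reports any whose ACL grants access beyond administrators. The wildcard `PSEXEC-*.key`, the function name `Test-PsExecKeyFileAcl`, and the allow-list of SIDs (BUILTIN\Administrators and SYSTEM) are assumptions made for this example.

```powershell
# Added example: check that PsExec key files are readable by administrators only.
# Run from an elevated session; reading the ACL of an admin-only file needs it.
function Test-PsExecKeyFileAcl {
    param(
        # The post says the key file is written to the Windows directory.
        [string]$Path = $env:windir,
        # Assumption: principals accepted as "administrator-only"
        # (BUILTIN\Administrators and NT AUTHORITY\SYSTEM).
        [string[]]$AllowedSids = @('S-1-5-32-544', 'S-1-5-18')
    )

    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Assumption: the wildcard stands in for the part of the name the post omits.
    Get-ChildItem -LiteralPath $Path -Filter 'PSEXEC-*.key' -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $acl  = Get-Acl -LiteralPath $file.FullName

            # Resolve ACEs to SIDs so localized account names do not matter.
            $rules = $acl.GetAccessRules($true, $true, $sidType)
            $unexpected = @($rules | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $AllowedSids -notcontains $_.IdentityReference.Value
            })

            [pscustomobject]@{
                File            = $file.FullName
                CreatedUtc      = $file.CreationTimeUtc
                OwnerSid        = $acl.GetOwner($sidType).Value
                UnexpectedAllow = ($unexpected | ForEach-Object {
                    "$($_.IdentityReference.Value):$($_.FileSystemRights)"
                }) -join '; '
                AdminOnly       = ($unexpected.Count -eq 0)
            }
        }
}

Test-PsExecKeyFileAcl | Format-Table -AutoSize
```

Any row with `AdminOnly` set to `False` shows a key file that a non-administrator principal can access, which would undercut the authentication described above.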
5 Comments
Frequent Visitor

@lukekim Thanks for the new version of PsExec... unfortunately it breaks the possibility to execute 2 or more concurrent PsExec to the same host.

 

Based on the mentioned PSEXEC-.key file what I think is that it is not honoring the -r option and adjusting the name based on it so 2 processes could be executed simultaneously.

 

Doesn't matter if we use the 32- or 64-bit version, as you will see.

 

This is an example with 2.30:

 

Cmd 1:

D:\PSTools-2.30>PsExec.exe -accepteula -r PEXEC1 -i 1 -w . cmd /s /c "pause"

PsExec v2.30 - Execute processes remotely
Copyright (C) 2001-2021 Mark Russinovich
Sysinternals - www.sysinternals.com


cmd exited on HOSTNAME with error code 0.

D:\PSTools-2.30>PsExec64.exe -accepteula -r PEXEC1 -i 1 -w . cmd /s /c "pause"

PsExec v2.30 - Execute processes remotely
Copyright (C) 2001-2021 Mark Russinovich
Sysinternals - www.sysinternals.com


cmd exited on HOSTNAME with error code 0.

D:\PSTools-2.30>

Cmd 2:

D:\PSTools-2.30>PsExec.exe -accepteula -r PEXEC2 -i 1 -w . cmd /s /c "echo Hello World 2"

PsExec v2.30 - Execute processes remotely
Copyright (C) 2001-2021 Mark Russinovich
Sysinternals - www.sysinternals.com

Error creating key file on HOSTNAME:
The process cannot access the file because it is being used by another process.

D:\PSTools-2.30>PsExec64.exe -accepteula -r PEXEC2 -i 1 -w . cmd /s /c "echo Hello World 2"

PsExec v2.30 - Execute processes remotely
Copyright (C) 2001-2021 Mark Russinovich
Sysinternals - www.sysinternals.com

Error creating key file on HOSTNAME:
The process cannot access the file because it is being used by another process.

D:\PSTools-2.30>

See the error on these cases

 

With 2.2 there is no such problem. See:

 

Cmd 1:

D:\PSTools-2.2>PsExec.exe -accepteula -r PEXEC1 -i 1 -w . cmd /s /c "pause"

PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com


cmd exited on HOSTNAME with error code 0.

D:\PSTools-2.2>PsExec64.exe -accepteula -r PEXEC1 -i 1 -w . cmd /s /c "pause"

PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com


cmd exited on HOSTNAME with error code 0.

D:\PSTools-2.2>

Cmd 2:

D:\PSTools-2.2>PsExec.exe -accepteula -r PEXEC2 -i 1 -w . cmd /s /c "echo Hello World 2"

PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com


cmd exited on HOSTNAME with error code 0.

D:\PSTools-2.2>PsExec64.exe -accepteula -r PEXEC2 -i 1 -w . cmd /s /c "echo Hello World 2"

PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com


cmd exited on HOSTNAME with error code 0.

D:\PSTools-2.2>

Microsoft

Thanks for the details, we'll look into it.

Another issue in v2.3 that didn't exist in v2.2 is that the -h switch no longer works with alternate credentials in both the 32- and 64-bit versions. It now produces

 

ERROR_LOGON_TYPE_NOT_GRANTED

1385 (0x569)

Logon failure: the user has not been granted the requested logon type at this computer.

 

Occasional Visitor

@lukekim - Is there a public facing backlog/roadmap for Sysmon?

Occasional Visitor

@siegfried_hello - also add the -i switch to make it work. (Adding this for visitors coming from search engines who don't see the other thread).

 

@davemcincork - there's nothing like that at the moment.