Sysmon v13.01 and PsExec v2.30
Published Jan 12 2021 03:01 PM
Microsoft

Sysmon v13.01

This bugfix update to Sysmon resolves a series of config parsing issues.
 

PsExec v2.30

Previous versions of PsExec are susceptible to a named pipe squatting attack. If a low-privileged attacker creates a named pipe on a server to which a PsExec client connects, they could intercept explicit authentication credentials or sensitive command-line arguments sent by the client. The PsExec client now drops a key into a file, protected with an administrator-only security descriptor and named PSEXEC-.key, in the Windows directory on the remote system; the PsExec service uses this key to authenticate to the client.
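A defender can check the mitigation described above on a host that has accepted PsExec 2.30 sessions by auditing the ACLs of the key files. This is an added PowerShell example, not Sysinternals code; it assumes the files sit directly in the Windows directory and match PSEXEC-*.key (the post elides the middle of the name), and it treats "administrator-only" as access limited to BUILTIN\Administrators and NT AUTHORITY\SYSTEM.

```powershell
# Added example (not Sysinternals code): audit the DACL on PsExec 2.30 key files.
# Assumptions: files are at $env:windir\PSEXEC-*.key, and only the two principals
# below should hold any allow ACE. Run on the remote (target) host as an administrator.
$AllowedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Test-PsExecKeyFileAcl {
    param(
        [string]$WindowsDir = $env:windir,
        [string[]]$Allowed = $AllowedPrincipals
    )

    $files = Get-ChildItem -Path $WindowsDir -Filter 'PSEXEC-*.key' -File -Force -ErrorAction SilentlyContinue
    if (-not $files) {
        Write-Output "No PSEXEC-*.key files found in $WindowsDir."
        return
    }

    foreach ($file in $files) {
        $acl = Get-Acl -LiteralPath $file.FullName

        # Any allow ACE for a principal outside the allowed set weakens the admin-only descriptor.
        $unexpected = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $Allowed -notcontains $_.IdentityReference.Value
        }

        # If inheritance is not blocked, ACEs from the Windows directory (e.g. read for Users)
        # flow onto the file, so the descriptor is only admin-only when the DACL is protected.
        $inheritanceBlocked = $acl.AreAccessRulesProtected

        [pscustomobject]@{
            File               = $file.FullName
            Owner              = $acl.Owner
            InheritanceBlocked = $inheritanceBlocked
            UnexpectedAces     = ($unexpected | ForEach-Object {
                                    "$($_.IdentityReference) [$($_.FileSystemRights)]" }) -join '; '
            Status             = if ($unexpected -or -not $inheritanceBlocked) { 'REVIEW' } else { 'OK' }
        }
    }
}

Test-PsExecKeyFileAcl | Format-Table -AutoSize
```

A file reported as REVIEW either carries an ACE for a non-administrative principal or inherits ACEs from the Windows directory, so the descriptor should be inspected before trusting the key.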
5 Comments
Copper Contributor

@lukekim Thanks for the new version of PsExec... unfortunately it breaks the possibility to execute 2 or more concurrent PsExec to the same host.

Based on the mentioned PSEXEC-.key file, what I think is that it is not honoring the -r option and adjusting the name based on it, so 2 processes could be executed simultaneously.

Doesn't matter if we use the 32 or 64 bits version as you will see.

This is an example with 2.30:


Cmd 1:

D:\PSTools-2.30>PsExec.exe -accepteula -r PEXEC1 -i 1 -w . cmd /s /c "pause"

PsExec v2.30 - Execute processes remotely
Copyright (C) 2001-2021 Mark Russinovich
Sysinternals - www.sysinternals.com


cmd exited on HOSTNAME with error code 0.

D:\PSTools-2.30>PsExec64.exe -accepteula -r PEXEC1 -i 1 -w . cmd /s /c "pause"

PsExec v2.30 - Execute processes remotely
Copyright (C) 2001-2021 Mark Russinovich
Sysinternals - www.sysinternals.com


cmd exited on HOSTNAME with error code 0.

D:\PSTools-2.30>

Cmd 2:

D:\PSTools-2.30>PsExec.exe -accepteula -r PEXEC2 -i 1 -w . cmd /s /c "echo Hello World 2"

PsExec v2.30 - Execute processes remotely
Copyright (C) 2001-2021 Mark Russinovich
Sysinternals - www.sysinternals.com

Error creating key file on HOSTNAME:
The process cannot access the file because it is being used by another process.

D:\PSTools-2.30>PsExec64.exe -accepteula -r PEXEC2 -i 1 -w . cmd /s /c "echo Hello World 2"

PsExec v2.30 - Execute processes remotely
Copyright (C) 2001-2021 Mark Russinovich
Sysinternals - www.sysinternals.com

Error creating key file on HOSTNAME:
The process cannot access the file because it is being used by another process.

D:\PSTools-2.30>

See the error in these cases.

With 2.2 there is no such problem. See:


Cmd 1:

D:\PSTools-2.2>PsExec.exe -accepteula -r PEXEC1 -i 1 -w . cmd /s /c "pause"

PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com


cmd exited on HOSTNAME with error code 0.

D:\PSTools-2.2>PsExec64.exe -accepteula -r PEXEC1 -i 1 -w . cmd /s /c "pause"

PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com


cmd exited on HOSTNAME with error code 0.

D:\PSTools-2.2>

Cmd 2:

D:\PSTools-2.2>PsExec.exe -accepteula -r PEXEC2 -i 1 -w . cmd /s /c "echo Hello World 2"

PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com


cmd exited on HOSTNAME with error code 0.

D:\PSTools-2.2>PsExec64.exe -accepteula -r PEXEC2 -i 1 -w . cmd /s /c "echo Hello World 2"

PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com


cmd exited on HOSTNAME with error code 0.

D:\PSTools-2.2>

Microsoft

Thanks for the details, we'll look into it.

Copper Contributor

Another issue in v2.3 that didn't exist in v2.2 is that the -h switch no longer works with alternate credentials in both the 32- and 64-bit versions. It now produces


ERROR_LOGON_TYPE_NOT_GRANTED

1385 (0x569)

Logon failure: the user has not been granted the requested logon type at this computer.


Copper Contributor

@lukekim- Is there a public facing backlog/roadmap for Sysmon?

Copper Contributor

@siegfried_hello - also add the -i switch to make it work. (Adding this for visitors coming from search engines who don't see the other thread).


@davemcincork - there's nothing like that at the moment.
