PSTOOLS

The PsTools suite falls into the gray area between enumeration and full-system access. These tools are developed by Mark Russinovich of SysInternals and are available at http://www.sysinternals.com/ntw2k/freeware/pstools.shtml. The enum and Winfingerprint tools rely on the mighty NULL IPC$ session, but the PsTools require user credentials for some options. Nevertheless, this collection of tools turns an open NetBIOS port into a remote command execution heyday.

Instead of describing the tools in alphabetical order, we'll start with the least innocuous and work up to the most versatile. A Windows administrator tool kit should contain these tools because they greatly simplify remote administration.

But first, here are some prerequisites for using these tools:

  • You must have proper user credentials. The greater functionality of these tools requires greater access. This isn't a problem for system administrators.

  • The "Server" service must be started on the target system. The "NetLogon" service helps pass credentials across the domain.

  • The "RemoteRegistry" service is used for certain functions such as PsInfo's hotfix enumeration.

  • The IPC$ share must be available.

In an environment where administration relies heavily on the GUI, the left mouse button, and Terminal Services, this suite removes an enormous amount of stress from the whole affair.

Caution

During remote administration, your username and password are flying across the network! If you're highly concerned about sniffing attacks, make sure that your Windows 2000 and XP servers are using NTLMv2. This is a fault of the underlying Windows authentication scheme, not the PsTools. Check out Chapter 9 for more information on Windows passwords.

Implementation

PsTools consists of several command-line utilities that truly simplify administration of large networks. Remote access using Terminal Services does help, but these tools can be an integral part of automated scripts that collect logfiles, list active users, or run arbitrary commands across dozens of systems.

PsFile

PsFile allows you to list files on one host that are in use by another host. It mirrors the functionality of the built-in net file command. This is useful for debugging file shares and tracking unauthorized file system access. The following output is shortened for the sake of brevity:

 C:\>psfile.exe
 Files opened remotely on GOBLYNSWOOD:
 [  23  ] D:\downloads\secretplans.txt
     User:   ORC
     Locks:  0
     Access: Read

 C:\>net file
 ID    Path                                    User name      # Locks
 --------------------------------------------------------------------
 23    D:\downloads\secretplans.txt            ORC            0
 The command completed successfully.

We can tell that user ORC is viewing a text file called secretplans.txt. This tool doesn't reveal from where ORC is accessing the file, so it isn't very helpful as a forensic tool; that's a job for netstat. At first, the information appears redundant between the two commands. The -c option works the same way as the /close option to net file. It closes a connection based on the ID (23 in the previous example):

 C:\>psfile.exe 23 -c
 Closed file D:\downloads\secretplans.txt on GOBLYN.

Again, there doesn't seem to be a real advantage over the net utility. However, every PsTool works over a remote connection. The usage is the same, with the addition of the user credentials on the command line.

 C:\>psfile.exe \\192.168.0.176 -u Administrator -p IM!secure
 Files opened remotely on 192.168.0.176:
 [32] \PIPE\srvsvc
     User:   ADMINISTRATOR
     Locks:  0
     Access: Read Write

If you run psfile against your localhost and specify its IP address, you'll see that it opens a connection to the server service.

Note

Just about every PsTool accepts the \\RemoteHost -u UserName -p Password options, even if the tool's command-line help (/h) doesn't explicitly state it.

PsLoggedOn

Don't accuse the PsTools of obscure naming conventions. PsLoggedOn displays the users who are logged onto a system, whether through the console, a file share, or another remote method:

 C:\>psloggedon.exe
 Users logged on locally:
      <Unknown> NT AUTHORITY\LOCAL SERVICE
      <Unknown> NT AUTHORITY\NETWORK SERVICE
      3/10/2002 11:23:49 AM    GOBLYNSWOOD\pyretta
      <Unknown> NT AUTHORITY\SYSTEM
 Users logged on via resource shares:
      3/12/2002 12:04:12 AM    (null)\ORC

From a defense perspective, the list of users logged on via resource shares can be especially helpful to administrators. You may wish to schedule tasks that check sensitive systems such as domain controllers, web servers, or the finance department's database. You could rely on the system's event logs, but a malicious user could erase them. Having another copy from the scheduled task provides good redundancy.
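The scheduled check described above needs something to compare the PsLoggedOn output against. The following added example (not from the book) parses the two sections of psloggedon output and flags share sessions held by accounts outside an allow list; the sample output and the allowed account name "backup" are constructed for the demonstration.

```python
import re
from datetime import datetime

# Constructed sample output, modelled on the PsLoggedOn run shown above.
# In a scheduled task this text would come from: psloggedon.exe \\hostname
SAMPLE_OUTPUT = """\
Users logged on locally:
     <Unknown> NT AUTHORITY\\LOCAL SERVICE
     <Unknown> NT AUTHORITY\\NETWORK SERVICE
     3/10/2002 11:23:49 AM    GOBLYNSWOOD\\pyretta
     <Unknown> NT AUTHORITY\\SYSTEM
Users logged on via resource shares:
     3/12/2002 12:04:12 AM    (null)\\ORC
     3/12/2002 12:09:30 AM    GOBLYNSWOOD\\backup
"""

# One session line: either "<Unknown>" or "m/d/yyyy h:mm:ss AM" followed by DOMAIN\user.
LOGON_RE = re.compile(
    r"^\s*(?P<when><Unknown>|\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)"
    r"\s+(?P<account>\S.*?)\s*$"
)


def parse_psloggedon(text):
    """Return {'local': [...], 'shares': [...]}; each entry is (datetime or None, account)."""
    sessions = {"local": [], "shares": []}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Users logged on locally"):
            section = "local"
            continue
        if stripped.startswith("Users logged on via resource shares"):
            section = "shares"
            continue
        if section is None or not stripped:
            continue  # banner lines before the first section header
        m = LOGON_RE.match(line)
        if not m:
            continue  # e.g. "No one is logged on via resource shares."
        when = m.group("when")
        ts = None if when == "<Unknown>" else datetime.strptime(when, "%m/%d/%Y %I:%M:%S %p")
        sessions[section].append((ts, m.group("account")))
    return sessions


def unexpected_share_logons(sessions, allowed_accounts):
    """Share sessions whose user part (after DOMAIN\\ or (null)\\) is not on the allow list."""
    allowed = {a.lower() for a in allowed_accounts}
    flagged = []
    for ts, account in sessions["shares"]:
        user = account.split("\\", 1)[-1].lower()
        if user not in allowed:
            flagged.append((ts, account))
    return flagged


if __name__ == "__main__":
    parsed = parse_psloggedon(SAMPLE_OUTPUT)
    for ts, account in unexpected_share_logons(parsed, ["backup"]):
        print(f"ALERT: unexpected share session for {account} since {ts}")
```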

From an attacker's perspective, it may not be prudent to launch buffer overflow attacks or other exploits against systems that have users currently logged onto them.

PsGetSid

Renaming the Administrator account to "TeflonBilly" might be fun, but do not consider it a true security measure. With PsGetSid, anyone with a NULL connection can obtain a string called the Security Identifier (SID) for a particular user. The final part of this string contains the Relative Identifier (RID). For the Administrator account, regardless of the account name, the RID is always 500, much like the root user on Unix is always 0. The Guest account is always 501. These two RIDs never change.

 C:\>psgetsid.exe \\192.168.0.176 -u Administrator -p IM!secure Orc
 SID for 192.168.0.176\Orc:
 S-1-5-21-1454471165-484763869-1708537768-501

Tip

When targeting the "Administrator," always verify that the account has a SID that ends in 500. Otherwise, you know that the account has been renamed.

A SID request does not have to target a user. PsGetSid can enumerate other objects such as the computer and user groups:

 C:\>psgetsid.exe \\192.168.0.176 -u Administrator -p IM!secure goblynswood
 SID for 192.168.0.176\goblynswood:
 S-1-5-21-1454471165-484763869-1708537768

 C:\>psgetsid.exe \\192.168.0.176 -u Administrator -p IM!secure "Power Users"
 SID for 192.168.0.176\goblynswood:
 S-1-5-32-547

Alone, this type of information is not particularly useful, but when cross-referenced with user RIDs from SAM files or other sources, it fills a large part of the domain's authentication structure.

PsInfo

Operating system, uptime (deduced from the event logs), system root, install date, blah, blah, blah. The data almost sounds interesting. Do not mistake PsInfo for a fluff tool. It returns useful data about the system. And, remember, it does so remotely!

 PsInfo 1.6 - local and remote system information viewer
 Copyright (C) 2001-2004 Mark Russinovich
 Sysinternals - www.sysinternals.com

 System information for \\ARRAKIS:
 Uptime:                    0 days, 0 hours, 58 minutes, 9 seconds
 Kernel version:            Microsoft Windows XP, Uniprocessor Free
 Product type:              Professional
 Product version:           5.1
 Service pack:              1
 Kernel build number:       2600
 Registered organization:
 Registered owner:          Michael Shema
 Install date:              08/11/2002, 22:26:38
 Activation status:         Activated
 IE version:                6.0000
 System root:               C:\WINDOWS
 Processors:                1
 Processor speed:           665 Mhz
 Processor type:            x86 Family 6 Model 8 Stepping 4, ConnectixCPU
 Physical memory:           196 MB

As you can see, PsInfo provides a quick method for checking your servers for the latest hotfixes. If you're running IIS, you should be religiously applying hotfixes. PsInfo pulls hotfix information from the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix registry key, so some application patches may not appear in this list. Use the -h option to obtain the most accurate list of hotfixes that can be remotely enumerated.

A batch file makes this system enumeration easy:

 C:\>for /L %i in (1,1,254) do psinfo \\192.168.0.%i > systeminfo_192.168.0.%i.txt

Notice that we've left out the authentication credentials. If you're going to create a batch file that needs to access remote systems, don't place the username and password in the batch file. Instead, run the batch file in the context of a domain user with permissions to enumerate this information. The only problem you'll encounter is difficulty accessing systems that are not part of the domain.

PsService

This robust tool enables you to view and manipulate services remotely. The Windows net start and net stop commands tremble in the presence of PsService. With no command-line options, PsService returns a list of every service installed on the system. The following output has been shortened for brevity, but it includes complete descriptions for two services:

 C:\>psservice.exe
 SERVICE_NAME: inetd
 DISPLAY_NAME: CYGWIN inetd
 (null)
         TYPE              : 10 WIN32_OWN_PROCESS
         STATE             : 1  STOPPED
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
         WIN32_EXIT_CODE   : 1077 (0x435)
         SERVICE_EXIT_CODE : 0  (0x0)
         CHECKPOINT        : 0x0
         WAIT_HINT         : 0x0

 SERVICE_NAME: SharedAccess
 DISPLAY_NAME: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
 Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
         TYPE              : 20 WIN32_SHARE_PROCESS
         STATE             : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
         WIN32_EXIT_CODE   : 0  (0x0)
         SERVICE_EXIT_CODE : 0  (0x0)
         CHECKPOINT        : 0x0
         WAIT_HINT         : 0x0

Service information, regardless of whether the service is currently running, indicates the role of a system, the security software installed, and possibly its relative importance on a network. A server that backs up the PDC will have a backup service running, and an e-mail server might have an anti-virus service running. PsService also provides control over the services. Specify one of the following commands to manipulate a service:

 PsService "Cmd" Option   Description
 query                    Queries the status of a service
 config                   Queries the configuration
 setconfig                Sets the configuration
 start                    Starts a service
 stop                     Stops a service
 restart                  Stops and then restarts a service
 pause                    Pauses a service
 cont                     Continues a paused service
 depend                   Enumerates the services that depend on the one specified
 find                     Searches for an instance of a service on the network

After the command, specify the service to be affected. For example, here's how to start IIS on a remote computer (assuming you are logged into the domain as an administrator):

 C:\>psservice.exe \\192.168.0.39 start w3svc

You could also stop, restart, pause, or continue the service. The config command differs slightly from the query command, which provides the information shown when PsService runs without options. The config command returns information about the actual program the service executes:

 C:\>psservice.exe config inetd
 SERVICE_NAME: inetd
 (null)
         TYPE              : 10 WIN32_OWN_PROCESS
         START_TYPE        : 3  DEMAND_START
         ERROR_CONTROL     : 1  NORMAL
         BINARY_PATH_NAME  : d:\cygwin\usr\sbin\inetd.exe
         LOAD_ORDER_GROUP  :
         TAG               : 0
         DISPLAY_NAME      : CYGWIN inetd
         DEPENDENCIES      :
         SERVICE_START_NAME: LocalSystem

Finally, the find command can be used to hunt down services running on a network. In a way, it can be a roundabout port scanner. For example, to find hosts in a domain that are running Terminal Services, look for the TermService service:

 C:\>psservice.exe find TermService
 Found termservice on:
 \\ZIGGURAT
 \\GOBLYNSWOOD

Use this in conjunction with a port scanner to identify rogue IIS installations on your network.

PsList

When your Unix friends make fun of the Windows process list commands, mention PsList and you might see a few knowing winks or a little jealousy. PsList displays a process list for the local or remote system. The -d, -m, and -x options show information about threads, memory, and a combination of the two, respectively. However, you will probably need to use only a plain pslist:

 C:\>pslist.exe
 Process information for GOBLYNSWOOD:
 Name         Pid Pri Thd  Hnd    Mem     User Time    Kernel Time Elapsed Time
 Idle           0   0   1    0     16   0:00:00.000    3:57:29.219  0:00:00.000
 System         8   8  39  319    216   0:00:00.000    0:00:11.536  0:00:00.000
 SMSS         152  11   6   33    560   0:00:00.210    0:00:00.741  4:27:11.031
 CSRSS        180  13  10  494   3560   0:00:00.650    0:01:30.890  4:26:59.084
 WINLOGON     200  13  17  364   3256   0:00:00.230    0:00:01.081  4:26:55.879
 SERVICES     228   9  30  561   5640   0:00:01.542    0:00:03.535  4:26:48.058
 LSASS        240   9  14  307    520   0:00:00.260    0:00:00.230  4:26:48.028
 svchost      420   8   9  333   3748   0:00:00.150    0:00:00.150  4:26:41.839
 spoolsv      452   8  12  166   3920   0:00:00.070    0:00:00.160  4:26:41.088

You can also gather information about a specific process name or process ID by calling it on the command line. For example, to see how much of your system resources Internet Explorer has chewed away, try this:

 C:\>pslist.exe iexplore
 Process information for GOBLYNSWOOD:
 Name         Pid Pri Thd  Hnd    Mem     User Time    Kernel Time Elapsed Time
 IEXPLORE     636   8  17  805  26884   0:00:14.711    0:00:17.154  4:38:27.694
 IEXPLORE    1100   8  28 1054  27980   0:00:24.375    0:00:40.888  4:36:25.388

Tip

A handful of password-grabbing utilities require the process ID (PID) of the LSASS program. PsList is the perfect way to find it.

The -s and -r options really come in handy for monitoring important servers or even debugging code. The -s puts PsList into Task Manager mode. In other words, it performs a continuous refresh until you press ESC, much like the Unix top command. The -r sets the refresh rate in seconds. For example, you can monitor the IIS service process on a web server every 10 seconds:

 C:\>pslist.exe -s -r 10 inetinfo.exe 

The -t option displays each process and its threads in a tree format, making it easier to visualize the process relationships on the system. Here's an abbreviated output that shows the system processes as a tree:

 C:\>pslist.exe -t
 Process information for GOBLYNSWOOD:
 Name                            Pid Pri Thd  Hnd      VM      WS     Priv
 Idle                              0   0   1    0       0      16        0
   System                          8   8  39  323    1668     216       24
     SMSS                        152  11   6   33    5248     560     1072
       CSRSS                     180  13  10  502   22700    3576     1512
       WINLOGON                  200  13  17  364   35812    3252     5596
         SERVICES                228   9  31  563   33748    5652     2772
           svchost               420   8   9  333   22624    3748     1528
             MDM                1420   8   3   96   25996    2640      924
           Avsynmgr              556   8   4  139   28024    2708     1460
             VSStat              896   8   2  112   26376    2664     1376
               vshwin32          956   8   7  219   54220    6468     3908
               WebScanX         1036   8   3  194   40020    6052     4628
             Avconsol            976   8   2  112   28500    2640     1484
           svchost               592   8  33  449   43592    8084     3364
         LSASS                   240   9  14  307   28080     864     2344
 explorer                       1200   8  17  468   99580    4460    11912

PsKill and PsSuspend

As you can list a process, so you can kill it (or suspend it if you're feeling gracious). The PsKill tool takes either a process name or ID as an argument. If you rely on the PID, you'll need to use PsKill in conjunction with PsList. On the other hand, specifying the process by name might kill more processes than you intended. Both methods are susceptible to the "oops" vulnerability: mistyping a PID and accidentally killing the wrong process.

 C:\>pslist.exe | findstr /i notepad
 notepad     1764   8   1   30   1728   0:00:00.020   0:00:00.020     0:00:07.400
 notepad     1044   8   1   30   1724   0:00:00.020   0:00:00.020     0:00:05.077
 notepad     1796   8   1   30   1724   0:00:00.010   0:00:00.020     0:00:03.835

 C:\>pskill.exe 1764
 process #1764 killed

 C:\>pskill.exe notepad
 2 processes named notepad killed.

Caution

Be careful when killing processes by name. PsKill matches every process with that name, not just the first one it encounters. It does not honor wildcards, such as the asterisk (*).

PsSuspend works in the same manner. Specify a process name or ID after the command to suspend that process:

 C:\>pssuspend.exe 1116
 Process 1116 suspended.

Use the -r option to resume a process:

 C:\>pssuspend.exe -r 1116
 Process 1116 resumed.

Note

Remember that these tools work remotely, but they require user authentication. An open NetBIOS port doesn't expose the entire system to compromise. However, there is a problem with an open NetBIOS port and a blank administrator password (we've seen plenty of these). Use the PsTools to tighten and audit your network.

PsLogList

The event log contains a wealth of information about system health, service status, and security. Unfortunately, the awkwardness of the Event Log Viewer typically precluded administrators from running quick log audits. Unlike the Unix world, where the majority of logs are in text format, the Windows event logs are a binary puzzle. The advent of PsLogList makes two things possible: logfiles can be extracted to a text format and parsed into spreadsheets or other formats, and logfiles can be retrieved remotely to consolidate, back up, and preserve their content.

 PsLogList v2.61 - local and remote event log viewer
 Copyright (C) 2000-2005 Mark Russinovich
 Sysinternals - www.sysinternals.com

 PsLogList dumps event logs on a local or remote NT system.

 Usage: psloglist [\\computer[,computer2[,...] | @file] [-u username [-p password]]]
        [-s [-t delimiter]] [-m #|-n #|-d #|-h #|-w] [-c] [-x] [-r] [-a mm/dd/yy] [-b mm/dd/yy]
        [-f filter] [-i ID,[ID,...] | -e ID,[ID,...]] [-o event source[,event source[,...]]]
        [-q event source[,event source[,...]]] [[-g|-l] event log file] <event log>

The following table details the available options:

 PsLogList Option   Description
 @file              File contains a list of hostnames against which PsLogList will dump event log information. This enables you to easily automate log management for many systems.
 -a <mm/dd/yy>      Dumps records timestamped after the specified date.
 -b <mm/dd/yy>      Dumps records timestamped before the specified date.
 -c                 Clears the event log after displaying it.
 -d <digit(s)>      Displays only records from the previous n days.
 -e                 Excludes events with the specified ID or IDs (up to 10).
 -f <e|i|w>         Filters event types using their starting letter (for example, -f we to filter warnings and errors).
 -g                 Exports an event log as an .evt file. This can only be used with the -c switch (clear log).
 -h <n>             Displays only records from the previous n hours.
 -i <Event ID>      Shows only events with the specified ID.
 -l                 Dumps the contents of the specified saved event logfile.
 -m <n>             Displays only records from the previous n minutes.
 -n <digit(s)>      Displays only the n most recent records.
 -o <source>        Shows only records from the specified event source (for example, -o cdrom).
 -p                 Specifies the password for the username.
 -q                 Omits records from the specified event source or sources (for example, -q cdrom).
 -r                 Dumps the log from least recent to most recent.
 -s                 Lists records on one line each with delimited fields, which is convenient for string searches.
 -t <character>     The default delimiter for the -s option is a comma; it can be overridden with the specified character.
 -u                 Specifies an optional username for login to the remote computer.
 -w                 Waits for new events, dumping them as they are generated (local system only).
 -x                 Dumps extended data.
 <eventlog>         Specifies the event log to dump. The default is system. If the -l switch is present, the event log name specifies how to interpret the event logfile.

PsLogList displays the logfile contents in a long format or in a consolidated, comma-delimited manner. By default, PsLogList returns the long format of the system log:

 C:\>psloglist
 PsLogList v2.61 - local and remote event log viewer
 Copyright (C) 2000-2005 Mark Russinovich
 Sysinternals - www.sysinternals.com

 System log on \\ARRAKIS:
 [549] Service Control Manager
    Type:     INFORMATION
    Computer: ARRAKIS
    Time:     25/07/2003 22:27:10   ID:       7036
 The WMI Performance Adapter service entered the stopped state.

Output in a comma-delimited format is obtained with the -s option. Once more, the example has been shortened for clarity:

 C:\>psloglist -s
 PsLogList v2.61 - local and remote event log viewer
 Copyright (C) 2000-2005 Mark Russinovich
 Sysinternals - www.sysinternals.com

 System log on \\ARRAKIS:
 551,System,Tcpip,INFORMATION,ARRAKIS,Fri Jul 25 23:26:46 2003,4201,None,The system detected that network adapter \DEVICE\TCPIP_{056213EA-3E98-4CBB-8997-5145022A8FDC} was connected to the network, and has initiated normal operation over the network adapter.

Any of the three event logs (application, security, or system) can be viewed:

 C:\>psloglist -s security
 PsLogList v2.61 - local and remote event log viewer
 Copyright (C) 2000-2005 Mark Russinovich
 Sysinternals - www.sysinternals.com

 Security log on \\ARRAKIS:
 2017,Security,Security,AUDIT SUCCESS,ARRAKIS,Mon Jul 28 10:36:12 2003,520,SYSTEM\NT AUTHORITY,The system time was changed.
     Process ID: 1176
     Process Name: C:\WINDOWS\CNTX\VPCSRVC.EXE
     Primary User Name: ARRAKIS$
     Primary Domain: WORKGROUP
     Primary Logon ID: (0x0,0x3E7)
     Client User Name: ARRAKIS$
     Client Domain: WORKGROUP
     Client Logon ID: (0x0,0x3E7)
     Previous Time: 10:36:12 28/07/2003
     New Time: 10:36:12 28/07/2003

The -f option enables you to filter events based on one of five types: Warning (w), Information (i), Errors (e), Audit Success, and Audit Failure. (The letters in parentheses are abbreviations that PsLogList accepts.) The two audit types apply only to the security log and must be wrapped in quotation marks:

 C:\>psloglist.exe -s -f "Audit Success" Security > Security_successes.log

Use PsLogList to help maintain and follow your network's audit policy. Although this tool does not toggle event log settings, use it to coordinate logs and generate daily, weekly, or monthly reports about your network. Proper log review will not only catch malicious users, but it also helps maintain a healthy network.

Caution

The -c option will actually clear the logfile after it has been dumped. Use this option with care, as you may inadvertently erase logfiles that have not yet been backed up.

 C:\>psloglist.exe -c Application
 ...output truncated...
 Application event log on GOBLYNSWOOD cleared.

 C:\>psloglist.exe Application
 Application log on \\GOBLYNSWOOD:
 No records in Application event log on GOBLYNSWOOD.

Note

An attacker could use the -c option to clear event logs to hide her tracks.

The -a and -b options retrieve events after and before the supplied date in the "mm/dd/yy" format. For example, here's how to view the previous day's security events (using 02/09/02 as the current day):

 C:\>psloglist.exe -a 02/08/02 -b 02/09/02 Security

Finally, PsLogList reads the binary event logfiles from any system. Supply the filename to the -l option. In this instance, PsLogList deduces the log type (application, security, system):

 C:\>psloglist.exe -l Security.evt

The latest version of PsLogList introduces two new options. The first option filters events with a specific event ID (-i). The second option filters events with a specific event source (-o). Thus, you can look for specific events with strong security implications, such as failed logon/logoff events in the security log:

 C:\>psloglist -s security -i 529
 Security log on \\ARRAKIS:
 1962,Security,Security,AUDIT FAILURE,ARRAKIS,Fri Jul 25 21:39:35 2003,529,SYSTEM\NT AUTHORITY,Logon Failure:
      Reason:  Unknown user name or bad password
      User Name: Muaddib
      Domain:  ARRAKIS
      Logon Type: 2
      Logon Process: Advapi
      Authentication Package: Negotiate
      Workstation Name: ARRAKIS
 1919,Security,Security,AUDIT FAILURE,ARRAKIS,Tue Jul 22 16:13:58 2003,529,SYSTEM\NT AUTHORITY,Logon Failure:
      Reason:  Unknown user name or bad password

Or you can check for errors from specific sources in the application or system logs:

 C:\>psloglist -s system -o dhcp
 PsLogList v2.61 - local and remote event log viewer
 Copyright (C) 2000-2005 Mark Russinovich
 Sysinternals - www.sysinternals.com

 System log on \\ARRAKIS:
 469,System,Dhcp,WARNING,ARRAKIS,Mon Jul 21 13:47:24 2003,1007,None,Your computer has automatically configured the IP address for the Network Card with network address 0003FFABA4F6.  The IP address being used is 169.254.235.60.
 468,System,Dhcp,WARNING,ARRAKIS,Mon Jul 21 13:47:19 2003,1003,None,Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0003FFABA4F6.  The following error occurred:  The semaphore timeout period has expired. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Sources are easily identified from the "Source" column when you launch the GUI-based Event Viewer (eventvwr.exe).
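The -s output described earlier is what makes the "parse into spreadsheets" and failed-logon (event 529) searches practical, but the message field can itself contain commas, so a naive split breaks it. The following added example (not the book's code) parses constructed `psloglist -s security` lines in the layout shown above, keeps the message intact, and counts 529 failures per user and workstation; the sample records and field names are constructed for the demonstration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the `psloglist -s security` layout shown above:
# RecordNumber,Log,Source,Type,Computer,Time,EventID,User,Message
# (the message text may contain commas, so it must be kept as a single field).
SAMPLE_LINES = """\
1962,Security,Security,AUDIT FAILURE,ARRAKIS,Fri Jul 25 21:39:35 2003,529,SYSTEM\\NT AUTHORITY,Logon Failure:  Reason: Unknown user name or bad password  User Name: Muaddib  Domain: ARRAKIS  Logon Type: 2  Logon Process: Advapi  Authentication Package: Negotiate  Workstation Name: ARRAKIS
1961,Security,Security,AUDIT FAILURE,ARRAKIS,Fri Jul 25 21:39:20 2003,529,SYSTEM\\NT AUTHORITY,Logon Failure:  Reason: Unknown user name or bad password  User Name: Muaddib  Domain: ARRAKIS  Logon Type: 3  Logon Process: NtLmSsp  Authentication Package: NTLM  Workstation Name: ZIGGURAT
1960,Security,Security,AUDIT SUCCESS,ARRAKIS,Fri Jul 25 21:38:02 2003,528,ARRAKIS\\pyretta,Successful Logon:  User Name: pyretta  Domain: ARRAKIS  Logon Type: 2
1919,Security,Security,AUDIT FAILURE,ARRAKIS,Tue Jul 22 16:13:58 2003,529,SYSTEM\\NT AUTHORITY,Logon Failure:  Reason: Unknown user name or bad password  User Name: Muaddib  Domain: ARRAKIS  Logon Type: 3  Logon Process: NtLmSsp  Authentication Package: NTLM  Workstation Name: ZIGGURAT
"""

FIELDS = ("record", "log", "source", "type", "computer", "time", "event_id", "user", "message")


def parse_psloglist_line(line):
    """Split one -s record into a dict; returns None for banner, header or blank lines."""
    parts = line.split(",", 8)  # at most 9 fields, so commas inside the message survive
    if len(parts) != 9 or not parts[0].strip().isdigit():
        return None
    rec = dict(zip(FIELDS, (p.strip() for p in parts)))
    rec["record"] = int(rec["record"])
    rec["event_id"] = int(rec["event_id"])
    rec["time"] = datetime.strptime(rec["time"], "%a %b %d %H:%M:%S %Y")
    rec["message"] = re.sub(r"\s+", " ", rec["message"])  # flatten the multi-line body
    return rec


def message_field(message, label):
    """Pull the value of a 'Label: value' pair out of the flattened message text."""
    m = re.search(rf"{re.escape(label)}:\s*(.*?)(?=\s+[A-Z][A-Za-z ]+:|$)", message)
    return m.group(1).strip() if m else ""


def failed_logons(text, event_ids=(529,)):
    """Return parsed records whose event ID is in event_ids (529 = bad user name or password)."""
    out = []
    for line in text.splitlines():
        rec = parse_psloglist_line(line)
        if rec and rec["event_id"] in event_ids:
            out.append(rec)
    return out


def failures_by_source(records):
    """Count failures per (user name, workstation) pair, the first view an analyst wants."""
    counts = Counter()
    for rec in records:
        user = message_field(rec["message"], "User Name")
        station = message_field(rec["message"], "Workstation Name")
        counts[(user, station)] += 1
    return counts


if __name__ == "__main__":
    fails = failed_logons(SAMPLE_LINES)
    for (user, station), n in failures_by_source(fails).most_common():
        print(f"{n:3d} failed logons for {user!r} from {station or '<none>'}")
```

To run it against a real dump, feed it the text captured with `psloglist -s security > security.csv` instead of SAMPLE_LINES.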

PsExec

PsExec ranks as the most useful of the PsTools suite. It executes commands on the remote system, even going as far as uploading a program if it does not exist on the target system. Unlike other remote tools such as the Windows clone of Unix's rexec command, with PsExec you do not need to install support DLLs or special server applications. However, you must have access to the ADMIN$ share and proper credentials for this tool to work.

PsExec assumes you want to execute the command on a remote server, so the ComputerName argument is mandatory (you can always specify the -u and -p options for the username and password):

 C:\>psexec.exe \\192.168.0.43 cmd /c dir

Be sure to keep track of your command paths. By default, PsExec works from the %SYSTEMROOT%\System32 directory. Here are some other examples:

 C:\>psexec.exe \\192.168.0.43 ipconfig /all
 C:\>psexec.exe \\192.168.0.43 net use * \\10.2.13.61\backups Rch!ve /u:backup
 C:\>psexec.exe \\192.168.0.43 c:\cygwin\usr\sbin\sshd

If the program name or path contains spaces, wrap it with double quotes.

If the program doesn't exist on the target system, use the -c option (or -f). This copies it from the system running PsExec to the \System32 directory of \\ComputerName. The -f option overwrites the file if it already exists. This example places fscan, a command-line port scanner, on the target, and then launches a port scan from that system against the class C network:

 C:\>psexec.exe \\192.168.0.43 -c fscan.exe -q --bp1-10001 -o targets.txt 192.168.0.1-192.168.0.255

Conceivably, you could use -c to upload an entire tool kit to the target. If you suspect a file already exists and you want to overwrite it only with a newer version, you can supply the -v option in conjunction with -c. The -v option instructs PsExec to copy the file only if the version number is higher or the date stamp is newer. A file's version number can be found by right-clicking the binary and selecting Properties.

The final options control how the remote process runs. To detach the process and let it run in the background, use -d (think daemon mode in Unix). Use -s to have the command run in the System account. The -i option enables interactive access, for example for FTP or other commands that prompt for a password.

You can also control how the remote application executes by setting its priority (-low, -belownormal, -abovenormal, -high, -realtime) and, on a multi-CPU machine, its processors with the -a option. Specify the processors by number after the -a option, such as -a 1,2 to run on processors 1 and 2 of a four-CPU system.

PsShutdown

PsShutdown is the exception to the rule for PsTools expansion. It performs the same functions as the Resource Kit shutdown tool. Both work remotely. You can shut down a server or stop a pending shutdown. The PsShutdown usage is shown here and in the table that follows (yes, it is safe to type psshutdown without options; it will display the usage):

 C:\>psshutdown
 PsShutdown v2.50 - Shutdown, logoff and power manage local and remote systems
 Copyright (C) 1999-2005 Mark Russinovich
 Sysinternals - www.sysinternals.com

 usage: psshutdown -s|-r|-h|-d|-k|-a|-l|-o [-f] [-c] [-t [nn|h:m]] [-v nn] [-e [u|p]:xx:yy]
                   [-m "message"] [-u Username [-p password]] [-n s] [\\computer[,computer[,...]|@file]

 PsShutdown Option   Description
 -a                  Aborts a shutdown (only possible while a countdown is in progress).
 -c                  Allows the shutdown to be aborted by the interactive user.
 -d                  Suspends the computer.
 -e                  Shutdown reason code (available on Windows XP and higher). Specify u for unplanned and p for planned shutdown reason codes. xx is the major reason code (< 256); yy is the minor reason code (< 65536).
 -f                  Forces the running applications to close.
 -h                  Hibernates the computer.
 -k                  Powers off the computer (reboots if power-off is not supported).
 -l                  Locks the computer.
 -m                  Displays a message to logged-on users.
 -n                  Specifies the timeout in seconds when connecting to remote computers.
 -o                  Logs off the console user.
 -p                  Specifies an optional password for the username. If you omit this, you will be prompted to enter a hidden password.
 -r                  Reboots after shutdown.
 -s                  Shuts down without powering off.
 -t                  Specifies the countdown in seconds until shutdown (default is 20) or the time of shutdown (in 24-hour notation).
 -u                  Specifies an optional username for login to the remote computer.
 -v                  Displays the message for the specified number of seconds before the shutdown. If you omit this parameter, the shutdown notification dialog is displayed; specifying a value of 0 omits the dialog.
 \\computer          Shuts down the specified remote computer.
 @file               Shuts down the computers listed in the specified file.

There are no catches to using this tool. To shut down a system somewhat ungracefully, use the -f option; it works just like shutdown /c /y from the Resource Kit. Its benefit over the shutdown utility is that PsShutdown includes the -o option to log off the console user forcefully.

Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006