How to securely use PSEXEC with a remote user and password from a batch file?

Taed Wynnell 0

I use PSEXEC to administer many embedded Windows systems (no KVM) that are not part of our domain. (Think of a thermostat or freezer.) They use their own user/password that does not exist in our domain or locally. I use "PSEXEC -u user -p password" to connect to them without a problem.

The IT group pointed out that the command line is logged (I assume process auditing in Windows Security Event Log) and so they see the user/password and don't like the security aspect of that, which is fine.

However, I can't figure out a way around that for my use.

Yes, if I don't specify the "-p password", it will prompt me for a password. However, I want to do this from the command line for many machines, so I don't want to continually retype the password.

I tried to ECHO the password and pipe it into PSEXEC, but that surprisingly didn't work. (I assume that PSEXEC flushes the input before prompting for a password.) Similarly, I put the password in a file and redirected it into PSEXEC and that similarly did not work.

I also tried to NET USE the remote \C$, \ADMIN$, and \IPC$ shares, thinking PSEXEC would not then need a user/password, but nope. It seems like the \ADMIN$ should have worked.

I understand that PSEXEC version 2.1 and up sends the password over the network encrypted. I verified it myself, so I'm satisfied with that aspect of it.

So does anyone know how I can use PSEXEC from a batch file to connect to a user/password on another machine without specifying the password on the command line?

RLWA32 45,581 Reputation points

2024-07-24T07:05:36.8133333+00:00

@Taed Wynnell Any updates on this issue?

2 answers

RLWA32 45,581

There may be an easier way but using a launcher process to tweak the PsExec64 command line worked in a test for me. The launcher process starts PsExec64.exe suspended. The command line passed to CreateProcess uses "XXXXXXXX" for the user and password parameters. This is what is captured in the Security event log for Process Creation event id 4688. The launcher process replaces the filler characters with the real user name and password and then resumes the PsExec64.exe process.

Event log entry -

Auditlog

Its hackish and ugly but it worked.

Taed Wynnell 5 Reputation points

2024-07-20T15:12:09.38+00:00

Clever idea! I'm not sure how to start the process as suspended, though. Could you explain that or point me to your code or an example? Thank you!

RLWA32 45,581

One of the Process Creation Flags that can be passed to the CreateProcess function is CREATE_SUSPENDED. The ResumeThread function is called to continue execution after the the command line of the suspended process has been changed by inserting the actual username and password. I used VS2022 Community to create the test program and ran it on Win 10 22H2. Instead of hard coding parameters i used an old-fashioned .ini file instead of a modern xml settings file. The .ini file should be in the same folder with the test program.

The bitness of the test program should match the bitness of the PsExec(64).exe that you are using.

Example .ini file

[Machine1]
Machine="\\machine"
User="Username"
Password="password"
PSExec=""C:\Program Files\Sysinternals\PSTools\PsExec.exe""
PSExec64=""C:\Program Files\Sysinternals\PSTools\PsExec64.exe""
PSECommands="-i -d "C:\Windows\System32\cmd.exe""

[Machine2]
Machine="\\machine2"
User="someotheruser"
Password="otherpass"
PSExec=""C:\Program Files\Sysinternals\PSTools\PsExec.exe""
PSExec64=""C:\Program Files\Sysinternals\PSTools\PsExec64.exe""
PSECommands ="-i -d C:\Windows\System32\notepad.exe"

While the test program does have some error checking it is not comprehensive. For example, it makes no attempt to validate the content of the .ini file. It is for illustrative purposes only as a proof of concept.

Test program code -

#define WIN32_NO_STATUS
#include <Windows.h>
#include <Shlwapi.h>
#undef WIN32_NO_STATUS
#include <ntstatus.h>
#include <winternl.h>

#pragma comment(lib, "ntdll")
#pragma comment(lib, "shlwapi")

#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>

#ifdef _WIN64
WCHAR szName[]{ L"PsExec64" };
#else
WCHAR szName[]{ L"PsExec" };
#endif

WCHAR szFile[MAX_PATH]{};

void GetMachines(std::vector<std::wstring>& m);
void Initialize(LPCWSTR section, LPWSTR user, DWORD cchuser, LPWSTR pw, DWORD cchpw, LPWSTR cmdline, DWORD cchcmdline);
void RunPsExec(LPCWSTR user, LPCWSTR pw, LPWSTR cmdline);
void Error(LPCWSTR pszmsg, DWORD err = GetLastError());

int wmain(int argc, WCHAR* argv[])
{
    WCHAR szUser[32]{}, szPW[32]{}, szCmdLine[1024]{};
    std::vector<std::wstring> machines;
    
    GetModuleFileNameW(NULL, szFile, _countof(szFile));
    PathRemoveFileSpecW(szFile);
    PathAppendW(szFile, L"PSExecStarter.ini");

    GetMachines(machines);

    if (machines.empty())
    {
        wprintf_s(L"%s was not found\n", szFile);
    }
    else
        for (auto& s : machines)
        {
            Initialize(s.c_str(), szUser, _countof(szUser), szPW, _countof(szPW), szCmdLine, _countof(szCmdLine));
            wprintf_s(L"%s\n", szCmdLine);
            RunPsExec(szUser, szPW, szCmdLine);
        }

    return 0;
}

void GetMachines(std::vector<std::wstring>& m)
{
    bool bcontinue{ true };
    size_t bufsize = 64 * sizeof(WCHAR);
    PZZWSTR pbuf = (PZZWSTR)malloc(bufsize);
    do
    {
        auto cch = bufsize / sizeof(WCHAR);
        auto nChars = GetPrivateProfileSectionNamesW(pbuf, (DWORD)cch, szFile);
        if (nChars == cch - 2)
        {
            bufsize *= 2;
            pbuf = (PZZWSTR)realloc(pbuf, bufsize);
        }
        else
            bcontinue = false;
    } while (bcontinue);

    PWSTR p = pbuf;
    while (*p)
    {
        m.push_back(p);
        p += wcslen(p) + 1;
    }

    free(pbuf);
}

void Initialize(LPCWSTR section, LPWSTR user, DWORD cchuser, LPWSTR pw, DWORD cchpw, LPWSTR cmdline, DWORD cchcmdline)
{
    WCHAR szCmds[128]{}, szPsExec[MAX_PATH]{}, szMachine[32]{};

    auto nChars = GetPrivateProfileStringW(section, L"User", NULL, user, cchuser, szFile);
    std::wstring uFiller(nChars, L'X');

    nChars = GetPrivateProfileStringW(section, L"Password", NULL, pw, cchpw, szFile);
    std::wstring pFiller(nChars, L'X');

    nChars = GetPrivateProfileStringW(section, L"Machine", NULL, szMachine, _countof(szMachine), szFile);
    nChars = GetPrivateProfileStringW(section, szName, NULL, szPsExec, _countof(szPsExec), szFile);
    nChars = GetPrivateProfileStringW(section, L"PSECommands", NULL, szCmds, _countof(szCmds), szFile);
    swprintf_s(cmdline, cchcmdline, L"%s %s -u %s -p %s %s", szPsExec, szMachine, uFiller.c_str(), pFiller.c_str(), szCmds);
}

void RunPsExec(LPCWSTR user, LPCWSTR pw, LPWSTR cmdline)
{
    STARTUPINFOW si{ sizeof si };
    PROCESS_INFORMATION pi{};

    if (CreateProcessW(nullptr, cmdline, nullptr, nullptr, FALSE, CREATE_SUSPENDED | NORMAL_PRIORITY_CLASS, nullptr, nullptr, &si, &pi))
    {
        PROCESS_BASIC_INFORMATION pbi{};
        ULONG length{};

        auto status = NtQueryInformationProcess(pi.hProcess, ProcessBasicInformation, &pbi, sizeof pbi, &length);
        if (NT_SUCCESS(status))
        {
            SIZE_T cBytes{};
            PEB peb{};

            if (ReadProcessMemory(pi.hProcess, pbi.PebBaseAddress, &peb, sizeof peb, &cBytes))
            {
                RTL_USER_PROCESS_PARAMETERS rupp{};
                if (ReadProcessMemory(pi.hProcess, peb.ProcessParameters, &rupp, sizeof rupp, &cBytes))
                {
                    auto ulength = wcslen(user), plength = wcslen(pw);
                    std::wstring uFiller(ulength, L'X'), pFiller(plength, L'X');
                    PBYTE p = (PBYTE) cmdline;

                    PWSTR puser = wcsstr(cmdline, uFiller.c_str());
                    DWORD_PTR uOffset = (DWORD_PTR)puser - (DWORD_PTR)p;
                    PWSTR pNext = puser + ulength;
                    PWSTR ppwd = wcsstr(pNext, pFiller.c_str());
                    DWORD_PTR pOffset = reinterpret_cast<DWORD_PTR>(ppwd) - reinterpret_cast<DWORD_PTR>(p);
                    PVOID newuser = (PVOID)((DWORD_PTR)rupp.CommandLine.Buffer + uOffset);
                    PVOID newpwd = (PVOID)((DWORD_PTR)rupp.CommandLine.Buffer + pOffset);
                    if (WriteProcessMemory(pi.hProcess, newuser, user, ulength * sizeof(WCHAR), &cBytes))
                    {
                        if (WriteProcessMemory(pi.hProcess, newpwd, pw, plength * sizeof(WCHAR), &cBytes))
                        {
                            ResumeThread(pi.hThread);
                            CloseHandle(pi.hThread);
                            WaitForSingleObject(pi.hProcess, INFINITE);
                            DWORD code{};
                            GetExitCodeProcess(pi.hProcess, &code);
                            wprintf_s(L"%s has exited with code %d\n", szName, code);
                            CloseHandle(pi.hProcess);
                        }
                        else
                        {
                            Error(L"WriteProcessMemory");
                            TerminateProcess(pi.hProcess, 3);
                        }
                    }
                    else
                    {
                        Error(L"WriteProcessMemory");
                        TerminateProcess(pi.hProcess, 3);
                    }
                }
                else
                {
                    Error(L"ReadProcessMemory");
                    TerminateProcess(pi.hProcess, 3);
                }
            }
            else
            {
                Error(L"ReadProcessMemory");
                TerminateProcess(pi.hProcess, 3);
            }
        }
        else
        {
            Error(L"NtQueryInformationProcess", RtlNtStatusToDosError(status));
            TerminateProcess(pi.hProcess, 3);
        }
    }
    else
        Error(L"CreateProcess");
}

void Error(LPCWSTR pszmsg, DWORD err)
{
    wprintf_s(L"%s, error code was %d\n", pszmsg, err);
}

MotoX80 34,076

What OS are these machines running? How about using Powershell instead of psexec? On the remote systems run "winrm quickconfig" to enable remoting.

$target = "test10"
$script = 
 {
    "This script is running on {0}" -f $env:COMPUTERNAME
    ""
    "**** Calling whoami to execute on the remote system"
    c:\Windows\system32\whoami.exe
    ""
 }
 $User = ".\admin"
 $PWord = ConvertTo-SecureString -String "admin" -AsPlainText -Force
 $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $PWord
Invoke-Command -ComputerName  $target -credential $Credential -ScriptBlock $script

Share via

How to securely use PSEXEC with a remote user and password from a batch file?

2 answers

Your answer