4/24/2009

More PSEXEC

Here are some other useful psexec commands; let’s take the IP 10.20.198.58 as an example:

See the network configuration of a remote workstation or server:

c:\>psexec \\10.20.198.58 ipconfig /all

Start a command prompt on a remote workstation or server:

c:\>psexec \\10.20.198.58 cmd.exe

To see the status of a remote Windows XP SP2 firewall in a domain, type:

C:\>psexec \\10.20.198.58 Netsh firewall show state verbose=enable

You will get a lot of information for troubleshooting the Windows firewall, but that is not the topic here.

To enable the Windows firewall remotely on Windows XP SP2, here is the little lab. Have fun!

C:\>psexec \\10.20.198.58 Netsh firewall set opmode enable

4/16/2009

LOGOFF Remote users and administrators

Use it when you want to log off a remote admin because you hate using the Windows Terminal Services console or because it sometimes crashes. It works on Windows Server 2003.

The syntax for this exercise:

C:\Administrator>psexec \\192.168.0.2 -u testing\administrator cmd

PsExec v1.94 - Execute processes remotely
Copyright (C) 2001-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

Password: ********

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>query session

 SESSIONNAME       USERNAME          ID  STATE   TYPE   DEVICE
>console           Administrator      0  Active  wdcon
 rdp-tcp                          65536  Listen  rdpwd
 rdp-tcp#4         Spiderman          1  Active  rdpwd
 rdp-tcp#5         Superman           2  Active  rdpwd

C:\WINDOWS\system32>logoff 1

C:\WINDOWS\system32>logoff 2

And here you have the lab; click the image to enlarge:



Somebody will ask how to log off users on workstations. We are here with psexec, but as a preview of the psshutdown tool, this command forces the open applications on the remote PC to close and proceeds with the logoff of the console user:

>psshutdown \\MarketingPC -f -o

4/09/2009

Sysinternals Networking Utilities (Pstools- PSEXEC)

Under the Network Tools from Sysinternals are, of course, the PsTools, with their own subcategory of tools. I have left the other tools, like AdInsight and AdExplorer, for the last posts in this category.

Install software using PStools:

Let’s look at the scenario where you want to run a program, a hotfix or any update on the workstations in your domain, for example to update the Windows Installer across your Windows XP infrastructure in a Windows 2003 domain.

1. Open Notepad, add the following code and save it as a .bat file:

psexec @c:\Folder\PChostnameList.txt -d -c WindowsInstaller-KB893803-v2-x86.exe /q /norestart
pause


Execute it from the command line and you will have a silent deployment. Copy the WindowsInstaller executable into the same folder. PChostnameList.txt contains just the hostnames of the PCs you want to affect. The output will look similar to this; in this case, for testing purposes, I have added just one hostname:




3/27/2009

Sysinternals Networking Utilities (AD restore)

After trying (in my opinion) the most important tools from the category “System Information”, let's go to the next category, “Sysinternals Networking Utilities”.
One of the most typical problems for AD administrators is deleted (tombstoned) objects.

Let’s see one typical case, you have an executive user, say Bill Gates, with logon name bgates in the OU La Habana:



You accidentally delete this user (this also applies to other AD objects: groups, computers, etc.). Normally you would have to restore the AD completely from a system state backup, or use some other form of restore with third-party tools, with all the risks: the backup is not functional, you don't have the backup tape near you, etc. But Sysinternals has a good alternative: adrestore.

Download this tool:
http://technet.microsoft.com/en-us/sysinternals/bb963906.aspx

and copy it to the windows\...\system32 path on the DC where you are restoring the object.

Now let’s DELETE this user Bill Gates. Immediately after that, go to your DC, open a command prompt and type the following:



With this tool the deleted user appears again in the original OU, but the user account is disabled. Be sure to check the other properties of this user account; sometimes you do not get a full restore. I mean, you may have to add the user to the respective AD groups again and check other account settings.



If you want to restore a specific user, group, computer, etc, type:

c:\> adrestore -r bgates

Have fun !!

3/12/2009

Logged Users in Domain – System Information(with Psexec)

Sometimes you don't get any results with psloggedon \\remotePC on Windows systems. I didn't investigate further, so I used another tool from PsTools, psexec; we will have other posts exclusively for this amazing tool. For now, let’s use it to find out who is logged on to a remote system. The syntax:

C:\>PSEXEC \\remotesystem NETSH DIAG SHOW COMPUTER /V | FIND /i "username"

The little lab (for security reasons, hostnames and the domain name are hidden):


Now let’s see psexec working with "net session" against a server. You get not only the logged-on users but also the PCs (IP configuration) where the users are logged on. Great for my job!

3/06/2009

Logged Users in Domain – System Information

If you want to check which user is logged on to a PC or PCs in your Windows domain, use the tool psloggedon from Russinovich (Microsoft Windows User Management). Download it from Microsoft’s page:

http://technet.microsoft.com/en-us/sysinternals/bb897545.aspx

and copy it to your %windir%\system32 path. Remember that you must be an administrator on the PC or remote system.

C:\Documents and Settings\Admin>psloggedon batman


loggedon v1.33 - See who's logged on
Copyright ⌐ 2000-2006 Mark Russinovich
Sysinternals - www.sysinternals.com

RD\batman logged onto PC05 remotely.
RD\batman logged onto PC04 remotely.
RD\batman logged onto PC07 remotely.
RD\batman logged onto MYPC locally.
RD\batman logged onto S01 remotely.
RD\batman logged onto S02 remotely.

Let's see who is now remotely logged on to PC08:
C:\>psloggedon \\PC08


loggedon v1.33 - See who's logged on
Copyright ⌐ 2000-2006 Mark Russinovich
Sysinternals - www.sysinternals.com

Users logged on locally:
Error: could not retrieve logon time
NT AUTHORITY\SERVICIO LOCAL
Error: could not retrieve logon time
NT AUTHORITY\Servicio de red
06-Mar-2009 6:58:31 AM CONTOSO\intruder
Error: could not retrieve logon time
NT AUTHORITY\SYSTEM

Users logged on via resource shares:
06-Mar-2009 12:05:28 PM CONTOSO\Admin

We find the user "intruder" logged on to the remote system.
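Spotting "intruder" by eye works for one PC; for many hosts the same check can be scripted. The following Python is an added example, not part of the original post: it parses the psloggedon section output shown above and lists accounts that are neither built-in service identities nor on an allowlist. The allowlist contents and the assumption that timestamps always use the format printed above are mine.

```python
import re

# Section output copied from the psloggedon \\PC08 run above (banner omitted).
SAMPLE = r"""Users logged on locally:
Error: could not retrieve logon time
NT AUTHORITY\SERVICIO LOCAL
Error: could not retrieve logon time
NT AUTHORITY\Servicio de red
06-Mar-2009 6:58:31 AM CONTOSO\intruder
Error: could not retrieve logon time
NT AUTHORITY\SYSTEM

Users logged on via resource shares:
06-Mar-2009 12:05:28 PM CONTOSO\Admin
"""

SECTIONS = {"users logged on locally:": "local",
            "users logged on via resource shares:": "share"}
# Optional "06-Mar-2009 6:58:31 AM" stamp (format as printed above), then
# DOMAIN\account; both parts may contain spaces on localized systems.
ENTRY = re.compile(
    r"^(?:(?P<when>\d{1,2}-\w{3}-\d{4}\s+\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+)?"
    r"(?P<domain>[^\\]+)\\(?P<user>.+)$")

def parse_psloggedon(text):
    """Return (section, domain, user, logon_time_or_None) for every listed logon."""
    section, entries = None, []
    for line in map(str.strip, text.splitlines()):
        if line.lower() in SECTIONS:
            section = SECTIONS[line.lower()]
        elif section and (m := ENTRY.match(line)):
            entries.append((section, m["domain"].strip(), m["user"].strip(), m["when"]))
    return entries

def unexpected_logons(entries, allowed, builtin_domains=("NT AUTHORITY",)):
    """Logons that are neither built-in service identities nor on the allowlist."""
    allowed = {a.lower() for a in allowed}
    return [e for e in entries
            if e[1].upper() not in builtin_domains
            and f"{e[1]}\\{e[2]}".lower() not in allowed]

if __name__ == "__main__":
    # Hypothetical allowlist for PC08; build the real one from your own records.
    allowed = {r"CONTOSO\Admin"}
    for section, domain, user, when in unexpected_logons(parse_psloggedon(SAMPLE), allowed):
        print(f"unexpected {section} logon on PC08: {domain}\\{user} since {when or 'unknown'}")
```

Feed it the redirected output of psloggedon for each host; entries whose logon time could not be retrieved are kept with a time of None rather than dropped.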

3/03/2009

More psinfo - sysinternals

I insist on scanning a computer list or a domain with low-level tools.
With the new Windows XP SP3, and for deployments or inventory reports, you can of course use Systems Management Server (if you have it), MS-Inventory Analyzer or MS-Base Line Security Analyzer. The problem I had is that some tools stop responding when they don't find a PC, or they scan all PCs in a range of IPs, which of course takes longer.
The scenario: you want to check which PCs in your domain or host list have Windows SP2 or SP3. Try this against a computer list:

c:\>psinfo service @c:\hosts.txt

where hosts.txt is a text file that you create on the C drive, and which should simply look like this:


The output shows the hostname and the service pack number:

PsInfo v1.75 - Local and remote system information viewer
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

System information for \\PC01:
Service pack: 2
System information for \\PC02:
Service pack: 2
System information for \\PC03:
Service pack: 2
System information for \\PC04:
Service pack: 2

For reporting and Excel import this does not look so great, so let's modify the command to print in CSV format:

C:\>psinfo service -c @c:\hosts.txt

PC01,2,
PC02,2,
PC03,3,
PC04,3,
………
………

If you want to have the whole procedure automated and just import the result into Excel, type:

C:\>psinfo service -c @c:\hosts.txt>c:\servicepackinventory.txt

Finally, scan your whole domain and have fun:

C:\>psinfo service -c \\*>c:\servicepackinventory.txt

2/20/2009

Ps Tools - Sysinternals - System Information

I'm a fan of Sysinternals and use these tools almost daily; they make my work not only easier but also better and faster. I recommend them to all of you.

Download them at: http://technet.microsoft.com/en-us/sysinternals/default.aspx

Copy the executables to the %windir%\system32\ folder and make sure you have administrative rights on the remote PCs and, of course, on your own PC.

Let's see the first of them in the category System Information: psinfo

Just type psinfo and you'll get all the system information from the PC:
C:\>psinfo

PsInfo v1.75 - Local and remote system information viewer
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

System information for \\PC01:
Uptime: 2 days 0 hours 4 minutes 20 seconds
Kernel version: Microsoft Windows XP, Multiprocessor Free
Product type: Professional
Product version: 5.1
Service pack: 2
Kernel build number: 2600
Registered organization: CORP S.A.
Registered owner: CORP S.A.
Install date: 07-Oct-2008, 1:32:55 PM
Activation status: Error reading status
IE version: 6.0000
System root: C:\WINDOWS
Processors: 2
Processor speed: 2.9 GHz
Processor type: Intel(R) Core(TM)2 Duo CPU E8400 @
Physical memory: 2002 MB
Video driver: Intel(R) Q35 Express Chipset Family

You can get the same info for a remote PC with:
c:\>psinfo \\PC02

Check on the fly whether the deployed hotfixes were installed on remote PCs, along with the install date (and the uptime):

C:\>psinfo \\PC02 -h


PsInfo v1.75 - Local and remote system information viewer
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

System information for \\PC02:
Uptime: 2 days 8 hours 19 minutes 57 seconds
Kernel version: Microsoft Windows XP, Multiprocessor Free
Product type: Professional
Product version: 5.1
Service pack: 2
Kernel build number: 2600
Registered organization: CORP S.A.
Registered owner: CORP S.A.
Install date: 22-Jan-2009, 10:07:45 AM
Activation status: Error reading status
IE version: 6.0000
System root: C:\WINDOWS
Processors: 2
Processor speed: 2.9 GHz
Processor type: Intel(R) Core(TM)2 Duo CPU E8400 @
Physical memory: 2002 MB
Video driver: Intel(R) Q35 Express Chipset Family

Installed HotFix
22-Jan-2009 Windows XP Hotfix - KB885222
05-Feb-2009 Windows XP Hotfix - KB886185
22-Jan-2009 Windows Installer 3.1 (KB893803)
05-Feb-2009 Update for Windows XP (KB894391)
22-Jan-2009 Security Update for Windows XP (KB896358)
18-Nov-2008 Update for Windows XP (KB898461)
05-Feb-2009 Update for Windows XP (KB900485)
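
The service-pack inventory and the hotfix listing above both end in text that still has to be read host by host. As an added example (not from the original post), this Python parses psinfo -h output for several hosts and reports which ones fall below a baseline, including hosts that never answered. The two-host sample, the host list, the minimum service pack and the required KB set are constructed assumptions.

```python
import re

# Constructed two-host sample in the layout of the psinfo -h output above.
SAMPLE = r"""System information for \\PC02:
Service pack: 2
Installed HotFix
22-Jan-2009 Windows Installer 3.1 (KB893803)
22-Jan-2009 Security Update for Windows XP (KB896358)
System information for \\ PC03:
Service pack: 3
Installed HotFix
05-Feb-2009 Windows XP Hotfix - KB886185
05-Feb-2009 Windows Installer 3.1 (KB893803)
"""

HOST = re.compile(r"^System information for \\\\\s*(?P<host>[^:\s]+):")
SP = re.compile(r"^Service pack:\s*(?P<sp>\d+)")
KB = re.compile(r"\bKB\d{6,7}\b")

def parse_psinfo(text):
    """Map host -> {'sp': int or None, 'kbs': set of KB ids} from psinfo -h output."""
    hosts, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if (m := HOST.match(line)):
            current = hosts.setdefault(m["host"].upper(), {"sp": None, "kbs": set()})
        elif current is not None:  # ignore banner lines before the first host
            if (m := SP.match(line)):
                current["sp"] = int(m["sp"])
            current["kbs"].update(KB.findall(line))
    return hosts

def audit(hosts, expected_hosts, min_sp, required_kbs):
    """Return {host: [findings]}; hosts on the list that never answered are reported too."""
    report = {}
    for host in sorted(h.upper() for h in expected_hosts):
        info, findings = hosts.get(host), []
        if info is None:
            findings.append("no data (host unreachable or skipped)")
        else:
            if info["sp"] is None or info["sp"] < min_sp:
                findings.append(f"service pack {info['sp']} below {min_sp}")
            findings += [f"missing {kb}" for kb in sorted(set(required_kbs) - info["kbs"])]
        if findings:
            report[host] = findings
    return report

if __name__ == "__main__":
    # Host list, minimum service pack and required KBs are assumed baseline values.
    print(audit(parse_psinfo(SAMPLE), ["PC02", "PC03", "PC04"], 3, {"KB893803", "KB896358"}))
```

Comparing against the expected host list matters because a PC that was switched off during the scan produces no lines at all and would otherwise look compliant.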


Sometimes you don't have an inventory tool like Microsoft SMS, or native tools like MSIA (MS Inventory Analyzer) cannot check for non-Microsoft software on remote PCs. Sometimes you want results now, on the fly and against many remote PCs. Let's see what we can do. Run this command against a remote PC or server and make an audit on the fly:
C:\>psinfo -s \\PC02 | find "Tuning Car Studio"

PsInfo v1.75 - Local and remote system information viewer
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com
Tuning Car Studio

Great, in one line you get the software you searched for.
Do the same against your domain, saving the matches to a file, and you are done:
c:\>psinfo -s "\\*" | find "Tuning Car Studio" >c:\TuningStudioOutput.txt

2/03/2009

Active Directory - Replication 4

Let's see another useful tool which you can download from Microsoft:

http://www.microsoft.com/Downloads/details.aspx?FamilyID=158cb0fb-fe09-477c-8148-25ae02cf15d8&displaylang=en

Copy the tool to the path you like (I prefer %windir%\system32), then execute it:

C:\Documents and Settings>SONAR.EXE



You will find an interesting graphical tool for monitoring key statistics and status about members of a File Replication Service (FRS) replica set. Administrators can use Sonar to watch key statistics on a replica set in order to monitor traffic levels, backlogs, and free space.

1/23/2009

Active Directory - Replication 3

Let's see another way to troubleshoot replication. In some cases you receive a call from a remote site telling you that the change you made does not appear at the remote site.
First step:
Check replication between the two partners. In this example, the source domain controller is SYPFBDCVM01 and the target domain controller is SYPFBDCVM03.

First get the GUID of the source domain controller with:

>repadmin /showrepl



In this case I forced some errors over the past days to troubleshoot the lab. What we need from this command is the GUID (red); now we run the next command line:

>repadmin /showchanges SYPFBDCVM03.TESTING.COM 4dc3140c-ac14-42ca-9a54-c95b3cb4c0fb DC=TESTING,DC=COM
If there are no changes, you will see this output:



Otherwise you'll see the replication delay or failure; again, check:

http://technet.microsoft.com/en-us/library/bb727057.aspx

to troubleshoot each individual error in your environment.

1/16/2009

Active Directory Replication - Replication 2

Bored of opening the Active Directory Replication Monitor? Check replication on the fly:

>repadmin /replsum /bysrc /bydest /sort:delta

You'll get output similar to this, where the DCs should have 0 in the Fails column, and the largest deltas (which indicate the number of changes that have been made to the Active Directory database since the last successful replication) should be less than or roughly equal to the replication frequency of the site link that is used by the domain controller for replication. The default replication frequency is 180 minutes.



If you get a replication error or the number in the Fails column is not zero, check Event Viewer and take a look at TechNet for troubleshooting replication:

http://technet.microsoft.com/en-us/library/bb727057.aspx

1/14/2009

Active Directory Support Tools - Replication 1

First of all, install the Windows Server 2003 Support Tools: go to CD-ROM\Support\Tools and launch SUPTOOLS.MSI.

Here is the syntax; run it from a domain controller:

>dcdiag /test:replications

Under normal operation you will see something like this (see image). It means the tests for the replication variables are running successfully.

1/07/2009

Modify the Global Catalog role

Removing the global catalog from a domain controller:

dsmod server CN=DC2,CN=Servers,CN=BostonSite,CN=Configuration,DC=GC,DC=TESTING,DC=COM -isgc no

And assign the GC again to another domain controller:

dsmod server CN=DC1,CN=Servers,CN=BostonSite,CN=Configuration,DC=GC,DC=TESTING,DC=COM -isgc yes