Thursday, August 5, 2010

Easy way to HACK remote PC

Hello guys, today I'll describe an easy way to hack into a network without much effort and without any heavy tools.
Here is a tool that will not be caught by any antivirus, and with the help of this tool you will take full control of any PC.
So, let's check it out...

PsTools is a suite of fantastic and dangerous (in the wrong hands) command-line utilities made by Mark Russinovich for Windows. In the right hands (computer professionals), PsTools can automate a computer’s shutdown, list a computer’s running processes, or kill a process. PsTools is a favorite of network pros and hackers alike. In this book I demonstrate the use of these tools on page: 


The Windows NT and Windows 2000 Resource Kits come with a number of command line tools that help you administer your Windows NT/2K systems. Over time, I've grown a collection of similar tools, including some not included in the Resource Kits. What sets these tools apart is that they all allow you to manage remote systems as well as the local one. The first tool in the suite was PsList, a tool that lets you view detailed information about processes, and the suite is continually growing. The "Ps" prefix in PsList relates to the fact that the standard UNIX process listing command-line tool is named "ps", so I've adopted this prefix for all the tools in order to tie them together into a suite of tools named PsTools.
All of the utilities in the PsTools suite work on Windows NT, Windows 2000, Windows XP, and Server 2003 and none of the tools requires any special installation. You don't even need to install any client software on the remote computers at which you target them. Run them by typing their name and any command-line options you want. To show complete usage information, specify the "-?" command-line option.
The tools included in the PsTools suite are:

1)  PsExec - execute processes remotely
Utilities like Telnet and remote control programs like Symantec's PC Anywhere let you execute programs on remote systems, but they can be a pain to set up and require that you install client software on the remote systems that you wish to access. PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems.

Installation 

Copy PsExec onto your executable path. Typing "psexec" displays its usage syntax.

Usage

usage: psexec [\\computer[,computer[,...] | @file][-u user [-p psswd]][-n s][-l][-s|-e][-i [session]][-c [-f|-v]][-d][-w directory][-priority][-a n,n,...] cmd [arguments]


computer
Direct PsExec to run the application on the computer or computers specified. If you omit the computer name PsExec runs the application on the local system and if you enter a computer name of \\* then PsExec executes the commands on all computers in the current domain.

@file
PsExec will execute the command on each of the computers listed in the file.
 
-u
Specifies optional user name for login to remote computer.
 
-p
Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password.
 
-s
Run remote process in the System account.
 
-e
Loads the specified account's profile.
 
-i
Run the program so that it interacts with the desktop of the specified session on the remote system. If no session is specified the process runs in the console session.

-l
Run process as limited user (strips the Administrators group and allows only privileges assigned to the Users group). On Windows Vista the process runs with Low Integrity.
 
-c
Copy the specified program to the remote system for execution. If you omit this option then the application must be in the system's path on the remote system.

-n
Specifies timeout in seconds connecting to remote computers.
 
-f
Force the copy of the specified program if it already exists on the remote system.
 
-v
Copy the specified file only if it has a higher version number or is newer than the one on the remote system.
 
-d
Don't wait for application to terminate. Only use this option for non-interactive applications.

-w
Set the working directory of the process (relative to the remote computer).

-x
Display the UI on the Winlogon desktop.
 
-priority
Specifies -low, -belownormal, -abovenormal, -high or -realtime to run the process at a different priority.
 
-a
Separate processors on which the application can run with commas where 1 is the lowest numbered CPU. For example, to run the application on CPU 2 and CPU 4, enter: "-a 2,4"
 
arguments
Arguments to pass (note that file paths must be absolute paths on the target system)

You can enclose applications that have spaces in their name with quotation marks, e.g. psexec \\marklap "c:\long name\app.exe". Put arguments directed at the application outside of the quotation marks. Input is only passed to the remote system when you press the enter key, and typing Ctrl-C terminates the remote process.
If you omit a username the remote process runs in the same account from which you execute PsExec, but because the remote process is impersonating it will not have access to network resources on the remote system. When you specify a username the remote process executes in the account specified, and will have access to any network resources the account has access to. Note that the password is transmitted in clear text to the remote system.

Examples 

 The following command launches an interactive command prompt on \\marklap:

psexec \\marklap cmd

This command executes IpConfig on the remote system with the /all switch, and displays the resulting output locally:
psexec \\marklap ipconfig /all

This command copies the program test.exe to the remote system and executes it interactively:
psexec \\marklap -c test.exe

Specify the full path to a program that is already installed on a remote system if it's not on the system's path:
psexec \\marklap c:\bin\test.exe
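
A defender reviewing process-creation logs can parse PsExec command lines against the usage text above to spot the riskier invocations, such as a password passed with -p. This is an added example, not code from the original page or from Sysinternals; the sample command lines, the account name and the flag labels are constructed.

```python
import shlex

# Options from the PsExec usage text above that take a value.
TAKES_VALUE = {"-u", "-p", "-n", "-w", "-a"}
SWITCHES = {"-s", "-e", "-l", "-c", "-f", "-v", "-d", "-x", "-i",
            "-low", "-belownormal", "-abovenormal", "-high", "-realtime"}
# Review labels (hypothetical names) for options worth a second look.
FLAGGED = {"-p": "password-on-command-line", "-s": "runs-as-system",
           "-c": "copies-binary-to-remote"}

def parse_psexec(cmdline):
    """Parse a logged PsExec command line; return None for other programs."""
    tokens = shlex.split(cmdline, posix=False)   # posix=False keeps backslashes
    exe = tokens[0].strip('"').lower().rsplit("\\", 1)[-1] if tokens else ""
    if exe not in ("psexec", "psexec.exe"):
        return None
    targets, opts, i = [], {}, 1
    while i < len(tokens):
        tok, low = tokens[i], tokens[i].lower()
        if tok.startswith("\\\\"):
            targets += tok.split(",")            # \\computer[,computer[,...]]
        elif tok.startswith("@"):
            targets.append(tok)                  # @file listing computers
        elif low in TAKES_VALUE and i + 1 < len(tokens):
            i += 1
            opts[low] = i                        # index of the option's value
        elif low in SWITCHES:
            opts[low] = None
            if low == "-i" and i + 1 < len(tokens) and tokens[i + 1].isdigit():
                i += 1                           # optional session number
        else:
            break                                # the remote command starts here
        i += 1
    return {"tokens": tokens, "targets": targets, "opts": opts}

def findings(cmdline):
    """Return review flags for one command line (empty list if not PsExec)."""
    p = parse_psexec(cmdline)
    if p is None:
        return []
    out = [label for opt, label in FLAGGED.items() if opt in p["opts"]]
    if "\\\\*" in p["targets"]:
        out.append("all-domain-computers")       # \\* means the whole domain
    return out

def redact(cmdline):
    """Mask the -p value so the log line can be stored without the secret."""
    p = parse_psexec(cmdline)
    if p is None or "-p" not in p["opts"]:
        return cmdline
    p["tokens"][p["opts"]["-p"]] = "<redacted>"
    return " ".join(p["tokens"])

# Constructed sample command lines, as a process-creation log would record them.
SAMPLES = [r"psexec \\marklap ipconfig /all",
           r"psexec.exe \\srv01,srv02 -u CORP\svc_admin -p Example-Pass1 -s cmd",
           r"C:\tools\psexec.exe \\* -c -f test.exe"]

if __name__ == "__main__":
    for line in SAMPLES:
        print(findings(line), "|", redact(line))
```

Parsing stops at the first token that is not a PsExec option, so a -p that belongs to the remote command is not mistaken for a password.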

2)  PsFile - shows files opened remotely
The "net file" command shows you a list of the files that other computers have opened on the system upon which you execute the command, however it truncates long path names and doesn't let you see that information for remote systems. PsFile is a command-line utility that shows a list of files on a system that are opened remotely, and it also allows you to close opened files either by name or by a file identifier.

Installation 

Copy PsFile onto your executable path and type "psfile".

Usage

 The default behavior of PsFile is to list the files on the local system that are open by remote systems. Typing a command followed by "-?" displays information on the syntax for the command.
usage: psfile [\\RemoteComputer [-u Username [-p Password]]] [[Id | path] [-c]]

-u
Specifies optional user name for login to remote computer.

-p
Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password.

Id
Identifier (as assigned by PsFile) of the file for which to display information or to close.

Path
Full or partial path of files to match for information display or close.

-c
Closes the files identified by ID or path.


3)  PsGetSid - display the SID of a computer or a user
Have you performed a rollout only to discover that your network might suffer from the SID duplication problem? In order to know which systems have to be assigned a new SID (using a SID updater like Sysinternals' own NewSID) you have to know what a computer's machine SID is. Up until now there's been no way to tell the machine SID without knowing Regedit tricks and exactly where to look in the Registry. PsGetSid makes reading a computer's SID easy, and works across the network so that you can query SIDs remotely. PsGetSid also lets you see the SIDs of user accounts.

Installation 

Copy PsGetSid onto your executable path and type "psgetsid".

Usage

 psgetsid [\\computer[,computer[,...] | @file [-u username [-p password]]] [account]

If you want to see a computer's SID just pass the computer's name as a command-line argument. If you want to see a user's SID, name the account (e.g. "administrator") on the command-line and an optional computer name.
Specify a user name if the account you are running from doesn't have administrative privileges on the computer you want to query. If you don't specify a password as an option PsGetSid will prompt you for one so that you can type it in without having it echoed to the display.


4)  PsInfo - list information about a system
PsInfo is a command-line tool that gathers key information about the local or remote system, including the type of installation, kernel build, registered organization and owner, number of processors and their type, memory size, the install date of the system, and if it's a trial version, the expiration date. PsInfo command-line switches also let you view installed hotfixes and software applications.

Installation 

 Copy PsInfo onto your executable path and type psinfo.

Usage 

 By default PsInfo shows information for the local system. Specify a remote computer name to obtain information from the remote system. Since PsInfo relies on remote Registry access to obtain its data, the remote system must be running the Remote Registry service and the account from which you run PsInfo must have access to the HKLM\System portion of the remote Registry.

In order to aid in automated Service Pack updates, PsInfo returns as a value the Service Pack number of the system (e.g. 0 for no service pack, 1 for SP 1, etc).
usage: 
psinfo [\\computer[,computer[,...] | @file [-u username [-p password]]] [-h] [-s] [-d] [-c [-t delimiter]]

5)  PsKill - kill processes by name or process ID
 Windows NT/2000 does not come with a command-line 'kill' utility. You can get one in the Windows NT or Win2K Resource Kit, but the kit's utility can only terminate processes on the local computer. PsKill is a kill utility that not only does what the Resource Kit's version does, but can also kill processes on remote systems. You don't even have to install a client on the target computer to use PsKill to terminate a remote process.

Installation

Copy PsKill onto your executable path and type pskill with command-line options defined below.

Usage

Running PsKill with a process ID directs it to kill the process of that ID on the local computer. If you specify a process name PsKill will kill all processes that have that name.
pskill [-t] [\\computer [-u username] [-p password]] [process name | process id]

6)  PsList - list detailed information about processes
Most UNIX operating systems ship with a command-line tool called "ps" (or something equivalent) that administrators use to view detailed information about process CPU and memory usage. Windows NT/2K comes with no such tool natively, but you can obtain similar tools with the Windows NT Workstation or Server Resource Kits. The tools in the Resource Kits, pstat and pmon, show you different types of information, and will only display data regarding the processes on the system on which you run the tools.
PsList is a utility that shows you a combination of the information obtainable individually with pmon and pstat. You can view process CPU and memory information, or thread statistics. What makes PsList more powerful than the Resource Kit tools is that you can view process and thread statistics on a remote computer.

Installation

Copy PsList onto your executable path and type "pslist".

Usage 

The default behavior of PsList is to show CPU-oriented information for all the processes that are currently running on the local system. The information listed for each process includes the time the process has executed, the amount of time the process has executed in kernel and user modes, and the amount of physical memory that the OS has assigned the process. Command-line switches allow you to view memory-oriented process information, thread statistics, or all three types of data.

pslist [-?] [-d] [-m] [-x][-t][-s [n] [-r n]] [\\computer [-u username] [-p password]] [[-e] name | pid]

7)  PsLoggedOn - see who's logged on locally and via resource sharing.
You can determine who is using resources on your local computer with the "net" command ("net session"), however, there is no built-in way to determine who is using the resources of a remote computer. In addition, NT comes with no tools to see who is logged onto a computer, either locally or remotely. PsLoggedOn is an applet that displays both the locally logged on users and users logged on via resources for either the local computer, or a remote one. If you specify a user name instead of a computer, PsLoggedOn searches the computers in the network neighborhood and tells you if the user is currently logged on.
PsLoggedOn's definition of a locally logged on user is one that has their profile loaded into the Registry, so PsLoggedOn determines who is logged on by scanning the keys under the HKEY_USERS key. For each key that has a name that is a user SID (Security Identifier), PsLoggedOn looks up the corresponding user name and displays it. To determine who is logged onto a computer via resource shares, PsLoggedOn uses the NetSessionEnum API. Note that PsLoggedOn will show you as logged on via resource share to remote computers that you query because a logon is required for PsLoggedOn to access the Registry of a remote system.

Installation

Copy PsLoggedOn onto your executable path and type "psloggedon".

Usage

psloggedon [-?] [-l] [-x] [\\computername | username]
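
The HKEY_USERS scan described above can be reproduced offline on a list of subkey names, which helps when checking PsLoggedOn output or reviewing a registry export. This is an added example, not PsLoggedOn's own code; the key names and SIDs are constructed, and it relies on the fact that a local account's SID is the machine SID (the value PsGetSid prints for a computer) followed by a relative ID (RID).

```python
import re

# Account SIDs look like S-1-5-21-<three sub-authorities>-<RID>.
ACCOUNT_SID = re.compile(r"^S-1-5-21-(\d+-\d+-\d+)-(\d+)$")
BUILTIN_ADMIN_RID = 500   # well-known RID of the built-in Administrator

def loaded_profiles(hku_subkeys):
    """Return one record per HKEY_USERS key whose name is an account SID."""
    profiles = []
    for name in hku_subkeys:
        m = ACCOUNT_SID.match(name)
        if not m:
            continue   # .DEFAULT, service SIDs (S-1-5-18/19/20), *_Classes hives
        rid = int(m.group(2))
        profiles.append({
            "sid": name,
            "issuer": "S-1-5-21-" + m.group(1),   # machine or domain SID
            "rid": rid,
            "builtin_admin": rid == BUILTIN_ADMIN_RID,
        })
    return profiles

def foreign_issuers(hku_subkeys, machine_sid):
    """Issuers other than this machine: profiles of non-local (domain) accounts."""
    return sorted({p["issuer"] for p in loaded_profiles(hku_subkeys)
                   if p["issuer"] != machine_sid})

# Constructed subkey names, as they would appear under HKEY_USERS.
SAMPLE_KEYS = [
    ".DEFAULT", "S-1-5-18", "S-1-5-19", "S-1-5-20",
    "S-1-5-21-1234567890-1234567891-1234567892-500",
    "S-1-5-21-1234567890-1234567891-1234567892-500_Classes",
    "S-1-5-21-2000000001-2000000002-2000000003-1104",
    "S-1-5-21-2000000001-2000000002-2000000003-1104_Classes",
]
MACHINE_SID = "S-1-5-21-1234567890-1234567891-1234567892"  # constructed

if __name__ == "__main__":
    for profile in loaded_profiles(SAMPLE_KEYS):
        print(profile)
    print(foreign_issuers(SAMPLE_KEYS, MACHINE_SID))
```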

8)  PsLogList - dump event log records 
The Resource Kit comes with a utility, elogdump, that lets you dump the contents of an Event Log on the local or a remote computer. PsLogList is a clone of elogdump except that PsLogList lets you login to remote systems in situations where your current set of security credentials would not permit access to the Event Log, and PsLogList retrieves message strings from the computer on which the event log you view resides.

Installation 

 Copy PsLogList onto your executable path and type "psloglist".

Usage 

 The default behavior of PsLogList is to show the contents of the System Event Log on the local computer, with visually-friendly formatting of Event Log records. Command line options let you view logs on different computers, use a different account to view a log, or to have the output formatted in a string-search friendly way.

psloglist [-?] [\\computer[,computer[,...] | @file [-u username [-p password]]] [-s [-t delimiter]] [-m #|-n #|-h #|-d #|-w][-c][-x][-r][-a mm/dd/yy][-b mm/dd/yy][-f filter]   [-i ID[,ID[,...] | -e ID[,ID[,...]]] [-o event source[,event source][,..]]] [-q event source[,event source][,..]]]  [-l event log file] [eventlog]


9)  PsPasswd - changes account passwords.
Systems administrators that manage local administrative accounts on multiple computers regularly need to change the account password as part of standard security practices. PsPasswd is a tool that lets you change an account password on the local or remote systems, enabling administrators to create batch files that run PsPasswd against the computers they manage in order to perform a mass change of the administrator password.

Installation

Copy PsPasswd onto your executable path and type pspasswd with command-line options defined below.

Usage 

 You can use PsPasswd to change the password of a local or domain account on the local or a remote computer.

pspasswd [\\computer[,computer[,...] | @file [-u username [-p password]]] Username [NewPassword]]

10)  PsService - view and control services.
 PsService is a service viewer and controller for Windows NT/2K. Like the SC utility that's included in the Windows NT and Windows 2000 Resource Kits and Windows XP, PsService displays the status, configuration, and dependencies of a service, and allows you to start, stop, pause, resume and restart them. Unlike the SC utility, PsService enables you to logon to a remote system using a different account, for cases when the account from which you run it doesn't have required permissions on the remote system. PsService includes a unique service-search capability, which identifies active instances of a service on your network. You would use the search feature if you wanted to locate systems running DHCP servers, for instance.
Finally, PsService works on both NT 4 and Windows 2000, whereas the Windows 2000 Resource Kit version of SC requires Windows 2000, and PsService doesn't require you to manually enter a "resume index" in order to obtain a complete listing of service information.

Installation

Copy PsService onto your executable path and type "psservice".

Usage 

The default behavior of PsService is to display the configured services (both running and stopped) on the local system. Entering a command on the command-line invokes a particular feature, and some commands accept options. Typing a command followed by "-?" displays information on the syntax for the command.

psservice [\\computer [-u username] [-p password]] [command][options]

11)  PsShutdown - shuts down and optionally reboots a computer.
PsShutdown is similar to the Resource Kit and Windows XP shutdown tools, providing you the same options and ability to shutdown, and optionally reboot, local and remote Windows NT/2K/XP/2003 systems. It also provides additional options that make it more powerful and flexible.

Installation

Copy PsShutdown onto your executable path and type "psshutdown" with command-line options defined below.

Usage 

 You can use PsShutdown to initiate a shutdown of the local or a remote computer, abort an imminent shutdown, logoff a console user, or lock the desktop.

psshutdown [\\computer[,computer[,...] | @file [-u username [-p password]]]  -s|-r|-h|-d|-k|-a|-l|-o [-f] [-c] [-n s] [-t nn|h:m]  [-e [u|p]:xx:yy] [-m "message"]

12)  PsSuspend - suspend and resume processes.
PsSuspend lets you suspend processes on the local or a remote system, which is desirable in cases where a process is consuming a resource (e.g. network, CPU or disk) that you want to allow different processes to use. Rather than kill the process that's consuming the resource, suspending permits you to let it continue operation at some later point in time.

Installation

Copy PsSuspend onto your executable path and type "pssuspend" with command-line options defined below.

Usage 

Running PsSuspend with a process ID directs it to suspend the process of that ID on the local computer. If you specify a process name PsSuspend will suspend all processes that have that name. Specify the -r switch to resume suspended processes.

pssuspend [-r] [\\computer [-u username] [-p password]] [process name | process id]


Requirements

 Some of the tools require that the default admin$ share be available and/or that the Remote Registry service be active.

So, download it from HERE and enjoy.


About 'Anu': My name is 'Anu', also known as 'ANU 007 TIGER'. I'm the administrator of the 'PC Tips by Anu' blog. This blog was opened for sharing content about hacking and cracking.