PowerShell vs. CMD (using PsExec) for Remote Command Execution

PsExec and PowerShell allow admins to be able to execute system commands remotely, without too much pre-configuration or overhead. 

Monitoring and maintaining large-scale, complex, highly distributed and interconnected systems can be extremely challenging for network administrators. Traditional IT management approaches are ill-equipped to handle the complexity of today's application architectures and deployment environments. It is common for one IT admin to support hundreds of machines in an enterprise network daily, and having to physically walk to each machine individually in order to issue a simple command is not acceptable. Therefore, being able to execute system commands remotely without much additional pre-configuration and overhead is always a welcome solution.

In this blog post, we are going to discuss how to use two remote command execution tools, PowerShell and PsExec. The latter will be used to run command prompt (also known as cmd) programs remotely. Our example will leverage command-line tools from two of the OESIS Framework modules, the Endpoint Security Compliance diagnose and the Application Removal, but any other command-line tool can be used in a similar fashion.

The Endpoint Security Compliance diagnose is a troubleshooting tool which leverages OESIS functionalities internally and provides necessary information and visibility to the OPSWAT engineering team to perform debugging on customer environments.

The Application Removal allows silent or unassisted removal of over 2,000 applications, from a wide range of software categories.

*These steps are provided under the assumption that the user domain is in a protected network and that the command is being triggered by the system administrator. Both methods require an account with administrative rights on the remote machine, and the credentials used here are equivalent to an interactive administrator logon on that machine, so they should be handled accordingly.

PowerShell

Introduction:

PowerShell is provided by Microsoft as a replacement for the classic command shell, bringing advanced scripting to Windows. It provides full access to COM and WMI and enables administrators to run system commands on both local and remote Windows systems; remote execution goes over the WinRM service (the WS-Management protocol). Previously, PowerShell was packaged as a separate add-on to Windows, marketed mainly to server administrators. Starting with Windows 7, PowerShell is a built-in part of the operating system, giving this capability to all Windows users. The tool has evolved over the years, and it is now the go-to Windows command line tool for many power users.

Step by step usage for Endpoint Security Compliance diagnose:

  1. On the remote machine, enable remote commands in PowerShell as instructed below (please make sure that your Connection Type is set to Domain or Private, otherwise enabling the WinRM service will fail on the Public profile):

     PS C:\Windows\system32> Enable-PSRemoting -Force

  2. On the local machine, add the remote system to the WinRM client's trusted hosts list in PowerShell as seen below. The entry is the address of the remote machine, not the local one. This step is only needed when the machines are not in the same Active Directory domain or you connect by IP address, because then WinRM falls back from Kerberos to NTLM and cannot verify the server's identity; a host in TrustedHosts is trusted without mutual authentication, so keep the list as short as possible. -Value overwrites the existing list; add -Concatenate to append to it:

     PS C:\Windows\system32> Set-Item wsman:\localhost\Client\TrustedHosts -Value <remote_machine_ipv4>

  3. On the local machine, set the execution policy to RemoteSigned in PowerShell as below, so that the locally created script file can be run (this affects running .ps1 files locally, not the remote session itself):

     PS C:\Windows\system32> Set-ExecutionPolicy RemoteSigned

  4. Copy the diagnose package (including the WaDiagnose.exe) to the remote machine.

  5. On the local machine, create the PowerShell script "remoteLaunchWaDiagnose.ps1" as seen below:

     #Predefine necessary information
     $Username = "<remote_machine_ip_or_domain>\<domain_user>"
     $Password = "<remote_machine_password>"
     $ComputerName = "<remote_machine_ip_or_computer_name>"
     $Script = { C:\oesis\WaDiagnose.exe }

     #Create credential object
     #Note: the password is stored in plain text in this script; Get-Credential prompts for it instead and avoids leaving it on disk.
     $SecurePassword = ConvertTo-SecureString -AsPlainText $Password -Force
     $Cred = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $Username, $SecurePassword

     #Create a remoting session to the remote machine with this credential
     $Session = New-PSSession -ComputerName $ComputerName -Credential $Cred

     #Invoke-Command runs the script block in the session and returns the tool's console output
     $Result = Invoke-Command -Session $Session -ScriptBlock $Script
     Write-Output $Result

     #Close Session
     Remove-PSSession -Session $Session

  6. On the local machine, launch "remoteLaunchWaDiagnose.ps1" in PowerShell as seen below:

     PS C:\Windows\system32> .\remoteLaunchWaDiagnose.ps1

  7. The PowerShell script is executed on the remote machine and launches OESIS Diagnose. The result files are generated on the remote machine, in the same folder as the WaDiagnose executable.

Step by step usage for Application Removal:

  1. The same setup process as steps 1, 2 and 3 of the diagnose example above.
  2. Copy the Application Removal package to the remote machine.
  3. On the local machine, create the PowerShell script "remoteLaunchAppRemover.ps1" as below:

     #Predefine necessary information
     $Username = "<remote_machine_ip_or_domain>\<domain_user>"
     $Password = "<remote_machine_password>"
     $ComputerName = "<remote_machine_ip_or_computer_name>"
     $Script = { C:\appremover\AppRemover_CLI.exe -u -s <product_signature_id> }

     #Create credential object
     #Note: the password is stored in plain text in this script; Get-Credential prompts for it instead and avoids leaving it on disk.
     $SecurePassword = ConvertTo-SecureString -AsPlainText $Password -Force
     $Cred = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $Username, $SecurePassword

     #Create a remoting session to the remote machine with this credential
     $Session = New-PSSession -ComputerName $ComputerName -Credential $Cred

     #Invoke-Command runs the script block in the session and returns the tool's console output
     $Result = Invoke-Command -Session $Session -ScriptBlock $Script
     Write-Output $Result

     #Close Session
     Remove-PSSession -Session $Session

  4. On the local machine, launch "remoteLaunchAppRemover.ps1" in PowerShell as seen below:

     PS C:\Windows\system32> .\remoteLaunchAppRemover.ps1

  5. The PowerShell script is executed on the remote machine and starts uninstalling the desired application.
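The two scripts above (the diagnose launcher and the Application Removal launcher) differ only in the executable and its arguments. The following is an added example, not code from the original post or from OPSWAT, that folds both procedures into one reusable function: it prompts for the credential with Get-Credential instead of keeping a plaintext password in the script, stages the package over the same WinRM session with Copy-Item -ToSession (PowerShell 5.0 or later) instead of a separate file copy, captures the remote tool's exit code and console output, and always tears the session down. The package directories, the host name and the function name are assumptions for illustration; the product signature id stays a placeholder as in the post.

```powershell
# Added example (not from the original post). Assumes WinRM is already enabled on the
# target (Enable-PSRemoting) and that the credential has admin rights there. The local
# package directory, remote directory and host name used below are illustrative.
function Invoke-RemoteCliTool {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $LocalPackageDir,   # folder holding the tool, e.g. C:\pkg\oesis (assumption)
        [Parameter(Mandatory)] [string] $RemoteDir,         # destination on the target, e.g. C:\oesis (assumption)
        [Parameter(Mandatory)] [string] $ExeName,           # WaDiagnose.exe or AppRemover_CLI.exe
        [string[]] $Arguments = @(),
        # Prompting keeps the password out of the script file and out of PowerShell history.
        [System.Management.Automation.PSCredential] $Credential = (Get-Credential -Message "Account with admin rights on $ComputerName")
    )

    $session = New-PSSession -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop
    try {
        # Create the destination folder, then stage the package over the authenticated
        # WinRM channel (Copy-Item -ToSession requires PowerShell 5.0+ on both ends).
        Invoke-Command -Session $session -ScriptBlock {
            param($dir)
            New-Item -ItemType Directory -Path $dir -Force | Out-Null
        } -ArgumentList $RemoteDir
        Copy-Item -Path (Join-Path $LocalPackageDir '*') -Destination $RemoteDir -ToSession $session -Recurse -Force

        # Run the tool non-interactively in the remote session. stderr is merged into the
        # captured output and the native exit code is read from $LASTEXITCODE on the target.
        $result = Invoke-Command -Session $session -ScriptBlock {
            param($exe, $cliArgs)
            $output = & $exe @cliArgs 2>&1 | Out-String
            [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = $output }
        } -ArgumentList (Join-Path $RemoteDir $ExeName), $Arguments

        if ($result.ExitCode -ne 0) {
            Write-Warning "$ExeName on $ComputerName exited with code $($result.ExitCode)"
        }
        return $result
    }
    finally {
        # Close the session even if the copy or the tool failed.
        Remove-PSSession -Session $session
    }
}

# Usage (host, paths and the signature id are placeholders):
# Invoke-RemoteCliTool -ComputerName host01 -LocalPackageDir C:\pkg\oesis -RemoteDir C:\oesis -ExeName WaDiagnose.exe
# Invoke-RemoteCliTool -ComputerName host01 -LocalPackageDir C:\pkg\appremover -RemoteDir C:\appremover `
#     -ExeName AppRemover_CLI.exe -Arguments '-u','-s','<product_signature_id>'
```

The returned object carries the exit code, so a batch run over many hosts can be checked with a simple filter on ExitCode rather than by reading console text. As in the post's scripts, the tool runs in a non-interactive session on the target, so it must not expect to show a window.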

Limitations:

Both the diagnose tool and AppRemover can be executed remotely via PowerShell, but PowerShell will not be able to show an application's UI on the remote machine. This is because a PowerShell remoting session is not an interactive desktop session: the command runs in a separate, non-interactive logon session on the remote host. For security reasons, users can only see applications that run within their own interactive sessions. Windows treats every machine as a multi-user system, much like a Terminal Server, and isolates each session's windows so that one user cannot see or drive applications belonging to another. Tools launched this way therefore have to run fully unattended, which is why the examples use the command-line versions.

PsExec

Introduction:

PsExec is a command line tool that executes processes on a remote system and returns the results of the operation to the local console. It has a long list of optional parameters that allow a great deal of flexibility for IT administrators. The key feature of PsExec is that it runs a script or application within the security context of either the currently logged on user or a user specified when the program is launched.

Step by step usage for Endpoint Security Compliance diagnose:

  1. Download PSTools from the link (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx); PsExec is part of the package.
  2. Copy the diagnose package (including the WaDiagnose.exe) to the remote machine.
  3. On the local machine, open the command prompt (cmd) and go to the directory where the PsExec file is located.
  4. On the local machine, execute the following command:

     C:\<PSTools_directory>>PsExec.exe \\<remote_ip> -u <remote_username> -p <remote_password> "C:\oesis\WaDiagnose.exe"

  5. PsExec launches the WaDiagnose process on the remote machine using the credential provided above and generates the diagnose report on the remote file system. If -p is omitted, PsExec prompts for the password instead of taking it from the command line, which keeps it out of command-line auditing on the local machine.

Step by step usage for Application Removal:

  1. The same setup process as step 1 of the diagnose usage.
  2. Copy the Application Removal package to the remote machine.
  3. On the local machine, open the command prompt (cmd) and go to the directory where the PsExec file is located.
  4. On the local machine, execute the following command:

     C:\<PSTools_directory>>PsExec.exe \\<remote_ip> -u <remote_username> -p <remote_password> C:\appremover\AppRemover_CLI.exe -u -s <product_signature_id>

  5. PsExec launches the Application Removal process on the remote machine using the credential provided above. This starts the uninstallation of the desired application and reports back the exit code of the CLI as PsExec's own exit code.
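Because PsExec's exit code is the remote process's exit code, it is easy to drive from a script. The following is an added example, not code from the original post or from Sysinternals, that wraps PsExec in a PowerShell function covering both procedures above. It passes -accepteula so the first-run license dialog cannot block an unattended run, sets a connection timeout with -n, and deliberately omits -p so that PsExec prompts for the password rather than exposing it in the process command line; the PsExec path and the function name are assumptions.

```powershell
# Added example (not from the original post). Assumes PsExec.exe from the PSTools
# package is at $PsExecPath (illustrative path) and that the tool to run has already
# been copied to the remote machine, as in the procedures above.
function Invoke-PsExecTool {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [Parameter(Mandatory)] [string]   $UserName,        # e.g. DOMAIN\admin (placeholder)
        [Parameter(Mandatory)] [string]   $RemoteExe,       # e.g. C:\oesis\WaDiagnose.exe
        [string[]] $Arguments = @(),
        [string]   $PsExecPath = 'C:\PSTools\PsExec.exe',   # assumption
        [int]      $ConnectTimeoutSeconds = 30
    )

    if (-not (Test-Path -Path $PsExecPath)) {
        throw "PsExec not found at $PsExecPath"
    }

    # -accepteula: suppress the interactive EULA dialog shown on first use.
    # -n: give up if the remote machine cannot be reached within the timeout.
    # -u without -p: PsExec prompts for a hidden password, so the secret never
    #   appears in the local process command line or in command-line audit logs.
    $psexecArgs = @("\\$ComputerName", '-accepteula', '-n', $ConnectTimeoutSeconds,
                    '-u', $UserName, $RemoteExe) + $Arguments

    & $PsExecPath @psexecArgs

    # PsExec exits with the exit code of the remote process, so callers can act on it.
    return $LASTEXITCODE
}

# Usage (host, account and signature id are placeholders):
# $code = Invoke-PsExecTool -ComputerName host01 -UserName 'DOMAIN\admin' -RemoteExe 'C:\oesis\WaDiagnose.exe'
# $code = Invoke-PsExecTool -ComputerName host01 -UserName 'DOMAIN\admin' `
#             -RemoteExe 'C:\appremover\AppRemover_CLI.exe' -Arguments '-u','-s','<product_signature_id>'
# if ($code -ne 0) { Write-Warning "remote tool failed with exit code $code" }
```

The function is interactive by design: it relies on PsExec's own hidden password prompt. For fully unattended runs the post's -p form is needed, in which case the password should come from a protected source at runtime rather than being written into the script.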

Limitations:

PsExec does not come with the Windows operating system, so users have to download it separately (an extra 1.6 MB folder). PsExec does not provide an easy way for users to access network resources from the remote process, and its input argument is limited to 256 characters. Some older versions such as v1.73 and v1.82 have significant issues with programmatic redirection of StdOut over named pipes. Two further points matter in practice: PsExec works by copying a service executable (PSEXESVC) to the remote machine's ADMIN$ share and starting it as a Windows service, so it needs administrative rights on the target and leaves a service installation that security monitoring commonly flags, and versions before 2.1 sent the -p password to the remote machine unencrypted, so an up-to-date copy should be used.

Note: The Microsoft website states that "some antivirus engines report that one or more of the tools are infected with a 'remote admin' virus." According to the latest scan result from MetaDefender Cloud, this is true: some of the engines flag files from the PSTools archive. Assuming the archive was downloaded from the Microsoft website, these results should be treated as a warning about the tool's capabilities rather than as a sign of tampering.

Summary:

Both PowerShell and PsExec have advantages and disadvantages for network administrators. When it comes down to it, there is no universally good or bad choice between PowerShell and PsExec; it largely depends on which system management tools IT administrators have already standardized on. The best option for novice users would be PsExec, since it is the easiest to start with and lets you run CLI-based executables remotely and take advantage of their full feature set.

For more information, schedule a meeting with one of our cyber security experts today.
