Batch command tasklist for remote computer - windows

i'm trying to use tasklist command in cmd.exe for list all processes on my remote Windows 10 PC (which is in my home and connected on the same network as my main computer).
But when I type in cmd.exe from my main computer tasklist /s <his IP> /u Lucas /p <Lucas's password> it shows me Error : Incorrect user or password but user Lucas is the local admin for this remote PC and I'm 100% sure it's the right password, I really don't understand.
I have tried to disable firewall for private network, without success.
I have tried to add an exception in the firewall for port 135 (TCP), without success.
Ping command works fine.
I hope you can help me.
Regards.

Solved my problem by doing powershell Invoke-Command -ComputerName <ip of the remote computer> -Credential <his_name>\PC_Guest -ScriptBlock {Get-Process}
with <his_name> the name of the remote PC.
For the explanations PC_Guest was the old name of the admin account that I renamed to Lucas and I think that when we rename administrators accounts, Windows not change completely the name in permissions system, so that is why I had Access Denied or Unknown user or password errors with user Lucas.
Thanks #lit for your answer.

Related

Acces denied when using psexec

I try to use the psexec program via command line to run program on another pc connected to my local network.
What i try to accomplish?:
I want to code a program that lets user send links ( to ebay auction e.g. ) to chosen pc from local network, for that i want to use psexec as a main component.
What is my problem?:
When i try to dry use psexec ( e.g. psexec \\another-pc cmd ) i got acces denied every time i try this ( no matter what machine is target ).
What i tried?:
So far i tried to fetch login credentials in command line:
psexec \\some-pc -u someuser -p password cmd
I also tried to disable UAC on target PC with this line:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
I think i could do that easily if i knew a passwod for -p part, but none of my pcs have passwords set, all default users are admins,
My question is, does windows set any default password for local network acces like masterkey or smth ?
I'm a bit confused on what shall i do next.
If anyone know what should i do to overcome this obstacle i would be gratefull.
To use psexec remotely you should be an admin on a remote PC. And since Windows does not allow remote connections for admins with an empty password so you'll either need to set a password for your admin user or create a new user.
BTW your question is more suitable for superuser, not stackoverflow.

PsExec works only with "runas /netonly", not with -u and -p parameters

What I mean:
If I...
run runas /netonly /user:computername\username cmd
enter the password for the local admin account "username"
then type psexec \\computername cmd
I now have a working shell and can run commands as the local admin user on the remote machine.
However, trying to run this without the runas... and instead with the username and password arguments of psexec returns an access denied error.
Example below:
psexec \\computername -u username -p password cmd
Access Denied
Note: Others seem to also have this issue. My refined questions:
Is this intended behavior?
Why even have the -u and -p?
I have also tried disabling the firewall on both my machine and the target machine, and adding the registry key listed here.
When you initiate a connection with PsExec.exe, it tries to use the credentials you are currently authenticated with to copy the PSEXESVC to the \\$machine\ADMIN$\System32 share VIA SMB, which enables the communication with your PsExec.exe and the $machine's service.
If your currently logged in user account does not have access to \\$machine\ADMIN$\System32 and the ability to install/start services, then this won't work.
I'm assuming if you have access with your user account that this would work.
Here is a very interesting article from 2004 on reverse-engineering of the original implementation. I am pretty sure it has changed in that time with Windows 7 & Windows 10.

Run command as System User in Powershell

I found several answers on the web, but not really what I was searching for.
The issue is as follows:
When restoring a file with "Networker", the ACLs of the file are the same ones as when the file was backed up, regardles of inheritance in the folder the file is restored to. Meaning the inheritence of ACL does not affect the newly restored file.
This leaves me with the problem that only 3 Accounts have the right to alter the ACL.
The user, the file belongs to
The domain Admins
The system account
To solve the issue I would like to run an automated script fixing the ACL and activating the correct inheritance.
The system user for the script has to be one of the three.
The User is changing and thefore not a valid choice, also I dont want to leave any domain admin credentials nor give domain admin rights to a service account.
This leaves me with the system account to do the job and here comes the question:
How do I execute a task in powershell under system account credentials?
I tried
$username = "NT Authority\System"
$password = ConvertTo-SecureString -String "" -AsPlainText -Force
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist #($username, $password)
Since the password is an empty I can not really create credentials with it.
The name of the account in all locales is .\LocalSystem. The name,
LocalSystem or ComputerName\LocalSystem can also be used. This account
does not have a password.
https://msdn.microsoft.com/de-de/library/windows/desktop/ms684190(v=vs.85).aspx
So now I am a little bit confused as to how I can get this to work.
Edit:
The file system runs on EMC and is not a real Windows File System, but just kinda hooked onto a Linux system. So there is no local administrator account.
TL;DR
I want to inherit ACL Permissions on files using the system account with powershell, how?
https://github.com/mkellerman/Invoke-CommandAs
Made a function to Invoke-Command against local/remote computer using provided credentials or SYSTEM. Returns PSObjects, handles network interruptions and resolves any Double-Hop issues.
Try it out let me know if this resolves your issues.
If you're ok installing a (very useful) 3rd party program, you can try the following. It's a portable .zip, no real installation.
Run as administrator:
C:\WINDOWS\system32>nircmd.exe elevatecmd runassystem c:\windows\System32\cmd.exe
starts a new cmd window:
Microsoft Windows [Version 10.0.18362.418]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami
nt authority\system
C:\WINDOWS\system32>
https://www.nirsoft.net/utils/nircmd.html
Domain Admins get access via the local Administrators group. Local Administrators can take ownership of any local object and subsequently grant new permissions to that object.
Running something like this as an administrator should do what you want:
takeown /f C:\some\file_or_folder /a /r /d:y
icacls C:\some\file_or_folder /reset /t /c /q
Never use the SYSTEM account for things like this.

Could not connect sessionID 0 to sessionname console .bat from psexec

I'm attempting to force a VM to log the current user out and send the session to the console via running a .bat script.
I can get this working if I manually run a .bat file on the VM which contains the following:
%windir%\System32\tscon.exe 0 /dest:console
However, when using psexec or paexec to call the same .bat:
c:\>psexec.exe \\virtualmachine -u domain\username -p password -h cmd /c
c:\user\atest\desktop\test.bat
I get an access denied:
Could not connect sessionID 0 to session name console, Error code 5
Error [5]:Access is denied. C:\windows\system32\tscon.exe exited on
virtualmachine with error code 1.
Alternatively, I've tried (same result):
C:\>PsExec.exe \\virtualmachine -u domain\username -p password -h
C:\windows\system32\tscon.exe 0 /dest:console
I'm not sure where I'm going wrong, because this starts iexplore.exe fine:
C:\>PsExec.exe \\virtualmachine -u domain\username -p password -h "c:\program files\internet explorer\iexplore.exe"
The problem was because the user was connected via RDP, it was not session 0. I had to run "query user" to get the session ID of the RDP connection, then pass that into PsExec using "-i" like so:
C:\>PsExec.exe -s -i $id \\virtualmachine c:\windows\system32\tscon.exe $id /dest:console
Because this is running as system (-s) I didn't need to pass in any authentication.
This answer helped me with the concept of sessions, hope it helps someone else.
I had a batch file that worked for years ending a RDP session and leaving the host screen unlocked, it had conditions for sessionid's 0 through 10 just in case. Then this week after a windows update loaded it stopped working and I kept getting 7045 errors in the results of the batch file. The RDP session would close but the host machines screen was locked. The host machine runs a message board so this was not acceptable and the machine is mounted to the ceiling so no mouse or keyboard is possible.
I searched a ton and found nothing that worked more than once if it worked at all. Then I found this by chance, and when I ran this power shell command my problem was solved. It works great so far and better yet you don't have to know the sessionID or name, or pass a password in a text or batch file.
#powershell -NoProfile -ExecutionPolicy unrestricted -Command "$sessionid=((quser $env:USERNAME | select -Skip 1) -split '\s+')[2]; tscon $sessionid /dest:console" 2> UnlockErrors.log
Just copy the script into a text file, rename it something.cmd then create a shortcut to it on the hosts desktop and go to the properties and select advanced and have it run as administrator. Easy. Works on win7 pro. I found the script here https://steamcommunity.com/groups/homestream/discussions/0/617335934139051123/?ctp=5
I also faced the same issue with the following command
Command – tscon SessionID /dest:console /password: ****
Resolution: I worked a lot and finally got to know the issue is with password. i.e. the password length should not be greater than 13 characters. But in this case password = 20 characters.
Later I changed the password to ****(12 characters) and issue got resolved.
If you are not a local administrator of the VM, you won't be able to do this. The session I was logged-in with was not a local admin, but when running the shortcut "as an administrator", I tried using another account that was a local admin (when prompted). However, this doesn't work. The account you are moving to the console session is the one you are logged-in with, but if you use a different account for the shortcut elevation, TSCON will try using that account instead.

How to execute a Windows command on a remote PC?

Is it possible to execute a Windows shell command on a remote PC when I know its login name and password?
Is it possible to do it using client PC's Windows shell?
If you are in a domain environment, you can also use:
winrs -r:PCNAME cmd
This will open a remote command shell.
psexec \\RemoteComputer cmd.exe
or use ssh or TeamViewer or RemoteDesktop!
This can be done by using PsExec which can be downloaded here
psexec \\computer_name -u username -p password ipconfig
If this isn't working try doing this :-
Open RegEdit on your remote server.
Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
Add a new DWORD value called LocalAccountTokenFilterPolicy
Set its
value to 1.
Reboot your remote server.
Try running PSExec again from
your local server.
You can use native win command:
WMIC /node:ComputerName process call create “cmd.exe /c start.exe”
The WMIC is part of wbem win folder: C:\Windows\System32\wbem

Resources