This update to PsExec enhances the -i option to allow process launch in a specific session and leverages Windows Vista’s low integrity (the same mechanism used by Protected Mode Internet Explorer) for the -l switch. See Mark’s most recent blog post, “PsExec, User Account Control and Security Boundaries” for more information.
The PsTools suite includes command-line utilities for listing the processes running on local or remote computers, running processes remotely, rebooting computers, dumping event logs, and more.
The Windows NT and Windows 2000 Resource Kits come with a number of command line tools that help you administer your Windows NT/2K systems. Over time, I’ve grown a collection of similar tools, including some not included in the Resource Kits. What sets these tools apart is that they all allow you to manage remote systems as well as the local one. The first tool in the suite was PsList, a tool that lets you view detailed information about processes, and the suite is continually growing. The “Ps” prefix in PsList relates to the fact that the standard UNIX process listing command-line tool is named “ps”, so I’ve adopted this prefix for all the tools in order to tie them together into a suite of tools named PsTools.
The tools included in the PsTools suite, which are downloadable individually or as a package, are:
- PsExec – execute processes remotely
- PsFile – shows files opened remotely
- PsGetSid – display the SID of a computer or a user
- PsInfo – list information about a system
- PsKill – kill processes by name or process ID
- PsList – list detailed information about processes
- PsLoggedOn – see who’s logged on locally and via resource sharing (full source is included)
- PsLogList – dump event log records
- PsPasswd – changes account passwords
- PsService – view and control services
- PsShutdown – shuts down and optionally reboots a computer
- PsSuspend – suspends processes
- PsUptime – shows you how long a system has been running since its last reboot (PsUptime’s functionality has been incorporated into PsInfo)
PsExec v1.80
February 12, 2007
Utilities like Telnet and remote control programs like Symantec’s PC Anywhere let you execute programs on remote systems, but they can be a pain to set up and require that you install client software on the remote systems that you wish to access. PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec’s most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems.
PsExec v1.80 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com
PsExec executes a program on a remote system, where remotely executed console
applications execute interactively.
Usage: psexec [computer[,computer2[,...] | @file][-u user [-p psswd]][-n s][-l]
[-s|-e][-x][-i [session]][-c [-f|-v]][-w directory][-d][-][-a n,n,...] cmd [arguments]
-a Separate processors on which the application can run with
commas where 1 is the lowest numbered CPU. For example,
to run the application on CPU 2 and CPU 4, enter:
"-a 2,4"
-c Copy the specified program to the remote system for
execution. If you omit this option the application
must be in the system path on the remote system.
-d Don't wait for process to terminate (non-interactive).
-e Does not load the specified account's profile.
-f Copy the specified program even if the file already
exists on the remote system.
-i Run the program so that it interacts with the desktop of the
specified session on the remote system. If no session is
specified the process runs in the console session.
-l Run process as limited user (strips the Administrators group
and allows only privileges assigned to the Users group).
On Windows Vista the process runs with Low Integrity.
-n Specifies timeout in seconds connecting to remote computers.
-p Specifies optional password for user name. If you omit this
you will be prompted to enter a hidden password.
-s Run the remote process in the System account.
-u Specifies optional user name for login to remote
computer.
-v Copy the specified file only if it has a higher version number
or is newer on than the one on the remote system.
-w Set the working directory of the process (relative to
remote computer).
-x Display the UI on the Winlogon secure desktop (local system
only).
-priority Specifies -low, -belownormal, -abovenormal, -high or
-realtime to run the process at a different priority.
computer Direct PsExec to run the application on the remote
computer or computers specified. If you omit the computer
name PsExec runs the application on the local system,
and if you specify a wildcard (*), PsExec runs the
command on all computers in the current domain.
@file PsExec will execute the command on each of the computers listed
in the file.
program Name of application to execute.
arguments Arguments to pass (note that file paths must be
absolute paths on the target system).
You can enclose applications that have spaces in their name with
quotation marks e.g. psexec \\marklap "c:\long name app.exe".
Input is only passed to the remote system when you press the enter
key, and typing Ctrl-C terminates the remote process.
If you omit a user name the process will run in the context of your
account on the remote system, but will not have access to network
resources (because it is impersonating). Specify a valid user name
in the Domain\User syntax if the remote process requires access
to network resources or to run in a different account. Note that
the password is transmitted in clear text to the remote system.
Error codes returned by PsExec are specific to the applications you
execute, not PsExec.
PsFile v1.02
December 4, 2006
The “net file” command shows you a list of the files that other computers have opened on the system upon which you execute the command. However, it truncates long path names and doesn’t let you see that information for remote systems. PsFile is a command-line utility that shows a list of files on a system that are opened remotely, and it also allows you to close opened files either by name or by a file identifier.
psfile v1.02 - psfile
Copyright (C) 2001 Mark Russinovich
Sysinternals
PsFile lists or closes files opened remotely.
Usage: psfile.exe [RemoteComputer [-u Username [-p Password]]] [[Id | path] [-c]]
-u Specifies optional user name for login to
remote computer.
-p Specifies password for user name.
Id Id of file to print information for or close.
Path Full or partial path of files to match.
-c Closes file identified by file Id.
Omitting a file identifier has PsFile list all files opened remotely.
PsGetSid v1.43
December 4, 2006
Have you performed a rollout, only to discover that your network might suffer from the SID duplication problem? In order to know which systems have to be assigned a new SID (using a SID updater like our own NewSID) you have to know what a computer’s machine SID is. Up until now there’s been no way to tell the machine SID without knowing Regedit tricks and exactly where to look in the Registry. PsGetSid makes reading a computer’s SID easy, and works across the network so that you can query SIDs remotely. PsGetSid also lets you see the SIDs of user accounts and translate a SID into the name that represents it.
PsGetSid v1.43 - Translates SIDs to names and vice versa
Copyright (C) 1999-2006 Mark Russinovich
Sysinternals - www.sysinternals.com
Usage: psgetsid.exe [computer[,computer2[,...] | @file] [-u Username [-p Password]]] [account | SID]
-u Specifies optional user name for login to
remote computer.
-p Specifies optional password for user name. If you omit this
you will be prompted to enter a hidden password.
account PsGetSid will report the SID for the specified user account
rather than the computer.
SID PsGetSid will report the account for the specified SID.
computer Direct PsGetSid to perform the command on the remote
computer or computers specified. If you omit the computer
name PsGetSid runs the command on the local system,
and if you specify a wildcard (*), PsGetSid runs the
command on all computers in the current domain.
@file PsGetSid will execute the command on each of the computers listed
in the file.
PsInfo v1.74
December 4, 2006
PsInfo is a command-line tool that gathers key information about the local or remote Windows NT/2000 system, including the type of installation, kernel build, registered organization and owner, number of processors and their type, amount of physical memory, the install date of the system, and, if it’s a trial version, the expiration date.
PsInfo v1.74 - Local and remote system information viewer
Copyright (C) 2001-2005 Mark Russinovich
Sysinternals - www.sysinternals.com
PsInfo returns information about a local or remote Windows NT/2000/XP system.
Usage: psinfo [-h] [-s] [-d] [-c [-t delimiter]] [filter] [computer[,computer[,..]]|@file [-u Username [-p Password]]]
-u Specifies optional user name for login to
remote computer.
-p Specifies password for user name.
-h Show installed hotfixes.
-s Show installed software.
-d Show disk volume information.
-c Print in CSV format
-t The default delimiter for the -c option is a comma,
but can be overriden with the specified character. Use
"\t" to specify tab.
filter Psinfo will only show data for the field matching the filter.
e.g. "psinfo service" lists only the service pack field.
computer Direct PsInfo to perform the command on the remote
computer or computers specified. If you omit the computer
name PsInfo runs the command on the local system,
and if you specify a wildcard (*), PsInfo runs the
command on all computers in the current domain.
@file PsInfo will run against the computers listed in the file
specified.
PsKill v1.12
December 4, 2006
Windows NT/2000 does not come with a command-line ‘kill’ utility. You can get one in the Windows NT or Win2K Resource Kit, but the kit’s utility can only terminate processes on the local computer. PsKill is a kill utility that not only does what the Resource Kit’s version does, but can also kill processes on remote systems. You don’t even have to install a client on the target computer to use PsKill to terminate a remote process.
PsKill v1.12 - Terminates processes on local or remote systems
Copyright (C) 1999-2005 Mark Russinovich
Sysinternals - www.sysinternals.com
Usage: pskill [-t] [computer [-u username [-p password]]]
-t Kill the process and its descendants.
-u Specifies optional user name for login to
remote computer.
-p Specifies optional password for user name. If you omit this
you will be prompted to enter a hidden password.
PsList v1.28
December 4, 2006
List detailed information about processes
pslist v1.28 - Sysinternals PsList
Copyright (C) 2000-2004 Mark Russinovich
Sysinternals
Usage: pslist.exe [-d][-m][-x][-t][-s [n] [-r n] [computer [-u username][-p password][name|pid]
-d Show thread detail.
-m Show memory detail.
-x Show processes, memory information and threads.
-t Show process tree.
-s [n] Run in task-manager mode, for optional seconds specified.
Press Escape to abort.
-r n Task-manager mode refresh rate in seconds (default is 1).
computer Specifies remote computer.
-u Optional user name for remote login.
-p Optional password for remote login. If you don't present
on the command line pslist will prompt you for it if necessary.
name Show information about processes that begin with the name
specified.
-e Exact match the process name.
pid Show information about specified process.
All memory values are displayed in KB.
Abbreviation key:
Pri Priority
Thd Number of Threads
Hnd Number of Handles
VM Virtual Memory
WS Working Set
Priv Private Virtual Memory
Priv Pk Private Virtual Memory Peak
Faults Page Faults
NonP Non-Paged Pool
Page Paged Pool
Cswtch Context Switches
PsLoggedOn v1.33
December 4, 2006
You can determine who is using resources on your local computer with the “net” command (“net session”), however, there is no built-in way to determine who is using the resources of a remote computer. In addition, NT comes with no tools to see who is logged onto a computer, either locally or remotely. PsLoggedOn is an applet that displays both the locally logged on users and users logged on via resources for either the local computer, or a remote one. If you specify a user name instead of a computer, PsLoggedOn searches the computers in the network neighborhood and tells you if the user is currently logged on. Full source code is included.
PsLoggedOn’s definition of a locally logged on user is one that has their profile loaded into the Registry, so PsLoggedOn determines who is logged on by scanning the keys under the HKEY_USERS key. For each key that has a name that is a user SID (security Identifier), PsLoggedOn looks up the corresponding user name and displays it. To determine who is logged onto a computer via resource shares, PsLoggedOn uses the NetSessionEnum API. Note that PsLoggedOn will show you as logged on via resource share to remote computers that you query because a logon is required for PsLoggedOn to access the Registry of a remote system.
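The registry half of the approach described above, as an added PowerShell example (not PsLoggedOn's own source, and not covering the NetSessionEnum part). The function name Get-LoadedProfileUser and its ComputerName parameter are assumptions made for this illustration; it lists the HKEY_USERS subkeys named after account SIDs and translates each to an account name.

```powershell
# Added illustration: list accounts whose profile hive is loaded under HKEY_USERS.
# Get-LoadedProfileUser is a hypothetical name, not part of PsTools.
function Get-LoadedProfileUser {
    param(
        # Empty string means the local machine; a remote name requires the
        # Remote Registry service and sufficient rights on the target.
        [string]$ComputerName = ''
    )

    $hku = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::Users, $ComputerName)
    try {
        foreach ($name in $hku.GetSubKeyNames()) {
            # Keep only keys named after a local or domain account SID.
            # This skips .DEFAULT, the built-in service SIDs (S-1-5-18/19/20)
            # and the per-user "<SID>_Classes" hives.
            if ($name -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') { continue }

            $sid = New-Object System.Security.Principal.SecurityIdentifier($name)
            try {
                # Translation is performed from the machine running the script,
                # so SIDs of a remote computer's local accounts may not resolve.
                $account = $sid.Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch {
                $account = '<unresolved>'
            }

            [pscustomobject]@{
                Computer = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
                Sid      = $name
                Account  = $account
            }
        }
    } finally {
        $hku.Close()
    }
}

# Local machine
Get-LoadedProfileUser | Format-Table -AutoSize
```

A loaded profile hive is not proof of an interactive session: services and scheduled tasks running under a user account also load that account's hive, so treat the result as "profile loaded", which is the definition the paragraph above gives.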
psloggedon v1.33 - See who's logged on
Copyright (C) 2000-2006 Mark Russinovich
Sysinternals - www.sysinternals.com
Usage: psloggedon.exe [-l] [-x] [computername]
or psloggedon.exe [username]
-l Show only local logons
-x Don't show logon times
Download Source code of PsLoggedOn – PsLoggedOnSource.zip
PsLogList v2.64
December 4, 2006
The Resource Kit comes with a utility, elogdump, that lets you dump the contents of an Event Log on the local or a remote computer. PsLogList is a clone of elogdump except that PsLogList lets you log in to remote systems in situations where your current set of security credentials would not permit access to the Event Log, and PsLogList retrieves message strings from the computer on which the event log you view resides.
PsLoglist v2.64 - local and remote event log viewer
Copyright (C) 2000-2006 Mark Russinovich
Sysinternals - www.sysinternals.com
PsLogList dumps event logs on a local or remote NT system.
Usage: psloglist [computer[,computer2[,...] | @file] [-u username [-p password]]]
[-s [-t delimiter]] [-m #|-n #|-d #|-h #|-w][-c][-x][-r][-a mm/dd/yy][-b mm/dd/yy]
[-f filter] [-i ID,[ID,...]] | -e ID,[ID,...]] [-o event source[,event source[,...]]]
[-q event source[,event source[,...]]] [[-g|-l] event log file]
@file Psloglist will execute the command on each of the computers
listed in the file.
-a Dump records timestamped after specified date.
-b Dump records timestamped before specified date.
-c Clear event log after displaying.
-d Only display records from previous n days.
-e Exclude events with the specified ID or IDs (up to 10).
-f Filter event types, using starting letter
(e.g. "-f we" to filter warnings and errors).
-g Export an event log as an evt file. This can only be used
with the -c switch (clear log).
-h Only display records from previous n hours.
-i Show only events with the specified ID or IDs (up to 10).
-l Dump the contents of the specified saved event log file.
-m Only display records from previous n minutes.
-n Only display n most recent records.
-o Show only records from the specified event source or sources
(e.g. "-o cdrom").
-p Specifies password for user name.
-q Omit records from the specified event source or sources
(e.g. "-q cdrom").
-r Dump log from least recent to most recent.
-s Records are listed on one line each with delimited
fields, which is convenient for string searches.
-t The default delimiter for the -s option is a comma,
but can be overriden with the specified character. Use "\t"
to specify tab.
-u Specifies optional user name for login to
remote computer.
-w Wait for new events, dumping them as they generate (local system
only.)
-x Dump extended data.
eventlog Specifies event log to dump. Default is system. If the
-l switch is present then the event log name specifies
how to interpret the event log file.
PsPasswd v1.22
December 4, 2006
Systems administrators that manage local administrative accounts on multiple computers regularly need to change the account password as part of standard security practices. PsPasswd is a tool that lets you change an account password on the local or remote systems, enabling administrators to create batch files that run PsPasswd against the computers they manage in order to perform a mass change of the administrator password.
PsPasswd v1.22 - Local and remote password changer
Copyright (C) 2003-2004 Mark Russinovich
Sysinternals - www.sysinternals.com
PsPasswd changes passwords on a local or remote system.
Usage: pspasswd [[computer[,computer,[,...]|Domain]|@file] [-u Username [-p Password]]] Username [NewPassword]
computer Direct PsPasswd to perform the command on the remote
computer or computers specified. If you omit the computer
name PsPasswd runs the command on the local system,
and if you specify a wildcard (*), PsPasswd runs the
command on all computers in the current domain.
@file PsPasswd will change the password on the computers listed
in the file.
-u Specifies optional user name for login to remote
computer.
-p Specifies optional password for user name. If you omit this
you will be prompted to enter a hidden password.
Username Specifies name of account for password change.
NewPassword New password. If ommitted a NULL password is applied.
PsService v2.21
December 4, 2006
PsService is a service viewer and controller for Windows. Like the SC utility that’s included in the Windows NT and Windows 2000 Resource Kits, PsService displays the status, configuration, and dependencies of a service, and allows you to start, stop, pause, resume and restart it. Unlike the SC utility, PsService enables you to log on to a remote system using a different account, for cases when the account from which you run it doesn’t have the required permissions on the remote system. PsService includes a unique service-search capability, which identifies active instances of a service on your network. You would use the search feature if you wanted to locate systems running DHCP servers, for instance.
Finally, PsService works on both NT 4 and Windows 2000, whereas the Windows 2000 Resource Kit version of SC requires Windows 2000, and PsService doesn’t require you to manually enter a “resume index” in order to obtain a complete listing of service information.
PsService v2.21 - Service information and configuration utility
Copyright (C) 2001-2006 Mark Russinovich
Sysinternals - www.sysinternals.com
PsService lists or controls services on a local or remote system.
Usage: psservice.exe [Computer [-u Username [-p Password]]]
Cmd is one of the following:
query Queries the status of a service
config Queries the configuration
setconfig Sets the configuration
start Starts a service
stop Stops a service
restart Stops and then restarts a service
pause Pauses a service
cont Continues a paused service
depend Enumerates the services that depend on the one specified
find Searches for an instance of a service on the network
security Reports the security permissions assigned to a service
Use the username and password to log into the remote computer in cases where
your account does not have permissions to perform the action you specify.
Omitting a command queries the active services on the specified computer.
Enter -? for help on a particular command.
PsShutdown v2.52
December 4, 2006
PsShutdown is a command-line utility similar to the shutdown utility from the Windows 2000 Resource Kit, but with the ability to do much more. In addition to supporting the same options for shutting down or rebooting the local or a remote computer, PsShutdown can logoff the console user or lock the console (locking requires Windows 2000 or higher). PsShutdown requires no manual installation of client software.
PsShutdown v2.52 - Shutdown, logoff and power manage local and remote systems
Copyright (C) 1999-2006 Mark Russinovich
Sysinternals - www.sysinternals.com
usage:
psshutdown -s|-r|-h|-d|-k|-a|-l|-o [-f] [-c] [-t [nn|h:m]] [-v nn] [-e [u|p]:xx:yy]
[-m "message"] [-u Username [-p password]] [-n s] [computer[,computer[,...]|@file]
-a Abort a shutdown (only possible while countdown is in progress)
-c Allow the shutdown to be aborted by the interactive user
-d Suspend the computer
-e Shutdown reason code (available on Windows XP and higher).
Specify 'u' for unplanned and 'p' for planned
shutdown reason codes.
xx is the major reason code (must be less than 256)
yy is the minor reason code (must be less than 65536)
-f Forces running applications to close
-h Hibernate the computer
-k Poweroff the computer (reboot if poweroff is not supported)
-l Lock the computer
-m Message to display to logged on users
-n Specifies timeout in seconds connecting to remote computers
-o Logoff the console user
-p Specifies optional password for user name. If you omit this
you will be prompted to enter a hidden password.
-r Reboot after shutdown
-s Shutdown without poweroff
-t Specifies countdown in seconds until shutdown (default is 20) or
the time of shutdown (in 24 hour notation)
-u Specifies optional user name for login to remote
computer.
-v Display message for the specified number of seconds before
the shutdown. If you omit this parameter the shutdown
notification dialog displays and specifying a value of 0
omits the dialog.
computer Shutdown the computer or computers specified
@file Shutdown the computers listed in the file specified
Reasons defined on this computer (U = unplanned, P = planned):
Type Major Minor Title
U 0 0 Other (Unplanned)
P 0 0 Other (Planned)
U 1 1 Hardware: Maintenance (Unplanned)
P 1 1 Hardware: Maintenance (Planned)
U 1 2 Hardware: Installation (Unplanned)
P 1 2 Hardware: Installation (Planned)
U 2 3 Operating System: Upgrade (Unplanned)
P 2 3 Operating System: Upgrade (Planned)
U 2 4 Operating System: Reconfiguration (Unplanned)
P 2 4 Operating System: Reconfiguration (Planned)
U 4 1 Application: Maintenance (Unplanned)
P 4 1 Application: Maintenance (Planned)
U 4 5 Application: Unresponsive
U 4 6 Application: Unstable
PsSuspend v1.06
December 4, 2006
PsSuspend lets you suspend processes on the local or a remote system, which is desirable in cases where a process is consuming a resource (e.g. network, CPU or disk) that you want to allow different processes to use. Rather than kill the process that’s consuming the resource, suspending permits you to let it continue operation at some later point in time.
PsSuspend v1.06 - Process Suspender
Copyright (C) 2001-2003 Mark Russinovich
Sysinternals
PsSuspend suspends or resumes processes on a local or remote NT system.
Usage: pssuspend [-r] [RemoteComputer [-u Username [-p Password]]]
-r Resume.
-u Specifies optional user name for login to
remote computer.
-p Specifies optional password for user name. If you omit this
you will be prompted to enter a hidden password.
All of the utilities in the PsTools suite work on Windows NT, Windows 2000, Windows XP and Windows Server 2003. The PsTools download package includes an HTML help file with complete usage information for all the tools.
Note: some anti-virus scanners report that one or more of the tools are infected with a “remote admin” virus. None of the PsTools contain viruses, but they have been used by viruses, which is why they trigger virus notifications.