Introducing PsTools

The PsTools set of remote-administration utilities from the Sysinternals Suite bears mention in this chapter as well. The PsTools binaries provide a way to administer systems, local and remote, from the command line. PowerShell covers powerful command-line remoting in Windows 10, but earlier editions ship with older versions of PowerShell by default or without it at all, and the PsTools work the same way across all of them.

Installation is as simple as downloading the PsTools suite from https://technet.microsoft.com/en-us/sysinternals/pstools.aspx and extracting the ZIP file. Run the tools from an elevated Command Prompt (or PowerShell) session. Adding the folder to your system PATH is convenient, but it also puts a remote-execution tool within reach of anything else running on the machine, so weigh that trade-off before configuring it.

The tools themselves are command-line executables that each perform a different system task; most of them take a \\computer argument and work against remote systems as easily as the local one. The ZIP contains the following binaries:

  • PsExec: Execute processes on remote hosts
  • PsFile: Show files opened remotely
  • PsGetSid: Display the SID of a computer or user object
  • PsInfo: List information about a host
  • PsPing: Measure network performance
  • PsKill: Kill processes by either name or PID
  • PsList: List detailed information about processes on a host
  • PsLoggedOn: See who's logged on locally and also via sharing
  • PsLogList: Dump event logs
  • PsPasswd: Change account passwords
  • PsService: View and control services
  • PsShutdown: Shut down and optionally reboot a host
  • PsSuspend: Suspend processes
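The following session, added here as an illustration and not taken from the original page, walks through several of the tools listed above against a single remote host. The host name FS01 and the account CORP\helpdesk-admin are assumptions; substitute your own, and run from an elevated prompt in the folder where the ZIP was extracted.

```powershell
# Added example, not from the original page: a short PsTools session against one
# remote host. "FS01" and "CORP\helpdesk-admin" are assumed names. Run from an
# elevated prompt in the folder where the PsTools ZIP was extracted.

$Target = 'FS01'                  # assumed hostname
$Admin  = 'CORP\helpdesk-admin'   # assumed account; needs local admin rights on $Target

# Each tool asks you to accept the Sysinternals EULA on first use; -accepteula
# answers that up front so the commands also work in scripts.
# Omitting -p makes each tool prompt for a hidden password instead of taking it
# from the command line, where anyone who can list processes could read it.

# Basic inventory of the host (OS, uptime, and installed hotfixes with -h).
.\psinfo.exe -accepteula "\\$Target" -u $Admin -h

# Who is logged on, both at the console and via network shares?
.\psloggedon.exe -accepteula "\\$Target"

# Query a service, then stop it; PsService also accepts start, restart, config ...
.\psservice.exe -accepteula "\\$Target" -u $Admin query Spooler
.\psservice.exe "\\$Target" -u $Admin stop Spooler

# Processes with memory detail (-m); then kill one by image name.
.\pslist.exe -accepteula "\\$Target" -u $Admin -m
.\pskill.exe -accepteula "\\$Target" -u $Admin notepad

# The 20 most recent System log entries, dumped as text.
.\psloglist.exe -accepteula "\\$Target" -u $Admin -n 20 System

# Finally, run a command as SYSTEM on the target (-s) and return its output here.
# PsExec copies PSEXESVC.exe to the ADMIN$ share and starts it as a service.
.\psexec.exe -accepteula "\\$Target" -u $Admin -s cmd /c "whoami & hostname"
```

When the session is already running as an account that is an administrator on the target, the -u switch can be dropped entirely and the tools authenticate with the current logon, which is the cleanest option.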

As you can see, these are powerful tools that belong on the enterprise administrator's tool belt. For the same reason, some network and security administrators will want to block them to limit abuse. That is hard to do at the network layer, because the tools ride on TCP ports 135 and 445. These should sound familiar: TCP 135 is the RPC endpoint mapper (the DCOM Service Control Manager), and TCP 445 is registered as microsoft-ds, the port Windows uses for Server Message Block (SMB) over TCP. SMB carries file sharing, named pipes, and much of Windows remote administration.

As a result, these ports need to be open and the services behind them running. File and Printer Sharing must be available on the target, specifically the IPC$ share, which carries the named pipes the tools talk over, and for PsExec the ADMIN$ share, where it copies its service binary. Some tools, PsList and PsInfo among them, also need the Remote Registry service running on the target.
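A quick way to confirm those prerequisites before troubleshooting a failing PsTool is to test them directly. The function below is an added example, not part of the original page; FS01 is an assumed host name, and it is written for Windows PowerShell 5.1, since PowerShell 7 dropped the -ComputerName parameter from Get-Service.

```powershell
# Added example, not from the original page: check the prerequisites PsTools rely
# on before reaching for them. "FS01" is an assumed hostname. Written for Windows
# PowerShell 5.1; PowerShell 7 removed -ComputerName from Get-Service.
function Test-PsToolsPrereq {
    param([Parameter(Mandatory)][string]$ComputerName)

    $r = [ordered]@{ ComputerName = $ComputerName }

    # TCP 135 (RPC endpoint mapper) and TCP 445 (SMB) must be reachable.
    foreach ($port in 135, 445) {
        $t = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
        $r["TCP$port"] = $t.TcpTestSucceeded
    }

    # IPC$ carries the named pipes the tools talk over; ADMIN$ (the Windows
    # directory) is where PsExec drops PSEXESVC.exe. Both use the current logon.
    $null = net use "\\$ComputerName\IPC$" 2>$null
    $r['IPC$'] = ($LASTEXITCODE -eq 0)
    if ($r['IPC$']) { $null = net use "\\$ComputerName\IPC$" /delete 2>$null }
    $r['ADMIN$'] = Test-Path "\\$ComputerName\ADMIN$"

    # Tools that read the remote registry (PsList and PsInfo, for example) need
    # this service running, or at least startable, on the target.
    try {
        $svc = Get-Service -ComputerName $ComputerName -Name RemoteRegistry -ErrorAction Stop
        $r['RemoteRegistry'] = "$($svc.Status) (StartType $($svc.StartType))"
    } catch {
        $r['RemoteRegistry'] = 'unreachable (SCM query failed)'
    }

    [pscustomobject]$r
}

Test-PsToolsPrereq -ComputerName 'FS01' | Format-List
```

A False under TCP445 or ADMIN$ explains most PsExec failures; a stopped RemoteRegistry explains PsList or PsInfo failing while PsExec still works.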

Blocking these ports would, in essence, block file sharing and inter-node communication between Windows machines. It is also worth noting that PsTools require credentials for an account with administrator rights on the target, so the tools grant nothing that an attacker holding such credentials could not already do by other means. All else being equal, good account security and auditing therefore matter more than the tools themselves. Auditing is practical here: PsExec in particular leaves a service-installation record on the target, since it registers and starts its PSEXESVC service on every run.
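The function below, an added example rather than code from the original page, shows the kind of auditing that point calls for. It pulls Service Control Manager event 7045 ("A service was installed in the system") from a host's System log and parses out the service details, so PsExec's PSEXESVC installs stand out. Because an operator can rename the service with -r, the output is worth reviewing in full rather than filtering on the default name alone. FS01 is an assumed host name.

```powershell
# Added example, not from the original page: surface PsExec activity on a host
# from its System log. Each PsExec run installs and starts the PSEXESVC service
# on the target, which the Service Control Manager logs as event ID 7045.
# "FS01" is an assumed hostname; omit -ComputerName to audit the local machine.
function Get-ServiceInstallEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 7
    )

    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            # The EventData fields for 7045 are ServiceName, ImagePath,
            # ServiceType, StartType and AccountName.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                Time        = $_.TimeCreated
                Host        = $ComputerName
                ServiceName = $data['ServiceName']
                ImagePath   = $data['ImagePath']
                StartType   = $data['StartType']
                RunsAs      = $data['AccountName']
                # Default PsExec footprint; a renamed service (-r) will not match.
                LooksLikePsExec = ($data['ServiceName'] -like 'PSEXESVC*' -or
                                   $data['ImagePath']   -like '*PSEXESVC*')
            }
        }
}

# All service installs in the last week, PsExec-looking ones first.
Get-ServiceInstallEvents -ComputerName 'FS01' |
    Sort-Object LooksLikePsExec, Time -Descending |
    Format-Table Time, ServiceName, ImagePath, RunsAs, LooksLikePsExec -AutoSize
```

Pair these records with the Security log's network logons (event 4624, logon type 3) around the same timestamps to see which account and source host drove each run; that is the account-level auditing the paragraph above argues for.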