1. Welcome Guest! In order to create a new topic or reply to an existing one, you must register first. It is easy and free. Click here to sign up now!.
    Dismiss Notice

psexec -c

Discussion in 'Windows Home Server' started by Joey, Apr 20, 2009.

  1. Joey

    Joey Guest

    where does psexec -c option copies the file to the remote pc?
     
    Joey, Apr 20, 2009
    #1
  3. Jon Wallace

    Jon Wallace Guest

    Hi Joey,

    So I used another SysInternals tool to monitor this (Process Monitor) and
    the results were, well interesting...

    I actually couldn't get my process to run remotely by using the -c switch, I
    kept getting an error saying the process could not be found. However,
    Process Monitor did spit out the following

    --
    8:21:05.2879524 PM PSEXESVC.EXE 2208 QueryOpen C:\WINDOWS\system32\c.exe
    SUCCESS CreationTime: 4/20/2009 8:21:05 PM, LastAccessTime: 4/20/2009
    8:21:05 PM, LastWriteTime: 11/2/2006 8:35:29 AM, ChangeTime: 4/20/2009
    8:10:14 PM, AllocationSize: 176,128, EndOfFile: 176,128, FileAttributes: A
    8:21:05.2881162 PM PSEXESVC.EXE 2208 QueryOpen C:\WINDOWS\system32\c.exe
    SUCCESS CreationTime: 4/20/2009 8:21:05 PM, LastAccessTime: 4/20/2009
    8:21:05 PM, LastWriteTime: 11/2/2006 8:35:29 AM, ChangeTime: 4/20/2009
    8:10:14 PM, AllocationSize: 176,128, EndOfFile: 176,128, FileAttributes: A
    8:21:05.2882781 PM PSEXESVC.EXE 2208 CreateFile C:\WINDOWS\system32\c.exe
    SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Read
    Attributes, Synchronize, Disposition: Open, Options: Synchronous IO
    Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete,
    AllocationSize: n/a, OpenResult: Opened
    8:21:05.3211034 PM PSEXESVC.EXE 2208 QueryStandardInformationFile
    C:\WINDOWS\system32\c.exe SUCCESS AllocationSize: 176,128, EndOfFile:
    176,128, NumberOfLinks: 1, DeletePending: False, Directory: False
    8:21:05.3213242 PM PSEXESVC.EXE 2208 QuerySecurityFile
    C:\WINDOWS\system32\c.exe SUCCESS Information: Owner, Group, DACL, SACL
    8:21:05.3213437 PM PSEXESVC.EXE 2208 QueryBasicInformationFile
    C:\WINDOWS\system32\c.exe SUCCESS CreationTime: 4/20/2009 8:21:05 PM,
    LastAccessTime: 4/20/2009 8:21:05 PM, LastWriteTime: 11/2/2006 8:35:29 AM,
    ChangeTime: 4/20/2009 8:10:14 PM, FileAttributes: A
    8:21:05.3213510 PM PSEXESVC.EXE 2208 QueryStandardInformationFile
    C:\WINDOWS\system32\c.exe SUCCESS AllocationSize: 176,128, EndOfFile:
    176,128, NumberOfLinks: 1, DeletePending: False, Directory: False
    8:21:05.3216628 PM PSEXESVC.EXE 2208 CloseFile C:\WINDOWS\system32\c.exe
    SUCCESS
    8:21:05.3218247 PM PSEXESVC.EXE 2208 CreateFile
    C:\WINDOWS\system32\c.exe.exe NAME NOT FOUND Desired Access: Read Data/List
    Directory, Execute/Traverse, Read Attributes, Synchronize, Disposition:
    Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes:
    n/a, ShareMode: Read, Delete, AllocationSize: n/a
    8:21:05.3219712 PM PSEXESVC.EXE 2208 CreateFile
    C:\WINDOWS\system32\c.exe.exe NAME NOT FOUND Desired Access:
    Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO
    Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete,
    AllocationSize: n/a
    --

    What this seems to say is that the file c.exe (my test executable) was
    indeed copied, to C:\WINDOWS\SYSTEM32 as the CreateFile call and then the
    various query operations seem to pass.

    So to answer your question, i'm assuming C:\WINDOWS\SYSTEM32 for the
    location - why I can't get my tool to work - my problem :eek:)

    Hope this helps,

    Regards,
    Jon

    www.insidetheregistry.com

    ---

    "Joey" <joey@joey.com> wrote in message
    news:OSSIvGhwJHA.3848@TK2MSFTNGP02.phx.gbl...
    > where does psexec -c option copies the file to the remote pc?
    >
     
    Jon Wallace, Apr 20, 2009
    #2
  4. Joey

    Joey Guest

    I do not see thew file being copied to the remote machine. I did a search.,
    Does it automatically deltes it after ?
    "Jon Wallace" <info@insidetheregistry.com> wrote in message
    news:uMLOVehwJHA.4956@TK2MSFTNGP02.phx.gbl...
    > Hi Joey,
    >
    > So I used another SysInternals tool to monitor this (Process Monitor) and
    > the results were, well interesting...
    >
    > I actually couldn't get my process to run remotely by using the -c switch,
    > I kept getting an error saying the process could not be found. However,
    > Process Monitor did spit out the following
    >
    > --
    > 8:21:05.2879524 PM PSEXESVC.EXE 2208 QueryOpen C:\WINDOWS\system32\c.exe
    > SUCCESS CreationTime: 4/20/2009 8:21:05 PM, LastAccessTime: 4/20/2009
    > 8:21:05 PM, LastWriteTime: 11/2/2006 8:35:29 AM, ChangeTime: 4/20/2009
    > 8:10:14 PM, AllocationSize: 176,128, EndOfFile: 176,128, FileAttributes: A
    > 8:21:05.2881162 PM PSEXESVC.EXE 2208 QueryOpen C:\WINDOWS\system32\c.exe
    > SUCCESS CreationTime: 4/20/2009 8:21:05 PM, LastAccessTime: 4/20/2009
    > 8:21:05 PM, LastWriteTime: 11/2/2006 8:35:29 AM, ChangeTime: 4/20/2009
    > 8:10:14 PM, AllocationSize: 176,128, EndOfFile: 176,128, FileAttributes: A
    > 8:21:05.2882781 PM PSEXESVC.EXE 2208 CreateFile C:\WINDOWS\system32\c.exe
    > SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Read
    > Attributes, Synchronize, Disposition: Open, Options: Synchronous IO
    > Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete,
    > AllocationSize: n/a, OpenResult: Opened
    > 8:21:05.3211034 PM PSEXESVC.EXE 2208 QueryStandardInformationFile
    > C:\WINDOWS\system32\c.exe SUCCESS AllocationSize: 176,128, EndOfFile:
    > 176,128, NumberOfLinks: 1, DeletePending: False, Directory: False
    > 8:21:05.3213242 PM PSEXESVC.EXE 2208 QuerySecurityFile
    > C:\WINDOWS\system32\c.exe SUCCESS Information: Owner, Group, DACL, SACL
    > 8:21:05.3213437 PM PSEXESVC.EXE 2208 QueryBasicInformationFile
    > C:\WINDOWS\system32\c.exe SUCCESS CreationTime: 4/20/2009 8:21:05 PM,
    > LastAccessTime: 4/20/2009 8:21:05 PM, LastWriteTime: 11/2/2006 8:35:29 AM,
    > ChangeTime: 4/20/2009 8:10:14 PM, FileAttributes: A
    > 8:21:05.3213510 PM PSEXESVC.EXE 2208 QueryStandardInformationFile
    > C:\WINDOWS\system32\c.exe SUCCESS AllocationSize: 176,128, EndOfFile:
    > 176,128, NumberOfLinks: 1, DeletePending: False, Directory: False
    > 8:21:05.3216628 PM PSEXESVC.EXE 2208 CloseFile C:\WINDOWS\system32\c.exe
    > SUCCESS
    > 8:21:05.3218247 PM PSEXESVC.EXE 2208 CreateFile
    > C:\WINDOWS\system32\c.exe.exe NAME NOT FOUND Desired Access: Read
    > Data/List Directory, Execute/Traverse, Read Attributes, Synchronize,
    > Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File,
    > Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a
    > 8:21:05.3219712 PM PSEXESVC.EXE 2208 CreateFile
    > C:\WINDOWS\system32\c.exe.exe NAME NOT FOUND Desired Access:
    > Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO
    > Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete,
    > AllocationSize: n/a
    > --
    >
    > What this seems to say is that the file c.exe (my test executable) was
    > indeed copied, to C:\WINDOWS\SYSTEM32 as the CreateFile call and then the
    > various query operations seem to pass.
    >
    > So to answer your question, i'm assuming C:\WINDOWS\SYSTEM32 for the
    > location - why I can't get my tool to work - my problem :eek:)
    >
    > Hope this helps,
    >
    > Regards,
    > Jon
    >
    > www.insidetheregistry.com
    >
    > ---
    >
    > "Joey" <joey@joey.com> wrote in message
    > news:OSSIvGhwJHA.3848@TK2MSFTNGP02.phx.gbl...
    >> where does psexec -c option copies the file to the remote pc?
    >>
    >
     
    Joey, Apr 27, 2009
    #3
  5. Jon Wallace

    Jon Wallace Guest

    Yeah - I believe it removes it afterwards as I saw the same behaviour.

    Try monitoring it using Process Monitor - you should see it create and then
    get removed...

    Cheers,
    Jon

    www.insidetheregistry.com

    ---

    "Joey" <joey@joey.com> wrote in message
    news:euxNUN2xJHA.2324@TK2MSFTNGP06.phx.gbl...
    >I do not see thew file being copied to the remote machine. I did a search.,
    >Does it automatically deltes it after ?
    > "Jon Wallace" <info@insidetheregistry.com> wrote in message
    > news:uMLOVehwJHA.4956@TK2MSFTNGP02.phx.gbl...
    >> Hi Joey,
    >>
    >> So I used another SysInternals tool to monitor this (Process Monitor) and
    >> the results were, well interesting...
    >>
    >> I actually couldn't get my process to run remotely by using the -c
    >> switch, I kept getting an error saying the process could not be found.
    >> However, Process Monitor did spit out the following
    >>
    >> --
    >> 8:21:05.2879524 PM PSEXESVC.EXE 2208 QueryOpen C:\WINDOWS\system32\c.exe
    >> SUCCESS CreationTime: 4/20/2009 8:21:05 PM, LastAccessTime: 4/20/2009
    >> 8:21:05 PM, LastWriteTime: 11/2/2006 8:35:29 AM, ChangeTime: 4/20/2009
    >> 8:10:14 PM, AllocationSize: 176,128, EndOfFile: 176,128, FileAttributes:
    >> A
    >> 8:21:05.2881162 PM PSEXESVC.EXE 2208 QueryOpen C:\WINDOWS\system32\c.exe
    >> SUCCESS CreationTime: 4/20/2009 8:21:05 PM, LastAccessTime: 4/20/2009
    >> 8:21:05 PM, LastWriteTime: 11/2/2006 8:35:29 AM, ChangeTime: 4/20/2009
    >> 8:10:14 PM, AllocationSize: 176,128, EndOfFile: 176,128, FileAttributes:
    >> A
    >> 8:21:05.2882781 PM PSEXESVC.EXE 2208 CreateFile C:\WINDOWS\system32\c.exe
    >> SUCCESS Desired Access: Read Data/List Directory, Execute/Traverse, Read
    >> Attributes, Synchronize, Disposition: Open, Options: Synchronous IO
    >> Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete,
    >> AllocationSize: n/a, OpenResult: Opened
    >> 8:21:05.3211034 PM PSEXESVC.EXE 2208 QueryStandardInformationFile
    >> C:\WINDOWS\system32\c.exe SUCCESS AllocationSize: 176,128, EndOfFile:
    >> 176,128, NumberOfLinks: 1, DeletePending: False, Directory: False
    >> 8:21:05.3213242 PM PSEXESVC.EXE 2208 QuerySecurityFile
    >> C:\WINDOWS\system32\c.exe SUCCESS Information: Owner, Group, DACL, SACL
    >> 8:21:05.3213437 PM PSEXESVC.EXE 2208 QueryBasicInformationFile
    >> C:\WINDOWS\system32\c.exe SUCCESS CreationTime: 4/20/2009 8:21:05 PM,
    >> LastAccessTime: 4/20/2009 8:21:05 PM, LastWriteTime: 11/2/2006 8:35:29
    >> AM, ChangeTime: 4/20/2009 8:10:14 PM, FileAttributes: A
    >> 8:21:05.3213510 PM PSEXESVC.EXE 2208 QueryStandardInformationFile
    >> C:\WINDOWS\system32\c.exe SUCCESS AllocationSize: 176,128, EndOfFile:
    >> 176,128, NumberOfLinks: 1, DeletePending: False, Directory: False
    >> 8:21:05.3216628 PM PSEXESVC.EXE 2208 CloseFile C:\WINDOWS\system32\c.exe
    >> SUCCESS
    >> 8:21:05.3218247 PM PSEXESVC.EXE 2208 CreateFile
    >> C:\WINDOWS\system32\c.exe.exe NAME NOT FOUND Desired Access: Read
    >> Data/List Directory, Execute/Traverse, Read Attributes, Synchronize,
    >> Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File,
    >> Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a
    >> 8:21:05.3219712 PM PSEXESVC.EXE 2208 CreateFile
    >> C:\WINDOWS\system32\c.exe.exe NAME NOT FOUND Desired Access:
    >> Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO
    >> Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete,
    >> AllocationSize: n/a
    >> --
    >>
    >> What this seems to say is that the file c.exe (my test executable) was
    >> indeed copied, to C:\WINDOWS\SYSTEM32 as the CreateFile call and then the
    >> various query operations seem to pass.
    >>
    >> So to answer your question, i'm assuming C:\WINDOWS\SYSTEM32 for the
    >> location - why I can't get my tool to work - my problem :eek:)
    >>
    >> Hope this helps,
    >>
    >> Regards,
    >> Jon
    >>
    >> www.insidetheregistry.com
    >>
    >> ---
    >>
    >> "Joey" <joey@joey.com> wrote in message
    >> news:OSSIvGhwJHA.3848@TK2MSFTNGP02.phx.gbl...
    >>> where does psexec -c option copies the file to the remote pc?
    >>>
    >>
    >
    >
     
    Jon Wallace, Apr 27, 2009
    #4

Share This Page