Duck

Capturing PSEXEC's command line output


I'm attempting to capture the output from the command line tool PSEXEC. I'm using AutoIT to run an instance of PSEXEC against a remote PC to audit Local Admins in my environment using net.exe (C:\Windows\System32> net localgroup administrators). However the usual trick I use to capture command line output does not appear to work well with PSEXEC, as the bottom portion of the output is missing from the return. Any ideas or recommendations are greatly appreciated.  

 

Here is what I'm working with: 

;This script will read from a list of hosts and report who has local admin privileges on the machine
#RequireAdmin
#include <AutoItConstants.au3> ;$STDERR_MERGED and the other Run() stream flags

Global $fileName = @ScriptDir & '\test.txt' ;hostlist, one host per line

readHostList()

;Read list of hosts
Func readHostList()
    Local $file = FileOpen($fileName, 0)
    If $file = -1 Then
        ConsoleWrite("Could not open host list: " & $fileName & @CRLF)
        Return
    EndIf

    Local $line
    While 1
        $line = FileReadLine($file)
        If @error = -1 Then ExitLoop ;end of file
        ConsoleWrite($line & @CRLF)
        ;MsgBox(0,0,$line)
        getLocalAdmins($line)
    WEnd

    FileClose($file)
EndFunc

;run PSEXEC to list local admins
Func getLocalAdmins($remotePC)
    Local $testFile = @ScriptDir & '\test234.txt'
    ;keep the handle from FileOpen (mode 1 = append) so the write and the close act on that open file;
    ;passing the file name to FileClose does nothing, and the handle was being leaked
    Local $hOut = FileOpen($testFile, 1)
    Local $psexec = 'psexec \\' & $remotePC & ' net localgroup administrators'
    FileWriteLine($hOut, _RunCmd($psexec))
    FileClose($hOut)
EndFunc

;Used to return CLI output (stderr merged into stdout)
Func _RunCmd($sCommand)
    Local $nPid = Run(@ComSpec & " /c " & $sCommand, @SystemDir, @SW_HIDE, $STDERR_MERGED), $sRet = ""
    If @error Then Return "ERROR:" & @error
    ;Read until StdoutRead reports end-of-stream (@error set). Leaving the loop as soon as
    ;ProcessExists() goes false can return with data still buffered in the pipe, which is
    ;one way the tail end of the output gets dropped.
    While 1
        $sRet &= StdoutRead($nPid)
        If @error Then ExitLoop
        Sleep(10)
    WEnd

    Return $sRet
EndFunc

 

## If I manually run the command on the remote PC via PSEXEC, I get the following output:

PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com

Starting net on PCNAME... on PCNAME...
net exited on PCNAME with error code 0.

-------------------------------------------------------------------------------
admin
Administrator
Alias name     administrators
Domain\Domain Admins
Comment        Administrators have complete and unrestricted access to the computer/domain
Members
The command completed successfully.

 

## The returned output from running the above script is as follows:

PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com

Alias name     administrators
Connecting to PCNAME...

Starting PSEXESVC service on PCNAME...

Connecting with PsExec service on PCName...

Starting net on PCNAME..

net exited on PCNAME with error code 0.

 

**Note: to test this script, PSEXEC must be in the system dir, or the path in the script must be changed.
PSEXEC tool: https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

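A point worth separating out from the capture shown in the post: PsExec prints its banner and its "Connecting to..." / "Starting PSEXESVC service..." progress lines on stderr (which is why `2>nul` after a psexec command is the usual way to hide the banner), while the remote net.exe listing comes back on stdout. The script's flag 8 ($STDERR_MERGED) folds both into one pipe, so the two streams interleave and "Alias name administrators" ends up in the middle of the status lines. The following is an added example, not code from the thread: it reads stdout and stderr as two separate strings, and it stops only when StdoutRead/StderrRead report end-of-stream rather than when the cmd.exe process disappears. It assumes psexec.exe is on the PATH and uses PCNAME as a placeholder host.

```autoit
#include <AutoItConstants.au3> ; $STDOUT_CHILD, $STDERR_CHILD

; Run a command through cmd.exe and return its stdout, handing back stderr via ByRef.
; The loop ends when StdoutRead/StderrRead set @error, i.e. when the child has closed
; its end of each pipe and the buffers are drained. Leaving the loop as soon as
; ProcessExists() goes false can return with data still sitting in the pipe.
Func _RunCmdSplit($sCommand, ByRef $sStdErr)
    Local $sStdOut = ""
    $sStdErr = ""
    Local $iPid = Run(@ComSpec & ' /c ' & $sCommand, @SystemDir, @SW_HIDE, $STDOUT_CHILD + $STDERR_CHILD)
    If @error Then Return SetError(1, 0, "")

    Local $bOutDone = False, $bErrDone = False
    While Not ($bOutDone And $bErrDone)
        If Not $bOutDone Then
            $sStdOut &= StdoutRead($iPid)
            If @error Then $bOutDone = True ; end of stream
        EndIf
        If Not $bErrDone Then
            $sStdErr &= StderrRead($iPid)
            If @error Then $bErrDone = True ; end of stream
        EndIf
        Sleep(10) ; the remote command can take a while; don't spin at 100% CPU
    WEnd
    Return $sStdOut
EndFunc

; Usage for one host. PCNAME is a placeholder host name (assumption for this example);
; -accepteula skips the EULA dialog PsExec shows on first use.
Local $sErr
Local $sOut = _RunCmdSplit('psexec.exe -accepteula \\PCNAME net localgroup administrators', $sErr)
If @error Then
    ConsoleWrite("could not start cmd.exe" & @CRLF)
Else
    ConsoleWrite("--- stdout (net.exe listing) ---" & @CRLF & $sOut & @CRLF)
    ConsoleWrite("--- stderr (PsExec banner and status lines) ---" & @CRLF & $sErr & @CRLF)
EndIf
```

With the streams kept apart, the stdout string is just the net.exe listing and can be written to the results file as-is, while the stderr string is what to log when PsExec fails to connect or the service does not start.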

#2 · Posted

What if you pipe your PSEXEC command to a text file and then parse the text file?

Local $psexec = 'psexec \\' & $remotePC & ' net localgroup administrators > C:\temp\textout.txt'



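A complete version of the file-redirect approach suggested in post #2, added here as an example and not part of either post. It assumes psexec.exe is on the PATH, uses PCNAME as a placeholder host, and assumes net.exe's standard layout for "net localgroup": header lines, "Members", a dashed separator, one member per line, then "The command completed successfully.". Two details matter for getting a complete file: `2>&1` sends PsExec's own banner, status and error text into the same file as the listing, and RunWait (rather than Run) returns only after cmd.exe, and therefore psexec, has exited, so the file is complete before it is read. PsExec returns the remote process's exit code (the "net exited ... with error code 0" line), which the function hands back in @extended.

```autoit
#include <Array.au3> ; _ArrayToString
#include <File.au3>  ; _TempFile

; Run PsExec with its output redirected to a local file, wait for it to finish,
; then return the raw text and fill $aMembers with the parsed member list.
; @error = 1 if cmd.exe could not be started; @extended = exit code cmd.exe reports.
Func _PsExecLocalAdmins($sRemotePC, ByRef $aMembers)
    ; one temp file per run instead of a fixed C:\temp\textout.txt, so runs never share a file
    Local $sTmp = _TempFile(@TempDir, "~psx", ".txt")
    ; -accepteula skips the EULA dialog PsExec shows on first use
    Local $sCmd = 'psexec.exe -accepteula \\' & $sRemotePC & ' net localgroup administrators > "' & $sTmp & '" 2>&1'
    ; RunWait blocks until cmd.exe (and so psexec) has exited: the file is complete when it returns
    Local $iExit = RunWait(@ComSpec & ' /c ' & $sCmd, @SystemDir, @SW_HIDE)
    If @error Then Return SetError(1, 0, "")
    Local $sOut = FileRead($sTmp)
    FileDelete($sTmp)
    $aMembers = _ParseNetLocalGroup($sOut)
    Return SetError(0, $iExit, $sOut)
EndFunc

; Extract member names from "net localgroup <group>" output (assumed standard layout, see above).
; Everything before the dashed separator, including PsExec's status lines when stderr is
; merged in, is skipped; blank lines are ignored; parsing stops at "The command completed".
Func _ParseNetLocalGroup($sOutput)
    Local $aMembers[0]
    Local $aLines = StringSplit(StringStripCR($sOutput), @LF)
    Local $bInList = False
    For $i = 1 To $aLines[0]
        Local $sLine = StringStripWS($aLines[$i], 3) ; 3 = strip leading and trailing whitespace
        If Not $bInList Then
            If StringLeft($sLine, 5) = "-----" Then $bInList = True
            ContinueLoop
        EndIf
        If $sLine = "" Then ContinueLoop
        If StringInStr($sLine, "The command completed") Then ExitLoop
        ReDim $aMembers[UBound($aMembers) + 1]
        $aMembers[UBound($aMembers) - 1] = $sLine
    Next
    Return $aMembers
EndFunc

; Usage for one host (PCNAME is a placeholder host name, an assumption for this example)
Local $aAdmins
Local $sRaw = _PsExecLocalAdmins("PCNAME", $aAdmins)
If @error Then
    ConsoleWrite("could not start cmd.exe" & @CRLF)
ElseIf @extended <> 0 Then
    ConsoleWrite("PCNAME: psexec/net exited with code " & @extended & @CRLF & $sRaw & @CRLF)
ElseIf UBound($aAdmins) = 0 Then
    ConsoleWrite("PCNAME: no members parsed, raw output follows" & @CRLF & $sRaw & @CRLF)
Else
    ConsoleWrite("PCNAME: " & _ArrayToString($aAdmins, ", ") & @CRLF)
EndIf
```

Keeping the raw text around and printing it whenever the exit code is non-zero or nothing parses is deliberate: a host that refuses the connection, or one where the PSEXESVC service fails to start, produces a file with only PsExec's error text in it, and that is the line you want in the audit log rather than an empty member list.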

