Posted by Jianpeng Mo / January 20, 2014

Monitoring and maintaining large-scale, complex, highly distributed and interconnected systems can be extremely challenging for network administrators. Traditional IT management approaches are ill-equipped to handle the complexity of today's application architectures and deployment environments. It is common for an IT admin to support hundreds of machines in an enterprise network daily, and having to physically walk to each machine in order to issue a simple command is not acceptable. Being able to execute system commands remotely without much additional pre-configuration is therefore always welcome.

In this blog post, we are going to discuss how to use two remote command execution tools, PowerShell and PsExec. We will show how to use each of these tools to remotely execute command line tools, using two OPSWAT products, OESIS Diagnose and Metascan Client, for our examples.

OESIS Diagnose is a troubleshooting tool for the OESIS project. It leverages OESIS Local functionalities internally and provides necessary information and visibility to the OPSWAT engineering team. Metascan Client is a GUI based utility that connects to the Metascan server and performs on-demand scan function calls.

*These steps are provided under the assumption that the user domain is in a protected network and that the command is being triggered by the system administrator.

PowerShell

Introduction:

PowerShell is provided by Microsoft as a replacement for the command shell, bringing advanced scripting to Windows. It provides full access to COM and WMI and enables administrators to perform system commands on both local and remote Windows systems. Previously, PowerShell was packaged as a separate add-on to Windows, marketed mainly to server administrators. Starting with Windows 7, PowerShell is a built-in part of the operating system, giving this capability to all Windows users.

Step by step usage for OESIS Diagnose:

  1. On the remote machine, enable remote commands in PowerShell as instructed below:

    PS C:\Windows\system32> Enable-PSRemoting -force

  2. On a local machine, add remote system to the trusted list in PowerShell as seen below:

    PS C:\Windows\system32> Set-Item wsman:\localhost\Client\TrustedHosts -value 10.0.X.X

  3. On a local machine, set the execution policy to remote signed in PowerShell as below:

    PS C:\Windows\system32> Set-ExecutionPolicy RemoteSigned

  4. Copy OESIS Local package (including the OESIS Diagnose.exe) into the remote machine.
  5. On a local machine, create PowerShell script "remoteLaunchOESISDiagnose.ps1" as seen below:

    #Predefine necessary information
    $Username = "10.0.X.X\username"
    $Password = "password"
    $ComputerName = "10.0.X.X"
    $Script = {C:\OESISLocalPackage\OesisDiagnose_V3.exe}

    #Create credential object
    $SecurePassWord = ConvertTo-SecureString -AsPlainText $Password -Force
    $Cred = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $Username, $SecurePassWord

    #Create session object with this
    $Session = New-PSSession -ComputerName $ComputerName -credential $Cred

    #Invoke-Command
    $Job = Invoke-Command -Session $Session -Scriptblock $Script
    echo $Job

    #Close Session
    Remove-PSSession -Session $Session

  6. On a local machine, launch "remoteLaunchOESISDiagnose.ps1" in PowerShell as seen below:

    PS C:\Windows\system32> ./remoteLaunchOESISDiagnose.ps1

  7. The PowerShell script will be executed on the remote machine and launch OESIS Diagnose there. The result files are generated on the remote machine.

Step by step usage for Metascan Client:

  1. Follow the same setup as steps 1, 2 and 3 of the OESIS Diagnose example above.
  2. Copy the Metascan Client package into the remote machine.
  3. On the local machine, create the PowerShell script "remoteLaunchMetascanClient.ps1" as below:

    #Predefine necessary information
    $Username = "10.0.X.X\username"
    $Password = "password"
    $ComputerName = "10.0.X.X"
    $Script = {C:\MetascanClientPackage\MetascanClient.exe server="10.0.Y.Y:8008/metascan_rest" auto_start=1 allowed_scan_levels=1}

    #Create credential object
    $SecurePassWord = ConvertTo-SecureString -AsPlainText $Password -Force
    $Cred = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $Username, $SecurePassWord

    #Create session object with this
    $Session = New-PSSession -ComputerName $ComputerName -credential $Cred

    #Invoke-Command
    $Job = Invoke-Command -Session $Session -ScriptBlock $Script
    echo $Job

    #Close Session
    Remove-PSSession -Session $Session

  4. On the local machine, launch “remoteLaunchMetascanClient.ps1” in PowerShell as seen below:

    PS C:\Windows\system32> ./remoteLaunchMetascanClient.ps1

  5. The PowerShell script will be executed on the remote machine and trigger Metascan Client to scan against the pre-configured Metascan server specified on the command line, with the scan result being generated on the remote machine.
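As an added example (not from the original post), the two scripts above collapsed into one launcher that prompts for credentials instead of storing `$Password` in the file, checks that WinRM answers before opening a session, always removes the session, and reports the remote exit code. Paths, addresses and the `username` account are the post's own placeholders; the `-Tool` parameter and the result object are this example's additions.

```powershell
# Added example: launcher covering both remoteLaunchOESISDiagnose.ps1 and
# remoteLaunchMetascanClient.ps1. Paths and addresses are the post's placeholders.
param(
    [Parameter(Mandatory=$true)] [string] $ComputerName,      # e.g. '10.0.X.X'
    [ValidateSet('Diagnose', 'Metascan')] [string] $Tool = 'Diagnose',
    [string] $MetascanServer = '10.0.Y.Y:8008/metascan_rest'
)

# Interactive prompt: the password never lands in the script file or in history.
$Cred = Get-Credential "$ComputerName\username"

# Step 1 of the post (Enable-PSRemoting) must already have been run on the target;
# Test-WSMan returns nothing when the WinRM listener is not reachable.
if (-not (Test-WSMan -ComputerName $ComputerName -ErrorAction SilentlyContinue)) {
    throw "WinRM is not reachable on $ComputerName; run Enable-PSRemoting there first"
}

# Remote block: run the tool, capture its output and exit code, hand both back.
$Remote = {
    param($Tool, $Server)
    if ($Tool -eq 'Diagnose') {
        $Out = & 'C:\OESISLocalPackage\OesisDiagnose_V3.exe' 2>&1
    } else {
        $Out = & 'C:\MetascanClientPackage\MetascanClient.exe' "server=$Server" auto_start=1 allowed_scan_levels=1 2>&1
    }
    New-Object PSObject -Property @{ ExitCode = $LASTEXITCODE; Output = ($Out | Out-String) }
}

$Session = New-PSSession -ComputerName $ComputerName -Credential $Cred
try {
    $Result = Invoke-Command -Session $Session -ScriptBlock $Remote -ArgumentList $Tool, $MetascanServer
    Write-Output $Result.Output
    if ($Result.ExitCode -ne 0) {
        Write-Warning "$Tool exited with code $($Result.ExitCode) on $ComputerName"
    } else {
        Write-Output "$Tool finished on $ComputerName; result files are on the remote machine"
    }
} finally {
    # Runs even when Invoke-Command throws, so no orphaned session is left open.
    Remove-PSSession -Session $Session
}
```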

Limitations:

Both the OESIS Diagnose and Metascan Client scan functions can be executed remotely via PowerShell, but PowerShell fails to launch the Metascan Client UI on the remote machine. This is because remote access via PowerShell does not start an interactive desktop session. For security reasons, users can only see applications that are opened within their own interactive sessions. Basically, every Windows operating system thinks it's a Terminal Server, and Windows does not want users opening applications that other users could possibly see. Windows assumes that multiple users will be using the machine, so it isolates these applications for a number of obvious security reasons.

PsExec

Introduction:

PsExec is a command line tool that allows the execution of processes on a remote system and transfers the results of those operations to the local console. It has a long list of optional parameters that allow a great deal of flexibility for IT administrators. The key feature of PsExec is that it lets users run a script or application within the security context of either the currently logged on user or a user provided during program initialization.

Step by step usage for OESIS Diagnose:

  1. Download PSTools from the link below; PsExec is part of the package.

  2. Copy OESIS Local package (including the OESIS Diagnose.exe) into the remote machine.
  3. On the local machine, open the command prompt (cmd) and change to the directory where PsExec is located.
  4. On the local machine, execute the following command:

    C:\whereYouSavePsExec>PsExec.exe \\10.0.X.X -u username -p password C:\OESISLocalPackage\OesisDiagnose_V3.exe

  5. PsExec will launch the OESIS Diagnose process on the remote machine using the credentials provided above and generate the diagnosis report on that system.

Step by step usage for Metascan Client:

  1. Follow the same setup as step 1 of the OESIS Diagnose usage above.
  2. Copy the Metascan Client package into the remote machine.
  3. On the local machine, open the command prompt (cmd) and change to the directory where PsExec is located.
  4. On the local machine, execute the following command:

    C:\whereYouSavePsExec>PsExec.exe \\10.0.X.X -u username -p password C:\MetascanClientPackage\MetascanClient.exe server="10.0.Y.Y:8008/metascan_rest" auto_start=1 allowed_scan_levels=1

  5. PsExec will launch the Metascan Client process on the remote machine using the credentials provided above. This brings up the Metascan Client UI, and the scan result is generated on the remote machine.
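As an added example (not from the original post), a PowerShell wrapper for the two PsExec command lines above. It leaves out `-p` so that PsExec prompts for the password rather than taking it from the command line and shell history, rejects remote command lines longer than the 256-character limit noted under Limitations below, and returns PsExec's exit code, which is the exit code of the remote process. The function name, `$PsExecPath` default and the assumption that the quotes around the `server=` value are unnecessary (the value contains no spaces) are this example's own.

```powershell
# Added example: wrapper for the PsExec commands in the steps above.
# Paths, addresses and the 'username' account are the post's placeholders.
function Invoke-PsExecTool {
    param(
        [Parameter(Mandatory=$true)] [string] $ComputerName,   # e.g. '10.0.X.X'
        [Parameter(Mandatory=$true)] [string] $UserName,
        [Parameter(Mandatory=$true)] [string] $Command,        # exe path on the remote machine
        [string[]] $Arguments = @(),
        [string] $PsExecPath = 'C:\whereYouSavePsExec\PsExec.exe' # assumed location
    )
    if (-not (Test-Path $PsExecPath)) { throw "PsExec not found at $PsExecPath" }

    # Guard the 256-character remote command line limit before PsExec hits it.
    $RemoteLine = (@($Command) + $Arguments) -join ' '
    if ($RemoteLine.Length -gt 256) {
        throw "Remote command line is $($RemoteLine.Length) characters; PsExec allows 256"
    }

    # No -p: PsExec prompts for a hidden password instead of reading it from argv.
    # -accepteula suppresses the first-run licence dialog on unattended runs.
    $PsArgs = @('-accepteula', "\\$ComputerName", '-u', $UserName, $Command) + $Arguments
    & $PsExecPath @PsArgs | Out-Host      # console output shown, not returned
    return $LASTEXITCODE                   # remote process exit code
}

# The two commands from the steps above, expressed through the wrapper.
$rc = Invoke-PsExecTool -ComputerName '10.0.X.X' -UserName 'username' `
    -Command 'C:\OESISLocalPackage\OesisDiagnose_V3.exe'
if ($rc -ne 0) { Write-Warning "OESIS Diagnose exited with code $rc" }

# Quotes around the server value are assumed unnecessary (no spaces in it).
$rc = Invoke-PsExecTool -ComputerName '10.0.X.X' -UserName 'username' `
    -Command 'C:\MetascanClientPackage\MetascanClient.exe' `
    -Arguments 'server=10.0.Y.Y:8008/metascan_rest', 'auto_start=1', 'allowed_scan_levels=1'
if ($rc -ne 0) { Write-Warning "Metascan Client exited with code $rc" }
```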

Limitations:

PsExec does not natively come with the Windows operating system; users have to download the PSTools package separately (an extra 1.6 MB folder). PsExec does not provide an easy way for users to access network resources on the remote machine, because the input argument is limited to 256 characters. Some older versions, such as v1.73 and v1.82, have serious problems with programmatic redirection of StdOut over named pipes.

Note: The Microsoft website states that “some anti-virus engines report that one or more of the tools are infected with a ‘remote admin’ virus.” However, according to the latest scan result from Metascan Online, no antivirus engines detected the PSTools package as a threat.

Summary:

Both PowerShell and PsExec have advantages and disadvantages for network administrators. When it comes down to it, there is really no good or bad choice between PowerShell and PsExec; it largely depends on which system management tools IT administrators decide to select. The best option for novice users would be PsExec, considering it is the easiest to start out with and lets you run CLI-based executables remotely while taking advantage of their full feature set.

Announcement: Metascan Client is now Metadefender Client as part of our streamlined Metadefender Product Family. Check out the blog announcement to learn more.
