PsTools is a set of utilities to perform administrative tasks on local and remote systems. The executables in the PsTools suite give you quick access to remotely manage a system via command line without having to log in interactively with remote desktop or interrupt a user’s session. You can download the PsTools suite from:
https://technet.microsoft.com/en-us/sysinternals/pstools.aspx
Installing and using PsTools
Extract PSTools.zip to C:\Windows\System32 or any other directory listed in your Path variable. To see which directories are available, open a command prompt and use the command echo %PATH%.
PsTools can also be accessed from any system with an internet connection via the Sysinternals Live Service.
To access the Live Service via command line use the following command:
pushd \\live.sysinternals.com\Tools\
To access the Live Service with PowerShell use the following command:
cd \\live.sysinternals.com\Tools
PsExec - execute processes remotely
PsExec executes command line processes on a remote computer. PsExec can be used for anything from executing simple commands to installing software on a remote computer or list of computers.
Examples
PsExec \\RemoteComputer cmd – opens a command prompt on the remote computer
PsExec.exe \\igskmccwlt114 cmd
PsExec -i -s Program – runs a program on the local computer interactively as system
PsExec.exe -i -s regedit
PsExec \\RemoteComputer Command – executes a specified command on the remote computer
PsExec.exe \\igskmccwlt114 ipconfig
PsExec @listFile Command – executes a specified command on the computers listed in the text file
PsExec.exe @laptops.txt ipconfig
PsExec \\RemoteComputer cmd /c msiexec.exe /x {uninstall Key} – uninstall a software package on a remote computer from a network share. This can also be used with the @listFile option.
PsExec.exe \\igskmccwlt114 cmd /c MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F64180102F0} /q
PsFile - shows files opened remotely
PsFile can be used to list open files on a storage server and close them if required.
Examples
PsFile \\RemoteComputer – lists open files on the remote computer
PsFile.exe \\igskmccwgs09
[1677722086] Y:\DFS_Shares\sdmedia\
User: jdlee
Locks: 0
Access: Read
PsFile \\RemoteComputer [ID : Path] -c – closes the identified file
PsFile.exe \\igskmccwgs09 1677722086 -c
Closed file Y:\DFS_Shares\sdmedia\ on igskmccwgs09.
PsGetSid - display the SID of a computer or a user
After a system rollout there is the possibility of duplicate SIDs, which can cause problems on the network. PsGetSid lists the SID assigned to the queried computer.
Examples
PsGetSid \\RemoteComputer – gets SID for targeted system
PsGetsid.exe \\igskmccwgs09
PsGetSid \\RemoteComputer,RemoteComputer2,RemoteComputer3 – gets SIDs for listed computers
PsGetsid.exe \\igskmccwgs09,igskmccwgs02,igskmccwgs001
PsGetSid @listFile – gets SIDs for computers listed in text file
PsGetsid.exe @Servers.txt
PsGetSid Sample Output
\\igskmccwgs09:
SID for \\igskmccwgs09:
S-1-5-21-3728129569-517567604-2257356108
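Added example, not part of the original page: a PowerShell function that reads PsGetSid output in the layout shown above and reports any machine SID returned by more than one computer, which is the duplicate-SID condition described earlier. The function name Find-DuplicateSid and the sample host names and SIDs are constructed for illustration.

```powershell
# Constructed sample in the layout of the PsGetSid output shown above.
# Host names and SIDs are made up for this example.
$sample = @'
\\HOST-A:
SID for \\HOST-A:
S-1-5-21-1111111111-2222222222-3333333333
\\HOST-B:
SID for \\HOST-B:
S-1-5-21-4444444444-5555555555-6666666666
\\HOST-C:
SID for \\HOST-C:
S-1-5-21-1111111111-2222222222-3333333333
'@ -split '\r?\n'

# Hypothetical helper: pairs each "SID for \\name:" header with the SID
# line that follows it, then groups the pairs by SID.
function Find-DuplicateSid {
    param([string[]]$Lines)

    $computer = $null
    $records = foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^SID for \\\\(?<name>[^:]+):$') {
            # Header line: remember which computer the next SID belongs to.
            $computer = $Matches['name']
        }
        elseif ($computer -and $text -match '^S-1-5-21(-\d+){3}$') {
            # Machine SID: S-1-5-21 followed by exactly three sub-authorities.
            [pscustomobject]@{ Computer = $computer; Sid = $text }
            $computer = $null
        }
    }

    # A SID reported by more than one computer is a duplicate.
    $records | Group-Object -Property Sid | Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Sid       = $_.Name
                Computers = @($_.Group.Computer) -join ', '
            }
        }
}

Find-DuplicateSid -Lines $sample | Format-Table -AutoSize
```

To check real systems, pass the lines captured from PsGetsid.exe @Servers.txt in place of $sample.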
PsInfo - list information about a system
PsInfo gathers information about the local or remote system.
Examples
PsInfo \\RemoteComputer – gathers information for the targeted system
PsInfo.exe \\igskmccwgs09
PsInfo \\RemoteComputer,RemoteComputer2,RemoteComputer3 – gathers information for the listed systems
PsInfo.exe \\igskmccwgs09,igskmccwgs02,igskmccwgs001
PsInfo @listFile – gathers information for the listed systems
PsInfo.exe @Servers.txt
PsInfo Sample Output
System information for \\igskmccwgs09:
Uptime: 8 days 14 hours 3 minutes 13 seconds
Kernel version: Windows Server 2012 R2 Standard, Multiprocessor Free
Product type: Standard Edition
Product version: 6.3
Service pack: 0
Kernel build number: 9600
Registered organization:
Registered owner: Windows User
IE version: 9.0000
System root: C:\Windows
Processors: 8
Processor speed: 2.2 GHz
Processor type: Intel(R) Xeon(R) CPU L5520 @
Physical memory: 4016 MB
Video driver: Microsoft Basic Display Adapter
PsKill - kill processes by name or process ID
PsKill kills running processes on local or remote computers.
Examples
PsKill \\RemoteComputer [ProcessName/ProcessID]
pskill.exe \\igskmccwlt123 notepad
pskill.exe \\igskmccwlt123 3616
Expected output
Process 3616 on igskmccwlt123 killed….
PsList - list detailed information about processes
PsList shows CPU and memory information for all running processes on the local or remote computer.
Examples
PsList \\RemoteComputer – lists process information about the remote computer
PsList.exe \\igskmccwlt123
PsList \\RemoteComputer ProcessName / PsList \\RemoteComputer PID
PsList.exe Notepad
PsList.exe 3616
These options can be paired with the -d, -m, -x, and -t switches to provide additional information about the specified processes.
pslist \\igskmccwlt123 3616
Process information for igskmccwlt123:
Name Pid Pri Thd Hnd Priv CPU Time Elapsed Time
notepad 3616 4 1 144 1644 0:00:00.140 164:01:52.095
PsList -s \\RemoteComputer – runs the PsList utility in task-manager mode with an optional switch for refresh rate
PsList.exe -s \\igskmccwlt123
PsList.exe -s 30 \\igskmccwlt123
PsLoggedOn - see who's logged on locally and via resource sharing
PsLoggedOn shows a list of users logged on locally and accessing network shares on a specified computer. It will also search all computers to find where a single user is logged on.
Examples
PsLoggedOn \\ComputerName – lists all local and remote sessions on the system
PsLoggedon.exe \\igskmccwgs09
Users logged on locally:
8/15/2016 9:16:37 PM GS\jdlee-ou
<unknown time> GS\igskmccw-spicew
<unknown time> GS\igskmccw-backupexec
Users logged on via resource shares:
8/24/2016 10:47:02 AM \\igskmccwgs09\pnorton
8/24/2016 10:48:27 AM \\igskmccwgs09\cprice
8/24/2016 10:42:34 AM \\igskmccwgs09\dgdrisco
PsLoggedOn UserName – searches the network for systems the user is logged on to
PsLoggedon.exe jdlee
GS\jdlee logged onto IGSKMCCWGS09 remotely.
Checking IGSKMCCWGS207…Connecting to Registry of IGSKMCCWGS207…
PsLogList - dump event log records
PsLogList lets you view logs on different computers with visually friendly formatting.
Examples
PsLogList -a mm/dd/yy -b mm/dd/yy – filters log events to those after and before the specified dates
psloglist.exe \\igskmccwgs09 -a 08/21/16 -b 08/23/16
PsLogList -d # – only displays records for the previous number of days
psloglist.exe \\igskmccwgs09 -d 10
PsLogList -f EventType [w – warnings, e – error, I – information, c – critical]
psloglist.exe \\igskmccwgs09 -f w
PsLogList -i EventID – filter by event ID
psloglist.exe \\igskmccwgs09 -i 4625
PsPasswd - changes account passwords
PsPasswd is used to change local account passwords on remote systems.
Examples
PsPasswd \\RemoteComputer UserName NewPassword – changes specified account password on remote computer
pspasswd.exe \\igskmccwlt123 power P@ssW0rd1234
PsPasswd \\RemoteComputer,RemoteComputer1,RemoteComputer2 UserName NewPassword – changes specified account password on listed remote computers
pspasswd.exe \\igskmccwlt123,igskmccwlt151 power P@ssW0rd1234
PsPasswd @FileName UserName NewPassword – changes specified account password on the remote computers listed in the text file
Pspasswd.exe @servers.txt power P@ssW0rd1234
PsPing - measure network performance
PsPing is used to measure network performance, latency, and bandwidth available.
Examples
ICMP – PsPing -n (ping count) -i (interval between pings) -l (packet size) destination
psping.exe -n 10 -i 0 -l 1500 152.61.245.9
TCP – PsPing -n (ping count) -i (interval between pings) -l (packet size) destination:port
psping.exe -n 10 -i 0 -l 1500 152.61.245.9:80
Latency Test – Latency test requires access to both the client and the server. On the server a listen service will need to be started for the client to communicate with.
Server command – PsPing -f -s listeningAddress:port
psping.exe -f -s 152.61.245.9:99
Type Control-C to exit.
Waiting for TCP connection on 152.61.245.9:99:
Client Command – PsPing -h (Histogram count) -n (ping count) -l (packet size) destination:port
psping.exe -h 10 -n 10 -l 1500 152.61.245.9:99
Bandwidth Test – The bandwidth test helps determine how much data can be passed between two systems. This test also requires access to both the client and the server. On the server a listen service will need to be started for the client to communicate with. Start the listen service on the server the same way as with the latency test.
psping.exe -b -n 5000 -l 8000 152.61.245.9:99
TCP sender bandwidth statistics:
Sent = 5000, Size = 8000, Total Bytes: 40056000,
Minimum = 30.30 MB/s, Maximum = 31.90 MB/s, Average = 31.47 MB/s
PsService - view and control services
PsService can be used to view, start, and stop services on a remote computer.
Examples
PsService \\RemoteComputer Command (options)
PsService.exe \\igskmccwgs09 query | more – lists all services
PsService.exe \\igskmccwgs09 start spooler – starts the spooler service, can be used with stop and restart
PsService \\RemoteComputer setconfig ServiceName StartType
PsService.exe \\igskmccwgs09 setconfig spooler auto
PsShutdown - shuts down and optionally reboots a computer
PsShutdown can be used to shut down or restart a single computer or group of computers.
Examples
PsShutdown \\RemoteComputer -s | -r – shut down or restart the targeted computer
psshutdown.exe \\igskmccwlt114 -r
PsShutdown \\RemoteComputer @listFile -s | -r – shut down or restart the listed systems
psshutdown.exe "@computers.txt" -r
PsSuspend - suspends processes
PsSuspend suspends a process on a local or remote computer and allows the process to be resumed at a later time.
Examples
PsSuspend \\RemoteComputer ProcessName – suspends named process
pssuspend.exe \\igskmccwlt114 notepad
2 processes named suspended notepad on igskmccwlt114.
PsSuspend -r \\RemoteComputer ProcessName – resumes named process
pssuspend.exe -r \\igskmccwlt114 notepad
2 processes named resumed notepad on igskmccwlt114.
The full Sysinternals Suite contains additional troubleshooting tools and can be downloaded from Microsoft.
https://technet.microsoft.com/en-us/sysinternals/bb842062