IT Trenches

Dec 18 2009   7:28PM GMT

Using PsExec to fight malware

Troy Tate

The excellent Sysinternals Windows tools have been around for many years (since 1996!). Microsoft now has these tools available and they are all FREE! They are also available in a “live” way such that you do not need to have previously downloaded the tools to use them. Simply browse to:

and run the tool from a web browser. This means that you always have access to the latest valid version and can use the tool anywhere you are that has internet access.

One of the tools I most frequently use is the PsExec tool. PsExec is a command-line tool that lets you execute processes on remote systems and redirect console applications’ output to the local system so that these applications appear to be running locally. There are several command-line options on this tool so please read the documentation carefully to understand how to use this powerful tool.

The following is an example of how to use PsExec to remotely fight a system infected by malware. Note that this access works ONLY if you have administrative access on the remote Windows host.

The first step in accessing the remote system is to run the psexec command shown below where the IP address or name after the “\\” characters is the remote system. This particular command runs the cmd.exe executable that should already exist on the remote system at the IP address starting with 10. and ending in .29. In this case, the remote system is Windows XP.

One thing that a lot of malware does today is open up network connections to other machines or to the internet to spread an infection or get additional instructions. To see where this remote computer has made connections, I issue the netstat -an command. Using PsExec with the remote CMD shell is just like I am sitting at the console of the remote system so I can see the results on my screen even though the netstat command is being processed by the remote computer.

Nothing seems too amiss here. All of the remote (foreign) connections appear valid and use standard Windows ports for communication. But WAIT! This system is listening on a very strange port. What application is listening on port 22347? We can find this out using the netstat -ano command as shown below. The results show us the PID, or process identifier number, of the executable.

From these results, we see that the PID listening on port 22347 is 1820. So, the next step is to run tasklist to list running processes. Remember, we are doing this on a remote machine! Isn’t this cool?

Ahhh… so the executable of interest listening on port 22347 with PID 1820 is WkSvW32.exe. This doesn’t sound familiar to me, so I need to find out what it is. How can I do that remotely? How about just running the DIR /s command at the root of the drive to see what the path to the WkSvW32.exe executable is?

FOUND IT! The WkSvW32.exe program is in the C:\Program Files\WIBUKEY\Server folder. In this case the WIBUKEY application is supporting a license dongle for a legitimate business application. However, what if the executable had been something malicious? Well, then you would need to take some steps to get a copy of the malicious executable for forensics and identification. The machine would then need to be isolated and cleaned if possible. Do you have additional special procedures for handling malicious software like this? Please share your tips and tricks with other ITKE readers.
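The port-to-PID-to-image correlation done by hand above (netstat -ano, then tasklist) can be automated over captured command output. The script below is an added example, not from the original post; the netstat and tasklist text it parses is constructed to mirror the case described, and the set of "expected" listening ports is an assumption for this host.

```python
import re

# Constructed sample of `netstat -ano` output from the remote host (not the post's real capture).
NETSTAT_ANO = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1032
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:22347          0.0.0.0:0              LISTENING       1820
  TCP    10.0.0.29:139          0.0.0.0:0              LISTENING       4
  TCP    10.0.0.29:1045         10.0.0.5:445           ESTABLISHED     4
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed sample of `tasklist` output from the same host.
TASKLIST = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
System                           4 Console                    0        236 K
svchost.exe                   1032 Console                    0      4,908 K
WkSvW32.exe                   1820 Console                    0      3,120 K
"""

# Assumed baseline: ordinary Windows networking ports on this host; any other listener gets flagged.
EXPECTED_PORTS = {135, 137, 138, 139, 445}

def parse_listeners(netstat_out):
    """Return (proto, local_port, pid) for each TCP LISTENING line and each UDP socket."""
    listeners = []
    for line in netstat_out.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                      # headers, blank lines, "Active Connections"
        port = int(parts[1].rsplit(":", 1)[1])
        if parts[0] == "TCP":
            if parts[3] != "LISTENING":   # skip ESTABLISHED / TIME_WAIT etc.
                continue
            pid = int(parts[4])
        else:
            pid = int(parts[3])           # UDP lines have no State column
        listeners.append((parts[0], port, pid))
    return listeners

def parse_tasklist(tasklist_out):
    """Map PID -> image name from `tasklist` output (image names may contain spaces)."""
    pids = {}
    for line in tasklist_out.splitlines():
        m = re.match(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$", line)
        if m:
            pids[int(m.group(2))] = m.group(1).strip()
    return pids

def unexpected_listeners(netstat_out, tasklist_out, expected=EXPECTED_PORTS):
    """Join listeners to image names and return those on ports outside the baseline."""
    images = parse_tasklist(tasklist_out)
    return [(proto, port, pid, images.get(pid, "<unknown pid>"))
            for proto, port, pid in parse_listeners(netstat_out)
            if port not in expected]
```

Running this over the two captures returns the single odd listener, TCP 22347 owned by PID 1820 (WkSvW32.exe), which is the lead to chase with DIR /s as in the post.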

This article is meant to just scratch the surface and give a very practical use of the PsExec tool from the Sysinternals toolset. Other tools may be described in future entries. What tool(s) would you like me to focus on in future articles?

Thanks for reading & let’s continue to be good network citizens!
