Introduction to PsTools: psexec.exe, psinfo.exe & psloggedon.exe

PsExec is a management tool that can be used to manage Windows environments in an easy way from the command line. Sometimes it's the quickest way to change a user's password or add a new user, instead of having to log in with RDP to the domain controller. It can be downloaded from Microsoft themselves here.

Here is a collection of some of the things that psexec can be used for:

Execute a simple command on a remote server, in this case the DC:
Psexec.exe \\192.168.1.1 ipconfig

Add a new user to the domain:
Psexec.exe \\192.168.1.1 net user username password /ADD /DOMAIN

Add the new user to Domain Admins:
Psexec.exe \\192.168.1.1 net group "Domain Admins" username /ADD /DOMAIN

Add new local user:
Psexec.exe \\192.168.1.1 net user username password /ADD
Psexec.exe \\192.168.1.1 net localgroup Administrators username /ADD

Change the password of 'Administrator':
Psexec.exe \\192.168.1.1 net user Administrator *

Connect to the other server and get a command prompt:
Psexec.exe \\192.168.1.1 cmd.exe

Delete the user account again:
Psexec.exe \\192.168.1.1 net user username /DEL /DOMAIN

Get groups from the DC or local machine (add /DOMAIN if not local):
Psexec.exe \\192.168.1.1 net group /DOMAIN

Get users from "Domain Users" group:
Psexec.exe \\192.168.1.1 net group "Domain Users" /DOMAIN

Get users from "Domain Admins" group:
Psexec.exe \\192.168.1.1 net group "Domain Admins" /DOMAIN

Two other commands that are part of the PsTools package are PsInfo and PsLoggedon. The first one can be used to gather information about both a local and a remote system, and PsLoggedon can be used to see who's logged on to a target system; both can be very nice to have.

Get information about a target:
Psinfo.exe \\192.168.1.1 (shows uptime, kernel version, product type, CPU, etc.)

Show users that are logged on locally:
PSLoggedon.exe

Show users that are logged on to a remote target:
PsLoggedon.exe \\192.168.1.1

Show where a specific user is logged on to:
PsLoggedon.exe "Username" \\192.168.1.1 (leave out the last part to only check locally)
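The single-host PsLoggedon check above scales badly when you need to find every machine an account has a session on, which is the usual question during an incident or before disabling an account. The following PowerShell script is an added example, not part of the original post or of the Sysinternals package: it runs PsLoggedon.exe against a list of hosts and reports which ones show a session for the account. It assumes PsLoggedon.exe is on PATH (adjust $PsLoggedOn otherwise), that the tool returns exit code 0 on success, and that the host list and account name are constructed placeholders for your own environment.

```powershell
# Added example (not from the original post or from Sysinternals).
# Runs PsLoggedon.exe against each host in a list and reports which hosts
# show a session for a given account.

$PsLoggedOn = 'PsLoggedon.exe'                  # assumption: tool is on PATH
$Account    = 'jdoe'                            # constructed sample account
$Hosts      = @('192.168.1.1', '192.168.1.2')   # constructed sample hosts

function Get-SessionsForAccount {
    param(
        [string]$Tool,
        [string]$User,
        [string[]]$Targets
    )

    if (-not (Get-Command $Tool -ErrorAction SilentlyContinue)) {
        throw "PsLoggedon not found: $Tool (put it on PATH or pass a full path)"
    }

    # Match the bare account name or a DOMAIN\account form at the end of a line,
    # case-insensitively, which is how PsLoggedon prints session owners.
    $pattern = '(?im)(^|\\)' + [regex]::Escape($User) + '\s*$'

    foreach ($target in $Targets) {
        # -accepteula suppresses the first-run EULA dialog so the loop never blocks.
        # 2>&1 merges stderr so connection errors are captured in $output as well.
        $output = & $Tool -accepteula "\\$target" 2>&1 | Out-String

        # Assumption: a non-zero exit code means the host could not be queried
        # (offline, no admin rights, RPC blocked), so keep the raw text for review.
        $reachable = ($LASTEXITCODE -eq 0)
        $found     = $reachable -and ($output -match $pattern)

        [pscustomobject]@{
            Host       = $target
            Reachable  = $reachable
            HasSession = $found
            Raw        = $output.Trim()
        }
    }
}

$report = Get-SessionsForAccount -Tool $PsLoggedOn -User $Account -Targets $Hosts

# Summary table, then one line per host where the account is logged on.
$report | Format-Table Host, Reachable, HasSession -AutoSize
$report | Where-Object HasSession | ForEach-Object {
    "$Account has a session on $($_.Host)"
}

# Hosts that could not be queried are worth a second look rather than silence:
$report | Where-Object { -not $_.Reachable } | ForEach-Object {
    "Could not query $($_.Host): $($_.Raw)"
}
```

Like the other PsTools commands on this page, this runs under your current credentials unless you pass -u and -p, so the account executing it needs administrative rights on every target; hosts where that is not the case show up in the "could not query" list instead of being silently reported as having no session.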