2015-07-16

PSExec - Access is denied

Solution: PSExec - Access is denied

Symptoms:
When using the Microsoft "PSExec" tool to execute a program on a remote server, this message is displayed on the source computer: Access is denied

Solution:
On the remote (destination) server or workstation, the calling credentials must be a member of that machine's Administrators group.

1.  On the remote server, open Windows Control Panel, Administrative Tools, Computer Management

2.  Still on the remote server, in Computer Management, under Users and Groups, add the user ID to the Administrators group.  This is the user ID (credentials) used on the source machine, the machine launching PSExec.

On the remote server:
*  You do not need to build shares, but they are handy to shorten path lengths
*  You do not need to grant the remote ID "Execute" rights within the share
*  You do not need to worry about turning on File Sharing
*  Do not bother installing PSExec on the remote machine

This holds regardless of whether the -u and -p parameters are used.  Because the user is in the Administrators group, it has all of these rights anyway.  To my knowledge, you cannot bypass the Administrator requirement.


Discussion:
PSExec on the local machine temporarily installs a service on the remote machine, and because it is creating a new service "on-the-fly," it needs Administrative rights.  Because you have to grant Administrative rights, the elevated privileges trump all other rights.

The program literally copies a file, PSEXESVC.exe, to the remote server's Admin$ share and starts it as a service on that device.  When the command completes, the service is uninstalled.
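The service installation described above leaves a trace a defender can look for: Windows records System event ID 7045 ("A service was installed in the system") when the PSEXESVC service is created on the remote machine.  As an added example (not part of the original post), this Python snippet scans a constructed, CSV-style event export and flags PsExec-style service installs; the field layout and the sample lines are assumptions, and a real export from wevtutil or Get-WinEvent would need its own parsing.

```python
import csv
import io
import re
from typing import Dict, List

# Constructed sample export (assumption: one event per line, with the
# columns Time,EventID,Computer,ServiceName,ImagePath,Account).
# 7045 = service installed; 7036 = service state change (ignored here).
SAMPLE_LOG = """\
Time,EventID,Computer,ServiceName,ImagePath,Account
2015-07-16 09:12:01,7045,SRV01,PSEXESVC,%SystemRoot%\\PSEXESVC.exe,LocalSystem
2015-07-16 09:12:02,7036,SRV01,PSEXESVC,,
2015-07-16 09:15:44,7045,SRV01,Spooler,%SystemRoot%\\System32\\spoolsv.exe,LocalSystem
2015-07-16 10:01:10,7045,WS07,psexesvc,\\\\WS07\\ADMIN$\\PSEXESVC.exe,LocalSystem
2015-07-16 10:05:00,7045,WS07,BackupAgent,C:\\Program Files\\Backup\\agent.exe,LocalSystem
"""

# PsExec copies PSEXESVC.exe into the Admin$ share (the Windows directory)
# and registers it as a service, so match on the service name or the
# image path, case-insensitively.
PSEXEC_PATTERN = re.compile(r"psexesvc", re.IGNORECASE)


def find_psexec_installs(log_text: str) -> List[Dict[str, str]]:
    """Return the 7045 service-install events that look like a PsExec run."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["EventID"] != "7045":
            continue  # only service-installation events are of interest
        if PSEXEC_PATTERN.search(row["ServiceName"]) or PSEXEC_PATTERN.search(row["ImagePath"]):
            hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in find_psexec_installs(SAMPLE_LOG):
        print(f"{hit['Time']} {hit['Computer']}: service {hit['ServiceName']} "
              f"installed from {hit['ImagePath']}")
```

On a real network, each hit should correspond to an administrator's known PSExec session; an install on a machine where nobody was running PSExec is worth a closer look.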



Other helpful hints:

*  On the Source computer, copy PSExec.exe into C:\Windows\System32 so it will be on the path
*  On the Source computer, launch PSExec.exe with no parameters at least once to accept the license agreement (EULA) screen

Example, as typed on the Source machine:

psexec.exe  \\RemoteServerName  \\RemoteServerName\Share\Path\program.exe
psexec.exe  \\RemoteServerName  "C:\Program Files (x86)\program.exe"  param-1  param-2
psexec.exe -accepteula \\RemoteServerName  "C:\Program......"  (etc.)

Different credentials can be used.  Naturally, this account must be defined in AD or as a local account on the remote server:

psexec.exe -u myaccountname -p mypassword   \\RemoteServerName  "C:\Program....."  (etc.)

Use psexec.exe /? for additional help and parameters.


What is PSExec:

This is a tool developed by the talented Mark Russinovich, now of Microsoft, that allows system administrators to execute programs on a remote computer without having direct control of the desktop or using a remote console.  It is part of what is also known as Windows Sysinternals, formerly "power toys".  The "ps" refers to similar Unix system commands.

When the remote program runs, it runs *on* the remote computer -- not from the calling computer. 

For example, this command retrieves the ipconfig.exe program from the remote computer and runs it on your local computer -- giving you your own machine's IP configuration -- probably not what you wanted.

\\RemoteServerName\Share\ipconfig.exe

while: 
psexec.exe  \\RemoteServerName  "ipconfig.exe"

runs on the remote server, getting the remote server's IP configuration, and displays the results on your local computer.

Downloading PSExec

Download the program directly from Microsoft as a ZIP file.  An install is not required. 

From www.Microsoft.com, search for "PSTools" or "PSExec".
Download the ZIP file.
Open the ZIP and copy PSExec to C:\Windows\System32 or another directory of your choice.

It is helpful to have this program on the local workstation's path.  You do not need to install the program on the remote servers.


2015-07-01

Virus Cleanup Steps

How To: Virus cleanup steps for Windows PCs.  General steps that work for almost all infections.

Over the years I have written many articles on how to clean up specific viruses, but the articles become dated and are less useful when other viruses take their place.  This article generalizes the steps I take for all infections.  Although time-consuming, the results are almost always good.

When cleaning viruses, it is best to boot from a non-infected virus-cleaning disk -- usually a bootable CD.  Because you are booting from a guaranteed non-infected operating system, and because it has full control of the hard drive, there are no locked or in-use files and the software gets complete access to the disk.  Because of this, it can clean the most stubborn infections.

Microsoft and other vendors now have free, bootable CDs.  To do the job right, you will have to run multiple products, from multiple vendors.  This will take time.



In General:

- Build the bootable CDs from a non-infected machine
- You will be building multiple CDs, from multiple vendors
- You can build bootable CDs or bootable USB sticks; I prefer CDs
- Build the disks on the day they are needed -- they become obsolete within a few days

Important: If you have a laptop running Windows 8.x or 10.x, see the UEFI disks note below***.


Build the CDs

From a non-infected computer

Download Windows Defender Offline

This is a bootable CD* that runs Microsoft's virus cleaning utility.
http://windows.microsoft.com/en-us/windows/what-is-windows-defender-offline


- You must use Microsoft's Internet Explorer to download
- Always download and use the latest version
- It will download a stub program, msstools.exe.  Run this stub.
- It will build the CD automatically; follow the on-screen prompts or see the steps below.
- Most Windows 8, 7 and Vista users should choose the 64-bit version.


Download Kaspersky Rescue Disk

This is a bootable CD that is downloaded as an .iso file.  Use the .iso to build the CD.


http://support.kaspersky.com/us/viruses/rescuedisk#downloads
Click "Distributive" to download the ISO

- Click the Download Kaspersky Rescue Disk link.
- This will write an ISO file, which is a CD disk image.
- From Windows 7, 8 or 10, follow these steps to write the ISO file to a CD.


Download AVG Rescue CD

This may be overkill, but a third vendor may find things that the others miss.
 http://www.avg.com/us-en/avg-rescue-cd

- Click the AVG Rescue CD Free Download link; download the ISO version.
- See these keyliner steps to write the ISO file to a CD.



Begin the Cleanup

Once the bootable CDs have been built and labeled, do the following:


0.  MalwareBytes

If your machine is healthy enough to run other software, download and run this program from MalwareBytes.org on the infected machine.  This is my favorite anti-virus program.
https://www.malwarebytes.org/mwb-download/

If the machine is not healthy enough, download the installer on another computer and burn it to a CD.  Then disconnect the network cable from your infected computer, or disable the wireless, and run the program; it will probably succeed.  Because the machine is off the network, the program will not be able to update its definition files; cancel the update and let it run a full scan with the version you downloaded.

- Select the Free Download
- Decline the offer to install the 30-day trial
- If possible, allow the program to update its definition / dictionary files
- Allow the program to do a full-system scan
- It will take hours to run.  It runs unattended.

Once it is complete, continue with the next bootable CD.

If you cannot get MalwareBytes to install or run, continue with the next CD.


1.  Kaspersky First

Have your network cable plugged in or your wireless enabled.  Boot the computer with this CD and follow the on-screen prompts.

- Insert the Kaspersky CD into your drive and boot the computer.
- Hopefully, you are prompted "Press any key to boot from the CD"
- If you do not see this prompt, see the BIOS Boot Order note below on how to change your boot order**

Allow the program to do a full-system scan.  The program is a little weird.  Click the big red (or green) button in the upper-left corner to begin the process.  On the current version as of this writing, the button looks like a bunch of LEDs in a circle and it is not clear that this is a button.

The scan will take hours and can run unattended.


2.  MSE Second

Boot the Microsoft CD and instruct it to do a full (not quick) scan.


3.  AVG - Optionally Third

Consider booting the AVG disk if you want to be even more thorough.  Personally, I have not actually done this, but if you have the time, it is worth the effort.  It may find something the others missed.


4.  Last Step

If you were unable to run MalwareBytes in Step 0, allow the computer to boot normally (without a bootable CD).  Install MalwareBytes and allow it to run.


In my experience, these steps have almost always fixed the computer, with one notable exception.

RANSOMWARE Viruses

If you detect a ransomware virus, the programs above will remove the virus, but they will not be able to recover your data, and many programs will be unusable.  The infection renders your computer useless.  It is repairable, but your data will be lost.

(Ransom viruses encrypt all of your data files, such as Word, WordPerfect, Excel, PPT, photos, etc., and invite you to pay a fee of $100-$500 for the decryption key.  The fee is usually paid in bitcoins, which are untraceable.  Under no circumstances should you pay.  For one, they will take your money and may not give you a decryption key.  They may give the key, which will restore your data files, but they will likely re-encrypt in the future and charge ransom again.  This is truly a lost cause.)

The only way I have found to 'recover' from this type of attack is to build your system recovery CDs (from your hardware vendor -- usually a menu to build "recovery disks", or contact the vendor to have one shipped), format the hard disk and start over.  This will save the hardware, but all data will be lost.  Recover data from your backups.

Other Notes:

**BIOS Boot Order

Your PC may not allow booting from a CD.  Follow these rough steps, which vary by computer model.

A.  Cold boot the PC
B.  At the hardware banner screen, press F10, F12 or F2 to enter the BIOS Setup or Boot Setup menu.  Sadly, this varies.
C.  If you arrive at a UEFI Secure Boot screen, see the UEFI note below*** before going further
D.  Enter the BIOS Setup (sometimes called simply "Setup").
E.  In the top BOOT menu, look for a choice that shows boot order.  Arrange the order so the CD is first to boot, then the Hard Disk.
F.  Most BIOS screens use a bottom-menu F10 to SAVE your changes.
G.  Allow the PC to reboot.  Watch the screen for "Press any key to boot from CD"


***UEFI Disks

Very new laptops with Windows 8.x or 10.x have UEFI Secure Boot protection, which prevents viruses from writing boot-sector changes.  Unfortunately, this also blocks bootable CDs from seeing the disk (UEFI is actually a very good security feature -- it just stops some of these tools).  If your vendor has signed drivers, they can boot, but as of this writing, I have not found a vendor who can do this.

For example, if you have a UEFI disk, Microsoft's MSE claims to be able to boot and clean the disk, but I have not yet got this to work.  I am still researching this.

If you have a UEFI disk, I do not know how to use these bootable CDs.  Your only hope will be MalwareBytes.

Your comments are welcome.