PsExec - execute processes remotely
PsFile - shows files opened remotely
PsGetSid - display the SID of a computer or a user
PsInfo - list information about a system
PsKill - kill processes by name or process ID
PsList - list detailed information about processes
PsLoggedOn - see who's logged on locally and via resource sharing
PsLogList - dump event log records
PsPasswd - changes account passwords
PsService - view and control services
PsShutdown - shuts down and optionally reboots a computer
PsSuspend - suspend and resume processes
While looking for PsExec I came across a package of similar tools, so I downloaded them as well to learn how they work.
1. PsFile
The "net file" command shows you a list of the files that other computers have opened on the system upon which you execute the command, however it truncates long path names and doesn't let you see that information for remote systems. PsFile is a command-line utility that shows a list of files on a system that are opened remotely, and it also allows you to close opened files either by name or by a file identifier.
Installation
Copy PsFile onto your executable path and type "psfile".
Usage
The default behavior of PsFile is to list the files on the local system that are open by remote systems. Typing a command followed by "-?" displays information on the syntax for the command.
usage: psfile [\\RemoteComputer [-u Username [-p Password]]] [[Id | path] [-c]]
-u Specifies optional user name for login to remote computer.
-p Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password.
Id Identifier (as assigned by PsFile) of the file for which to display information or to close.
Path Full or partial path of files to match for information display or close.
-c Closes the files identified by ID or path.
psfile is a command that shows the sessions on a machine and which files have been opened by users over the network.
Usage example:
D:\software\PsTools>PsFile \\10.11.16.23 -u Administrator -p password
psfile v1.02 - psfile
Copyright ⌐ 2001 Mark Russinovich
Sysinternals
Files opened remotely on 10.11.16.23:
[61] \PIPE\srvsvc
User: ADMINISTRATOR
Locks: 0
Access: Read Write
2. PsInfo
PsInfo is a command-line tool that gathers key information about the local or remote system, including the type of installation, kernel build, registered organization and owner, number of processors and their type, memory size, the install date of the system, and if it's a trial version, the expiration date. PsInfo command-line switches also let you view installed hotfixes and software applications.
Installation
Copy PsInfo onto your executable path and type psinfo.
Usage
By default PsInfo shows information for the local system. Specify a remote computer name to obtain information from the remote system. Since PsInfo relies on remote Registry access to obtain its data, the remote system must be running the Remote Registry service and the account from which you run PsInfo must have access to the HKLM\System portion of the remote Registry.
In order to aid in automated Service Pack updates, PsInfo returns as a value the Service Pack number of system (e.g. 0 for no service pack, 1 for SP 1, etc).
usage: psinfo [\\computer[,computer[,...] | @file [-u username [-p password]]] [-h] [-s] [-d] [-c [-t delimter]]
computer
Run the command on the computer or computers specified. If you omit the computer name the command runs on the local system and if you enter a computer name of \\* then the command runs on all computers in the current domain.
@file Execute the command on each of the computers listed in the file.
-u Specifies optional user name for login to remote computer.
-p Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password.
-h Shows installed hotfixes.
-s Shows installed software.
-d Show disk volume information.
-c Dump in CSV format.
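-t The default delimiter for the -s option is a comma, but can be overridden with the specified character.
psinfo is a tool that collects software and hardware information about a machine; it can retrieve operating system, hardware and software information.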
D:\software\PsTools>PsInfo \\10.11.16.23 -u Administrator -p password
PsInfo v1.77 - Local and remote system information viewer
Copyright (C) 2001-2009 Mark Russinovich
Sysinternals - www.sysinternals.com
System information for \\10.11.16.23:
Uptime: Error reading uptime
Kernel version: Microsoft Windows Server 2003, Multiprocessor Free
Product type: Standard Edition
Product version: 5.2
Service pack: 1
Kernel build number: 3790
Registered organization: Director Lab
Registered owner: IBM_USER
IE version: 6.0000
System root: C:\WINDOWS
Processors: 4
Processor speed: 2.8 GHz
Processor type: Dual-Core AMD Opteron(tm) Processor 2220
Physical memory: 0 MB
Video driver: ATI ES1000
To view the remote machine's disks and installed software, use -d and -s respectively.
Viewing installed software
D:\software\PsTools>PsInfo \\10.11.16.23 -u Administrator -p password -s
PsInfo v1.77 - Local and remote system information viewer
Copyright (C) 2001-2009 Mark Russinovich
Sysinternals - www.sysinternals.com
System information for \\10.11.16.23:
Uptime: Error reading uptime
Kernel version: Microsoft Windows Server 2003, Multiprocessor Free
Product type: Standard Edition
Product version: 5.2
Service pack: 1
Kernel build number: 3790
Registered organization: Director Lab
Registered owner: IBM_USER
IE version: 6.0000
System root: C:\WINDOWS
Processors: 4
Processor speed: 2.8 GHz
Processor type: Dual-Core AMD Opteron(tm) Processor 2220
Physical memory: 0 MB
Video driver: ATI ES1000
Applications:
ATI Display Driver 8.24.50.2-071025a-055797C-IBM
Broadcom NetXtreme II Driver Installer 11.48.05
Hotfix for Windows Server 2003 (KB925336) 1
Hotfix for Windows Server 2003 (KB942288-v4) 4
MSXML 6.0 Parser (KB927977) 6.00.3890.0
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Virtual Server 2005 R2 SP1 1.1.603.0
Microsoft Visual C++ 2005 Redistributable (x64) 8.0.56336
Python 2.6.5 (64-bit) 2.6.5150
TivGuid64 01.03.0200
Windows Driver Package - Adaptec (arcsas) SCSIAdapter (07/18/2007 5.2.0.12913) 07/18/2007 5.2.0.12913
Windows Driver Package - LSI Corporation (LSI_SAS) SCSIAdapter (01/30/2009 1.30.02.00) 01/30/2009 1.30.02.00
Windows Driver Package - LSI Corporation System (10/14/2008 1.0.7.0) 10/14/2008 1.0.7.0
Windows Driver Package - LSI Logic (LSI_SAS) SCSIAdapter (10/18/2006 1.21.28.00) 10/18/2006 1.21.28.00
Windows Driver Package - LSI Logic System (07/24/2006 0.0.1.0) 07/24/2006 0.0.1.0
Windows Driver Package - QLogic (ql2300) SCSIAdapter (09/25/2008 9.1.7.45) 09/25/2008 9.1.7.45
Viewing disk information
D:\software\PsTools>PsInfo \\10.11.16.23 -u Administrator -p password -d
PsInfo v1.77 - Local and remote system information viewer
Copyright (C) 2001-2009 Mark Russinovich
Sysinternals - www.sysinternals.com
System information for \\10.11.16.23:
Uptime: 64 days 17 hours 30 minutes 17 seconds
Kernel version: Microsoft Windows Server 2003, Multiprocessor Free
Product type: Standard Edition
Product version: 5.2
Service pack: 1
Kernel build number: 3790
Registered organization: Director Lab
Registered owner: IBM_USER
IE version: 6.0000
System root: C:\WINDOWS
Processors: 4
Processor speed: 2.8 GHz
Processor type: Dual-Core AMD Opteron(tm) Processor 2220
Physical memory: 0 MB
Video driver: ATI ES1000
Volume Type Format Label Size Free Free
C: Fixed NTFS 68.36 GB 8.73 GB 12.8%
D:\software\PsTools>
3. PsGetSid
Have you performed a rollout, only to discover that your network might suffer from the SID duplication problem? In order to know which systems have to be assigned a new SID (using a SID updater like Sysinternals' own NewSID) you have to know what a computer's machine SID is. Up until now there's been no way to tell the machine SID without knowing Regedit tricks and exactly where to look in the Registry. PsGetSid makes reading a computer's SID easy, and works across the network so that you can query SIDs remotely. PsGetSid also lets you see the SIDs of user accounts.
Installation
Copy PsGetSid onto your executable path and type "psgetsid".
Usage
Usage: psgetsid [\\computer[,computer[,...] | @file [-u username [-p password]]] [account]
If you want to see a computer's SID just pass the computer's name as a command-line argument. If you want to see a user's SID, name the account (e.g. "administrator") on the command-line and an optional computer name.
Specify a user name if the account you are running from doesn't have administrative privileges on the computer you want to query. If you don't specify a password as an option PsGetSid will prompt you for one so that you can type it in without having it echoed to the display.
Usage example:
D:\software\PsTools>Psgetsid
PsGetSid v1.44 - Translates SIDs to names and vice versa
Copyright (C) 1999-2008 Mark Russinovich
Sysinternals - www.sysinternals.com
SID for \\R86M1CV:
S-1-5-21-2766576068-2271245186-4045486440
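Background: what is a SID?
SID
A SID, or security identifier (Security Identifier), is a unique number that identifies a user, group or computer account. When an account is first created, a unique SID is issued to each account on the network. Internal processes in Windows 2000 refer to an account's SID rather than to the account's user or group name. If you create an account, delete it, and then create another account with the same user name, the new account does not have the rights or permissions granted to the previous account, because it has a different SID. Security identifiers are also called security IDs or SIDs.
What a SID is for
After a user is authenticated, the logon process gives the user an access token, which acts as the user's ticket for accessing system resources. When the user tries to access a system resource, the access token is presented to Windows NT, and Windows NT then checks the access control list on the object the user is trying to access. If the user is allowed to access the object, Windows NT grants the user the appropriate access rights.
The access token is provided by the logon process when the user is authenticated, so a change to a user's permissions only takes effect after logging off and logging on again to obtain a new access token.
Composition of a SID
If two users had the same SID, the two accounts would be identified as the same account. In principle, if accounts were added without limit, identical SIDs could be produced; under normal circumstances a SID is unique. It is determined by three parameters, the computer name, the current time, and the total CPU time consumed by the current user-mode thread, to ensure its uniqueness.
A complete SID includes:
- The security description of the user and group
- The 48-bit ID authority
- The revision level
- Variable sub-authority values
Example: S-1-5-21-310440588-250036847-580389505-500
Let's analyze this important SID. The first field, S, indicates that the string is a SID. The second field is the SID version number, which for 2000 is 1. Next comes the identifier authority; for accounts in 2000 the authority is NT, with the value 5. After that comes a series of sub-authorities: the first several identify the domain, and the last one identifies the account or group within the domain.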
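An added example (not from the original post or from Sysinternals) that splits a SID string into the fields described above, packs it into the binary layout with the 48-bit identifier authority, and groups hosts that report the same machine SID, which is the duplication problem PsGetSid is meant to find. The host names CLONE-01 and BUILD-07 and all function names are assumptions made for illustration.

```python
import struct
from collections import defaultdict
from typing import NamedTuple, Optional, Tuple

class Sid(NamedTuple):
    revision: int                     # second field; 1 in the example above
    authority: int                    # 48-bit identifier authority; 5 = NT
    sub_authorities: Tuple[int, ...]  # variable number of 32-bit values

    def __str__(self) -> str:
        fields = (self.revision, self.authority, *self.sub_authorities)
        return "S-" + "-".join(str(f) for f in fields)

def parse_sid(text: str) -> Sid:
    """Parse the string form S-<revision>-<authority>-<sub-authority>..."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority, *subs = (int(p) for p in parts[1:])
    if not (0 <= revision < 2**8 and 0 <= authority < 2**48
            and len(subs) <= 15 and all(0 <= s < 2**32 for s in subs)):
        raise ValueError(f"SID field out of range: {text!r}")
    return Sid(revision, authority, tuple(subs))

def sid_to_bytes(sid: Sid) -> bytes:
    """Revision, count, 6-byte big-endian authority, little-endian 32-bit subs."""
    n = len(sid.sub_authorities)
    return (struct.pack("BB", sid.revision, n) + sid.authority.to_bytes(6, "big")
            + struct.pack(f"<{n}I", *sid.sub_authorities))

def split_account(sid: Sid) -> Tuple[Sid, Optional[int]]:
    """Split S-1-5-21-a-b-c-RID into (machine or domain SID, RID)."""
    subs = sid.sub_authorities
    if sid.authority == 5 and subs[:1] == (21,) and len(subs) == 5:
        return sid._replace(sub_authorities=subs[:4]), subs[4]
    return sid, None

def duplicate_machine_sids(inventory: dict) -> dict:
    """Map every machine SID reported by more than one host to those hosts."""
    seen = defaultdict(list)
    for host, text in inventory.items():
        seen[str(parse_sid(text))].append(host)
    return {sid: sorted(h) for sid, h in seen.items() if len(h) > 1}

# Constructed inventory; only R86M1CV and its SID come from the PsGetSid output above.
INVENTORY = {
    "R86M1CV": "S-1-5-21-2766576068-2271245186-4045486440",
    "CLONE-01": "S-1-5-21-2766576068-2271245186-4045486440",
    "BUILD-07": "S-1-5-21-310440588-250036847-580389505",
}

if __name__ == "__main__":
    print(split_account(parse_sid("S-1-5-21-310440588-250036847-580389505-500")))
    print(duplicate_machine_sids(INVENTORY))
```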
Other useful tools include:
(1)PsKill
Windows NT/2000 does not come with a command-line 'kill' utility. You can get one in the Windows NT or Win2K Resource Kit, but the kit's utility can only terminate processes on the local computer. PsKill is a kill utility that not only does what the Resource Kit's version does, but can also kill processes on remote systems. You don't even have to install a client on the target computer to use PsKill to terminate a remote process.
Installation
Copy PsKill onto your executable path and type pskill with command-line options defined below.
Usage
Running PsKill with a process ID directs it to kill the process of that ID on the local computer. If you specify a process name PsKill will kill all processes that have that name.
usage: pskill [-t] [\\computer [-u username] [-p password]] <process name | process id>
-t Kill the process and its descendants.
-u Specifies optional user name for login to remote computer.
-p Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password.
process id Specifies the process ID of the process you want to kill.
process name Specifies the process name of the process or processes you want to kill.
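pskill is a program for killing processes. Its usage format is:
pskill [\\远程机器ip [-u username] [-p password]]
where 远程机器ip stands for the IP address of the remote machine. Suppose I have an account on the remote machine with the user name abc and the password 123. To kill a process with PID 999 named srm.exe, you can type:
pskill \\远程机器ip -u abc -p 123 999
or
pskill \\远程机器ip -u abc -p 123 srm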
(2)PsShutdown:
PsShutdown is similar to the Resource Kit and Windows XP shutdown tools, providing you the same options and ability to shut down, and optionally reboot, local and remote Windows NT/2K/XP/2003 systems. It also provides additional options that make it more powerful and flexible.
Installation
Copy PsShutdown onto your executable path and type "psshutdown" with command-line options defined below.
Usage
You can use PsShutdown to initiate a shutdown of the local or a remote computer, abort an imminent shutdown, logoff a console user, or lock the desktop.
usage: psshutdown [\\computer[,computer[,...] | @file [-u username [-p password]]] -s|-r|-h|-d|-k|-a|-l|-o [-f] [-c] [-n s] [-t nn|h:m] [-e [u|p]:xx:yy] [-m "message"]
computer
Run the command on the computer or computers specified. If you omit the computer name the command runs on the local system and if you enter a computer name of \\* then the command runs on all computers in the current domain.
@file Execute the command on each of the computers listed in the file.
-u Specifies optional user name for login to remote computer
-p Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password.
-a Aborts a shutdown (only possible while a countdown is in progress)
-c Allow the shutdown to be aborted by the interactive user
-e Shutdown reason code. Specify 'u' for user reason codes and 'p' for planned shutdown reason codes.
xx is the major reason code (must be less than 256)
yy is the minor reason code (must be less than 65536)
-f Forces all running applications to exit during the shutdown instead of giving them a chance to gracefully save their data
-h Hibernate the computer
-k Poweroff the computer (reboot if poweroff is not supported)
-l Lock the computer
-m This option lets you specify a message to display to logged-on users when a shutdown countdown commences
-n Specifies timeout in seconds connecting to remote computers
-o Logoff the console user
-r Reboot after shutdown
-s Shutdown without poweroff
-t Specifies the countdown in seconds until the shutdown (default: 20 seconds) or the time of shutdown in 24 hour notation
-v Display message for the specified number of seconds before the shutdown. If you omit this parameter the shutdown notification dialog displays and specifying a value of 0 omits the dialog.
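psshutdown is a remote shutdown command. Its parameters include: -a cancels a previously issued shutdown command, -t is the number of seconds until the shutdown (20 seconds by default), -s shuts the machine down, -m is the message to display, -f shuts down without saving running programs, -r reboots, -l locks the computer, and -o logs off the user. In the commands below 远程机器ip stands for the IP address of the remote machine, and the message text 要关机了,请保存文件 means "Shutting down, please save your files".
For example, to shut the remote machine down after 30 seconds and display that message, type:
psshutdown -t 30 -s -m "要关机了,请保存文件" \\远程机器ip
To reboot instead, type:
psshutdown -t 30 -m "要关机了,请保存文件" -r \\远程机器ip
To cancel the command just issued, type:
psshutdown -a \\远程机器ip
(3) PsService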
PsService is a service viewer and controller for Windows NT/2K. Like the SC utility that's included in the Windows NT and Windows 2000 Resource Kits and Windows XP, PsService displays the status, configuration, and dependencies of a service, and allows you to start, stop, pause, resume and restart them. Unlike the SC utility, PsService enables you to logon to a remote system using a different account, for cases when the account from which you run it doesn't have required permissions on the remote system. PsService includes a unique service-search capability, which identifies active instances of a service on your network. You would use the search feature if you wanted to locate systems running DHCP servers, for instance.
Finally, PsService works on both NT 4 and Windows 2000, whereas the Windows 2000 Resource Kit version of SC requires Windows 2000, and PsService doesn't require you to manually enter a "resume index" in order to obtain a complete listing of service information.
Installation
Copy PsService onto your executable path and type "psservice".
Usage
The default behavior of PsService is to display the configured services (both running and stopped) on the local system. Entering a command on the command-line invokes a particular feature, and some commands accept options. Typing a command followed by "-?" displays information on the syntax for the command.
usage: psservice [\\computer [-u username] [-p password]] <command> <options>
-u Specifies optional user name for login to remote computer.
-p Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password.
query Displays the status of a service
config Displays the configuration of a service
setconfig
Specify the start type (auto, demand, disabled) of a service.
start Starts a service
stop Stops a service
restart Stops and then restarts a service
pause Pauses a service
cont Resumes a paused service
security Dumps the service's security descriptor
depend Lists the services dependent on the one specified
find Searches the network for the specified service
Usage example:
D:\software\PsTools>psservice \\10.11.16.23 -u Administrator -p password query tlntsvr
PsService v2.24 - Service information and configuration utility
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com
SERVICE_NAME: TlntSvr
DISPLAY_NAME: Telnet
Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 1077 (0x435)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0 ms
(4) PsPasswd
Systems administrators that manage local administrative accounts on multiple computers regularly need to change the account password as part of standard security practices. PsPasswd is a tool that lets you change an account password on the local or remote systems, enabling administrators to create batch files that run PsPasswd against the computers they manage in order to perform a mass change of the administrator password.
Installation
Copy PsPasswd onto your executable path and type pspasswd with command-line options defined below.
Usage
You can use PsPasswd to change the password of a local or domain account on the local or a remote computer.
usage: pspasswd [\\computer[,computer[,...] | @file [-u username [-p password]]] Username [NewPassword]]
computer
Run the command on the computer or computers specified. If you omit the computer name the command runs on the local system and if you enter a computer name of \\* then the command runs on all computers in the current domain.
@file Execute the command on each of the computers listed in the file.
-u Specifies optional user name for login to remote computer.
-p Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password.
Username Specifies name of account for password change.
NewPassword New password. If omitted a NULL password is applied.
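The -u/-p syntax shown for the tools above puts the password, and for PsPasswd the NewPassword argument, on the command line, where anything that records command lines will capture it; omitting -p makes the tool prompt for a hidden password instead. An added example (not Sysinternals code and not from the original post) that audits recorded command lines for this and redacts the value. The sample lines are constructed, the account name svc_backup is made up, and the tool list covers only the tools whose usage appears on this page.

```python
import re

# Tools whose usage on this page takes "-u username -p password".
TOOLS = {"psfile", "psinfo", "psgetsid", "pskill", "psshutdown",
         "psservice", "pspasswd"}
REDACTED = "<redacted>"

def audit(cmdline: str):
    """Return (findings, redacted_cmdline); findings is empty when clean."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)   # keep "quoted values" whole
    if not tokens:
        return [], cmdline
    exe = re.split(r"[\\/]", tokens[0].strip('"'))[-1].lower()
    tool = re.sub(r"\.exe$", "", exe)
    if tool not in TOOLS:
        return [], cmdline
    findings, out, positional, i = [], [tokens[0]], [], 1
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok.lower() == "-p" and nxt is not None and not nxt.startswith("-"):
            findings.append("-p password on command line")
            out += [tok, REDACTED]
            i += 2
        elif tok.lower() == "-u" and nxt is not None:
            out += [tok, nxt]
            i += 2
        else:
            if not tok.startswith(("-", "\\\\", "@")):
                positional.append(len(out))   # index this token will occupy
            out.append(tok)
            i += 1
    # pspasswd ... Username [NewPassword]: a second positional is the new password.
    if tool == "pspasswd" and len(positional) >= 2:
        findings.append("NewPassword on command line")
        out[positional[1]] = REDACTED
    return findings, " ".join(out)

# Constructed command lines, as a process-creation log might record them.
SAMPLES = [
    r"PsInfo \\10.11.16.23 -u Administrator -p password -s",
    r"psinfo \\10.11.16.23 -u Administrator -s",
    r'pspasswd \\10.11.16.23 -u Administrator -p "old pass" svc_backup N3wValue',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(audit(line))
```

A password that itself begins with "-" is read as the next switch and not flagged, so treat a clean result as a heuristic, not proof.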