Sysinternals Homepage
Forum Home Forum Home > Sysinternals Utilities > PsTools
  New Posts New Posts RSS Feed - psexec Access is denied
  FAQ FAQ  Forum Search   Events   Register Register  Login Login

psexec Access is denied

 Post Reply Post Reply Page  <12345>
Author
Message
Karlchen View Drop Down
Senior Member
Senior Member
Avatar

Joined: 18 June 2005
Location: Germany
Status: Offline
Points: 5131
Post Options Post Options   Thanks (0) Thanks(0)   Quote Karlchen Quote  Post ReplyReply Direct Link To This Post Posted: 21 August 2005 at 11:40am
Hello, h3ctic.

Sorry for not showing up here for several days now. Yet, last week was pretty busy, preparing some scheduled maintenance tasks for this weekend and of course the maintenance shift itself.

You wrote
Quote both the local and the remote machine's are XP Home machines.

Oh, I see. So my first impression, your local PC were Win2K and the remote PC only were XP Home, was incorrect. I am not sure whether this will make analyzing and solving your problem any easier. To be honest, I think it makes it more difficult, but we will see.

And as I see your problem is still there:
Quote Access is denied
Couldn't access targetpc


This together with Mark's article on how psexec works internally made me do this little experiment:

Local PC: WinXP Prof. Sp1, psexec V1.60, ProcessExplorer 9.12
Remote PC: Win2003 Server, psexec V1.58, ProcessExplorer 9.12
I had physical access to the local PC. I had a network connection to the remote PC and could control it using MS Remote Desktop software.

These are the steps that were carried out:
(1) On the loacal and on the remote PC, launch ProcessExplorer and activate handle view (View => Lower Pane View => Handles) so that it would be possible to view which file and device handles would be used on both machines.
(2) On the local machine, as a poweruser launch the command psexec \\Win2003 -u admin -p password cmd.exe
(3) On the local machine, the remote cmd windows opened just fine and could be used.
(4) On the local machine, ProcessExplorer showed that psexec was using the IPC$ share.
(5) On the remote machine, ProcessExplorer showed that a service named psexesvc had been started.
(6) On both machines, ProcessExplorer revealed that psexec and psexesvc might be communicating through a pipe device.
(7) On the local machine, closed the remote cmd window thus terminating psexec. This also terminated the psexesvc on the remote machine.

Having read Mark's article, one might have known all this without the experiment. Yet, I wanted to find out if these things were visible inside ProcessExplorer.

Actually, I was sure they would be, I justed wanted to have gone through this myself, because I would like to ask you to repeat the steps described above on your two XP Home machines and report what you see, whenever you find the time to do so.

Your observations may give valuable hints needed to analyze what goes wrong and why. (And this why may well be related to XP Home itself, simple filesharing and ForceGuest, I assume.)

Kind regards,
Karl
--
P.S.:
Do not worry if your versions of psexec and ProcessExplorer differ from my versions, I do not think that this is the cause of your psexec problem.


Edited by Karlchen
Back to Top
h3ctic View Drop Down
Newbie
Newbie


Joined: 21 July 2005
Status: Offline
Points: 15
Post Options Post Options   Thanks (0) Thanks(0)   Quote h3ctic Quote  Post ReplyReply Direct Link To This Post Posted: 21 August 2005 at 3:20pm
Hi again Karl and thanks YET again for your efforts, its greatly appreciated :)

Ok..I installed processexplorer (latest version) on both pc's and tried what you wrote in your previous message, but...thing is...

whenever i try to run the psexec command it dies so fast its not possible to see anything in processexplorer.

What I did see however was that there is no admin$ share on the local machine.

And whenever I try the psexec command on the remote machine from the local machine i get the now standard:

Access is denied
Couldn't access targetpc

Another thing I noticed was in Control Panel - Administrative Tools - Computer Maintenance (not sure of translation) - Shared Folders - Sessions. On the local machine there was indeed a session to my remote machine... !!?? This could however just be the result from when I copied processexplorer over to a shared folder from the remote to the local one....
Back to Top
Karlchen View Drop Down
Senior Member
Senior Member
Avatar

Joined: 18 June 2005
Location: Germany
Status: Offline
Points: 5131
Post Options Post Options   Thanks (0) Thanks(0)   Quote Karlchen Quote  Post ReplyReply Direct Link To This Post Posted: 21 August 2005 at 4:46pm
Hello, h3ctic.

Thanks for trying and giving your report. It seems to confirm what I was afraid of would happen on a remote PC running XP Home.

When you enter a psexec command on the loacal machine that looks like psexec \\remote some_command, the local machine will try
+ to open a connection to the ports 139 and 445 on the machine \\remote
+ psexec will then use the open connection to access the Admin$ share on the remote machine and
+ extract psexesvc.exe to \\remote\Admin$ which is the Windows folder on the remote machine.

But you never get that far in your psexec attempts, very likely because
+ there is no Admin$ share on your remote machine
+ even if there were an Admin share$ on your remote machine it would not help you, because
+ your remote XP Home machine maps any incoming network user to the guest account (ForecGuest=1), but
+ you can only use the remote Admin$ share if you have got admin rights. Guests do not have them and should never get them.

As a result the psexec process on your local machine fails, because it cannot even copy psexsvc.exe to \\remote\admin$.

So the basic problem is that the remote XP Home machine does not meet the prerequisites that psexec relies on:
+ Workstation service running (check using services.msc)
+ Server service running (check using services.msc)
+ Admin$ share available (check using computer management)
+ Incomming network users authenticate as themselves

And now we are back almost at the beginning of this thread (go down to the 6th post on that page).
So the circle is complete now.

I really wish that Mark would drop in and simply say, "Ok, boys, forget it. psexec and XP Home is a deadend." or "Don't be so stupid. It is pretty easy. Simply follow these steps ..."

But I am afraid, we will have to find out ourselves or simply give up?

Regards,
Karl

Edited by Karlchen
Back to Top
h3ctic View Drop Down
Newbie
Newbie


Joined: 21 July 2005
Status: Offline
Points: 15
Post Options Post Options   Thanks (0) Thanks(0)   Quote h3ctic Quote  Post ReplyReply Direct Link To This Post Posted: 22 August 2005 at 12:48am
I've run out of ideas, and it seems you have as well 

Ahhh...well..perhaps I should do that convert to xp pro instead

Anyways, huge thanks karl and others for trying !!!
Back to Top
Karlchen View Drop Down
Senior Member
Senior Member
Avatar

Joined: 18 June 2005
Location: Germany
Status: Offline
Points: 5131
Post Options Post Options   Thanks (0) Thanks(0)   Quote Karlchen Quote  Post ReplyReply Direct Link To This Post Posted: 22 August 2005 at 11:49pm
Good morning, h3ctic.

Seems as if you are right about the lack of any new ideas, at least for the moment

Please, do not forget to rollback any changes made to your XP Home. In particular, make sure that any Admin$ be removed and cannot come back.
Usually, Admin$ is only open to members of the administrator group, yet I am not sure if it will give read-only access to everybody or even full access on an XP Home system, if Admin$ exists.

Hm, I'm thinking of setting up an XP Home myself in order to experiment with it. But very likely this will never be done due to lack of spare time

Cheers,
Karl
Back to Top
memcg View Drop Down
Newbie
Newbie


Joined: 23 August 2005
Location: United States
Status: Offline
Points: 7
Post Options Post Options   Thanks (0) Thanks(0)   Quote memcg Quote  Post ReplyReply Direct Link To This Post Posted: 23 August 2005 at 2:34pm

Have you tried to prefix the user name with the computer name?

For example:

Psexec \\homepc1 -u homepc1\username ipconfig.exe

Back to Top
h3ctic View Drop Down
Newbie
Newbie


Joined: 21 July 2005
Status: Offline
Points: 15
Post Options Post Options   Thanks (0) Thanks(0)   Quote h3ctic Quote  Post ReplyReply Direct Link To This Post Posted: 29 October 2005 at 3:16pm
Originally posted by memcg memcg wrote:

Have you tried to prefix the user name with the computer name?

For example:

Psexec \\homepc1 -u homepc1\username ipconfig.exe



yes I just tried.... same result...  :(

However...I just found this:

Quote
August 2
PsTools v2.21

Several Pstools have updates in this release: PsShutdown includes a -v switch for specifying the duration the notification dialog displays or omitting the dialog altogether; PsLoglist has a time formatting fix for its csv output; PsInfo now shows full hotfix information, including IE hotfixes; and PsExec now works like Runas when you run commands on the local system, allowing you to run it from a non-administrator account and script the password entry.


on the main page.....

Newest downloadable version is 1.63 and it seems I'm running 1.58, I havent tested the newest one yet. Will post my findings.

Back to Top
h3ctic View Drop Down
Newbie
Newbie


Joined: 21 July 2005
Status: Offline
Points: 15
Post Options Post Options   Thanks (0) Thanks(0)   Quote h3ctic Quote  Post ReplyReply Direct Link To This Post Posted: 29 October 2005 at 3:44pm
hmmm...what I find is that if I use the Computermanagement (not sure of the translation, I'm still running norwegian win xp) and go to the Systemtools - Shared Folders - Sessions.... I find that there is indeed a active session after running this command from the client pc:

psexec \\server -u guest -p guest ipconfig.exe
psexec \\server -u testuser1 -p testuser1pw ipconfig.exe

But I'm still getting the same error as before, and I'm not sure/dont remember if this session was active on earlier releases when I tested...

When I try the psexec command "for the first time" it will "think" a while longer before giving the error than is the case when this session is first activated. So when the session is active I get the error much faster than is the case for the "first try"

Session details is:
User: ClientUser
ComputerName: ClientPCName
Type: Windows
Number of open files: 0
Connected time: 00:02:50 (increments until i manually ends the session)
Time without activity: 00:02:50 (increments until i manually ends the session - so there's clearly no activity)
Guest: Yes

???
Back to Top
jp73 View Drop Down
Newbie
Newbie


Joined: 06 April 2006
Status: Offline
Points: 1
Post Options Post Options   Thanks (0) Thanks(0)   Quote jp73 Quote  Post ReplyReply Direct Link To This Post Posted: 06 April 2006 at 10:34am

Hello Karlchen and others...

I'm a bit late joining this but I've been trying to turn off simple file sharing on Win XP home and found this thread...

On my Windows XP home PC:

In the registry I set forceguest to 0

and i used shrpubw to set permissions on a share so that only the local user "jp" had access to it.  i then try to see the folder from a laptop running xp when i'm logged in as "jp" with the same password and it tells me i don't have access rights.

So on the PC I use shrpubw to give "guest" permissions on the share and then i can see it on the laptop.  so it seems that even tho i set forceguest to 0 the PC is still logging network people in as guest

I have run net user to make sure the jp account is active on the PC that is sharing.  I also made guest not active using net user but that seemed to just shut off file sharing all together and when i enabled file sharing again guest was back to active...

Karlchen in the answer you posted on the previous problem (quoted below) you said there might be something to do with everyone rights that needed changing to turn off simple file sharing - can you shed any more light on that?

Karlchen and anyone else please Help!

; ) 

 

 

Originally posted by Karlchen Karlchen wrote:

Hello, Jonathan.

Thanks for point us to the TweakXP article and sharing your own findings with us.

TweakXP confirmed what I had read before somewhere, but had not found again, neither in my magazines, nor by googling, yet.

Your hint to shrpubw was new to me. Really useful!
I hope I will remember next time a Home user asks for help on access rights.

Most articles found by Google that promised to tell how to turn off Simple File Sharing and ForceGuest on WinXP just showed ways to do it on XP Pro and simply (and incorrectly) repeated Micorsoft's statement that it could not be turned off on XP Home.

The registry value that seems to be crucial is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Forc eGuest.
ForceGuest=1 turns Simple File Sharing and Mapping Network Users to Guest on.
ForceGuest=0 turns it off.
(cf. Microsoft KB29403)

KB29403 also shows that TweakXP is right about Safe Mode and XP Home. In safe mode the classic ACL GUI is available on XP Home, too.

Yet, setting ForceGuest is not enough to switch Simple File Sharing on and off. Additionally the access rights for the user group everyone need to be modified, too.

This is probably the reason why all the articles I found so far simply said it couldn't be done on XP Home. The authours did not know about shrpubw. So thanks again for telling us.

And I am curious to learn if it will help h3ctic make psexec work as it should.

Regards,
Karl

Back to Top
Karlchen View Drop Down
Senior Member
Senior Member
Avatar

Joined: 18 June 2005
Location: Germany
Status: Offline
Points: 5131
Post Options Post Options   Thanks (0) Thanks(0)   Quote Karlchen Quote  Post ReplyReply Direct Link To This Post Posted: 06 April 2006 at 4:45pm
Hi, jp73.

Too bad you found this old thread, I had hoped it had vanished deep down inside the forum archive.

Reason:
It was a very interesting story. Yet in the course of it, I had to learn that I had talked a lot of nonsense. Or to put it more nicely: I had trusted promises made by some computer magazine writers without studying their articles thoroughly enough and without testing all the things I wrote thoroughly. What a shame.

Anyway, as far as network shares are concerned there is no way under Windows XP Home to keep it from mapping any incoming network users to the guest account. Period.

There are some tools out there that allow you to fine tune access rights for local users on the Windows XP Home machine, because XP Home uses the same NTFS right management system as XP Professional.

But this was not your question. XP Home will map incoming network users to the guest account. Period.

Kind regards,
Karl


Back to Top
 Post Reply Post Reply Page  <12345>
  Share Topic   

Forum Jump Forum Permissions View Drop Down