Anyone who has to use Windows and suffers this, PowerToys is your friend. Locksmith identifies what’s locking your file and allows you to free it up. Dunno why PowerToys isn’t bundled by default tbh.
Shut up. I also think power toys that feature basic functionality and have been around for decades should be included in Windows. I can’t always install this on a computer that needs it.
Psexec can be pretty dangerous. Psexec.exe -i -s gives you access to the NTAUTHORITY/SYSTEM account, which is higher than Administrator. One time at work I was trying to do something and was getting permission denied so I decided to use that to get around the problem, I got to spend the afternoon talking to our security administrator because he got a bunch of alerts from our antivirus.
Never thought about that, but since these tools just work, when you copy them to your PC… how does psexec do that? It’d either need you to be an administrator (and then it’s not really a privilege escalation as you could have registered any program into the task scheduler or as a service to run as SYSTEM) or it’d need a delegate service, that should only be available when you use an installer - which again wasn’t was has been done when just copying the tool.
You need Administrative permissions for psexec. It uploads a file to the target computer’s \admin$ share (just C:\Windows) and starts a service to execute it. Services run as SYSTEM so that’s why you get those privileges.
(Hah, I forgot your message while typing mine and just copied you :)
I found a blog post outlining exactly that. If you use it locally, it will install and start a service temporarily. That service runs as SYSTEM and invokes your command. To succeed, you need to be a local administrator.
If you try the same remote, it tries to access \\remote-server-ip\$admin and installs the service with that. To succeed your current account on your local machine must exist on the remote machine and must be an administrator there.
So in short: It only works, if you’ve already the privilege to do so and the tool itself is not (ab)using a privilege escalation or something like that. Any hacker and virus may do the very same and doesn’t need psexec - it’s just easier for them to use that tool.
I always thought it wasn’t included by default to mitigate malware damage to a system. Malware needs to be just a little bit more advanced if it can’t hijack Powertools to do what it wants
Any self-respecting malware writer will download and decompile the Powertools to find out what API calls are being used. Especially if they’re calls to an undocumented API.
Having Powertools on your computer is thus not the security hole it might appear to be.
The fact they exist at all - well that’s not really a security hole either. Their existence just more quickly dissolves any security-by-obscurity that might have existed. Someone would have found those calls another way.
One might suppose that they contain something special that’s not in the stock OS, but then we’re back to the malware writer’s reverse engineering which would lead them to learn and implement their own versions of whatever it is that Powertools does.
any self-respecting malware writer will download [powertools] and…
I’m not as familiar with mass-market malware, but APT-level gear generally doesn’t try to make use of such easily observed events. The more network traffic malware appropriates, the greater the probability that it’s caught.
Simply put, Powertools puts several functions within arms reach for malware looking to stay under the radar. Without it, malware needs to bring more of its own code which increases footprint. Living off the land exploits in particular love the presence of these kinds of programs
Anyone who has to use Windows and suffers this, PowerToys is your friend. Locksmith identifies what’s locking your file and allows you to free it up. Dunno why PowerToys isn’t bundled by default tbh.
PowerToys give the user more power, which goes directly against Microsoft’s own goal.
Also, less seriously, “toys” implies the user might enjoy the experience, and you know they can’t let that happen.
Shut up. It is literally made by Microsoft. As a place to experiment what to include in Windows. Don’t argue with strawmen
Shut up. I also think power toys that feature basic functionality and have been around for decades should be included in Windows. I can’t always install this on a computer that needs it.
Shut up. I agree with you it should be included in windows, I just wanted to feel included
I was using image resizer for years before Microsoft meddled with it. Why is it slow to start up now?!
It’s a Linux circlejerk community, what did you expect?
Cause they’re too busy finding new ways to bundle ads.
Also please pre-install the sysinternals suite, thanks
Psexec can be pretty dangerous. Psexec.exe -i -s gives you access to the NTAUTHORITY/SYSTEM account, which is higher than Administrator. One time at work I was trying to do something and was getting permission denied so I decided to use that to get around the problem, I got to spend the afternoon talking to our security administrator because he got a bunch of alerts from our antivirus.
Well that was the mistake. The first thing you do with SYSTEM is disable the security software.
Never thought about that, but since these tools just work, when you copy them to your PC… how does psexec do that? It’d either need you to be an administrator (and then it’s not really a privilege escalation as you could have registered any program into the task scheduler or as a service to run as SYSTEM) or it’d need a delegate service, that should only be available when you use an installer - which again wasn’t was has been done when just copying the tool.
You need Administrative permissions for psexec. It uploads a file to the target computer’s \admin$ share (just C:\Windows) and starts a service to execute it. Services run as SYSTEM so that’s why you get those privileges.
(Hah, I forgot your message while typing mine and just copied you :)
Edit: fixed c$ to admin$
I found a blog post outlining exactly that. If you use it locally, it will install and start a service temporarily. That service runs as SYSTEM and invokes your command. To succeed, you need to be a local administrator.
If you try the same remote, it tries to access \\remote-server-ip\$admin and installs the service with that. To succeed your current account on your local machine must exist on the remote machine and must be an administrator there.
So in short: It only works, if you’ve already the privilege to do so and the tool itself is not (ab)using a privilege escalation or something like that. Any hacker and virus may do the very same and doesn’t need psexec - it’s just easier for them to use that tool.
Thank you for clearing it up!
And regarding your assessment: Exactly!
There’s a list of locked files under shares in computer management
I recently discovered Resource Monitor (resmon) can do that, too!
I was using Unlocker waaaay back, I loved it. Since then I wasn’t looking for alternatives, but since resmon also can do that, it’s more than enough.
Because it’s still in development, but afaik it is the goal to include it once it’s stable.
I always thought it wasn’t included by default to mitigate malware damage to a system. Malware needs to be just a little bit more advanced if it can’t hijack Powertools to do what it wants
Any self-respecting malware writer will download and decompile the Powertools to find out what API calls are being used. Especially if they’re calls to an undocumented API.
Having Powertools on your computer is thus not the security hole it might appear to be.
The fact they exist at all - well that’s not really a security hole either. Their existence just more quickly dissolves any security-by-obscurity that might have existed. Someone would have found those calls another way.
One might suppose that they contain something special that’s not in the stock OS, but then we’re back to the malware writer’s reverse engineering which would lead them to learn and implement their own versions of whatever it is that Powertools does.
PowerToys is open-source, so no need to decompile. https://github.com/microsoft/PowerToys.
This is the code that determines which processes are holding on to the specified files (or any files in the specified folders): https://github.com/microsoft/PowerToys/blob/a89f9f69768ace73de21dbf6020bd7fa2460bf4a/src/modules/FileLocksmith/FileLocksmithLibInterop/FileLocksmith.cpp#L18
Called from the UI code here: https://github.com/microsoft/PowerToys/blob/a89f9f69768ace73de21dbf6020bd7fa2460bf4a/src/modules/FileLocksmith/FileLocksmithUI/ViewModels/MainViewModel.cs#L112 which also has the code to kill the processes
I would not say
I’m not as familiar with mass-market malware, but APT-level gear generally doesn’t try to make use of such easily observed events. The more network traffic malware appropriates, the greater the probability that it’s caught.
Simply put, Powertools puts several functions within arms reach for malware looking to stay under the radar. Without it, malware needs to bring more of its own code which increases footprint. Living off the land exploits in particular love the presence of these kinds of programs
They definitely don’t go through the same amount of QA as other apps.
I just use process hacker and the handles part of it