
I have a Windows Service running as Local System on Windows Server 2003 and I'm trying to use PsExec to run a command as another user (using the `-u -p` parameters) but I keep getting `Access is denied. PsExec could not start` errors.

The following can be performed to replicate the issue:

    C:\Documents and Settings\me>PsExec.exe -s cmd

    PsExec v2.11 - Execute processes remotely
    Copyright (C) 2001-2014 Mark Russinovich
    Sysinternals - www.sysinternals.com


    Microsoft Windows [Version 5.2.3790]
    (C) Copyright 1985-2003 Microsoft Corp.

    C:\WINNT\system32>whoami
    nt authority\system

    C:\WINNT\system32>PsExec.exe -u DOMAIN\my-user -p mypass cmd

    PsExec v2.11 - Execute processes remotely
    Copyright (C) 2001-2014 Mark Russinovich
    Sysinternals - www.sysinternals.com

    Access is denied.
    PsExec could not start cmd:

In the example above, the first PsExec command (PsExec.exe -s cmd) will give you a command line as Local System. Then the second PsExec command (PsExec.exe -u DOMAIN\my-user -p mypass cmd) throws the error that I'm trying to resolve.

Any help would be greatly appreciated! Thank you in advance!

Jesse
  • Is your user account an admin account? – Rex Feb 12 '15 at 20:11
  • Do you know for certain that you can successfully start an instance of PSEXEC *inside* another instance, regardless of the user account involved? Why are you trying to run one inside the other in the first place? – I say Reinstate Monica Feb 13 '15 at 01:35
  • @Rex Yes, the account that I'm passing via the `-u` parameter (DOMAIN\my-user in example above) is in the local Administrators group on the server. – Jesse Feb 13 '15 at 13:40
  • @Twisty Yes, an instance of PsExec can be started from another instance of PsExec. For example, the command `PsExec.exe -s -i cmd` can be executed and then in the new window the command `PsExec.exe -s cmd` can be executed. – Jesse Feb 13 '15 at 13:55
  • @Twisty The example of running an instance of PsExec from another instance of PsExec is only to replicate the actual issue I am having with the Windows Service running as Local System trying to use PsExec (with the `-u -p` parameters). – Jesse Feb 13 '15 at 13:58
  • 1) Can you successfully execute the `PsExec.exe \\ComputerName -u DOMAIN\my-user -p mypass cmd` from *another* machine against your server? 2) What happens if you run your two `psexec` commands, but use the Local Administrator account instead of the Domain user when running the second command? – I say Reinstate Monica Feb 13 '15 at 14:15
  • @Twisty You are definitely on to something... I just checked and I can successfully execute `PsExec.exe \\ComputerName -u DOMAIN\my-user -p mypass cmd /c hostname` from _another_ server. If I run the same command from my server using `\\ComputerName` it continues to fail. **But, if I run the same command on my server using my server's CNAME or IP Address instead of ComputerName then it works!** Please post your answer and I'll accept it. – Jesse Feb 13 '15 at 15:55

1 Answer


After starting your first instance of PSEXEC.EXE as the LocalSystem account, include the local computer's IP address in the command to start your second PSEXEC instance, like this:

    PSEXEC.EXE \\LocalComputerIPAddress -u DOMAIN\my-user -p mypass CMD


Explanation

The behavior you're experiencing is due to a new security feature added by Windows Server 2003's Service Pack 1 called Loopback Check Functionality. According to the linked MSKB article:

After you [install Service Pack 1], you experience authentication issues when you try to access a server locally by using its fully qualified domain name (FQDN) or its CNAME alias in the following Universal Naming Convention (UNC) path:

    \\servername\sharename

In this scenario, you experience one of the following symptoms:

  • You receive repeated logon windows.
  • You receive an "Access denied" error message.
  • You receive a "No network provider accepted the given network path" error message.
  • Event ID 537 is logged in the Security event log.

The article suggests two solutions (in addition to the workaround I provided above), both of which involve editing the Registry to either: 1) Add host names that can be referenced in an NTLM authentication request, or 2) Disable the authentication loopback check, effectively returning the server to the pre-SP1 behavior.

According to this WindowsITPro.com article on how PSEXEC works:

PsExec starts an executable on a remote system and controls the input and output streams of the executable's process so that you can interact with the executable from the local system. PsExec does so by extracting from its executable image an embedded Windows service named Psexesvc and copying it to the Admin$ share of the remote system.

So even though you're running PSEXEC against your local machine, it's using the ADMIN$ share nonetheless, hence the reason you're running into the Loopback Check Functionality behavior change described above.

I say Reinstate Monica
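
Added example, not part of the original answer: a PowerShell check that reports which of the two registry workarounds mentioned in the answer is active on a server, so the narrower host-name list can be told apart from a server-wide disable. The value names `DisableLoopbackCheck` and `BackConnectionHostNames` are taken from Microsoft's loopback-check documentation rather than from this page, and the function name `Get-LoopbackCheckState` is hypothetical.

```powershell
# Added example (not from the original answer). Reads the two registry settings
# behind the workarounds described above. Value names are taken from Microsoft's
# loopback-check documentation; Get-LoopbackCheckState is a hypothetical name.
function Get-LoopbackCheckState {
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv10 = "$lsa\MSV1_0"

    # DWORD DisableLoopbackCheck: absent or 0 = check enforced, 1 = disabled.
    $item = Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
    $disabled = ($item -ne $null) -and ($item.DisableLoopbackCheck -eq 1)

    # REG_MULTI_SZ BackConnectionHostNames: names exempted from the check.
    $item  = Get-ItemProperty -Path $msv10 -Name BackConnectionHostNames -ErrorAction SilentlyContinue
    $names = @()
    if ($item -ne $null) {
        # Drop empty strings that can appear in a multi-string value.
        $names = @($item.BackConnectionHostNames | Where-Object { $_ })
    }

    if ($disabled) {
        $finding = 'Loopback check is disabled for every host name (pre-SP1 behavior).'
    } elseif ($names.Count -gt 0) {
        $finding = 'Loopback check is enforced; only the listed names are exempt.'
    } else {
        $finding = 'Loopback check is enforced with no exemptions.'
    }

    New-Object PSObject -Property @{
        LoopbackCheckDisabled = $disabled
        ExemptHostNames       = $names
        Finding               = $finding
    }
}

Get-LoopbackCheckState | Format-List
```

Run it from an elevated prompt on the server in question; it only reads the registry and changes nothing.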