Using PsExec to raise the security level of the command prompt and bypass Group Policy to run commands

Once, I needed to capture a Time Travel Tracing (TTT for short, a kind of dump) in a customer's environment, but the capture simply would not succeed. The error was as follows.

The full error message:

c:\Debuggers\ttt>tttracer -dumpfull -out e:\tttoutput -attach 3384
Microsoft (R) TTTracer 2.010.40929 (Sep 29 2009 21:13:03)
Copyright (C) Microsoft Corporation. All rights reserved.
Warning: Please upgrade to a newer version of TT Tracing.
Error: Trace of "w3wp.exe" PID:3384 did not complete successfully: status:20
Error: Communication between the guest process and this client
could not be established, which may be an indication of
permissions or privileges problem (see e:\tttoutput\w3wp01.out
for more details).
Error: Corrupted trace dumped to e:\tttoutput\w3wp01.run.err.
SEE ERROR OUTPUT FILE e:\tttoutput\w3wp01.out FOR MORE DETAILS.

Contents of w3wp01.run.err

------------

Microsoft (R) TTTClient 2.010.40929 (Sep 29 2009 21:12:58)
Microsoft (R) Time Travel Tracing 2.010.40929 (Sep 29 2009 21:12:58)
Copyright (C) Microsoft Corporation. All rights reserved.
Microsoft Confidential - Strictly For Internal Use Only
Initializing Time Travel Tracing for Attach to 3384
Time: 03/02/2012 15:40:36
OS:6.1.7601 EDITION:x64
Group tracing GUID: d2c17755-0428-4e74-8709-b2f3bdfe0fa1
Running "w3wp.exe"
Running "c:\Debuggers\ttt\nirvexec.exe" /duration 1 /ClientName "c:\Debuggers\ttt\TTTraceWriter.dll" /ClientParams "23 e:\tttoutput\w3wp01.run 0 0 0 100000 0 1 0 0 6001" /attach 3384

The customer said they had some Group Policy settings imposing security restrictions on their machines, but when we opened secpol.msc to look, they could not remember which policies they had actually changed. -_-||

Solution

===================

Use a Command Prompt running as System, rather than an elevated (Run as administrator) Command Prompt.

How do you get a Command Prompt running as System? The answer is a command-line tool called PsExec from Sysinternals (since acquired by Microsoft).

First, run the command:

PsExec.exe -s -i -d cmd.exe

Wait a moment, then type the command that the system previously refused into the newly opened CMD window.
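As an added example that is not part of the original post, the following PowerShell wrapper first checks that the current shell really is LocalSystem before running the tttracer command from above, and relaunches itself through PsExec -s -i -d if it is not. It assumes PsExec.exe is on the PATH and reuses the PID, output path and tool location from the post; the relaunched shell must be allowed to run script files.

```powershell
# Added example (not from the original post): run tttracer from a LocalSystem shell,
# relaunching through PsExec -s -i -d when the current shell is not SYSTEM.
# Assumptions: PsExec.exe is on PATH; tttracer.exe lives in c:\Debuggers\ttt;
# the target PID and output directory are the ones from the post (3384, e:\tttoutput).

param(
    [int]$TargetPid = 3384,
    [string]$OutDir  = 'e:\tttoutput',
    [string]$Tracer  = 'c:\Debuggers\ttt\tttracer.exe'
)

function Test-IsLocalSystem {
    # LocalSystem always has the well-known SID S-1-5-18; comparing the SID is more
    # robust than matching the (localizable) account name "NT AUTHORITY\SYSTEM".
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    return $id.User.Value -eq 'S-1-5-18'
}

if (-not (Test-IsLocalSystem)) {
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    Write-Host "Current identity is '$who', not SYSTEM; relaunching through PsExec."
    # -s: run as LocalSystem, -i: interactive on the current desktop, -d: do not wait.
    # -accepteula suppresses the first-run licence dialog so the relaunch needs no click.
    $psArgs = @('-accepteula', '-s', '-i', '-d', 'powershell.exe',
                '-NoProfile', '-File', $PSCommandPath,
                '-TargetPid', $TargetPid, '-OutDir', $OutDir, '-Tracer', $Tracer)
    & PsExec.exe @psArgs
    exit
}

# From here on we are SYSTEM: collect the trace exactly as in the post.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
& $Tracer -dumpfull -out $OutDir -attach $TargetPid
$rc = $LASTEXITCODE

# The failure mode shown in the post leaves a *.run.err next to the trace;
# surface it so a silent failure is not mistaken for a good capture.
$errFiles = Get-ChildItem -Path $OutDir -Filter '*.run.err' -ErrorAction SilentlyContinue
if ($rc -ne 0 -or $errFiles) {
    Write-Warning "tttracer exit code $rc; see $OutDir\*.out for details."
} else {
    Write-Host "Trace written to $OutDir."
}
```

Running `whoami /user` in the PsExec-spawned window should likewise show S-1-5-18; if it shows your own account, the window was opened without -s.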


More information about the tool

==================

PsExec, User Account Control and Security Boundaries

http://blogs.technet.com/b/markrussinovich/archive/2007/02/12/638372.aspx

Execute processes on a remote system and redirect output to the local system

http://www.windowsitpro.com/article/remote-computing/psexec 


Download

==================

PsExec v1.98

http://technet.microsoft.com/en-us/sysinternals/bb897553

posted on 2012-03-12 10:16 by 中道学友
