V1.2.1

Using paexec from program to run remote commands. Seems to work, however it leaves Windows Services behind it after execution. Going to the Control Panel/Services after running for a little while, I see that on each target, I have a large number of services named PAExec-<pid>-<client> left behind.

Is this a known issue? Is this new? How can I get rid of this behaviour?

Thanks,

Dominique

asked 17 Sep '13, 05:58

ddewaleffe


Hi --

PAExec will clean up its service definition when it shuts down, but if it's killed, it doesn't get a chance to do the cleanup. I don't know how it could if the cleanup code can't run :(

answered 04 Oct '13, 17:42

Doug ♦♦

Further trials/exploration seem to show that this happens when the process gets killed. [I did process.WaitForExit(someTimeout); if (!process.HasExited) process.Kill(); ] This leaves a service definition behind...

answered 17 Sep '13, 07:59

ddewaleffe

Any resolution for this?

answered 07 Jan '15, 16:46

bluebaron

Are you using v1.22 or newer? v1.22 made additional attempts to clean up the service.

(07 Jan '15, 17:00) Doug ♦♦

This is actually kind of funny, but we have a program that copies itself in a remarkably similar method to yours. I actually spent a good portion of December rewriting the code to resolve this issue. Now we're not even handling the stop event or spawning a process. Now we just register the ctl handler, set running, run the program (less than 10 seconds) and tell the service manager that we stopped and then bail. In fact I was noticing with the remote debugger that if you're deleting yourself, sometimes that doesn't complete before the process bails. Now we're deleting from outside

(07 Jan '15, 17:06) bluebaron

and checking to make sure that process is deleted, but we're getting many failures. We're at our wits' end with this issue so I finally typed into The Googles, "psexec source code" and that brought me here. Until now I had no idea that someone else had tackled this issue.

(07 Jan '15, 17:08) bluebaron

I actually noticed your comment: //for some reason (probably because the service didn't or couldn't stop when requested, and then couldn't be deleted), we're seeing cases where the service definition //still hangs around (ie a long list of PAExec-xx-yy in services.msc), so here we'll take an additional step and try to delete ourself

(07 Jan '15, 17:18) bluebaron

Also I noticed that you're opening the service manager with too many permissions. Not that it will matter in most cases but some users might have selective permissions for service management. Also, how are you authenticating? We're using user impersonation. Also, I see that you're using a single method for checking all bad handles, but the API documentation defines each failure condition separately (though I believe they're all the same) ... maybe not ... but if the definition changes in later versions you might be in trouble.

(07 Jan '15, 17:24) bluebaron
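
A cleanup pass for the leftover definitions discussed in this thread, as an added example that is not part of any post here and is not PAExec's own code: it lists services named PAExec-<pid>-<client> and deletes only those that are stopped with no owning process. The function name, its parameter and the name-matching pattern are assumptions.

```powershell
# Added example, not PAExec code. Function and parameter names are hypothetical.
function Remove-StalePAExecService {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($computer in $ComputerName) {
        $query = @{ ClassName = 'Win32_Service'; Filter = "Name LIKE 'PAExec-%'"; ErrorAction = 'Stop' }
        # Only go over WS-Man for remote targets; local queries need no WinRM.
        if ($computer -ne $env:COMPUTERNAME) { $query.ComputerName = $computer }
        try {
            $services = Get-CimInstance @query
        } catch {
            Write-Warning "${computer}: service query failed: $($_.Exception.Message)"
            continue
        }

        foreach ($svc in $services) {
            # Name shape PAExec-<pid>-<client> is from the thread; field contents are assumed.
            if ($svc.Name -notmatch '^PAExec-[^-]+-.+$') { continue }

            # A run in progress owns a live service process; only stopped leftovers are stale.
            $stale = ($svc.State -eq 'Stopped') -and ($svc.ProcessId -eq 0)
            $result = if ($stale) { 'Stale (not deleted)' } else { 'Skipped (in use)' }

            if ($stale -and $PSCmdlet.ShouldProcess("$computer\$($svc.Name)", 'Delete service')) {
                # Win32_Service.Delete returns 0 on success.
                $rc = (Invoke-CimMethod -InputObject $svc -MethodName Delete).ReturnValue
                $result = if ($rc -eq 0) { 'Deleted' } else { "Delete failed (code $rc)" }
            }

            [pscustomobject]@{
                Computer = $computer
                Service  = $svc.Name
                State    = $svc.State
                PathName = $svc.PathName
                Result   = $result
            }
        }
    }
}

# Preview on the local machine; nothing is deleted with -WhatIf.
Remove-StalePAExecService -WhatIf
```

The returned objects double as an audit list of which hosts still carry PAExec service definitions and which binary path each one points to.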
Asked: 17 Sep '13, 05:58

Seen: 45,182 times

Last updated: 07 Jan '15, 17:24