C# and paexec - redirect input and programmatically pass in password

blee 18
Viewed 0

I am using paexec in my C# project and I am trying to avoid providing the password using the "-p" command line argument because while paexec is still running anyone using a utility such as Process Explorer from SysInternals could see the password in plaintext as part of the process command line arguments.

Here is my approach number one, including credentials with the ProcessStartInfo object:

        Process p = new Process();
        p.StartInfo.FileName = "paexec.exe";
        p.StartInfo.Arguments = "\\\\remote_system remote_app.exe";
        p.StartInfo.UseShellExecute = false;

        string pw = "password";
        System.Security.SecureString ss = new System.Security.SecureString();
        for (int i = 0; i < pw.Length; i++)
        {
            ss.AppendChar(pw.ToCharArray()[i]);
        }

        p.StartInfo.Domain = "domain_name";
        p.StartInfo.UserName = "administrator";
        p.StartInfo.Password = ss;

        p.Start();
        p.WaitForExit();

With the above code I would get an access denied message.

Approach number two, redirect PaExec IO:

    ProcessStartInfo psi = new ProcessStartInfo("paexec.exe", "\\\\remote_system -u administrator remote_app.exe");
psi.UseShellExecute = false;
psi.RedirectStandardInput = true;

Process p = Process.Start(psi);

StreamWriter inWriter = p.StandardInput;

inWriter.WriteLine("password_here");
p.WaitForExit();

Console.WriteLine(p.ExitCode);

In this case the paexec console window is just blank, and remote_app.exe doesn't get executed.

Has anyone ever able to accomplish this?

password input redirect paexec
2 Answers

Thanks for the response Doug. After MUCH digging I have found a workaround.

For #1 I got the "access denied" error because my remote_app.exe is located on a network share, and the authentication method I implemented in C# calls for impersonation which doesn't allow network access. As a workaround I used -c -clist to copy remote_app.exe and all other related files from the machine running paexec to the target systems, then executing remote_app.exe locally instead of across the network.

For #2 I was never able to get redirected input to work.

blee18

I don't think anyone has tried this before.

For your approach #1, is the user account an administrator? The reason I ask is PAExec (and PsExec) create a temporary service on the target computer, so administrator access is needed to the remote computer.

For #2, I think the password is probably getting appended after the application name, so PAExec is probably stuck without a password (maybe prompting for one?)

Attempt #1 seems like it has the greatest chance for success. Any suggestions for an alternate way to get the password in? A temporary file or registry read might work, but then if PAExec was not allowed to run for some reason, the password would be sitting in the file or registry...

Doug1126
Related