John Lukach
PsTools Suite 2.44
PsTools are a common resource used to manage remote systems. When PsExec, PsFile, PsGetSID, PsInfo, PsKill, PsList, PsLoggedOn, PsLogList, PsPasswd, PsService, PsShutDown, or PsSuspend is executed, the EULA (software license agreement) must be accepted. Accepting it creates a registry entry for that tool under the user's hive, which allows you to determine which tools have been used on a specific machine. I used the RegRipper framework by Harlan Carvey to create a new plugin that harvests these artifacts; it will be available at http://regripper.wordpress.com.
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsExec\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsFile\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsGetSID\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsInfo\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsKill\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsList\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsLoggedOn\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsLogList\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsPasswd\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsService\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsShutDown\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsSuspend\EulaAccepted
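As an added example (not the RegRipper plugin mentioned above, and not code from the original page), the following Python triages a text export of HKEY_USERS for the keys listed here and reports, per user SID, which PsTools have a non-zero EulaAccepted value. It assumes the input is the text of a .reg export; the function name and the sample export are constructed for illustration.

```python
import re
from collections import defaultdict

# The twelve tools named on this page, keyed by lowercase for matching.
PSTOOLS = {t.lower(): t for t in (
    "PsExec", "PsFile", "PsGetSID", "PsInfo", "PsKill", "PsList", "PsLoggedOn",
    "PsLogList", "PsPasswd", "PsService", "PsShutDown", "PsSuspend")}

# .reg key header: [HKEY_USERS\<SID>\Software\Sysinternals\<Tool>]
KEY_RE = re.compile(
    r"^\[HKEY_USERS\\(?P<sid>S-[\d-]+)\\Software\\Sysinternals\\(?P<tool>[^\\\]]+)\]$",
    re.IGNORECASE)
VAL_RE = re.compile(r'^"EulaAccepted"=dword:(?P<v>[0-9a-f]{8})$', re.IGNORECASE)

def pstools_eula_hits(reg_text):
    """Map each user SID to the PsTools whose EulaAccepted value is non-zero."""
    hits = defaultdict(set)
    current = None  # (sid, tool) while inside a PsTools key section
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            tool = PSTOOLS.get(m.group("tool").lower()) if m else None
            current = (m.group("sid"), tool) if tool else None
        elif current:
            v = VAL_RE.match(line)
            if v and int(v.group("v"), 16) != 0:
                hits[current[0]].add(current[1])
    return {sid: sorted(tools) for sid, tools in hits.items()}

# Constructed sample export; the SIDs are placeholders, not real accounts.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-1234567890-1234567890-123456789-1000\Software\Sysinternals\PsExec]
"EulaAccepted"=dword:00000001

[HKEY_USERS\S-1-5-1234567890-1234567890-123456789-1000\Software\sysinternals\pslist]
"EulaAccepted"=dword:00000001

[HKEY_USERS\S-1-5-1234567890-1234567890-123456789-1000\Software\Sysinternals\Process Monitor]
"EulaAccepted"=dword:00000001

[HKEY_USERS\S-1-5-1234567890-1234567890-123456789-1001\Software\Sysinternals\PsKill]
"EulaAccepted"=dword:00000000

[HKEY_USERS\S-1-5-1234567890-1234567890-123456789-1001\Software\Sysinternals\PsLoggedOn]
"EulaAccepted"=dword:00000001
"""

if __name__ == "__main__":
    for sid, tools in pstools_eula_hits(SAMPLE).items():
        print(sid, ", ".join(tools))
```

Registry exports written by regedit or `reg export` are UTF-16 encoded, so decode the file accordingly before passing its text to the function.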
http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx
http://forensicartifacts.com/wp-content/uploads/gravity_forms/3-b56c65f0d638cb782e8f437e4b2147cf/2012/07/PsTools-Plugin.jpg