
How to start a process on a remote machine in C++ under Windows

I'm using Dev-C++ under Windows. My question is how can I start a process on a remote machine? I know that PsExec can do that, but if it's possible, I want to avoid using it. If someone can give some example code, I would appreciate it :)

Thanks in advance!

kampi

If this was easy, hackers would be starting up malware on all machines exposed to the internet.

PsExec uses the Service Control Manager over a LAN to start a service EXE from 'here', i.e. the machine where you run it. It requires a lot of security privileges, e.g. admin rights.

If you don't want to do this, you can look into SSH (there are open source examples) or Remote Command Prompt (in Windows Resource Kit).

You can use WMI... (C# example so you'll have to find the equivalent C++)

    // Requires a reference to System.Management.dll
    using System;
    using System.Management;

    static uint StartRemoteProcess(string machine)
    {
        ConnectionOptions connectOptions = new ConnectionOptions();
        connectOptions.Username = "Administrator";
        connectOptions.Password = "TopSecret";   // demo only: never hard-code credentials
        ManagementScope scope = new ManagementScope(
            @"\\" + machine + @"\root\cimv2",
            connectOptions);

        scope.Connect();   // DCOM connection to the remote WMI service; throws on auth/RPC failure
        ManagementPath path = new ManagementPath(@"Win32_Process");
        ManagementClass proc = new ManagementClass(scope, path, new ObjectGetOptions());
        ManagementBaseObject args = proc.GetMethodParameters("Create");
        args["CommandLine"] = "C:\\Windows\\notepad.exe";
        // Create() signals failure through ReturnValue (0 = success), not through an exception
        ManagementBaseObject result = proc.InvokeMethod("Create", args, null);
        uint rc = (uint)result["ReturnValue"];
        if (rc != 0)
            throw new InvalidOperationException("Win32_Process.Create failed, code " + rc);
        return (uint)result["ProcessId"];
    }
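The same Win32_Process.Create call as the C# snippet above, issued from PowerShell, as an added example that is not part of the original answer. It assumes `$Target` is a host you administer, that the account you enter is a local administrator there, and that the firewall permits the transport you pick (the `-UseDcom` switch mirrors the C# example's DCOM transport; the default is CIM over WS-Man). It adds the two checks the C# snippet omits: the method's return code, and the fact that the process lands in session 0.

```powershell
# Added example (not from the original answers): Win32_Process.Create over CIM.
# Assumptions: $Target is a host you administer, you hold local admin rights
# there, and the firewall allows the chosen transport.
param(
    [Parameter(Mandatory)] [string] $Target,
    [string] $CommandLine = 'C:\Windows\System32\notepad.exe',
    [switch] $UseDcom          # use the C# example's DCOM transport instead of WS-Man
)

# Never hard-code the password as the C# example does; prompt or pull it from a vault.
$cred = Get-Credential -Message "Administrator credentials for $Target"

# WMI over DCOM needs TCP/135 plus dynamic RPC ports; CIM over WS-Man needs only 5985/5986.
$opt = if ($UseDcom) { New-CimSessionOption -Protocol Dcom } else { New-CimSessionOption -Protocol Wsman }
$session = New-CimSession -ComputerName $Target -Credential $cred -SessionOption $opt

try {
    $result = Invoke-CimMethod -CimSession $session -ClassName Win32_Process `
                               -MethodName Create -Arguments @{ CommandLine = $CommandLine }

    # Create() does not throw on failure; it reports a Win32_Process.Create return code.
    $codes = @{ 0 = 'Success'; 2 = 'Access denied'; 3 = 'Insufficient privilege';
                8 = 'Unknown failure'; 9 = 'Path not found'; 21 = 'Invalid parameter' }
    if ($result.ReturnValue -ne 0) {
        $name = $codes[[int]$result.ReturnValue]
        throw "Create failed on ${Target}: $name (code $($result.ReturnValue))"
    }

    # The new process runs in session 0, non-interactively: a GUI program such as
    # notepad.exe starts, but nobody at the console will see its window.
    "Started PID $($result.ProcessId) on $Target"
}
finally {
    Remove-CimSession $session
}
```

Run it as `.\Start-RemoteProcess.ps1 -Target host01 -CommandLine 'C:\Windows\System32\cmd.exe /c whoami > C:\out.txt'` to see the practical consequence of session 0: redirect output to a file, because there is no console to read.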

It would be best if you already have a service running on the remote machine which you can ask to run a program. Windows itself does not provide anything useful out of the box; it does ship with a remote shell service (which is usually deactivated or not even installed).

IIUC, what psexec does is this:

  1. copy the binary onto the remote machine, using an administrative share
  2. install the binary remotely as a service, using remote registry operations
  3. start the service remotely, using the service control manager API.

If you don't want to use psexec, you could still do the same. Notice that you need quite some privileges to do so.
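The three steps listed above, done by hand with an administrative share and the remote Service Control Manager, as an added example that is not part of the original answer. For step 2 it uses `sc.exe \\host create`, which talks to the remote SCM over RPC, rather than writing registry keys directly. It assumes `$Target` is a host you administer, that `$ServiceExe` is a real Windows service binary (one that calls StartServiceCtrlDispatcher), and that you run it elevated with credentials that are local administrators on `$Target`; `MyRemoteSvc` is a placeholder name.

```powershell
# Added example (not from the original answers): the psexec procedure by hand.
# Assumptions: $Target is a host you administer, $ServiceExe implements the
# service control protocol, and your account is a local admin on $Target.
param(
    [Parameter(Mandatory)] [string] $Target,
    [Parameter(Mandatory)] [string] $ServiceExe,   # local path to the service binary
    [string] $ServiceName = 'MyRemoteSvc'          # placeholder service name
)

$remoteDir  = "\\$Target\ADMIN$"                   # ADMIN$ maps to %SystemRoot% on the target
$exeName    = [IO.Path]::GetFileName($ServiceExe)
$remotePath = "%SystemRoot%\$exeName"              # path as the target's SCM will resolve it

# 1. copy the binary over the administrative share (SMB, TCP/445)
Copy-Item -Path $ServiceExe -Destination (Join-Path $remoteDir $exeName) -Force

# 2. register it as a service through the remote SCM.
#    'sc' alone is a PowerShell alias for Set-Content, so call sc.exe explicitly;
#    sc.exe requires the space after "binPath=" and "start=".
sc.exe "\\$Target" create $ServiceName binPath= $remotePath start= demand
if ($LASTEXITCODE -ne 0) { throw "sc create failed with exit code $LASTEXITCODE" }

try {
    # 3. start it. A plain console EXE that never calls StartServiceCtrlDispatcher
    #    is killed by the SCM here with error 1053, which is why psexec ships its
    #    own service stub (PSEXESVC) instead of running your program directly.
    sc.exe "\\$Target" start $ServiceName
    if ($LASTEXITCODE -ne 0) { throw "sc start failed with exit code $LASTEXITCODE" }

    sc.exe "\\$Target" query $ServiceName
}
finally {
    # psexec removes PSEXESVC when it is done; do the same so no foothold is left behind
    sc.exe "\\$Target" stop   $ServiceName | Out-Null
    sc.exe "\\$Target" delete $ServiceName
    Remove-Item (Join-Path $remoteDir $exeName) -ErrorAction SilentlyContinue
}
```

Every step needs SeCreateServicePrivilege-equivalent rights (local admin) on the target, and all three leave traces a defender will look for: a file write to ADMIN$, a new service key under HKLM\SYSTEM\CurrentControlSet\Services, and System event 7045 "A service was installed in the system". If you build your own protocol instead, as the answer suggests, expect the same privilege requirement and plan the cleanup into it.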

The simple answer is that you can't. All you can do is send a message to the remote machine asking it to start the process for you. PsExec runs on the remote machine listening for specific messages and starting processes in response to them.

You can either use an existing protocol, like PsExec, or create your own. Creating your own requires that you can install a service on the remote machine. If the remote machine is not under your control then this isn't possible. If you do design your own system you must be careful when designing the protocol as you don't want to inadvertently open a security hole in your system.
