Skip to main content

PSExec as a Helper in Troubleshooting

What

The PS Tools from Microsoft (from SysInternals)  are a terrifically powerful tool to help you troubleshoot when all else fails.  In this article we'll look at how you can use PSExec to help troubleshoot an ill-behaving FileWave Client.

When/Why

From time to time, things don't work right.  None of us would be employed if this weren't the case, so let's look on the bright-side of that!  But what to do if a FileWave client on a Windows device is misbehaving, and you can't communicate through normal FileWave channels?  PSEXEC to the rescue.

How

Assumptions made in the following:
1) You have download PSTools, and unzipped
2) That you launched a cmd prompt as a domain admin user (makes credentials issue easier to deal with)
3) That you have changed directory into the directory where PSTools is located

We'll start by simply connecting to the remote computer by name in an interactive PSEXEC shell:

psexec64 \\computername -h cmd

You'll end up in a shell like the below ('exit' will allow you to leave that shell)

image.png

Now, what's remarkable about this is that shell is running as your domain admin account, and you can do anything on it you can do from the command line.  This article isn't meant to be a Windows CLI primer, but the following are some examples of things we could do if we assume we have a device that isn't reporting in correctly:

  1. Check the FileWave Client Service:
    • sc query filewavewinclient
      image.png
  2. Stop the FW Client Service

    • sc stop filewavewinclient
  3. Restart the FW Client Service

    • sc start filewavewinclient
  4. If the service won't start or stop, maybe we need to kill it forcefully by:
    1. Looking for the client process
      • tasklist | findstr fwcld
      • image.png


    2. And then killing it by PID
      • taskkill /PID 16264 /F
  5. Check the FW Client Log for entries from today
    • type c:\programdata\filewave\fwclient\fwcld.log | findstr mm-dd
    • (where mm-dd is today's date such as 05-16)
  6. Get the IP of the workstation
    • ipconfig
  7. Restart the device (which is obviously destructive to any existing user)
    • shutdown -r -t 0 -f
  8. Determine if there are other users logged in
    • quser
    • image.png