Radical Development

Sysinternals PsInfo

In the area of digital forensics, information gathering and documentation are critical. While a number of tools are available, I want to focus on PsInfo, a command-line tool that gathers key information about the local or remote Windows NT/2000 system, including the type of installation, kernel build, registered organization and owner, number of processors and their type, amount of physical memory, the install date of the system, and, if it is a trial version, the expiration date.

PsInfo by Mark Russinovich

General Use

psinfo [[\\computer[,computer[,..] | @file [-u user [-p psswd]]] [-h] [-s] [-d] [-c [-t delimiter]] [filter]

\\computer Perform the command on the remote computer or computers specified. If you omit the computer name, the command runs on the local system, and if you specify a wildcard (\\*), the command runs on all computers in the current domain.
@file Run the command on each computer listed in the specified text file.
-u Specifies an optional user name for login to the remote computer.
-p Specifies an optional password for the user name. If you omit this, you will be prompted to enter a hidden password.
-h Show the list of installed hotfixes.
-s Show the list of installed applications.
-d Show disk volume information.
-c Print in CSV format.
-t The default delimiter for the -c option is a comma, but it can be overridden with the specified character.
filter PsInfo will only show data for the field matching the filter, e.g. "psinfo service" lists only the service pack field.

At this point if you drop out to a command prompt and execute psinfo.exe without any switches you will be presented the default system information.

[Screenshot: command prompt displaying the result of psinfo executed with no switches]

The default output provides a great deal of information, which must be documented in the case of forensic data that may be needed should the case be turned over to law enforcement and possibly tried in a court of law. The information we have at this point includes the uptime of the system, the processor type and speed, physical memory and much more, so the value of the detail PsInfo provides should already be clear. Next I want to demonstrate its capabilities with the various command-line switches.

Installed Software

psinfo -s

[Screenshot: command prompt displaying the result of psinfo executed with the -s switch]

Here is a tip: to capture this data to a text file, execute the following.

psinfo -s > mylog.txt

This example writes the data to a text file named mylog.txt, located in the same directory from which you executed PsInfo.
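The usage line above and this capture tip are the two halves of a repeatable collection: build the right PsInfo command line, then keep the output in a file you can account for later. The following Python wrapper is an added example, not code from the original post or from Sysinternals. It assembles the argument list from the documented switches (remote computers, @file, -u/-p, -h, -s, -d, -c with -t, and a field filter), parses PsInfo's plain-text output into a dictionary, and stores each run under a timestamped name together with a SHA-256 hash for the case notes, which also suits the repeated, scheduled collection mentioned in the conclusion. It assumes psinfo.exe is on PATH and that the output consists of "Field:   value" lines under a "System information for \\HOST:" header; the sample output embedded below is constructed for the example, not captured from a real system.

```python
"""Run, parse and document Sysinternals PsInfo output (added example; not the original post's code)."""
import hashlib
import re
import subprocess
from datetime import datetime, timezone
from pathlib import Path

PSINFO_EXE = "psinfo.exe"  # assumption: psinfo.exe is on PATH

# Assumed output layout: a header line per host, then "Field:   value" lines.
HOST_RE = re.compile(r"^System information for \\\\(?P<host>[^:]+):\s*$")
FIELD_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*?)\s*$")

# Constructed sample output for offline use (not a real capture).
SAMPLE_OUTPUT = r"""System information for \\WS01:
Uptime:                    2 days 4 hours 15 minutes 7 seconds
Kernel version:            Microsoft Windows XP, Uniprocessor Free
Product type:              Professional
Service pack:              2
Kernel build number:       2600
Registered organization:
Registered owner:          jdoe
Install date:              3/14/2005, 9:26:53 AM
Processors:                1
Processor speed:           2.4 GHz
Physical memory:           1024 MB
"""


def build_psinfo_command(computers=(), computer_file=None, user=None, password=None,
                         hotfixes=False, software=False, disks=False,
                         csv=False, delimiter=None, field_filter=None):
    """Assemble a PsInfo argument list from the switches documented on the page."""
    if computers and computer_file:
        raise ValueError("give either computer names or a @file, not both")
    cmd = [PSINFO_EXE]
    if computers:
        cmd.append("\\\\" + ",".join(computers))  # \\host1,host2
    elif computer_file:
        cmd.append("@" + computer_file)            # @hosts.txt
    if user:
        cmd += ["-u", user]
        if password is not None:                   # omit -p to be prompted instead
            cmd += ["-p", password]
    if hotfixes:
        cmd.append("-h")
    if software:
        cmd.append("-s")
    if disks:
        cmd.append("-d")
    if delimiter and not csv:
        raise ValueError("-t is only meaningful together with -c")
    if csv:
        cmd.append("-c")
        if delimiter:
            cmd += ["-t", delimiter]
    if field_filter:
        cmd.append(field_filter)
    return cmd


def parse_psinfo_output(text):
    """Turn PsInfo's default text output into {host: {field: value}}."""
    hosts = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HOST_RE.match(line)
        if m:
            current = m.group("host")
            hosts[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            hosts[current][m.group("key").strip()] = m.group("value")
    return hosts


def sha256_hex(text):
    """Hash of the captured output, recorded alongside the file in the case notes."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def log_filename(prefix, when):
    """Timestamped name so repeated runs never overwrite earlier evidence."""
    return f"{prefix}_{when.strftime('%Y%m%dT%H%M%SZ')}.txt"


def record_collection(text, dest_dir, prefix="psinfo"):
    """Write the raw output to a timestamped file; return (path, sha256)."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    path = dest / log_filename(prefix, datetime.now(timezone.utc))
    path.write_text(text, encoding="utf-8")
    return path, sha256_hex(text)


def collect(**kwargs):
    """Run PsInfo (needs psinfo.exe on a Windows host) and return its raw output."""
    result = subprocess.run(build_psinfo_command(**kwargs),
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; on a Windows host use collect(...).
    print(build_psinfo_command(computer_file="hosts.txt", hotfixes=True, csv=True, delimiter=";"))
    print(parse_psinfo_output(SAMPLE_OUTPUT)["WS01"]["Physical memory"])
    print(sha256_hex(SAMPLE_OUTPUT))
```

Keeping the raw text file is deliberate: the parsed dictionary is convenient for reports, but the unmodified output plus its hash is what you would hand over with the case.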

[Screenshot: psinfo data written to a text file named mylog.txt]

Disk Volumes

psinfo -d

[Screenshot: psinfo executed with the -d switch to report the disk volume information]

Hotfix Details

psinfo -h

[Screenshot: psinfo executed with the -h switch to report the hotfix information]

Conclusion

What do you think? Does PsInfo have a home in the digital forensics field? This tool is powerful in that it provides a quick and easy mechanism for collecting data on a given computer or even a set of computers. I could even see the value in using PsInfo as an automated task to collect data over a period of time.

Author: Steven Swafford

Highly motivated information technology professional with 16+ years of experience. Working as a software engineer, Steven develops and maintains web-based software solutions. As a skilled professional he is focused on the design and creation of software. Because communication skills are extremely important, Steven continues to expand his knowledge in order to communicate clearly with all facets of business. Recently Steven has been leading efforts to standardize software development tools and technology, plans and coordinates web accessibility as applied to IT solutions, and is tackling application security in terms of best practices and implementation of the Security Development Life-cycle.
