Using PsExec to Run Commands Remotely

The PsExec tool allows you to run programs and processes on remote computers and use all the features of the interactive interface of console applications (you don’t need to manually install the client software). The main advantage of PsExec is the ability to invoke the interactive command-line interface on remote computers, remotely run programs, and execute any commands (in the background, or the interactive mode).

The PsExec utility is one of the most popular programs of the PsTools package from Sysinternals. You can download it on this page (the actual version is the PsExec v2.34).

psexec connect to remote computer

In order to use the PsExec tool, simply copy it to the folder on your computer (it is convenient to copy it to the default executable folder C:\Windows\System32), and run it from the command prompt or PowerShell console.

How Does PsExec Work?

In the resources of the executable file PsExec.exe, there is another executable file – PSEXESVC, which is a Windows service file. When establishing a connection to a remote computer, the PsExec utility copies this file to the hidden administrative folder Admin$ of the remote computer (C:\Windows\System32\psexesvc.exe). In order for PsExec to connect to a remote computer, the LanmanServer and LanmanWorkstation services must be running on a computer. The SMB port (TCP/445) and UDP/137 ports should be opened on the firewalls between source and target computers.

Then PsExec installs and starts the PSEXESVC service using the Windows API functions for managing services. After running PSEXESVC, a connection is established for data transfer between this service, and the PsExec process on your computer. When the work is completed, PsExec stops the service and automatically removes it from the remote computer.

Using PsExec to Run Command on Remote Computer

The syntax for PsExec is as follow:

psexec \\RemotePCName [-u username[-p password]] command [arguments]

If you did not specify the user name and password, then the remote process starts on the remote computer under your current credentials, which are used to start the PsExec process on your computer. If you need to execute commands on a remote computer under a different user account, keep in mind, that the password is sent over the network to the remote system in plain text.

When you start PsExec for the first time, you need to accept the Sysinternals License Agreement.

psexec run command on remote computer

As an example, we want to purge the DNS cache on the remote computer lon-srv01. Run the command:

psexec \\lon-srv01 ipconfig /flushdns

psexec remote cmd

The command will run on the lon-srv01 computer under your credentials. After ipconfig finishes, all the text output will be transferred to your computer, and the error code will also be returned. If the command was successful, you will see the exit code 0.

To restart the remote computer, run the following command:

psexec \\lon-srv01 "cmd.exe" "/c shutdown /f /r/ /t 60"

If you need to run several commands one by one, it’s better to run the PsExec in the interactive mode on the remote computer. To do this, run the command:

psexec \\lon-srv01 cmd

Now all the commands that you typed in the command prompt on your local computer, will be executed on the remote lon-srv01 computer.

psexec run as administrator

To connect to a remote computer under a specific account and run an interactive shell, use the following command:

psexec.exe \\lon-srv01 -u user -p password cmd.exe

You can use PsExec even to run PowerShell commands remotely. For example, the following command will return you the size of the C:\PS directory on the remote computer:

psexec \\lon-srv01 powershell -ExecutionPolicy RemoteSigned -command "'{0:N2}' -f ((gci C:\PS | measure Length -Sum).Sum/1MB)"

Note. To run a command remotely in PowerShell, you can use the Invoke-Command cmdlet instead of PsExec.

You can use the -c parameter to specify the name of the local file that you want to copy to the remote computer and execute it there. For example:

psexec \\lon-srv01 -c c:\ps\myapp.exe

You can use PsExec as the easiest way to remotely install software. For example, you have an installer file of a certain program (for example, setup.msi). To copy the msi file to a remote computer and install it, use the following one-liner:

psexec.exe \\lon-srv01 -c setup.msi –i –s "msiexec.exe /i setup.msi"

By default, PsExec doesn’t allow to start a GUI program on the remote user desktop. PsExec executes commands in the hidden mode (you won’t notice any windows or dialogs on the remote computer where the commands are executed). However, you can change this with the -i option.

For example, the following PsExec command will open the notepad.exe process on the remote computer and display it on the local user’s desktop:

psexec -i \\lon-srv01 notepad

PsExec will wait for a process running on a remote computer to complete. If remote users don’t close the notepad windows on their desktop, your PsExec process will wait indefinitely for it to complete. To prevent PsExec from waiting for the remote process to finish, use the -d switch:

psexec -i -d \\lon-srv01 notepad

Full information about all the parameters of the PsExec can be obtained by simply entering the command psexec in the command line without parameters.


To end a remote PsExec session, type exit, and press Enter.

Using PsExec to Run Processes as the LOCAL SYSTEM Account

PsExec has one interesting and useful feature. If you don’t specify a computer name, then the command will be executed from the local system authority by default. You can run programs under the SYSTEM account by using the -s switch. For example, run the CLI session:

psexec -s cmd

Then check which user you are currently logged on with the whoami command. As you can see, the console is started from NTAuthority\System account.

psexec cmd remote

Running Commands on Multiple Remote Computers with PsExec

PsExec allows you to run the command simultaneously on multiple remote computers. To do this, you can set the computer names separated by commas: psexec PC1,PC2 “ipconfig /all” or save them in a text file, and then specify a path to this file: psexec @c:\ps\computer_list.txt ipconfig. If instead of the computer name you will put an asterisk (psexec *), then the command will be executed on all computers in your domain (you can use this trick only on a domain-joined computer).

For example, the following command will copy your run.bat file to all computers listed in the text file c:\ps\computer_list.txt, and execute this batch (the –h argument is used to run batch elevated):

PsExec.exe @c:\ps\computer_list.txt -h -u .administrator -p $upper0P@$ -c "c:\ps\run.bat"

Running CMD on a Remote Computer as Administrator Using the PsExec

When you run cmd.exe interactively through PsExec under a remote user, you have no way to elevate privileges (as Admin) when the UAC is enabled. To run the commands with the account’s elevated token, use the –h option. This option means that all commands will be executed in the “Run as Administrator” mode.

PsExec Errors

PsExec Access Denied Error

In some cases, you can get the following error when trying to connect a remote computer using PsExec:

Couldn’t access computername

The network path was not found

Make sure the default admin% share is enabled on computername.

psexec remote computer

Make sure the remote computer is accessible over the network via SMB (TCP port 445). You can test the connection to the remote computer using the following PowerShell command:

Test-NetConnection -ComputerName pc99 -Port 445

Check the command response. If TcpTestSucceeded is not equal True, this means that this port is blocked by the firewall.

You can open SMB port in Windows Defender Firewall on remote computer by enabling the “File and Printer Sharing” rule using the following command:

netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes

Make sure ADMIN% (Remote Admin) and other Windows admin shares (C$, IPC$) are published on the remote computer:

net view \\pc99 /all

If the list of admin shares on the remote computer is empty, run the following command on it locally:

net share

If there are no administrative shares, you need to publish them with the command:

reg add HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /f /v AutoShareWks /t REG_DWORD /d 0

Then restart your computer.

Fixing the Error: “Could not Start PsExec service”

In some cases, when connecting to a remote computer through PsExec, you may receive an error:

Could not start PSEXESVC service on PC:

Access is denied.

If you encountered such an error, try to use one of the following solutions:

  1. Make sure your user is a member of the local administrators’ group on the remote computer;
  2. If the username on a remote computer differs from the current security context, try to specify remote user credentials as follows:
    psexec \\PC1 -u PC1\user1 -p adminpassword -h -i cmd

    (be sure to use the –h option in your PsExec command);

  3. On a remote computer in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System try to change the parameter ‘LocalAccountTokenFilterPolicy’ value to 1. When UAC is enabled, this will allow you to run commands on a remote computer with the administrator permissions;
  4. Try temporarily disabling Windows Firewall on the remote computer.
I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.


  1. this really helped out thanks for this section i have been scouring the internet and this really helps thanks!

  2. When I run psexec I am trying to run as a different user from a different domain but usual login is from a different domain.
    “The security database on the server does not have a computer account for this workstation trust relationship”

    1. You have to have an account you know is live on that machine or know a domain account on the domain that machine is on.

  3. What do the command with a parameter-m ? Ex: psexec.exe -u user -p password \\remoteserver -c -f C:\myfolder\file.exe -m

  4. how can i run this command psexec \lon-srv01 ipconfig /flushdns
    on multiple machines at a time. Please let me know there is any method like that.

  5. I’m trying to run
    But write to me
    ‘psexe’ is not recognized as an internal or external command,
    operable program or batch file.
    Although I installed the application

  6. Hello,
    do you know if it is possible to permanently install PSEXESVC service on the remote computer to avoid PsExec startup slowness?

    Thank you!

  7. Make sure you cd to, and that you’re running the command from the directory where psexec is located. Once there, you may also need to use .\ (for current directory) in front of psexec like .\psexec

  8. Is it possible to enable the LocalAccountTokenFilterPolicy from local machine to remote using PsExec like,

    psexec -u admin -p password \ipaddress -h -s -d C:\Windows\System32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

    from local machine to remote?

    When I tried I got message

    PsExec v2.2 – Execute processes remotely Copyright (C) 2001-2016 Mark Russinovich Sysinternals – www sysinternals com

    Couldn’t access ipaddress Access is denied.

  9. This is great, it has helped me accomplish what I wanted to do which is to disable Hyper-V on 60+ machines at once.
    1. Saved a text file on my C:\temp\PC_List.txt
    – no comas needed in text file, just copy all computernames (one on each lines)
    2. Saved Batch file with the command “bcdedit /set hypervisorlaunchtype off” at same location
    – C:\temp\HyperV_Disable.bat
    3. Ran PsExec using following syntax:
    PsExec.exe @c:\temp\PC_List.txt -h -u domain_name\admin_name -c “c:\temp\HyperV_Disable.bat

    Took a long time to run because it connects on each PC one at a time, but I got there!

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.