The PsExec is an easy Windows utility to replace the telnet tool. It allows you to run programs and processes on remote systems, using all the features of the interactive interface of console applications, without having to manually install the client software. The main advantage of PsExec is the ability to invoke the interactive command-line interface on remote systems and remotely run programs (in the background and the interactive mode) and execute any commands.
The PsExec utility is one of the most popular programs of the PsTools package from Sysinternals. You can download it on this page: https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
In order to use the utility, simply copy it to the folder on your computer (it is convenient to copy it to the default executable folder C:\Windows\system32) and run it from the command prompt or PowerShell console.
How Does PsExec Work?
In the resources of the executable file PsExec.exe is another executable file – PSEXESVC, which is a Windows service file. When installing a connection to a remote computer, the PsExec utility copies this file to the hidden administrative folder of the remote computer Admin$ (C:\Windows\system32\psexesvc.exe).
Then PsExec installs and starts the PSEXESVC service using the Windows functions API for managing services. After running PSEXESVC between this service and the PsExec program on your computer, a connection is established for data transfer (command input and output of results). When the work is completed, PsExec stops the service and automatically removes it from the remote computer.
The syntax for PsExec is as follow:
psexec \RemotePCName [-u username[-p password]] command [arguments]
You can not set the user name and password, then the remote process starts on the remote computer from the same account as the PsExec program. If you need to execute commands on a remote system under a different user, keep in mind that the password is sent over the network to the remote system in clear text.
When you start PsExec for the first time, you need to accept Sysinternals License Agreement.
As an example, we will purge the DNS cache on the remote computer lon-srv01:
psexec \lon-srv01 ipconfig /flushdns
The command will be run on the lon-srv01 computer under your credentials. After ipconfig finishes, all text output will be transferred to your computer, and the error code will also be returned. If the command was successful, you will see 0.
If you need to run several commands, it’s best to set up an interactive session with the remote computer. To do this, enter the command:
psexec \lon-srv01 cmd
Now commands that were typed on the local computer will run on the remote lon-srv01 computer.
To end a remote session with the Psexec type exit.
Run the Command Simultaneously on Multiple Computers With PsExec
PsExec allows you to run the command simultaneously on multiple computers. To do this, you can enter the computer names separated by commas: psexec \\PC1,PC2 or save them in a text file and then specify its address: psexec @c:\ps\computer_list.txt. If instead of the computer name you put an asterisk (psexec \\*), then the command will be executed on all computers of the domain.
PsExec has one interesting feature. If you do not specify a computer name, then the command is executed by default on the local system. You can run programs under the system account by using the -s switch. For example, run the CLI session: psexec -s cmd and then check which user you are currently logged on with whoami. As you can see, the console is started from NTauthority\system account.
Using the -c switch, you can specify the name of the file that you want to copy to the remote system and execute there. For example:
psexec \lon-srv01 -c c:\ps\myapp.exe
By default, PsExec executes commands in hidden mode (you won’t notice any windows or dialogs on the remote system where the command is executed). However, you can change this with the -i option. After that, you can specify the session number in which you want to display the console PsExec windows, or you can not specify, then the interface will be displayed in the console session.
Full information about all the parameters of the PsExec can be obtained by simply entering the command psexec in the command line without parameters.