Using PsExec to Run Commands Remotely

PsExec allows you to run programs and processes on remote systems with the full interactive interface of console applications, without having to install any client software on the remote side. Its main advantage is the ability to open an interactive command-line session on a remote computer and to run programs there (in the background or interactively), including arbitrary commands.

The PsExec utility is one of the most popular programs in the PsTools package from Sysinternals. You can download it from this page: https://docs.microsoft.com/en-us/sysinternals/downloads/psexec (the current version at the time of writing is PsExec v2.2).


To use the PsExec tool, simply copy it to a folder on your computer (it is convenient to put it in the default executable folder C:\Windows\system32) and run it from the command prompt or a PowerShell console.

How Does PsExec Work?

Embedded in the resources of the executable file PsExec.exe is another executable, PSEXESVC, which is a Windows service binary. When establishing a connection to a remote computer, PsExec copies this file to the hidden administrative share Admin$ of the remote computer (C:\Windows\system32\psexesvc.exe). For PsExec to connect to a remote computer, the LanmanServer and LanmanWorkstation services must be running on that computer, and the SMB port (445 TCP) must be open on any firewalls between the source and target computers.

PsExec then installs and starts the PSEXESVC service using the Windows service management API. Once PSEXESVC is running, a connection for data transfer (command input and result output) is established between this service and the PsExec program on your computer. When the work is completed, PsExec stops the service and automatically removes it from the remote computer.
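Because PsExec works by installing a service through the Service Control Manager, every PsExec session leaves a "service installed" event (ID 7045) in the System log of the remote computer, with PSEXESVC as the service name and the image path pointing at psexesvc.exe. The following PowerShell function is an added example, not part of the original article, that searches a host's System log for such installations; the function name and its parameters are my own, and it assumes the account running it can read the event log on the target (Windows PowerShell 5.1).

```powershell
# Added example: list PSEXESVC service installations recorded in the System log.
# Event 7045 ("A service was installed in the system") is written by the
# Service Control Manager when PsExec registers its service on the remote host.
function Get-PsExecServiceInstalls {
    param(
        # Hypothetical parameter: how far back to search (default: last 7 days).
        [datetime]$Since = (Get-Date).AddDays(-7),
        # Hypothetical parameter: host whose System log to read (default: local).
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $filter = @{ LogName = 'System'; Id = 7045; StartTime = $Since }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Event 7045 data fields: 0 = ServiceName, 1 = ImagePath,
        # 2 = ServiceType, 3 = StartType, 4 = AccountName
        $p = $e.Properties
        $serviceName = [string]$p[0].Value
        $imagePath   = [string]$p[1].Value

        # Match on the image path as well as the service name, so the install is
        # reported even if the service was registered under a different name.
        if ($serviceName -match 'PSEXESVC' -or $imagePath -match 'psexesvc\.exe') {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Computer    = $e.MachineName
                ServiceName = $serviceName
                ImagePath   = $imagePath
                RunAs       = [string]$p[4].Value
            }
        }
    }
}

# Usage: show every PsExec service installation on this host in the last 30 days.
Get-PsExecServiceInstalls -Since (Get-Date).AddDays(-30) | Format-Table -AutoSize
```

On the computer PsExec is launched from, the first run also leaves the EulaAccepted value under HKCU\Software\Sysinternals\PsExec, which is another artifact worth checking when reconstructing who used the tool.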

Using PsExec to Run Command on Remote Computer

The syntax for PsExec is as follows:

psexec \\RemotePCName [-u username [-p password]] command [arguments]

If you do not specify a user name and password, the remote process starts on the remote computer under the same account that runs the PsExec program. If you need to execute commands on a remote system under a different user, keep in mind that the password is sent over the network to the remote system in plain text.

When you start PsExec for the first time, you need to accept Sysinternals License Agreement.


As an example, we will purge the DNS cache on the remote computer lon-srv01:

psexec \\lon-srv01 ipconfig /flushdns


The command will run on the lon-srv01 computer under your credentials. After ipconfig finishes, all of its text output is transferred to your computer, and its exit code is returned as well. If the command was successful, you will see the error code 0.

To restart the remote computer, run the following command:

psexec \\lon-srv01 "cmd.exe" "/c shutdown /f /r /t 60"

If you need to run several commands one after another, it is better to open an interactive PsExec session with the remote computer. To do this, run the command:

psexec \\lon-srv01 cmd

Now all the commands that you type in the command prompt on your local computer will be executed on the remote lon-srv01 computer.


To connect to a remote computer under a specific account and run an interactive shell, use the following command:

psexec.exe \\lon-srv01 -u user -p password cmd.exe

You can also use PsExec to run PowerShell commands on a remote computer. For example, the following command returns the size of the C:\PS directory on the remote computer in megabytes:

psexec \\lon-srv01 powershell -ExecutionPolicy RemoteSigned -command "'{0:N2}' -f ((gci C:\PS | measure Length -Sum).Sum/1MB)"

Note. In PowerShell you can use the Invoke-Command cmdlet instead of PsExec to run commands remotely.

PsExec is also a simple way to install software remotely. Suppose you have an installer file for a program, setup.msi. To copy the MSI file to the remote computer and install it there, use the following command:

psexec.exe \\lon-srv01 -c setup.msi -i -s "msiexec.exe /i setup.msi"

PsExec has one interesting feature. If you do not specify a computer name, the command is executed on the local computer. With the -s switch you can run programs under the SYSTEM account. For example, open a CLI session with psexec -s cmd and then check which user you are logged on as with the whoami command. As you can see, the console is running under the NT AUTHORITY\SYSTEM account.


You can use the -c parameter to specify the name of the local file that you want to copy to the remote computer and execute there. For example:

psexec \\lon-srv01 -c c:\ps\myapp.exe

By default, PsExec executes commands in hidden mode (no windows or dialogs appear on the remote computer where the command is executed). You can change this with the -i option, optionally followed by the number of the session in which the PsExec console window should be displayed; if you omit the number, the interface is displayed in the console session.

Full information about all PsExec parameters can be obtained by entering the command psexec in the command line without any parameters.


To end a remote PsExec session, type exit and press Enter.

Run the Command Simultaneously on Multiple Computers With PsExec

PsExec allows you to run a command simultaneously on multiple remote computers. To do this, you can enter the computer names separated by commas: psexec \\PC1,PC2 "ipconfig /all", or save them in a text file and then specify the path to this file: psexec @c:\ps\computer_list.txt ipconfig. If you put an asterisk instead of the computer name (psexec \\*), the command is executed on all computers in your domain (this trick works only on a domain-joined computer).

For example, the following command copies your run.bat file to all computers listed in the text file c:\ps\computer_list.txt and runs the batch file there (the -h argument runs it elevated):

PsExec.exe @c:\ps\computer_list.txt -h -u .\administrator -p $upper0P@$ -c "c:\ps\run.bat"
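When a command runs on many computers, the exit code PsExec passes back (0 on success, as described above) is the only per-host result you get, so it is worth collecting it per machine. The following wrapper is an added example, not part of the original article: it reads a computer list file, runs PsExec once per host under the current credentials (so no password is placed on the command line or sent over the network) and returns the exit code and captured output for each host. The function name, parameters and the list file path are my own assumptions; it expects psexec.exe on the PATH and Windows PowerShell 5.1.

```powershell
# Added example: run one command via PsExec on every host in a list file and
# collect the remote exit code per host.
function Invoke-PsExecOnList {
    param(
        [Parameter(Mandatory)] [string]$ListPath,   # text file, one host name per line
        [Parameter(Mandatory)] [string]$Command,    # e.g. 'ipconfig /flushdns'
        [string]$PsExecPath = 'psexec.exe'          # assumes psexec.exe is on the PATH
    )

    # Skip blank lines and lines starting with '#' so the list can carry comments.
    $hostNames = Get-Content $ListPath |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -ne '' -and -not $_.StartsWith('#') }

    # Split the command into program + arguments so PsExec receives them as
    # separate tokens, exactly as if typed at the prompt.
    $parts = $Command -split '\s+'

    foreach ($h in $hostNames) {
        # -accepteula suppresses the EULA prompt on first use; -nobanner removes
        # the copyright banner so only the remote command's output is captured.
        # 2>&1 merges PsExec's own messages (written to stderr) into $output.
        $output = & $PsExecPath "\\$h" -accepteula -nobanner @parts 2>&1

        # PsExec returns the exit code of the remote process.
        [pscustomobject]@{
            Computer = $h
            ExitCode = $LASTEXITCODE
            Success  = ($LASTEXITCODE -eq 0)
            Output   = ($output | Out-String).Trim()
        }
    }
}

# Usage (the list file path is a constructed example):
$results = Invoke-PsExecOnList -ListPath 'C:\PS\computer_list.txt' -Command 'ipconfig /flushdns'
$results | Format-Table Computer, ExitCode, Success -AutoSize
# Show the captured output only for hosts where the command failed.
$results | Where-Object { -not $_.Success } | Select-Object Computer, ExitCode, Output
```

Hosts that could not be reached at all also show up as failures, because PsExec itself exits with a non-zero code in that case and its error message ends up in the Output field.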

Running CMD on a Remote Computer as Administrator Using the PsExec

When you run cmd.exe interactively through PsExec under a remote user, you have no way to elevate privileges (as Administrator) when UAC is enabled. To run commands with the account's elevated token, use the -h option. This option means that all commands are executed in "Run as Administrator" mode.

Fixing the Error: "Could not Start PsExec service"

In some cases, when connecting to a remote computer through PsExec, you may receive an error:

Could not start PSEXESVC service on PC:

Access is denied.

If you encounter this error, try one of the following solutions:

  1. Make sure that your user is a member of the local Administrators group on the remote computer;
  2. If the user account connecting to the remote computer differs from the current security context, specify the remote user's credentials explicitly:
    psexec \\PC1 -u PC1\user1 -p adminpassword -h -i cmd

    (be sure to use the -h option in your PsExec command);

  3. On the remote computer, in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, try setting the parameter 'LocalAccountTokenFilterPolicy' to 1. When UAC is enabled, this allows you to run commands on the remote computer with administrator permissions;
  4. Try temporarily disabling Windows Firewall on the remote computer.
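Before changing anything on the remote computer, it helps to check which of the preconditions described on this page actually fails: TCP 445 reachability, access to the Admin$ share that psexesvc.exe is copied into, the LanmanServer/LanmanWorkstation services, and the LocalAccountTokenFilterPolicy value. The following function is an added example, not part of the original article, that performs those checks from the machine PsExec is launched on; its name and parameter are my own, and it assumes Windows PowerShell 5.1 (Get-Service -ComputerName is not available in PowerShell 7) and that the Remote Registry service is running on the target for the registry check.

```powershell
# Added example: check the prerequisites for a PsExec connection to one host.
function Test-PsExecPrerequisites {
    param([Parameter(Mandatory)] [string]$ComputerName)

    # 1. SMB port (TCP 445) reachable through any firewall in between.
    $smb = Test-NetConnection -ComputerName $ComputerName -Port 445 -WarningAction SilentlyContinue

    # 2. Admin$ share accessible: this is where PsExec copies psexesvc.exe.
    #    Succeeds only if the current account is a local administrator there.
    $adminShare = Test-Path "\\$ComputerName\ADMIN$"

    # 3. Server and Workstation services running on the remote computer.
    $svc = Get-Service -ComputerName $ComputerName -Name LanmanServer, LanmanWorkstation -ErrorAction SilentlyContinue
    $serverRunning      = (($svc | Where-Object Name -eq 'LanmanServer').Status -eq 'Running')
    $workstationRunning = (($svc | Where-Object Name -eq 'LanmanWorkstation').Status -eq 'Running')

    # 4. Remote UAC token filtering. When LocalAccountTokenFilterPolicy is absent
    #    or 0, local administrator accounts (other than the built-in Administrator)
    #    receive a filtered, non-elevated token over the network, and the service
    #    installation fails with "Access is denied". Read only; nothing is changed.
    $policy = $null
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System')
        if ($key) { $policy = $key.GetValue('LocalAccountTokenFilterPolicy') }
    } catch {
        $policy = "unreadable ($($_.Exception.Message))"
    }
    if ($null -eq $policy) { $policy = 'not set (remote UAC filtering active)' }

    [pscustomobject]@{
        Computer                      = $ComputerName
        Port445Open                   = [bool]$smb.TcpTestSucceeded
        AdminShareAccessible          = $adminShare
        LanmanServerRunning           = $serverRunning
        LanmanWorkstationRunning      = $workstationRunning
        LocalAccountTokenFilterPolicy = $policy
    }
}

# Usage:
Test-PsExecPrerequisites -ComputerName lon-srv01 | Format-List
```

Setting LocalAccountTokenFilterPolicy to 1, as step 3 suggests, removes remote UAC filtering for every local administrator account on that computer, not just the one you are using, so it is a setting worth recording and reviewing rather than leaving in place by default.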

9 comments

  1. this really helped out thanks for this section i have been scouring the internet and this really helps thanks!

  2. When I run psexec I am trying to run as a different user from a different domain but usual login is from a different domain.
    “The security database on the server does not have a computer account for this workstation trust relationship”

  3. how can i run this command psexec \\lon-srv01 ipconfig /flushdns
    on multiple machines at a time. Please let me know if there is any method like that.

  4. I'm trying to run it,
    but it writes to me:
    'psexe' is not recognized as an internal or external command,
    operable program or batch file.
    Although I installed the application

  5. Hello,
    do you know if it is possible to permanently install PSEXESVC service on the remote computer to avoid PsExec startup slowness?

    Thank you!

  6. Make sure you cd to, and that you’re running the command from the directory where psexec is located. Once there, you may also need to use .\ (for current directory) in front of psexec like .\psexec

  7. Is it possible to enable the LocalAccountTokenFilterPolicy from local machine to remote using PsExec like,

    psexec -u admin -p password \\ipaddress -h -s -d C:\Windows\System32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

    from local machine to remote?

    When I tried I got message

    PsExec v2.2 - Execute processes remotely Copyright (C) 2001-2016 Mark Russinovich Sysinternals - www.sysinternals.com

    Couldn't access ipaddress: Access is denied.
