The PsExec tool allows you to run programs and processes on remote computers. The main advantage of PsExec is the ability to invoke the interactive command-line interface on remote computers, remotely run programs, and execute any commands (in the background, or the interactive mode).
The PsExec utility is one of the most popular programs of the PsTools package from Sysinternals. You can download it on this page (the actual version is the PsExec v2.40).
How to install PsExec on Windows?
In order to use the PsExec tool, simply download the PSTools.zip archive from Microsoft and extract the PsExec64.exe and PsExec.exe files to any folder on your computer (it is convenient to copy it to the default executable folder C:\Windows\System32).
You can run PsExec from the command prompt or PowerShell console. To connect to a remote computer via PsExec, the following conditions must be met:
- TCP/445 (SMB) and UDP/137 (NETBIOS) ports must be open on the remote computer;
- You must have administrator credentials on the remote computer, or the user under which you are running PsExec must be added to the Administrators group on the remote computer;
- The LanmanServer and LanmanWorkstation services must be running on a computer.
You can open these ports on a remote computer using the Windows Firewall Advanced Settings (GUI) or using the commands:
netsh advfirewall firewall add rule name="SMB" dir=in action=allow protocol=TCP localport=445 netsh advfirewall firewall add rule name="NETBIOS" dir=in action=allow protocol=UDP localport=139
How to use PsExec?
The syntax for PsExec is as follows:
psexec \\RemotePCName [-u username[-p password]] command [arguments]
If you did not specify the user name and password, then the remote process starts on the remote computer under your current credentials, which are used to start the PsExec process on your computer. If you need to execute commands on a remote computer under a different user account, keep in mind, that the password is sent over the network to the remote system in plain text.
When you start PsExec for the first time, you need to accept the Sysinternals License Agreement.
To prevent the graphical prompt with the license agreement from being displayed, you can add the /accepteula switch when you first start PsExec.
psexec /accepteula
As an example, we want to purge the DNS cache (with the “ipconfig /flushdns” command) on the remote computer lon-srv01. Run the command:
psexec \\lon-srv01 ipconfig /flushdns
After you run this command, the PsExec copies the psexesvc.exe file to the hidden administrative folder Admin$ of the specified remote computer (C:\Windows\System32\psexesvc.exe). Then it starts the PSEXESVC service on the remote computer using the Windows API. After running PSEXESVC, a connection is established for data transfer between this service, and the PsExec process on your computer.
PsExec then sends your command to be executed on the remote computer and waits for the result. In our example, after ipconfig finishes, all the text output will be transferred to your computer, and the error code will also be returned. If the command was successful, you will see the exit code 0.
If your account doesn’t have the local administrator rights on the remote Windows host, an error will appear:
Couldn’t install PSEXESVC service:
Access Denied
When the work is completed, PsExec stops the service and automatically removes it from the remote computer.
When you run cmd.exe interactively through PsExec under a remote user, you have no way to elevate privileges (as Admin) when the UAC is enabled. To run the commands with the account’s elevated token, use the –h option. This option means that all commands will be executed in the “Run as Administrator” mode.
PsExec: run commands on remote computers
Let’s look at useful examples of using PsExec to execute commands on remote computers.
To restart the remote computer, run the following command:
psexec \\lon-srv01 "cmd.exe" "/c shutdown /f /r/ /t 60"
If you need to run several commands one by one, it’s better to run the PsExec in the interactive mode on the remote computer. To do this, run the command:
psexec \\lon-srv01 cmd
Now all the commands that you typed in the command prompt on your local computer, will be executed on the remote lon-srv01 computer.
To connect to a remote computer under a specific account and run an interactive shell, use the following command:
psexec.exe \\lon-srv01 -u user -p password cmd.exe
You can use PsExec even to run PowerShell commands remotely. For example, the following command will return you the size of the C:\PS directory on the remote computer:
psexec \\lon-srv01 powershell -ExecutionPolicy RemoteSigned -command "'{0:N2}' -f ((gci C:\PS | measure Length -Sum).Sum/1MB)"
Note. To run a command remotely in PowerShell, you can use the Invoke-Command cmdlet instead of PsExec.
You can use the -c parameter to specify the name of the local file that you want to copy to the remote computer and execute it there. For example:
psexec \\lon-srv01 -c c:\ps\myapp.exe
You can use PsExec as the easiest way to remotely install software. For example, you have an installer file of a certain program (for example, setup.msi). To copy the msi file to a remote computer and install it, use the following one-liner:
psexec.exe \\lon-srv01 -c setup.msi –i –s "msiexec.exe /i setup.msi"
By default, PsExec doesn’t allow to start a GUI program on the remote user’s desktop. PsExec executes commands in the hidden mode (you won’t notice any windows or dialogs on the remote computer where the commands are executed). However, you can change this with the -i option.
For example, the following PsExec command will open the notepad.exe process on the remote computer and display it on the local user’s desktop:
psexec -i \\lon-srv01 notepad
PsExec will wait for a process running on a remote computer to complete. If remote users don’t close the notepad windows on their desktop, your PsExec process will wait indefinitely for it to complete. To prevent PsExec from waiting for the remote process to finish, use the -d switch:
psexec -i -d \\lon-srv01 notepad
Full information about all the parameters of the PsExec can be obtained by simply entering the command psexec in the command line without parameters.
To end a remote PsExec session, type exit, and press Enter.
Using PsExec to run processes as the LOCAL SYSTEM account
PsExec has one interesting and useful feature. If you don’t specify a computer name, then the command will be executed from the local system authority by default. You can run programs under the SYSTEM account by using the -s switch. For example, run the CLI session:
psexec -s cmd
Then check which user you are currently logged on with the whoami command. As you can see, the console is started from the NTAuthority\System account.
Run a command on multiple remote computers with PsExec
PsExec allows you to run the command simultaneously on multiple remote computers. To do this, you can set the computer names separated by commas:
psexec \\PC1,PC2,PC3,PC33 “ipconfig /all”
or save them in a text file, and then specify a path to this file:
psexec @c:\ps\computer_list.txt ipconfig
If instead of the computer name you will put an asterisk (psexec \\*), then the command will be executed on all computers in your domain (you can use this trick only on a domain-joined computer).
For example, the following command will copy your run.bat file to all computers listed in the text file c:\ps\computer_list.txt, and execute this batch (the –h argument is used to run batch elevated):
PsExec.exe @c:\ps\computer_list.txt -h -u .administrator -p $upper0P@$ -c "c:\ps\run.bat"
Common PsExec errors
PsExec access denied error
In some cases, you can get the following error when trying to connect a remote computer using PsExec:
Couldn’t access computername
The network path was not found
Make sure the default admin% share is enabled on computername.
Make sure the remote computer is accessible over the network via SMB (TCP port 445). You can test the connection to the remote computer using the following PowerShell command:
Test-NetConnection -ComputerName pc99 -Port 445
Check the command response. If TcpTestSucceeded is not equal to True, this means that this port is blocked by the firewall.
You can open the SMB port in Windows Defender Firewall on a remote computer by enabling the “File and Printer Sharing” rule using the following command:
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
Make sure ADMIN% (Remote Admin) and other Windows admin shares (C$, IPC$) are published on the remote computer:
net view \\pc99 /all
If the list of admin shares on the remote computer is empty, run the following command on it locally:
net share
If there are no administrative shares, you need to publish them with the command:
reg add HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /f /v AutoShareWks /t REG_DWORD /d 0
Then restart the remote computer.
Fixing the Error: “Could not start PsExec service”
In some cases, when connecting to a remote computer through PsExec, you may receive an error:
Could not start PSEXESVC service on PC:
Access is denied.
If you encountered such an error, try to use one of the following solutions:
- Make sure your user is a member of the local administrators’ group on the remote computer;
- If the username on a remote computer differs from the current security context, try to specify remote user credentials as follows:
psexec \\PC1 -u PC1\user1 -p adminpassword -h -i cmd
(be sure to use the –h option in your PsExec command);
- On a remote computer in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System try to change the parameter ‘LocalAccountTokenFilterPolicy’ value to 1. When UAC is enabled, this will allow you to run commands on a remote computer with administrator permissions;
- Try temporarily disabling Windows Firewall on the remote computer.
PsExec: logon failure
When connecting to a remote computer, the following PsExec error may appear:
PsExec could not start cmd.exe on PCName:
Logon failure: the user has not been granted the requested logon type at this computer.
In this case, you need to add the following options to your PsExec command:
PsExec.exe -i –h \ PCName yourcommand
PSExec error code 1
If PsExec returns “error code 1” when you run a batch file on a remote computer, you are most likely using the exit command in your bat file. Change the exit command to
exit / b 0
Such a command terminates the batch file, closes cmd.exe, and sets the return code to zero.
11 comments
this really helped out thanks for this section i have been scouring the internet and this really helps thanks!
When I run psexec I am trying to run as a different user from a different domain but usual login is from a different domain.
“The security database on the server does not have a computer account for this workstation trust relationship”
You have to have an account you know is live on that machine or know a domain account on the domain that machine is on.
What do the command with a parameter-m ? Ex: psexec.exe -u user -p password \\remoteserver -c -f C:\myfolder\file.exe -m
how can i run this command psexec \lon-srv01 ipconfig /flushdns
on multiple machines at a time. Please let me know there is any method like that.
I’m trying to run
But write to me
‘psexe’ is not recognized as an internal or external command,
operable program or batch file.
Although I installed the application
Extract the .zip to C:/WINDOWS/system32
Hello,
do you know if it is possible to permanently install PSEXESVC service on the remote computer to avoid PsExec startup slowness?
Thank you!
Make sure you cd to, and that you’re running the command from the directory where psexec is located. Once there, you may also need to use .\ (for current directory) in front of psexec like .\psexec
Is it possible to enable the LocalAccountTokenFilterPolicy from local machine to remote using PsExec like,
psexec -u admin -p password \ipaddress -h -s -d C:\Windows\System32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
from local machine to remote?
When I tried I got message
PsExec v2.2 – Execute processes remotely Copyright (C) 2001-2016 Mark Russinovich Sysinternals – www sysinternals com
Couldn’t access ipaddress Access is denied.
This is great, it has helped me accomplish what I wanted to do which is to disable Hyper-V on 60+ machines at once.
1. Saved a text file on my C:\temp\PC_List.txt
– no comas needed in text file, just copy all computernames (one on each lines)
2. Saved Batch file with the command “bcdedit /set hypervisorlaunchtype off” at same location
– C:\temp\HyperV_Disable.bat
3. Ran PsExec using following syntax:
PsExec.exe @c:\temp\PC_List.txt -h -u domain_name\admin_name -c “c:\temp\HyperV_Disable.bat
Took a long time to run because it connects on each PC one at a time, but I got there!