PsExec is a useful system administrator tool that allows you to execute commands and run programs on remote computers. PsExec's killer feature is that it lets the administrator establish an interactive session with a remote computer and use it to run programs and execute any commands there (in the background or in interactive mode). PsExec provides only a command line console interface, so it can serve as a lightweight telnet replacement.
PsExec is part of the Sysinternals PsTools package. You can download it from this page (the current version is PsExec v2.43).
Prerequisites for Using PsExec
The following requirements must be met for PsExec to connect to a remote computer:
- The remote computer must have the TCP/445 (SMB) and UDP/137 (NetBIOS) ports open, and the File and Printer Sharing exception should be enabled in Windows Defender Firewall. It is recommended to open these ports only for the Private and Domain network profiles to reduce the attack surface.
You can enable the File and Printer Sharing feature on a remote computer in the Windows Defender Firewall settings (GUI) or with the command:
Set-NetFirewallRule -DisplayGroup "File And Printer Sharing" -Enabled True -Profile Private
- Your account must have local administrative rights on the target remote computer;
- The LanmanServer and LanmanWorkstation services must be running on the remote host:
Get-Service LanmanServer, LanmanWorkstation
- The default admin$ share must be enabled on the remote computer.
Make sure ADMIN$ (Remote Admin) and the other Windows admin shares (C$, IPC$) are published on the remote computer:
net view \\DESKTOP-U97VIM5 /all
If the list of admin shares on the remote computer is empty, run the following command on the remote computer to publish the default admin shares (the value 1 enables the automatic admin shares; 0 disables them):
reg add HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /f /v AutoShareWks /t REG_DWORD /d 1
Then restart the remote computer.
You must also disable Remote UAC (the UAC remote restrictions that block remote administrative access under local administrator accounts on workgroup computers):
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "LocalAccountTokenFilterPolicy" /t REG_DWORD /d 1 /f
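The following script is an added example (not part of the original article) that checks the prerequisites listed above against one remote host before you try PsExec. It assumes Windows PowerShell 5.1 in an elevated session, run by an account with admin rights on the target; the function name Test-PsExecPrereq is my own.

```powershell
# Added example: readiness check for the PsExec prerequisites above.
# Assumes Windows PowerShell 5.1, elevated, with admin rights on the target.
function Test-PsExecPrereq {
    param([Parameter(Mandatory)][string]$ComputerName)

    $r = [ordered]@{ ComputerName = $ComputerName }

    # 1. SMB reachable: TCP/445 must be open (File and Printer Sharing firewall rule)
    $tnc = Test-NetConnection -ComputerName $ComputerName -Port 445 -WarningAction SilentlyContinue
    $r.Smb445Open = [bool]$tnc.TcpTestSucceeded

    # 2. Admin shares published: parse "net view \\host /all" for ADMIN$, C$ and IPC$
    $shares = @()
    if ($r.Smb445Open) {
        $shares = @(net view "\\$ComputerName" /all 2>$null |
            Where-Object { $_ -match '^(ADMIN\$|C\$|IPC\$)\s' } |
            ForEach-Object { ($_ -split '\s+')[0] })
    }
    $r.AdminShares       = $shares -join ','
    $r.AdminShareEnabled = $shares -contains 'ADMIN$'

    # 3. Server and Workstation services must be running (queried over RPC)
    try {
        $svc = Get-Service -ComputerName $ComputerName -Name LanmanServer, LanmanWorkstation -ErrorAction Stop
        $r.ServicesRunning = @($svc | Where-Object Status -ne 'Running').Count -eq 0
    } catch { $r.ServicesRunning = $false }

    # 4. Remote UAC: LocalAccountTokenFilterPolicy=1 is needed only when you connect with a
    #    local (workgroup) admin account; domain accounts are not filtered. Needs Remote Registry.
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System')
        $r.LocalAccountTokenFilterPolicy = if ($key) { $key.GetValue('LocalAccountTokenFilterPolicy', 0) } else { 0 }
    } catch { $r.LocalAccountTokenFilterPolicy = 'unknown (Remote Registry service not reachable)' }

    [pscustomobject]$r
}

# Usage: Smb445Open, AdminShareEnabled and ServicesRunning should all be True
# (and LocalAccountTokenFilterPolicy 1 for a local account) before running psexec \\lon-srv01 ...
Test-PsExecPrereq -ComputerName lon-srv01 | Format-List
```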
How to Install PsExec on Windows?
To use the PsExec tool, simply download the PSTools.zip archive from Microsoft and extract the PsExec64.exe and PsExec.exe files to any folder on the administrator's computer (it is convenient to copy them to the default executable folder C:\Windows\System32).
You can now connect to the remote computer using PsExec.
The syntax for PsExec is as follows:
psexec \\RemotePCName [-u username [-p password]] command [arguments]
You can list all the available PsExec options by simply typing psexec on the command line without any parameters.
Note. Some anti-virus software may detect PsExec.exe as malware, a PUA (potentially unwanted application), a hacking tool or a remote administration tool. You can be sure that PsExec does not contain viruses if you have downloaded it from the Microsoft website. However, PsExec is often used by malware and attackers to move between compromised computers and take remote control of them, which is why security products flag it.
If you have not specified a username and password, the PsExec process will start on the remote computer using your current credentials. PsExec encrypts user credentials when transmitted over the network as of version 2.1 (in previous versions, the password was sent in clear text).
You must accept the Sysinternals license agreement when you run PsExec for the first time.
To prevent the graphical license agreement prompt from being displayed, you can add the /accepteula switch the first time you run PsExec.
psexec /accepteula
In the following example, we will use PSExec to flush the DNS cache on the remote machine lon-srv01:
psexec \\lon-srv01 ipconfig /flushdns
Note. If there are spaces in the path to the program, you must enclose it in double quotation marks:
psexec \\lon-srv01 "c:\Program Files (x86)\app1\app.exe"
How does PsExec work?
- PsExec copies the psexesvc.exe file to the hidden administrative folder Admin$ of the remote computer (C:\Windows\System32\psexesvc.exe);
- Then it starts the PSEXESVC service on the remote computer via the Windows Service Control Manager API;
- Your local PsExec process connects to the remote PSEXESVC service using a named pipe, sends your command to the remote machine, and waits for the result;
- The text output of the command will be sent to your computer and the error code will be displayed in your console. If the command was successful, you will see the exit code 0.
- PsExec stops the service and automatically removes it from the remote computer when the task is complete.
Hint. If you finish the remote PsExec session by pressing the Ctrl-C key, the PSEXESVC service will not be deleted automatically. You can remove this service manually with the command:
sc.exe \\lon-srv01 delete psexesvc
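Because every PsExec run installs and removes the PSEXESVC service as described above, a host keeps traces of it that are worth checking, both to clean up after an interrupted session and to notice PsExec-style remote execution you did not start yourself. The following script is an added example (not from the original article); Get-PsExecTrace is my own function name, and it assumes an elevated session on the host being inspected (locally or through Invoke-Command).

```powershell
# Added example: audit a host for traces of the PsExec service mechanism described above.
# Assumes an elevated PowerShell session on the inspected host.
function Get-PsExecTrace {
    param([int]$Days = 7)

    $since = (Get-Date).AddDays(-$Days)

    # 1. Service installs: the Service Control Manager logs Event ID 7045 in the System log
    #    whenever PsExec (or anything else) installs a new service. The default service
    #    name is PSEXESVC, but it can be changed with PsExec's -r option, so matching on
    #    the ImagePath as well is more robust.
    $installs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                ServiceName = $d.ServiceName
                ImagePath   = $d.ImagePath
                Account     = $d.AccountName
            }
        } |
        Where-Object { $_.ServiceName -eq 'PSEXESVC' -or $_.ImagePath -match 'PSEXESVC' }

    # 2. Leftover service registration (what "sc.exe delete psexesvc" above removes)
    $svc = Get-Service -Name PSEXESVC -ErrorAction SilentlyContinue

    # 3. Leftover service binary copied through the Admin$ share (check both paths the
    #    article and the share mapping suggest)
    $bin = Get-Item "$env:SystemRoot\PSEXESVC.exe", "$env:SystemRoot\System32\PSEXESVC.exe" -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ServiceInstallEvents = @($installs)
        LeftoverService      = if ($svc) { $svc.Status } else { 'none' }
        LeftoverBinary       = if ($bin) { ($bin.FullName -join ', ') } else { 'none' }
    }
}

# Usage: review ServiceInstallEvents for accounts and times you do not recognise;
# LeftoverService/LeftoverBinary should be 'none' when no session was interrupted.
Get-PsExecTrace -Days 30 | Format-List
```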
When you run cmd.exe interactively through PsExec under a remote user, you have no way to elevate privileges (as Admin) when UAC is enabled. To run the commands with the account's elevated token, use the -h option. This option causes all commands in the PsExec session to run in "Run as Administrator" mode.
PsExec Usage Examples
Let’s look at some useful examples of using PsExec to execute commands on remote computers.
To restart the remote computer, run the following command:
psexec \\lon-srv01 "cmd.exe" "/c shutdown /f /r /t 60"
If you need to run several commands one by one, it’s better to run the PsExec in the interactive mode on the remote computer. To do this, run the command:
psexec \\lon-srv01 cmd
This will open up an interactive command prompt. All of the commands that you type in the console will be executed on the remote lon-srv01 computer.
To stop an interactive PsExec session, run the command:
exit
Add the -nobanner option to hide the copyright message that appears each time you run PsExec.
To connect to a remote computer under a specific account and run an interactive shell, use the following command:
psexec.exe \\lon-srv01 -u user -p password cmd.exe
You can even use PsExec to run PowerShell commands remotely. For example, the following command will return you the size of the C:\PS directory on the remote computer:
psexec \\lon-srv01 powershell -ExecutionPolicy RemoteSigned -command "'{0:N2}' -f ((gci C:\PS | measure Length -Sum).Sum/1MB)"
Note. You can use the Invoke-Command cmdlet instead of PsExec to run commands remotely with PowerShell.
The -c parameter allows you to specify the name of a local file you want to copy and run on a remote computer. For example:
psexec \\lon-srv01 -c c:\ps\myapp.exe
You can use PsExec as the easiest way to install software remotely. For example, you have an installer file of a certain program (for example, setup.msi). To copy the msi file to a remote computer and install it, use the following one-liner:
psexec.exe \\lon-srv01 -c setup.msi -i -s "msiexec.exe /i setup.msi"
By default, PsExec does not let you start a GUI program on the remote user's desktop. PsExec executes commands in hidden mode (you won't see any windows or dialogs on the remote computer where the commands are executed). However, you can change this with the -i option.
For example, the following PsExec command will open the notepad.exe process on the remote computer and display it on the user’s desktop:
psexec -i \\lon-srv01 notepad
PsExec will then wait for this process to finish on the remote computer. If the remote user doesn't close the Notepad window on their desktop, your PsExec process will wait indefinitely. You can use the -d switch to prevent PsExec from waiting for the remote process to finish:
psexec -i -d \\lon-srv01 notepad
Using PsExec to Run Command as LOCAL SYSTEM Account
PsExec has one interesting and useful feature. You can run any command or program on the local computer under the SYSTEM account by using the -s switch. For example, run the CLI session:
psexec -s cmd
Check which user you are currently logged on with using the whoami command. As you can see, the console is started under the NT AUTHORITY\SYSTEM account.
How to Use PsExec to Run Commands on Multiple Remote Computers
PsExec allows you to run the command on multiple remote computers simultaneously. To do this, you can set the computer names separated by commas:
psexec \\PC1,PC2,PC3,PC33 ipconfig /all
Or save a list of computers to a text file (one hostname on each line), and then specify the path to that file:
psexec @c:\ps\computer_list.txt ipconfig
If you put an asterisk instead of the computer name (psexec \\*), the command will be executed on all computers in your domain (this trick only works on a domain-joined computer).
For example, the following command will copy your run.bat file to all computers listed in the text file c:\ps\computer_list.txt, and execute this batch (the -h argument is used to run batch elevated):
PsExec.exe @c:\ps\computer_list.txt -h -u .\administrator -p $upper0P@$ -c "c:\ps\run.bat"
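When PsExec is given a list file it walks the hosts one after another and stops reporting per host once one of them fails, so for a larger rollout it is handier to drive it from PowerShell and record the exit code for each computer. The following is an added example (not from the original article) that runs the batch-file deployment above host by host; it assumes PsExec.exe is on the PATH, that c:\ps\computer_list.txt and c:\ps\run.bat exist, and that you hold admin rights on the targets.

```powershell
# Added example: per-host rollout of the batch file shown above, with exit codes recorded.
# PsExec returns the remote process's exit code (0 = success); a connection failure also
# yields a non-zero code. Assumes psexec.exe on the PATH and admin rights on the targets.
param(
    [string]$ListPath   = 'c:\ps\computer_list.txt',
    [string]$BatchFile  = 'c:\ps\run.bat',
    [int]$TimeoutSec    = 15
)

# Prompt for the account instead of hard-coding the password in the script.
# Note: -p still places the password on psexec's command line, where it is visible to
# process listings; when your current logon already has admin rights on the targets,
# drop -u/-p entirely and let PsExec use your current credentials.
$cred = Get-Credential -Message 'Account with local admin rights on the targets'
$user = $cred.UserName
$pass = $cred.GetNetworkCredential().Password

$results = foreach ($pc in Get-Content $ListPath | Where-Object { $_.Trim() }) {
    $pc = $pc.Trim()
    # -n: give up on hosts that do not answer within $TimeoutSec seconds
    # -h: run elevated; -c: copy the batch file to the remote Admin$ share first
    $out = & psexec.exe "\\$pc" -accepteula -nobanner -n $TimeoutSec -h -u $user -p $pass -c $BatchFile 2>&1
    [pscustomobject]@{
        Computer = $pc
        ExitCode = $LASTEXITCODE
        Output   = ($out | Out-String).Trim()
    }
}

# Failed hosts first, then keep a record of the whole run
$results | Sort-Object ExitCode -Descending | Format-Table Computer, ExitCode -AutoSize
$results | Export-Csv -Path "$env:TEMP\psexec_run.csv" -NoTypeInformation
```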
Common PsExec Errors
PsExec access denied error
In some cases, you can get the following error when trying to connect a remote computer using PsExec:
Couldn't access computername
The network path was not found
Make sure the default admin$ share is enabled on computername.
Make sure the remote computer is accessible over the network via SMB (TCP port 445). You can test the connection to the remote computer using the following Test-NetConnection PowerShell command:
Test-NetConnection -ComputerName pc99 -Port 445
Check the command response. If TcpTestSucceeded is not True, the port is blocked by a firewall or the host is not reachable.
If your account doesn’t have the local administrator rights on the remote Windows host, an error will appear:
Couldn’t install/start PSEXESVC service:
Access Denied
PsExec: logon failure
When connecting to a remote computer, the following PsExec error may appear:
PsExec could not start cmd.exe on PCName:
Logon failure: the user has not been granted the requested logon type at this computer.
In this case, you need to add the following options to your PsExec command:
PsExec.exe -i -h \\PCName yourcommand
PSExec error code 1
If PsExec returns “error code 1” when you run a batch file on a remote computer, you are most likely using the exit command in your bat file. Change the exit command to
exit /b 0
Such a command terminates the batch file, closes cmd.exe, and sets the return code to zero.
1 comment
This is great, it has helped me accomplish what I wanted to do which is to disable Hyper-V on 60+ machines at once.
1. Saved a text file on my C:\temp\PC_List.txt
– no commas needed in the text file, just copy all computer names (one on each line)
2. Saved a batch file with the command "bcdedit /set hypervisorlaunchtype off" at the same location
– C:\temp\HyperV_Disable.bat
3. Ran PsExec using following syntax:
PsExec.exe @c:\temp\PC_List.txt -h -u domain_name\admin_name -c "c:\temp\HyperV_Disable.bat"
Took a long time to run because it connects on each PC one at a time, but I got there!