Everything You Wanted to know About Psexec

choubertsprojects


In the last few years there have been a number of high-profile cyber attacks. The point of this article is to explain how PsExec works and what potential threats it poses.

PsExec is a command-line tool that lets users run processes on a Windows system remotely. It was designed for systems administrators and IT professionals. This article answers the common questions about PsExec.


PsExec is about the only command-line tool that can compete with robocopy in terms of usefulness. In an IT administrator's toolkit, the Sysinternals PsExec tool is as common as they come. Administrators use it to run commands on remote machines as if they were sitting at the local console.

To cover the PsExec utility properly, it deserved an ATA Ultimate Guide. This guide will teach you what PsExec is, what it can do, and how to use it, with several examples.

What is the purpose of PsExec.exe?

You may not know what psexec is if you’re new to IT or haven’t needed to execute commands and tools on distant machines.

PsExec, sometimes known as psexec.exe, is a Windows command-line application. It gives administrators the ability to launch applications on both local and distant machines. It’s a free program that’s part of Mark Russinovich’s Sysinternals pstools package, which he created many years ago.

It was created to replace tools like telnet, which forced you to open ports and introduce security holes. Although we now have alternatives such as PowerShell Remoting and the Invoke-Command PowerShell cmdlet, PsExec remains useful.

Without requiring you to install any software, PsExec offers full interaction with console applications. PsExec can open interactive command prompts, run as LOCAL SYSTEM on remote systems, run commands on many machines at once, and more, as you'll learn in this Ultimate Guide.

PsExec supports every version of Windows since Windows XP, so yes, PsExec for Windows 10 is also a thing. It's a simple tool that works on almost anything, but don't let its simplicity fool you.

Prerequisites

PsExec runs on your local computer as long as you have a modern Windows operating system installed. Most of the time, however, you'll want to use PsExec to connect to remote systems, and for that a few things need to be in order.

Don't worry if you don't have these items yet or aren't sure. We'll go through how to use PowerShell to test your remote PCs in the following section.

PsExec is now at version 2.2, which is the version you’ll be learning about in this post.

Installing PsExec (With Remote Computer Setup)

PsExec isn't really installed, since it's only a command-line tool, but the download step is near enough. Because there is nothing to install, all you have to do is download the PsTools zip file and extract it. PsExec is a component of the PsTools set of utilities and is not offered as a standalone download.

PsExec may be downloaded from the Sysinternals site.

You may either manually extract the ZIP file or use the PowerShell snippet below to download and extract PsExec from the PsTools ZIP file. Note that this snippet also removes all the other PsTools utilities. Many of them are still useful, but we won't go through them in this post.

PS> Invoke-WebRequest -Uri 'https://download.sysinternals.com/files/PSTools.zip' -OutFile 'pstools.zip'
PS> Expand-Archive -Path 'pstools.zip' -DestinationPath "$env:TEMP\pstools"
PS> Move-Item -Path "$env:TEMP\pstools\psexec.exe" .
PS> Remove-Item -Path "$env:TEMP\pstools" -Recurse

Configuration of a Remote Computer

After you’ve downloaded PsExec, make sure the remote machine you’re intending to use it on is up and running. File and Printer Sharing must be enabled, and the admin$ administrative share must be accessible for PsExec to work.

You might open the Windows Firewall applet on all of the remote systems, go to Allowed Apps, and allow File and Printer Sharing on all computers, as seen below.

Because File and Printer Sharing widens the attack surface of a machine, enable it only for the Private firewall profile.

[Image: Using the Windows Firewall to Allow File and Print Sharing]

Alternatively, you may go to each machine and use the netsh command to open it up:

> netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes

You may also use the Set-NetFirewallRule cmdlet in PowerShell.

PS51> Set-NetFirewallRule -DisplayGroup "File And Printer Sharing" -Enabled True -Profile Private

If you don’t want to go to each machine and have PowerShell Remoting, you may use the Invoke-Command cmdlet to open the firewall on several computers at once if you’re in an Active Directory domain.

PS51> Invoke-Command -ComputerName PC1, PC2, PC3 -ScriptBlock { Set-NetFirewallRule -DisplayGroup "File And Printer Sharing" -Enabled True -Profile Private }

Using the PsExec command

You must walk before you can run. If you've never used PsExec before, you're in for a treat! Before diving into the deep end later in this article, read this part first to get your feet wet and understand the fundamentals.

When you start PsExec for the first time on a new machine, the PsExec license agreement (EULA) appears. To use the tool, you must first click the Agree button.

[Image: License agreement for PsExec (EULA)]

If you don’t want the license agreement to be displayed, use the /accepteula switch as shown below to silently accept it.

Later in the post, you'll discover a couple of ways to turn off the EULA popup on both local and remote systems.

Obtaining Assistance

A good first step when learning PsExec is to run it with no switches at all. When you run psexec without any switches, it displays every option along with a short description of what it does. For convenience, all of the switches are listed in the table below.

Switch       Explanation
-a           Separate the processors on which the application may run with commas, where 1 is the lowest numbered CPU. For example, to run the application on CPUs 2 and 4, enter "-a 2,4".
-c           Copy the specified program to the remote system for execution. If you omit this option, the application must be in the system path on the remote system.
-d           Don't wait for the process to terminate (non-interactive).
-e           Don't load the specified account's profile.
-f           Copy the specified program even if the file already exists on the remote system.
-i           Run the program so that it interacts with the desktop of the specified session on the remote system. If no session is specified, the process runs in the console session. Some people report getting the best results by always combining -s with -i.
-h           If the target system is Vista or higher, run the process with the account's elevated token, if available.
-l           Run the process as a limited user (strips the Administrators group and allows only privileges assigned to the Users group). On Windows Vista the process runs with Low Integrity.
-n           Timeout in seconds for connecting to remote computers.
-p           Optional password for the user name. If you omit it, you'll be prompted to enter a hidden password.
-r           Name of the remote service to create or interact with.
-s           Run the remote process as the System account.
-u           Optional user name for logging in to the remote computer.
-v           Copy the specified file only if it has a higher version number or is newer than the one on the remote system.
-w           Set the working directory of the process (relative to the remote computer).
-x           Display the UI on the Winlogon secure desktop (local system only).
-arm         Indicates that the remote machine is built on the ARM architecture.
-priority    Specifies -low, -belownormal, -abovenormal, -high or -realtime to run the process at a different priority. Use -background to run at low memory and I/O priority on Vista.
computer     Direct PsExec to run the application on the specified computer or computers. If you omit the computer name, PsExec runs the application on the local system; if you specify a wildcard (\\*), PsExec runs the command on all computers in the current domain.
@file        Run the command on each of the computers listed in the file.
-accepteula  Suppress the license dialog.
-nobanner    Don't display the startup banner and copyright message.

Executing a Basic Remote Command

At minimum, PsExec takes two parameters: a computer name and a command to execute. If the command needs no arguments, such as hostname, simply place it after the computer name.

If you don't supply a full file path, the command to execute must be in the user or system path. Also, if your program's name contains spaces, surround it with quotes, such as "my application.exe".

> psexec \\REMOTECOMPUTER hostname

You can see in the example below that to run the hostname command on the CONTOSODC1 computer, you first provide its UNC path, then the command. PsExec then connects to the remote computer, runs the command, and returns the result. In this case, the hostname command returned CONTOSODC1 as the computer's hostname.

If the command isn't cmd or another console, PsExec quickly closes the remote session and returns the exit code that the remote process returned.

Note that the error or exit code provided by psexec is not generated by PsExec. Instead, it’s a result of the command that psexec ran on the remote machine.

[Image: Successful execution of a PsExec remote command]

On Remote Computers, How PsExec Works

To execute applications on distant computers, PsExec goes through a few phases.

  1. Create a PSEXESVC.exe file in C:\Windows.
  2. Create and start the PsExec Windows service on the remote computer.
  3. Run the program as a child process of psexesvc.exe.
  4. When the process completes, stop and uninstall the PsExec Windows service.

You may need to manually delete the service using the sc command if the procedure isn’t working properly.
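Because every PsExec connection leaves the trail described above (a service install with its binary dropped straight into C:\Windows), it is also one of the easiest remote-execution tools to spot from the defender's side. The PowerShell below is an added example, not code from the original article or from Sysinternals: it looks for the Service Control Manager's "service was installed" event (ID 7045) whose service name or image path looks like PsExec, including the case where the -r switch renamed the service. The sample records are constructed for an offline run; the Get-ServiceInstallEvent function shows the live query, and assumes the 7045 event carries ServiceName, ImagePath, ServiceType, StartType and AccountName in that order.

```powershell
# Added example (not from the original article): flag PsExec-style service
# installs. Each PsExec connection makes the Service Control Manager log
# event ID 7045 for the PSEXESVC service with an image path in %SystemRoot%;
# -r can rename the service, so the image path is checked as well.

function Find-PsExecServiceInstall {
    param(
        # Objects with TimeCreated, ServiceName, ImagePath and Account
        [Parameter(Mandatory)] [object[]]$Event
    )
    foreach ($e in $Event) {
        $reason = $null
        # Normalise %SystemRoot% so both spellings compare the same way
        $path = $e.ImagePath -replace '%SystemRoot%', $env:SystemRoot
        if ($e.ServiceName -eq 'PSEXESVC' -or $path -match '\\PSEXESVC\.exe$') {
            $reason = 'default PsExec service name or binary'
        }
        elseif ($path -match '^[A-Za-z]:\\Windows\\[^\\]+\.exe$') {
            # Binary sitting directly in C:\Windows with no subfolder, the way
            # PSEXESVC.exe does even when -r renamed the service (heuristic,
            # review such hits rather than treating them as proof)
            $reason = 'service binary directly in the Windows directory'
        }
        if ($reason) {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                ServiceName = $e.ServiceName
                ImagePath   = $e.ImagePath
                Account     = $e.Account
                Reason      = $reason
            }
        }
    }
}

function Get-ServiceInstallEvent {
    # Live source: 7045 EventData is ServiceName, ImagePath, ServiceType,
    # StartType, AccountName, in that order (assumed property layout)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                ServiceName = $_.Properties[0].Value
                ImagePath   = $_.Properties[1].Value
                Account     = $_.Properties[4].Value
            }
        }
}

# Constructed sample records for an offline run (not real log data)
$sample = @(
    [pscustomobject]@{ TimeCreated = '2024-05-01 09:12:03'; ServiceName = 'PSEXESVC';  ImagePath = '%SystemRoot%\PSEXESVC.exe';         Account = 'LocalSystem' }
    [pscustomobject]@{ TimeCreated = '2024-05-01 09:15:44'; ServiceName = 'Spooler';   ImagePath = '%SystemRoot%\System32\spoolsv.exe'; Account = 'LocalSystem' }
    [pscustomobject]@{ TimeCreated = '2024-05-01 09:20:10'; ServiceName = 'UpdateSvc'; ImagePath = 'C:\Windows\UpdateSvc.exe';          Account = 'LocalSystem' }
)

# Flags PSEXESVC (default name) and UpdateSvc (binary in the Windows root);
# Spooler passes. Against the live log use:
#   Find-PsExecServiceInstall -Event (Get-ServiceInstallEvent)
Find-PsExecServiceInstall -Event $sample | Format-Table -AutoSize
```

Pair the hits with the account shown in the matching logon events and with whether PsExec is expected on that host at all; a PSEXESVC install on a machine your administrators never touch with PsExec is worth a closer look even when the account is legitimate. The service that the sc command cleans up (see above) is the same one these events record, so a 7045 with no matching removal can also point at the stuck-service case.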

Executing a Basic Local Command

PsExec is best known for running commands on remote systems, but it can also run commands locally.

You may execute commands locally by omitting the computer name, as shown below.

> psexec <local command or EXE file>

Why would you do this? One reason is to run commands as the SYSTEM account on the local machine. As you'll see later, you can use the -s switch to run any program as SYSTEM, locally or remotely.

Take a look at the short video below for a demonstration. For psexec to start a new command session as NT AUTHORITY\SYSTEM, you only need to pass the -s switch along with the command interpreter executable.

[Image: Running PsExec as SYSTEM]

Commands for PsExec (Getting More Advanced)

After you’ve mastered the fundamentals, you may go on to more sophisticated psexec methods. PsExec is capable of much more than just running a command on a single machine.

Running Commands on Multiple Computers

PsExec isn't limited to running commands on a single remote computer. It can also copy programs and run commands on several computers at the same time.

There are a few different methods to execute PsExec on many machines at the same time.

Computer Names Separated by a Comma

When you execute a command on a single remote computer, you usually use a single computer name, such as REMOTECOMPUTER. You may also use commas to separate numerous computers, as seen below.

> psexec \\REMOTECOMPUTER1,REMOTECOMPUTER2,REMOTECOMPUTER3

All Computers in an Active Directory Domain

If you're running PsExec on an Active Directory domain-joined computer and want to run a command on every machine in that domain, use a wildcard.

PsExec will then try to connect to every computer in the domain that the executing computer is a member of and run the hostname command, as shown below.

> psexec \\* hostname

PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

Enumerating domain...

If the local computer is in a workgroup and you use an asterisk to find all machines in a domain, you'll get the error: System error 6118 has occurred.

When you use a wildcard, PsExec relies on the command net view /all to discover all machines in the domain. Because that depends on NetBIOS, it is an outdated way of retrieving computer information.

Getting Data from a File

Another way you can run commands on multiple computers at once is to use a text file. Using the syntax @<filename.txt>, PsExec will read every line in the text file as if it were a computer name. It will then process each computer individually.

An example of using PowerShell to produce a text file with line-delimited machine names and using it as input for psexec can be seen below.
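As an added example (not code from the original article or from Sysinternals), the PowerShell below builds the line-delimited file that @file expects and adds the check a practitioner wants before fanning out: it keeps only the hosts whose admin$ share actually answers, since PsExec cannot work without it (see the Remote Computer configuration section). Pulling the names from Get-ADComputer assumes the ActiveDirectory module is installed; the hand-written fallback list and the computers.txt path are assumptions for the demo.

```powershell
# Added example (not from the original article): write a PsExec @file target
# list containing only computers whose admin$ share is reachable.
function New-PsExecTargetFile {
    param(
        [Parameter(Mandatory)] [string[]]$ComputerName,
        [Parameter(Mandatory)] [string]$Path
    )
    $reachable = foreach ($c in $ComputerName) {
        # PsExec copies PSEXESVC.exe through admin$, so an unreachable share
        # means the host will fail anyway; skip it up front
        if (Test-Path -Path ('\\{0}\admin$' -f $c) -ErrorAction SilentlyContinue) {
            $c
        }
        else {
            Write-Warning ('{0}: admin$ share not reachable, skipping' -f $c)
        }
    }
    # One computer name per line, plain ASCII, exactly what @file reads
    Set-Content -Path $Path -Value $reachable -Encoding ascii
    return $reachable
}

# Source of names: Active Directory if the module is present, otherwise a
# constructed list (assumed names, replace with your own)
if (Get-Command Get-ADComputer -ErrorAction SilentlyContinue) {
    $names = (Get-ADComputer -Filter *).Name
}
else {
    $names = 'PC1', 'PC2', 'PC3'
}

$targets = New-PsExecTargetFile -ComputerName $names -Path .\computers.txt
if ($targets) {
    # psexec reads each line of the file as a computer name
    psexec @computers.txt hostname
}
```

Unlike the \\* wildcard, this route never touches net view /all, so it works from a workgroup machine and does not depend on NetBIOS name resolution.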

Copying programs from a local computer to a distant computer

If you use the -c switch, psexec copies the local program to the remote computer before running it.

Perhaps you have an EXE in the C:\Tools folder on your local computer that you'd like to run on a remote computer. You can use the following syntax to do so:

> psexec \\REMOTECOMPUTER -c C:\Tools\program.exe

If you use the -c switch without specifying an executable file, PsExec copies the file but you get an error stating that the system cannot find the file specified. This happens because PsExec always tries to execute the file it copied.

If you need to copy non-executable files to remote computers before running PsExec, use the Copy-Item PowerShell cmdlet instead.

Using Alternate Credentials to Run Remote Processes

Another common use of PsExec is to run commands as a different account. By default, PsExec tries to connect to the remote computer using the account you are currently logged in with. More precisely, it impersonates your account on the remote computer.

You can connect to the remote computer with a different user account by using the -u and optional -p switches. PsExec encrypts the username and password and sends them to the remote computer for authentication.

If you're in a workgroup, for example, you'll always need to provide the username you want to log in to the remote computer with.

If both computers are members of an Active Directory domain, be sure to include the domain name in the user account name. Note that the switches go before the command to run; anything after the command is passed to it as an argument.

> psexec \\REMOTECOMPUTER -u contoso.local\domainadmin -p P@$$word hostname

Note that if you don't use the -u switch, psexec impersonates your logged-in account on the remote computer, and the remote process won't be able to access any network resources.

Using the LOCAL SYSTEM Account to Run Processes

One of the most useful ways to run PsExec under a different account is the -s switch. This switch makes PsExec (and the program you run) operate under the LOCAL SYSTEM account on the remote (or local) computer.

In the example below I didn't include the name of a remote computer. PsExec will happily run on your local computer too. Here I'm using the -s switch to tell PsExec to start a local command prompt as the LOCAL SYSTEM account.

[Image: Running psexec as LOCAL SYSTEM]

To launch a command prompt as LOCAL SYSTEM on a remote computer, add the computer name as shown below:

> psexec -s \\REMOTECOMPUTER cmd

Remotely launching GUI applications

Another helpful PsExec switch is -i. By default, PsExec does not allow remotely executed commands to open any windows on the remote computer. This is sensible, since you can't see the remote screen anyway when you run commands remotely.

Sometimes, however, you need to set up applications for your users. You won't be using the program yourself; an end user will. Use the -i switch in that scenario.

Perhaps you need to open a Notepad window on a remote computer. No problem. If you run notepad.exe with the -i switch, PsExec launches Notepad on the remote desktop.

> psexec -i \\REMOTECOMPUTER notepad

[Image: Using the interactive mode of psexec]

When you launch an interactive window, however, remember to use the -d switch to disconnect. By default, PsExec waits for the process it started to finish. If the remote process (in this example, Notepad) is left running, PsExec never returns control to you.

If you use the -d switch together with -i, PsExec does not wait for the remote process to finish. Instead, as soon as the remote process starts, it disconnects and returns control to you.

Redirecting Output

Any output sent by the remote process is relayed by PsExec to your local session. Normally that output goes to your local console, but if you'd rather redirect it, you can use the standard redirection operators.

For example, to run a command and silence all output, redirect both output and errors to nul with ^> nul 2^>^&1.

Note that the redirection characters are escaped with a caret (^) so that they are passed through to the remote command rather than being interpreted by your local command prompt.

Use Cases for PsExec

Once you've learned how to use psexec, you'll inevitably come across specific use cases. In this section you'll learn some real-world use cases and examples of running PsExec.

Getting a Remote Command Prompt to Work (psexec cmd)

One of the most common use cases is launching PsExec as an interactive command prompt. PsExec does more than run commands remotely; it can also relay the command output to your console. As a result, it makes a good alternative to telnet (if anybody still uses it) or to the PowerShell Enter-PSSession cmdlet.

To get a remote command prompt, give PsExec the name of the remote computer and run the cmd program. Cmd is the Windows command interpreter, and since it supports interactive use, PsExec cheerfully returns a prompt with a blinking cursor.

[Image: Using a remote computer's command prompt]

At this point, the world is your oyster. You can type commands into this "nested" command prompt on your local computer, and they will be executed on the remote computer.

Type exit to leave the command prompt. PsExec terminates the cmd process on the remote computer and returns focus to the local machine.

Do not use Ctrl-C to leave an interactive cmd session. Always type exit. If you press Ctrl-C, the psexec session on the remote computer keeps running.

Remote Software Installation

PsExec can serve as a rudimentary software deployment tool. Perhaps you have an MSI installer named setup.msi that you need to run on one or more remote PCs. The installer must be copied to the remote PCs and then run with a few options through the msiexec.exe program.

The example below shows how to deploy software remotely with PsExec. Because an MSI file is not itself an executable, the -c switch cannot copy and run it directly; instead the example copies setup.msi to the remote computer through its admin$ share (which maps to C:\Windows) and then runs the MSI installation interactively as the SYSTEM account.

> copy setup.msi \\REMOTECOMPUTER\admin$\Temp\setup.msi
> psexec.exe \\REMOTECOMPUTER -i -s msiexec.exe /i C:\Windows\Temp\setup.msi

Using the /accepteula switch to accept the EULA

As mentioned earlier, you are required to accept an EULA the first time PsExec runs. You could use the /accepteula switch, but you can also "stage" the acceptance in the registry.

When it is first run, PsExec creates a registry key at HKCU\Software\Sysinternals\PsExec. Inside that key it creates a registry value named EulaAccepted with a DWORD value of 1.

Simply create this key and value on the systems you want to run PsExec on, using your preferred method of modifying the registry on remote computers. Once it exists, there's no need to pass /accepteula at all!
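The PowerShell below is an added example (not code from the original article or from Sysinternals) of staging that registry value: it creates the key if missing, writes the DWORD, and reads it back so you can confirm the result. The same function is then pushed to remote computers with Invoke-Command, which assumes PowerShell Remoting is already enabled there and that PC1 and PC2 are placeholder names. Because the key lives under HKCU, it has to be created for the user account that will actually launch psexec, not for whoever happens to run the script.

```powershell
# Added example (not from the original article): pre-accept the PsExec EULA
# by staging HKCU\Software\Sysinternals\PsExec\EulaAccepted = 1 (DWORD).
function Set-PsExecEulaAccepted {
    $key = 'HKCU:\Software\Sysinternals\PsExec'
    # The key does not exist until PsExec has run once, so create it
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # -Force overwrites an existing value rather than failing on it
    New-ItemProperty -Path $key -Name EulaAccepted -Value 1 -PropertyType DWord -Force | Out-Null
    # Read it back: 1 means the license dialog will not be shown
    return (Get-ItemProperty -Path $key -Name EulaAccepted).EulaAccepted
}

# Local: stage for the current user (returns 1)
Set-PsExecEulaAccepted

# Remote: run the same function under the remoting session's user on each
# computer (PC1 and PC2 are placeholder names; remoting must be enabled)
Invoke-Command -ComputerName PC1, PC2 -ScriptBlock ${function:Set-PsExecEulaAccepted}
```

If you later need to reverse this on a machine, removing the EulaAccepted value is enough; PsExec will show the dialog again on its next run.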

Using PowerShell and PsExec together

Before PowerShell, all we had was PsExec. Now we have choices. In some cases PowerShell can replace PsExec, while in others it complements it.

Using PowerShell to Create Computer Names

Instead of using * to find all computers in the domain, you can use PowerShell. Not only can you pick specific computers with PowerShell, you also avoid the firewall-unfriendly net view /all behavior.

In PowerShell you can build a string containing all computer names separated by commas. You can then pass that string to PsExec, which processes each name as if it had been typed manually.

An example using the Get-ADComputer cmdlet from the ActiveDirectory PowerShell module is shown below.

PS51> psexec "\\$((Get-ADComputer -Filter *).Name -join ',')" hostname

Remotely Enabling PowerShell Remoting

If you'd rather use PowerShell Remoting than PsExec, you can use PsExec to enable it on remote PCs.

You can quickly switch on PowerShell Remoting across several machines by running Enable-PSRemoting or the winrm.cmd batch file on the remote PCs.

Below is an example of calling the winrm.cmd batch file on a remote computer as the SYSTEM account. Because the output of that command isn't needed, it's silenced with 2>&1 > $null.

$computerName = 'REMOTECOMPUTER'
psexec "\\$computerName" -s C:\Windows\System32\winrm.cmd quickconfig -quiet 2>&1 > $null

Error Messages from PsExec

It's worth repeating that the majority of error codes returned by PsExec come from the remote process, not from PsExec itself. Still, a basic grasp of these error codes and what they may mean is useful.

Microsoft's comprehensive list of Windows system error codes is a good place to start if you need a reference for all of them.

The following is a list of common error codes reported by PsExec.

Error code    Explanation
-2146232576   Windows Update usually returns this code when an error occurs.
0             The command completed successfully.
1             Incorrect function. Something went wrong, and that's about all it tells you.
1603          A fatal error occurred during installation. msiexec usually returns this code.
2             The system cannot find the file specified.
4             The system cannot open the file.
5             Access is denied.
6             The handle is invalid.
6118          The list of servers for this workgroup is not currently available.

Your Suggestions

The ATA Ultimate Guides are rather large. There’s a lot of information in them, and I’m sure I’ll miss something or make a mistake here and there. Please let me know if you see any errors or believe anything should be added to this tutorial in the comments. I’d be pleased to give you credit in the article.

Credits

  • Many thanks to Mathias (comments) for his valuable input.


Frequently Asked Questions

What is PsExec used for?

A: It is a command line tool that can be used to execute processes remotely from the command prompt.

Is PsExec an exploit?

What protocol does PsExec use?

A: PsExec is a command-line tool that uses the SSH protocol.
