PsExec is a handy command line tool for system admins to run commands and programs on remote computers through background or interactive remote sessions. In this article, we will look at the basic features and use cases of PsExec for remote command execution.
PsExec.exe is part of the Sysinternals PsTools package. You can download it from this page (the current version is PsExec v2.43).
Prerequisites for Using PsExec
Before you start using PsExec, you should check that the computers on your network meet the following prerequisites:
- The remote computer must have TCP port 445 (SMB) open in Windows Defender Firewall. You can open this port by enabling the File and Printer Sharing rule in the Windows Defender Firewall settings on the remote computer, either in the GUI or with the command:
Set-NetFirewallRule -DisplayGroup "File And Printer Sharing" -Enabled True -Profile Private,Domain
- Your account must be a member of the local Administrators group on the remote computer;
- The LanmanServer and LanmanWorkstation services must be running on the remote host:
get-service LanmanServer,LanmanWorkstation
- The default Admin$ share must be enabled on the remote computer:
net view \\DESKTOP-U97VIM5 /all
In a workgroup environment, you should also disable Remote UAC, which blocks remote access under local administrator accounts.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "LocalAccountTokenFilterPolicy" /t REG_DWORD /d 1 /f
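The four checks above can be run from the administrator's workstation before the first PsExec attempt. The script below is an added example, not from the original article: it tests TCP/445, the two Lanman services, the ADMIN$ share and the LocalAccountTokenFilterPolicy value for one remote computer. It assumes Windows PowerShell 5.1 (Get-Service -ComputerName was removed in PowerShell 7) and that the Remote Registry service is reachable for the last check; membership in the local Administrators group is not checked here.

```powershell
# Added example (not part of the original article): PsExec prerequisite check
# for one remote computer. Assumes Windows PowerShell 5.1 on the admin workstation.
param(
    [Parameter(Mandatory)][string]$ComputerName
)

$results = [ordered]@{}

# 1. TCP/445 reachable (File and Printer Sharing rule enabled on the target)
$tcp = Test-NetConnection -ComputerName $ComputerName -Port 445 -WarningAction SilentlyContinue
$results['TCP 445 open'] = $tcp.TcpTestSucceeded

# 2. LanmanServer / LanmanWorkstation running on the target (SCM over RPC)
try {
    $svc = Get-Service -ComputerName $ComputerName -Name LanmanServer, LanmanWorkstation -ErrorAction Stop
    $results['Lanman services running'] = (@($svc | Where-Object Status -ne 'Running').Count -eq 0)
} catch {
    $results['Lanman services running'] = "unknown ($($_.Exception.Message))"
}

# 3. ADMIN$ share visible: "net view \\host /all" lists one share per line, name first
$shares = net view "\\$ComputerName" /all 2>$null
$results['ADMIN$ share visible'] = [bool]($shares -match '^ADMIN\$')

# 4. Remote UAC filter disabled (only matters for local, non-domain admin accounts).
#    Read through the remote registry; missing value means the default (0 = filtered).
try {
    $base  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key   = $base.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System')
    $value = if ($key) { $key.GetValue('LocalAccountTokenFilterPolicy', 0) } else { 0 }
    $results['LocalAccountTokenFilterPolicy = 1'] = ($value -eq 1)
} catch {
    $results['LocalAccountTokenFilterPolicy = 1'] = 'unknown (Remote Registry not reachable)'
}

[PSCustomObject]$results | Format-List
```

Run it as `.\Test-PsExecPrereqs.ps1 -ComputerName lon-srv01` (the file name is an assumption). A `$false` on the first three lines explains the "network path was not found" and "Access Denied" errors described later in the article; the last line is only relevant in a workgroup.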
How to Install PsExec on Windows
Download the PSTools.zip archive and extract the PsExec64.exe and PsExec.exe files to a folder on the administrator's computer (it is convenient to copy them to the default executable folder C:\Windows\System32).
The syntax for PsExec is as follows:
psexec \\RemotePCName [-u username [-p password]] command [arguments]
You can list all the available PsExec options by simply typing psexec on the command line without any parameters.
Note. PsExec is often used by malware and attackers to take remote control of compromised computers. This is why Psexec.exe may be detected by some anti-virus software as malware, a PUA (Potentially Unwanted Application), a hacking tool, or a remote administration tool.
To skip the licence agreement the first time you run PsExec, run it with the /accepteula switch:
psexec /accepteula
You are now ready to connect to the remote computer using PsExec. For example, to flush the DNS cache on the remote machine lon-srv01:
psexec \\lon-srv01 ipconfig /flushdns
- When you run this command, PsExec copies the psexesvc.exe file to the hidden Admin$ share of the remote computer (C:\Windows\System32\psexesvc.exe);
- It then starts the PSEXESVC service on the remote computer;
- Your local PsExec process connects to the remote PSEXESVC service using a named pipe, sends your command to the remote machine, and waits for the result;
- The command output is returned to your console together with the exit code. If the command was executed successfully, the exit code is 0.
- PsExec stops the service and automatically removes it when the task is complete.
Hint. The PSEXESVC service is not automatically deleted when you stop the remote PsExec session by pressing Ctrl+C. You can remove the service manually with the command:
sc.exe \\lon-srv01 delete psexesvc
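Each of the steps above leaves a trace on the remote host, which is useful both for cleaning up an aborted session and for seeing who has been running PsExec against a machine. The function below is an added example, not from the original article or the Sysinternals tools: run on the remote host itself, it reports whether the PSEXESVC service or its binary is still present and lists the System-log service-installation events (event ID 7045) that name PSEXESVC, one per PsExec session. It assumes Windows PowerShell 5.1 or later and that the 7045 event's first data field is the service name.

```powershell
# Added example (not part of the original article): PsExec artifact report for
# the local machine. Run on the host that was the PsExec target.
function Get-PsExecArtifacts {
    # The service exists only while a session runs, or after one was aborted (Ctrl+C)
    $svc    = Get-Service -Name PSEXESVC -ErrorAction SilentlyContinue
    $status = if ($svc) { [string]$svc.Status } else { 'n/a' }

    # The service binary is dropped into ADMIN$, i.e. the Windows directory
    $binary = Join-Path $env:windir 'PSEXESVC.exe'

    # Event 7045 (System log) is written on every service installation. PsExec installs
    # PSEXESVC for each session, so one entry per session survives the cleanup.
    # Assumption: Properties[0] is ServiceName and Properties[1] is ImagePath.
    $installs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -eq 'PSEXESVC' } |
        ForEach-Object {
            $evt = $_
            # Resolve the installing account's SID to a name where possible
            $who = $(try { $evt.UserId.Translate([System.Security.Principal.NTAccount]).Value } catch { [string]$evt.UserId })
            [PSCustomObject]@{
                Time        = $evt.TimeCreated
                InstalledBy = $who
                ImagePath   = $evt.Properties[1].Value
            }
        }

    [PSCustomObject]@{
        ServicePresent = [bool]$svc
        ServiceStatus  = $status
        BinaryOnDisk   = (Test-Path $binary)
        SessionsLogged = @($installs).Count
        Sessions       = @($installs)
    }
}

$artifacts = Get-PsExecArtifacts
$artifacts | Select-Object ServicePresent, ServiceStatus, BinaryOnDisk, SessionsLogged | Format-List
$artifacts.Sessions | Sort-Object Time -Descending | Select-Object -First 10 | Format-Table -AutoSize

# If ServicePresent is $true after all sessions have ended, remove the orphaned
# service exactly as described above:  sc.exe delete psexesvc
```

The 7045 entries remain after PsExec has deleted the service, so they are the durable record of PsExec use on a host; a service install by an account that is not one of your administrators is worth following up.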
Add the -h switch to your PsExec command to run the remote command with elevated privileges (as an Administrator). This option allows you to bypass UAC restrictions.
Using PsExec to Execute Remote Commands with Examples
Let’s look at some useful examples of using PsExec to execute commands on remote computers.
To restart the remote computer, run the following command:
psexec \\lon-srv01 "cmd.exe" "/c shutdown /f /r /t 60"
You can run multiple commands on remote computers. Use the following syntax:
PsExec \\lon-srv01 <options> CMD /C "command_1 & command_2 & ... & command_N"
You can open an interactive PsExec session with a remote computer and run a series of commands consecutively:
psexec \\lon-srv01 cmd
This will open up an interactive command prompt. Any command that you type in the console will be executed on the remote lon-srv01 computer.
To stop an interactive PsExec session, run:
exit
Add the -nobanner option to hide the copyright message that appears each time you run psexec.
To connect to a remote computer under a specific account and run an interactive shell, use the following command:
psexec.exe \\lon-srv01 -u user -p password cmd.exe
You can even use PsExec to run PowerShell commands remotely. For example, the following command will return you the size of the C:\PS directory on the remote computer:
psexec \\lon-srv01 powershell -ExecutionPolicy RemoteSigned -command "'{0:N2}' -f ((gci C:\PS | measure Length -Sum).Sum/1MB)"
Note. You can use the Invoke-Command cmdlet instead of PsExec to run commands remotely with PowerShell.
The -c parameter allows you to specify the name of a local file you want to copy and run on a remote computer. For example:
psexec \\lon-srv01 -c c:\ps\myscript.bat
Note. You must enclose the path in double quotation marks if it contains spaces. For example:
psexec \\lon-srv01 "c:\Program Files (x86)\app1\app.exe"
You can use PsExec to remotely install software from MSI installers. For example, you can copy a local MSI file to the remote computer and start the installation with the following one-liner:
psexec.exe \\lon-srv01 -c setup.msi -i -s "msiexec.exe /i setup.msi"
By default, PsExec does not show GUI programs on the remote user's desktop. While a PsExec command is running, the user of the remote computer does not see any prompts or dialogs.
Add the -i option if you want to display the program on the remote user’s desktop:
psexec -i \\lon-srv01 notepad
PsExec waits for the process on the remote computer to finish. If the remote user does not close the Notepad window, PsExec can wait indefinitely. Use the -d switch if you do not want PsExec to wait for the remote process to finish:
psexec -i -d \\lon-srv01 notepad
How to Run Command as LOCAL SYSTEM Account Using PsExec
PsExec has one interesting and useful feature. You can run any command on the local computer under the SYSTEM account by using the -s switch. For example, open the command prompt:
psexec -s cmd
Check which user you are logged on as with the whoami command: the console is running under the NT AUTHORITY\SYSTEM account.
How to Use PsExec to Run Commands on Multiple Remote Computers
PsExec allows you to run the command on multiple remote computers simultaneously. You can specify the list of remote computers separated by commas:
psexec \\PC1,PC2,PC3,PC33 ipconfig /all
Or save a list of computers to a text file (one hostname on each line), and then specify the path to that file:
psexec @c:\ps\computer_list.txt ipconfig
To redirect the results of running commands on remote computers to a text log file:
PsExec @C:\Tools\computer_list.txt CMD /C "hostname & ipconfig" >> C:\Tools\log2.txt
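Appending everything to one text file, as above, loses the per-host exit code that PsExec reports for each computer. The wrapper below is an added example, not from the original article: it reads the same list file, runs psexec against one host at a time (which is also how PsExec itself processes a list), and writes each host's exit code, run time and output to a CSV. It assumes psexec.exe is on the PATH and that the list file is C:\Tools\computer_list.txt as in the command above.

```powershell
# Added example (not part of the original article): run one command via psexec on
# every host in a list file and log the per-host exit code. Assumes psexec.exe on PATH.
param(
    [string]$ListFile = 'C:\Tools\computer_list.txt',
    [string]$LogFile  = 'C:\Tools\psexec_results.csv',
    # Same command as the article's example; PowerShell quotes the last element for cmd /c
    [string[]]$Command = @('cmd', '/c', 'hostname & ipconfig')
)

# One hostname per line; skip blank lines
$hosts = Get-Content $ListFile | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$rows = foreach ($h in $hosts) {
    $start = Get-Date
    # -nobanner keeps the copyright header out of the captured output;
    # 2>&1 merges psexec's own status messages (stderr) with the remote command's output
    $output = & psexec.exe -accepteula -nobanner "\\$h" @Command 2>&1 | Out-String
    [PSCustomObject]@{
        Computer = $h
        # 0 = remote command succeeded; non-zero is the remote command's exit code,
        # or psexec's own error when it could not connect or start PSEXESVC
        ExitCode = $LASTEXITCODE
        Seconds  = [int]((Get-Date) - $start).TotalSeconds
        Output   = $output.Trim()
    }
}

$rows | Export-Csv -Path $LogFile -NoTypeInformation
$rows | Select-Object Computer, ExitCode, Seconds | Format-Table -AutoSize

# Hosts that need a second look
$rows | Where-Object ExitCode -ne 0 | Select-Object Computer, ExitCode
```

The CSV keeps each host's output in its own row, so a failed host (for example "The network path was not found") is visible in the ExitCode column rather than buried in a merged log.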
Common PsExec Errors
PsExec access denied errors
In some cases, you can get the following error when trying to connect a remote computer using PsExec:
Couldn’t access computername
The network path was not found
Make sure the default admin$ share is enabled on computername.
Check that the remote computer is powered on and is not blocking SMB connections (TCP port 445). You can test the connection using the Test-NetConnection PowerShell command:
Test-NetConnection -ComputerName pc99 -Port 445
If your account doesn’t have the local administrator rights on the remote Windows host, an error will appear:
Couldn’t install/start PSEXESVC service:
Access Denied
PsExec: logon failure
When connecting to a remote computer, the following PsExec error may appear:
PsExec could not start cmd.exe on PCName:
Logon failure: the user has not been granted the requested logon type at this computer.
In this case, you need to add the following options to your PsExec command:
PsExec.exe -i -h \\PCName yourcommand
PSExec error code 1
If PsExec returns "error code 1" when you run a batch file on a remote computer, you are probably using the exit command in your bat file. Change the exit command to:
exit /b 0
Such a command terminates the batch file, closes cmd.exe, and sets the return code to zero.
1 comment
This is great, it has helped me accomplish what I wanted to do which is to disable Hyper-V on 60+ machines at once.
1. Saved a text file on my C:\temp\PC_List.txt
– no commas needed in the text file, just copy all computer names (one on each line)
2. Saved a batch file with the command "bcdedit /set hypervisorlaunchtype off" at the same location
– C:\temp\HyperV_Disable.bat
3. Ran PsExec using following syntax:
PsExec.exe @c:\temp\PC_List.txt -h -u domain_name\admin_name -c "c:\temp\HyperV_Disable.bat"
Took a long time to run because it connects on each PC one at a time, but I got there!