PsExec – Windows CMD Command
Execute a command-line process on a remote machine.
Syntax
      psexec \\computer[,computer[,..] [options] command [arguments]

      psexec @run_file [options] command [arguments]

Options:
   computer      The computer on which psexec will run command.
                 Default = local system
                 To run against all computers in the current domain enter "\\*"

   @run_file     Run command on every computer listed in the text file specified.

   command       Name of the program to execute

   arguments     Arguments to pass (file paths must be absolute paths on the target system)

   -a n,n,...    Set processor affinity to n.
                 Processors are numbered as 1,2,3,4 etc so to run the application
                 on CPU 2 and CPU 4, enter: "-a 2,4"

   -c            Copy the program (command) to the remote system for execution.
   -c -f         Copy even if the file already exists on the remote system.
   -c -v         Copy only if the file is a higher version or is newer than the remote copy.
                 If you omit the -c option then the application must be in the
                 system path on the remote system.

   -d            Don't wait for the application to terminate.
                 Only use for non-interactive applications.

   -e            Do NOT load the specified account's profile.
                 (In early versions of PSEXEC: Load the user account's profile, don't use with -s)

   -f            Copy the specified program even if the file already exists on the remote system.

   -h            Run with the account's elevated token, if available. (Vista or higher)

   -i            Interactive - Run the program so that it interacts with the desktop
                 on the remote system. If no session is specified, the process runs
                 in the console session.

   -l            Limited - Run process as limited user. Run with Low Integrity.
                 Strips the Administrators group and allows only privileges
                 assigned to the Users group.

   -n s          Specify a timeout (s seconds) for connecting to the remote computer.

   -p psswd      Specify a password for user (optional). Passed as clear text.
                 If omitted, you will be prompted to enter a hidden password.

   -r            The name of the remote service to create or interact with.

   -s            Run remote process in the SYSTEM account (use with caution).

   -u user       Specify a user name for login to remote computer (optional).

   -v            Copy the specified file only if it has a higher version number
                 or is newer than the one on the remote system.

   -w directory  Set the working directory of the process (relative to the remote computer).

   -x            Display the UI on the Winlogon desktop (local system only).

   -low, -belownormal, -abovenormal, -high or -realtime
                 These options will run the process at a different priority.
                 Also -background (Vista and above) will run at low memory and I/O priority.

   -accepteula   Suppress the display of the license dialog.
For PsExec to work, File and Printer sharing must be enabled on the remote computer. This can be done with netsh advfirewall or Group Policy (Local Computer Policy > User Configuration > Administrative Templates > Windows Components > Network Sharing)
You may also have to enable it under Control Panel > Network > Network Adapter > properties.
PsExec can be used to start GUI applications, but in that case, the GUI will appear on the remote machine.
Input is passed to the remote system when you press the enter key – typing Ctrl-C will terminate the remote process.
When you specify a username the remote process will execute in that account and will have access to that account’s network resources.
If you omit username the remote process will run in the same account from which you execute PsExec, but because the remote process is impersonating it will not have access to network resources on the remote system.
If you do specify an alternative username/password, then PsExec will send the login password in cleartext. This can be a security risk if unauthorized network sniffers could intercept traffic between the local and remote systems.
PsExec does not require you to be an administrator of the local filesystem; with the correct password, psexec will allow UserA to run commands as UserB – a Runas replacement.
If you kill a PsExec process, you might also need to manually remove the background service:
sc.exe \\workstationf4t delete psexesvc
PsExec can also be used to start a process (on a remote or local machine) as SYSTEM. This is a very privileged account, similar to root on a UNIX machine, so use it with extreme caution.
Accept eula
When launched for the first time, PsExec will create the license registry key:
HKCU\Software\Sysinternals\PsExec\EulaAccepted=0x01
Psexec will swallow the first “-accepteula” on the command-line, no matter where it occurs, so when using psexec to run any other ps* utilities, you will have to pass “-accepteula” twice:
psexec -accepteula -s c:\utils\pslist.exe -accepteula
Surround any long filenames “with quotation marks”
Error codes returned by PsExec are specific to the applications you execute, not PsExec.
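The service left behind by a killed PsExec session and the EulaAccepted registry key described above are the two artefacts an administrator most often has to check for; the following PowerShell is an added example (not from the original page or from Sysinternals) that audits the local host for both, plus the System-log record of the service installation, and offers the same sc.exe clean-up shown earlier. It assumes an elevated PowerShell 5.1 or later session on the host being checked; the function names Get-PsExecArtifacts and Remove-PsExecService are hypothetical.

```powershell
# Added example: audit a Windows host for PsExec residue.
# Assumes elevated PowerShell 5.1+; -ServiceName should match the name given
# to psexec -r, if one was used (the default service name is PSEXESVC).

function Get-PsExecArtifacts {
    [CmdletBinding()]
    param(
        [string]$ServiceName = 'PSEXESVC',
        [int]$Days = 7
    )

    # 1. Is the helper service still registered (left over after a killed psexec)?
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue

    # 2. The licence key psexec writes on first run. HKCU only covers the
    #    profile this session runs as; other users' hives need HKU:\<SID>.
    $eula = Get-ItemProperty -Path 'HKCU:\Software\Sysinternals\PsExec' `
                             -Name 'EulaAccepted' -ErrorAction SilentlyContinue

    # 3. Service Control Manager logs event 7045 ("a service was installed")
    #    when psexec registers its service; filter on the service name.
    $events = Get-WinEvent -FilterHashtable @{
                  LogName = 'System'; Id = 7045
                  StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match [regex]::Escape($ServiceName) }

    [pscustomobject]@{
        ServiceFound  = [bool]$svc
        ServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'absent' }
        EulaAccepted  = if ($eula) { $eula.EulaAccepted } else { $null }
        InstallEvents = @($events | ForEach-Object {
                            [pscustomobject]@{ Time = $_.TimeCreated; Message = $_.Message } })
    }
}

function Remove-PsExecService {
    param([string]$ComputerName = $env:COMPUTERNAME, [string]$ServiceName = 'PSEXESVC')
    # Same clean-up the page shows with "sc.exe \\host delete psexesvc";
    # a no-op when the service is not registered (sc query exits non-zero).
    $null = & sc.exe "\\$ComputerName" query $ServiceName 2>&1
    if ($LASTEXITCODE -ne 0) { return "$ServiceName is not registered on $ComputerName" }
    & sc.exe "\\$ComputerName" delete $ServiceName
}

Get-PsExecArtifacts | Format-List
```

Run Remove-PsExecService only after confirming no PsExec session is still using the service; deleting it underneath a live session ends that session.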
Internal commands
Internal commands (such as COPY, CD, DIR, etc) are only available within the CMD shell. To run these commands from PsExec you must call CMD /C and then pass the commands as parameters – see the examples below.
Examples:

Launch an interactive command prompt on \\workstationf4t, the CMD prompt window will appear locally:
(This is equivalent to PowerShell: New-PSSession ServerName ; Start-PSSession ServerName)

   PSEXEC \\workstationf4t CMD

Execute a program that is already installed on the remote system:

   PSEXEC \\workstationf4t "c:\Program Files\test.exe"

Connect to workstationf4t and run IPCONFIG to display the remote PC's IP address:

   PSEXEC \\workstationf4t ipconfig

Connect to workstationf4t and list a directory:

   PSEXEC \\workstationf4t -s cmd /c dir c:\work

Connect to workstationf4t and copy a file from another server:

   PSEXEC \\workstationf4t -s cmd /c copy \\server21\share45\file.ext c:\localpath

Execute IpConfig on the remote system, and display the output locally:

   PSEXEC \\workstationf4t ipconfig /all

Copy the program test.exe to the remote system and execute it interactively, running under the account DannyGlover:

   PSEXEC \\workstationf4t -c test.exe -u DannyGlover -p Pa55w0rd

Run Internet Explorer on the local machine but with limited-user privileges:

   PSEXEC -l -d "c:\program files\internet explorer\iexplore.exe"

Run Regedit on the local machine with SYSTEM privileges:

   PSEXEC -s -i regedit.exe

From PowerShell, run a VBscript on a remote workstation and pass some parameters:

   PS C:\> $script='C:\Program Files\demo.vbs'
   PS C:\> $args = "some more text"
   PS C:\> PSEXEC -s \\workstationf4t c:\windows\system32\cscript.exe $script $args