How to use PsExec tools to run commands and manage remote Windows systems
The Windows operating system provides various ways to manage remote systems. Telnet, RDP, VNC are just some of them. But these options are usually associated with a graphical user interface. If we prefer a command line interface, there is an alternative called PsExec.
PsExec is a portable tool from Microsoft that allows you to remotely start processes using the credentials of any user. This is a bit like a remote access program, but instead of controlling the remote computer with the mouse, commands are sent to the computer via the command line.
The official description of PsExec on the Microsoft website: https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
Note: some anti-virus scanners report that one or more tools are infected with the “remote admin” virus. None of the files in the PsTools package contain viruses, but they were used by viruses, so they cause notifications of unwanted software.
You can use PsExec not only to control processes on the remote computer, but also to redirect the application console output to the local computer, giving the impression that the process is running locally.
What are PsExec and PsTools
In fact, PsExec is just one of the tools in the PsTools package. PsExec is the most frequently used of them and is therefore the one usually mentioned, but this guide covers both examples of using PsExec and examples of using the other tools from the PsTools package.
- PsExec is used to remotely execute commands or obtain a shell on a remote system.
- PsFile is used to list remotely opened files.
- PsGetSid is used to display the security identifier for a remote computer or user.
- PsInfo is used to get detailed information about the remote system.
- PsKill is used to stop a process on a remote system by name or identifier.
- PsList is used to display processes in a remote system in detail.
- PsLoggedOn is used to list registered users on remote systems.
- PsLogList is used to display event logs on remote systems.
- PsPasswd is used to change a given user password on a remote system.
- PsPing is used to ping from a remote system.
- PsService is used to list and manage Windows services on a remote system.
- PsShutdown is used to shut down, log off, pause and restart a remote Windows system.
- PsSuspend is used to pause and resume processes on a remote Windows system.
- PsUptime is used to display the runtime of a remote system.
How to install PsExec (PsTools)
As already mentioned, PsExec is part of PsTools, which is part of Microsoft's Sysinternals. The PsTools software suite is free, download link: https://download.sysinternals.com/files/PSTools.zip
Since all of these utilities have a command line interface, if you are not familiar with the Windows command line at all (for example, you don’t even know how to open it), first read the article “How to set up the PowerShell environment on Windows and Linux”.
Unzip the downloaded archive, for example, to the PSTools folder.
PsExec does not require installation. But to run executable files on the command line, you need to specify the path to them in the file system. There are two ways to do this:
1. Before starting the programs, go to the folder with the downloaded executable files, for example, I have them in the C:\Users\MiAl\Downloads\PSTools\ folder, then, using the cd command, I go to the folder with the files as follows:
2. Copy the PSTools folder to the C:\Windows\System32\ directory; then all the PSTools files will be available as follows:
Choose any option that suits you best.
Requirements to run PsExec
No software is required on the remote computer to run PsExec – that is, you do not need to install any client component on the computer you will be managing. However, some conditions must be met for PsExec to work, so if the first attempt fails, check the following requirements.
1. On both machines, i.e. the remote computer (which we will manage) and the local computer (from which we will manage), file and printer sharing must be enabled. To enable it, click the ‘Network Internet access’ icon near the clock, then click ‘Open Network & Internet settings’:
Then click ‘Sharing options’:
Then select ‘Turn on network discovery’ and ‘Turn on file and printer sharing’, and click ‘Save changes’:
2. In modern Windows 10, my PsExec worked only with the Administrator account, I guess because administrative shares are required.
On Windows servers, the Administrator account is enabled by default.
In older versions of Windows, apparently, enabling the admin$ share is enough to provide access to the \Windows\ folder. In Windows 10, there is no admin$ folder available as a network share at all.
3. Verify that network access to files and printers is allowed in the firewall. To do this, press Win+R and enter firewall.cpl.
In the ‘Allow an app or feature through Windows Defender Firewall’ section, find “File and Printer Sharing” and make sure that the checkbox in the “Private” column is checked. If it is not, click the “Change settings” button, check the box and click OK.
4. Verify that both computers belong to the same Workgroup.
5. Make sure that you enter the administrator password of the remote computer correctly.
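As an added example (not part of the original article), the following script is run in an elevated PowerShell on the computer that will be managed and checks the requirements listed above before the first PsExec attempt. It uses only built-in cmdlets; the Administrator account is located by its well-known RID 500 so the check also works on systems where the account has a localized name.

```powershell
# Added example (not from the original article): run this in an elevated PowerShell on the
# computer that will be managed, to check the prerequisites listed above before trying PsExec.
function Test-PsExecPrerequisites {
    $results = @()

    # 1. Inbound "File and Printer Sharing" firewall rules must be enabled for the Private
    #    profile (this is what the Sharing options / firewall.cpl steps above switch on).
    $fpRules  = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
                  Where-Object { "$($_.Profile)" -match 'Private|Any' })
    $disabled = @($fpRules | Where-Object { "$($_.Enabled)" -ne 'True' })
    $results += [pscustomobject]@{
        Check  = 'File and Printer Sharing inbound rules enabled (Private profile)'
        Passed = ($fpRules.Count -gt 0) -and ($disabled.Count -eq 0)
    }

    # 2. The SMB server service must be running; PsExec reaches the target over SMB (TCP 445).
    $svc = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = 'Server (LanmanServer) service running'
        Passed = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    }

    # 3. The built-in Administrator account must be enabled. Look it up by its well-known
    #    RID (500) so the check also works when the account has a localized name.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $results += [pscustomobject]@{
        Check  = "Built-in Administrator account '$($admin.Name)' enabled"
        Passed = [bool]$admin.Enabled
    }

    # 4. Sharing is normally blocked on network connections classified as Public.
    $public = @(Get-NetConnectionProfile | Where-Object { $_.NetworkCategory -eq 'Public' })
    $results += [pscustomobject]@{
        Check  = 'No active network connection is classified as Public'
        Passed = ($public.Count -eq 0)
    }

    # 5. Report the workgroup (or domain) so it can be compared with the managing computer.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $results += [pscustomobject]@{
        Check  = "Member of workgroup/domain '$($cs.Domain)' (compare with the local computer)"
        Passed = $true
    }

    return $results
}

Test-PsExecPrerequisites | Format-Table -AutoSize
```

Any row with Passed = False points at the requirement above that still needs attention on the managed computer.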
How to enable an administrator account
In my tests on the latest Windows 10 and Windows Server 2019, the PsExec command only works with the Administrator account. Therefore, this section describes how to activate the Administrator user, which is present by default in Windows but is disabled in the normal non-server editions.
The Administrator account only needs to be enabled on the remote computer, where the commands will be executed using PsExec. It is not required on the local computer.
1. Press the Win+r keys to open the command launch window.
2. Type lusrmgr.msc and press Enter.
3. Open Users.
4. Right-click Administrator and select Properties.
5. Uncheck the “Disable account” checkbox and click OK.
6. Right-click the Administrator account again and select “Set Password”.
7. Specify the password for the administrator account and click OK.
How to run a command on a remote system
The main use of the PsExec command is simply to run the command on a remote system. To run a command on a remote system, we must provide a username and password along with the command to run on the remote computer.
General view of the command to run on a remote system:
.\psexec \\COMPUTER -u Administrator -p PASSWORD COMMAND ARGUMENTS
In this command:
- \\COMPUTER is the name of the Windows computer or its IP address on the local network
- -u Administrator – if the operating system is in a different language, then the username will also be different, for example, in Russian it is Администратор, in French it is Administrateur.
- -p PASSWORD is the Administrator user's password. You can omit this option, in which case the command will prompt for the password.
- COMMAND is the program that must be run on the remote system. Its options can follow the command.
An example of executing the ipconfig command on a remote computer \\HACKWARE-SERVER on behalf of the Administrator user with the password Aa1:
.\psexec \\HACKWARE-SERVER -u Администратор -p Aa1 ipconfig
As we can see, the command is executed on the remote system without problems.
The remote HACKWARE-SERVER computer has the IP address 192.168.0.53, so the following command is equivalent to the previous one:
.\psexec \\192.168.0.53 -u Администратор -p Aa1 ipconfig
Please note that on Windows (as opposed to Linux), the case of letters in computer names, commands and paths does not matter – you can use letters of any case in any places.
How to run a command with arguments in PsExec
The arguments of the program can be specified after the command itself:
.\psexec \\192.168.0.53 -u Администратор -p Aa1 tracert hackware.ru
How to redirect the output of a PsExec command
After the command is launched on the remote system, its output is printed to standard output, which is our current shell (command line window). This output can be redirected to a file using the > symbol. If we have many remote systems on which to run commands, this option is very useful.
.\psexec \\HACKWARE-SERVER -u Администратор -p Aa1 ipconfig > HACKWARE-SERVER_ifconfig
In this example, the output from the ipconfig command is saved to a file named HACKWARE-SERVER_ifconfig.
To display the contents of a file, you can use the Get-Content command or its shorter alias cat:
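As an added example that is not part of the original article, the following PowerShell script runs one command on several remote computers and saves each host's output to its own file, as the paragraph above suggests. It assumes psexec.exe is in the current folder; the host names are the article's examples and should be replaced with your own, and the credentials are requested once at run time instead of being written into the script.

```powershell
# Added example (not from the original article): run one command on several remote
# computers with PsExec and save each host's output to its own file.
# Assumes psexec.exe is in the current folder; the hosts below are the article's examples.
$Hosts   = @('HACKWARE-SERVER', '192.168.0.53')   # replace with the computers you manage
$Command = @('ipconfig', '/all')                   # remote program and its arguments
$OutDir  = Join-Path $PWD 'psexec-output'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Prompt once instead of writing the password into the script or the shell history.
# Note: PsExec still receives it as a -p argument, so it is visible to anyone who can
# list process command lines on the local machine while psexec.exe is running.
$Cred = Get-Credential -UserName 'Administrator' -Message 'Remote administrator account'
$Pass = $Cred.GetNetworkCredential().Password

foreach ($h in $Hosts) {
    $outFile = Join-Path $OutDir ("{0}_{1}.txt" -f $h, $Command[0])
    Write-Host "[$h] running $($Command -join ' ')"
    # 2>&1 merges PsExec's own status messages (written to stderr) with the remote output.
    & .\psexec.exe "\\$h" -accepteula -nobanner -u $Cred.UserName -p $Pass @Command 2>&1 |
        Out-File -FilePath $outFile -Encoding utf8
    # PsExec returns the exit code of the remote process; 0 normally means success.
    if ($LASTEXITCODE -eq 0) {
        Write-Host "[$h] done -> $outFile"
    } else {
        Write-Warning "[$h] exit code $LASTEXITCODE (see $outFile)"
    }
}
```

Each output file can then be inspected with Get-Content (or its alias cat), e.g. Get-Content .\psexec-output\HACKWARE-SERVER_ipconfig.txt.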
Pass The Hash (use a hash instead of a password)
Specifying a password on the command line is bad for security. And the use of interactive input does not allow the use of psexec.exe in scripts. The way out of this situation is to use a password hash.
PsExec cannot directly use the hash (although this is erroneously stated in some instructions). To use the Pass The Hash with PsExec, you need to use the Windows Credential Editor or Mimikatz or Metasploit.
Pass The Hash example with PsExec. First, in Mimikatz:
sekurlsa::pth /user:USERNAME /domain:WORKGROUP /ntlm:NTLM_HASH
PsExec then starts without a username and password.
PsExec.exe \\192.168.1.2 cmd.exe
Examples of NTLM hashes and where to get them are given in the article “How to hack a Windows password”.
How to copy an executable file from local to remote system
Executing commands on a remote system is a very useful feature, but there is another useful feature that will facilitate the work of system administrators and pentesters. PsExec can be used to copy executable files from the local system to the remote system. We use the -c option for the copy operation. When the command finishes, the copied instance is deleted.
In this example, we will copy cmd.exe. After the copy operation is completed, cmd.exe will be launched on the remote system.
.\psexec \\HACKWARE-SERVER -u Администратор -p Aa1 -c cmd.exe
As we can see, we get the cmd shell on the remote system.
With the -c option, you can specify any file.
One more example:
psexec \\J3BCD011 -c "Z:\files\ccleaner.exe" cmd /S
In this last example of how to use PsExec, we use the -c option to copy the ccleaner.exe program to the remote computer J3BCD011, and then run the copied file with the /S option, which tells CCleaner to perform a silent installation (one that does not require user input). Adding such an argument requires cmd.
How to run a GUI application on a remote system
Windows operating systems provide a graphical interface by default. PsExec can be used to open a GUI application on a remote system in a specified user console. The user console simply means the user's desktop.
In this example, we will run notepad.exe on the remote system. The user logged on at the remote system can interact with this Notepad window. That is, the program opens on the remote system, and we cannot interact with it from the local system in any way.
.\psexec \\HACKWARE-SERVER -u Администратор -p Aa1 -i notepad.exe
Since the -i option is used, the program opens in interactive mode, which means that it actually appears on the screen of the remote computer. If -i were omitted from the above command, the program would run in stealth mode, i.e. without showing any dialog boxes or other windows.
We get our local shell back after the remote user closes Notepad. After it closes, the exit code is printed in the psexec console.
How to run a command as a SYSTEM user
When executing commands on a remote system, the process runs with the privileges of the user we specified, who is also its owner. If we need the remote command to run as the SYSTEM user instead, we specify the -s option.
In this example, we will launch regedit.exe:
.\psexec \\HACKWARE-SERVER -u Администратор -p Aa1 -i -s regedit.exe
Note that if you need to run a program with SYSTEM privileges on the local computer (this is a much higher privilege than the Administrator), then psexec will also help. For example, to access the Windows registry keys HKEY_LOCAL_MACHINE\SAM\SAM\, just run the command:
psexec -s -i regedit.exe
How to create an interactive shell with a connection to a remote system
So far, we have been executing commands remotely. After each command finished, the connection to the remote system was closed, so each command was a separate session. With PsExec we can also get a remote shell or command line (similar to SSH in Linux). PsExec connects remotely and provides us with the MS-DOS (cmd.exe) shell. To get the remote shell, we specify cmd.exe as the command to run on the remote system.
But let's start by looking at information about the current system and user:
echo %USERNAME%
whoami
cmd /C ver
Now create a shell to another computer:
.\psexec \\HACKWARE-SERVER -u Администратор -p Aa1 cmd.exe
First, note that the command prompt has changed (instead of PowerShell, it has become CMD).
Now look at the information about the current user and system:
echo %USERNAME%
whoami
ver
As you can see, we are now on the command line of another computer – this is an interactive shell.
The local user is hackware-mial\mial, and after connecting, the user becomes hackware-server\administrator. The local system has version 10.0.18363.720, and the remote system has version 10.0.17763.1039.
So far, we have examined the capabilities of the PsExec utility, which is the most popular in the PsTools package. But in PsTools there are many more utilities for typical actions that are regularly performed by system administrators. Let's consider them further.
How to list remote open files using PsFile
The PsFile command can be used to view or close remotely opened files. The syntax is very similar to the PsExec command. In this example, we will list all files opened remotely.
.\psfile \\HACKWARE-SERVER -u Администратор -p Aa1
How to get the SID list on a remote system with PsGetSid
A SID (security identifier) is used to identify Windows users, groups and computers more precisely than a name. We can display the SID of the remote computer or of a specified user with the PsGetSid command, as shown below.
.\psgetsid \\HACKWARE-SERVER -u Администратор -p Aa1
How to get information about a remote system with PSInfo
PsInfo is a tool used to retrieve information about a remote system, such as its uptime, kernel version, Windows version, etc.
.\psinfo \\HACKWARE-SERVER -u Администратор -p Aa1
The following information about the remote system is provided in PsInfo:
- Uptime shows how many days and hours the system has been running.
- Kernel Version shows the kernel version of the operating system
- Product Type shows the operating system edition
- Product Version
- Kernel Build Number
- Registered Organization
- Registered Owner
- IE Version shows Internet Explorer Version
- System Root shows where the operating system is installed
- Processor shows the number of processors or threads
- Processor Speed
- Processor type shows the detailed version and processor name
- Physical memory
- Video driver shows the name of the loaded driver
How to get processes in a remote system with PsList
Processes running on a remote system can be easily listed using the PsList command.
.\pslist \\HACKWARE-SERVER -u Администратор -p Aa1
The output will provide the following information about the processes of the remote system.
- Name is the name of the executable file
- Pid is the process identifier
- Pri is the priority, which affects process scheduling during periods of high load.
- Thd is the number of threads
- Hnd is the number of open handles
- CPU Time is the total use of CPU resources
- Elapsed Time is the time from the start of the process.
How to kill a process on a remote system with PsKill
Processes running on a remote system can be easily stopped using the PsKill command. To kill a process, we must specify the process identifier or process name as an argument. We will kill the remote process with process ID 2064.
.\pskill \\HACKWARE-SERVER -u Администратор -p Aa1 2064
How to get a list of event logs on a remote system using PsLogList
Remote system event logs can be easily retrieved to the local system using the PsLogList command. If we use this command without any additional parameters, it will output all the event logs from the remote system, which will flood the console window. So, for example, with the -m option we limit the output to the last 5 minutes of event log entries.
.\psloglist \\HACKWARE-SERVER -u Администратор -p Aa1 -m 5
How to change the password on a remote system using PsPasswd
Remote system user passwords can be easily changed using the PsPasswd command. In this example, we will change the administrator password to 123456Aa.
.\pspasswd \\HACKWARE-SERVER -u Администратор -p Aa1 Администратор 123456Aa
Ping with PsPing
Another useful tool is PsPing, which sends ICMP packets to check connectivity. The command in the example runs on the local system (but can be run remotely as well).
To start ping from a remote computer:
.\psping \\HACKWARE-SERVER -u Администратор -p Aa1 google.com
Managing Services on a Remote System Using PsService
The PsService command is used to view, start and stop services on a remote system.
How to list services
We can list remote services with the query option.
.\psservice \\HACKWARE-SERVER -u Администратор -p Aa1 query
How to start the service remotely
A remote service can be started with the start option. In this example, we will start the service named mysql.
.\psservice \\HACKWARE-MIAL -u Администратор -p 1234 start mysql
After starting the service, information about it will be displayed.
How to stop the service remotely
In the following example, we will stop the mysql service:
.\psservice \\HACKWARE-MIAL -u Администратор -p 1234 stop mysql
How to shut down, reboot, pause a remote system with PsShutdown
You can shut down the remote system using the PsShutdown command, as shown below.
.\psshutdown \\HACKWARE-SERVER -u Администратор -p Aa1 -k