Sysinternals Freeware - Mark Russinovich & Bryce Cogswell
Sponsored by Winternals

PsExec

Copyright © 2001-2006 Mark Russinovich
Last Updated: July 10, 2006 v1.72

Introduction

Utilities like Telnet and remote control programs like Symantec's PC Anywhere let you execute programs on remote systems, but they can be a pain to set up and require that you install client software on the remote systems that you wish to access. PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems.

Note: some anti-virus scanners report that one or more of the tools are infected with a "remote admin" virus. None of the PsTools contain viruses, but they have been used by viruses, which is why they trigger virus notifications.

Installation

Just copy PsExec onto your executable path. Typing "psexec" displays its usage syntax.

PsExec works on NT 4.0, Win2K, Windows XP and Server 2003 including x64 versions of Windows.

Usage

See the July 2004 issue of Windows IT Pro Magazine for Mark's article that covers advanced usage of PsExec.

usage: psexec [\\computer[,computer[,..] | @file ][-u user [-p psswd]][-n s][-l][-s|-e][-i][-x][-c [-f|-v]][-d][-w directory][-<priority>][-a n,n,...] cmd [arguments]

computer
Direct PsExec to run the application on the computer or computers specified. If you omit the computer name PsExec runs the application on the local system and if you enter a computer name of "\\*" PsExec runs the applications on all computers in the current domain.
@file
Directs PsExec to run the command on each computer listed in the text file specified.
-a
Separate processors on which the application can run with commas where 1 is the lowest numbered CPU. For example, to run the application on CPU 2 and CPU 4, enter: "-a 2,4"
-c
Copy the specified program to the remote system for execution. If you omit this option then the application must be in the system's path on the remote system.
-d
Don't wait for application to terminate. Only use this option for non-interactive applications.
-e
Loads the specified account's profile.
-f
Copy the specified program to the remote system even if the file already exists on the remote system.
-i
Run the program so that it interacts with the desktop on the remote system.
-l
Run process as limited user (strips the Administrators group and allows only priviliges assigned to the Users group).
-n
Specifies timeout in seconds connecting to remote computers.
-p
Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password.
-s
Run remote process in the System account .
-u
Specifies optional user name for login to remote computer.
-v
Copy the specified file only if it has a higher version number or is newer on than the one on the remote system.
-w
Set the working directory of the process (relative to the remote computer).
-x
Display the UI on the Winlogon desktop (local system only).
-priority
Specifies -low, -belownormal, -abovenormal, -high or -realtime to run the process at a different priority.
program
Name of the program to execute.
arguments
Arguments to pass (note that file paths must be absolute paths on the target system)

You can enclose applications that have spaces in their name with quotation marks e.g. "psexec \\marklap "c:\long name\app.exe". Input is only passed to the remote system when you press the enter key, and typing Ctrl-C terminates the remote process.

If you omit a username the remote process runs in the same account from which you execute PsExec, but because the remote process is impersonating it will not have access to network resources on the remote system. When you specify a username the remote process executes in the account specified, and will have access to any network resources the account has access to. Note that the password is transmitted in clear text to the remote system.

You can use the current version of PsExec as a Runas replacement when you target the local system because PsExec does not require you to be an administrator.

Examples

This article I wrote describes how PsExec works and gives tips on how to use it:

http://www.winnetmag.com/Windows/Issues/IssueID/714/Index.html

The following command launches an interactive command prompt on \\marklap:

psexec \\marklap cmd

This command executes IpConfig on the remote system with the /all switch, and displays the resulting output locally:

psexec \\marklap ipconfig /all

This command copies the program test.exe to the remote system and executes it interactively:

psexec \\marklap -c test.exe

Specify the full path to a program that is already installed on a remote system if its not on the system's path:

psexec \\marklap c:\bin\test.exe

Run Regedit interactively in the System account to view the contents of the SAM and SECURITY keys::

psexec -i -d -s c:\windows\regedit.exe

To run Internet Explorer as with limited-user privileges use this command:

psexec -l -d "c:\program files\internet explorer\iexplore.exe"

PsTools

PsExec is part of a growing kit of Sysinternals command-line tools that aid in the adminstration of local and remote Windows NT/2K systems named PsTools.

Download PsExec (50 KB)

Download PsTools

Back to Top