PsExec: What It Is and How to Use It

Execute commands remotely from a Windows PC

PsExec is a portable tool from Microsoft that lets you run processes remotely using any user's credentials. It’s a bit like a remote access program but instead of controlling the remote computer with a mouse, commands are sent to the computer via Command Prompt.

You can use PsExec to not only manage processes on the remote computer but also redirect an application’s console output to your local computer, making it appear as though the process is running locally.

No software is needed on the remote computer to make PsExec work, but there are a few things to keep in mind if the tool doesn’t run correctly the first time you try it.

How to Set Up PsExec

If PsExec is portable and doesn’t need to be copied to the remote computer, what type of setup does it really need?

The tool works only under certain conditions: file and printer sharing must be enabled on both the local and remote computers, and the remote machine must have the ADMIN$ share set up correctly to provide access to its \Windows\ folder.

You can double-check that file and print sharing is enabled by looking in the Windows Firewall settings:

  1. Enter firewall.cpl in the Run dialog box. One way to open Run is through the WIN+R keyboard shortcut.

  2. Select Allow an app or feature through Windows Firewall from the left side of the window.

    This might read as Allow an app or feature through Windows Defender Firewall depending on how your computer is set up, but it's the same option.

  3. Make sure File and Printer Sharing has a checkmark in the Private box to its right. If it doesn’t, put a check in that box and select OK.

    If you can’t change the firewall settings because they’re greyed out, click Change settings at the top of the window.

  4. You can now exit any open Windows Firewall settings.

With the Windows Firewall now set up correctly for PsExec, you should have no problem accessing the ADMIN$ share on the remote machine so long as the following are true:

  • Both computers belong to the same Workgroup
  • You know the password to an administrator’s account on the remote computer

See this tutorial at Wintips.org if you need help doing those things or if you’ve done them correctly but later on, after trying to use PsExec as described below, you get an “access denied” error.

How to Use PsExec

Before using PsExec to execute remote commands, you have to download the program and open Command Prompt in the folder that contains it so that you can run the tool.

  1. Download PsExec on the computer that will be running the remote commands. PsExec is available for free from Microsoft at Sysinternals as part of PsTools.

  2. Extract the files from the PsTools.zip download. You can do that by right-clicking the ZIP file and selecting Extract All. Any third-party file extractor will work too.

  3. Open the folder where the extracted files are located, and from the navigation bar at the top of the folder, erase what's there and enter cmd.

    Another way to do this, at least in some versions of Windows, is to Shift+Right Click an empty space in the PsTools folder and choose Open command window here.

  4. This will open Command Prompt in that folder so that you can run commands through PsExec.

  5. With Command Prompt now open to the folder that contains PsExec.exe, you can start entering commands on the remote machine.

Much like any command line tool, PsExec works only when its syntax is followed exactly. Once you understand how to type commands in the way PsExec understands them, you can control the program from any Command Prompt.

This is how PsExec commands must be entered:

psexec [\\computer[,computer2[,...] | @file]][-u username [-p password]][-n s][-r servicename][-h][-l][-s|-e][-x][-i [session]][-c executable [-f|-v]][-w directory][-d][-<priority>][-a n,n,...] cmd [arguments]

This may look complex and confusing but don't worry! There are some examples at the bottom of this page that you can use to practice.

The above syntax is used to execute any of the following PsExec command arguments:

PsExec Command Options

Parameter   Explanation
-a          Separate processors on which the application can run, with commas, where 1 is the lowest numbered CPU. For example, to run the application on CPU 2 and CPU 4, you'd enter: -a 2,4
-c          Copy the specified executable to the remote system for execution. If omitted, the application must be in the system path on the remote system.
-d          Don't wait for process to terminate (non-interactive).
-e          Doesn't load the specified account’s profile.
-f          Copy the specified program even if the file already exists on the remote system.
-i          Run the program so that it interacts with the desktop of the specified session on the remote system. If no session is specified, the process runs in the console session.
-h          If the target system is Windows Vista or higher, run the process with the account's elevated token, if available.
-l          Run the process as a limited user (strips the Administrators group and allows only privileges assigned to the Users group). In Windows Vista, the process runs with Low Integrity.
-n          Specifies timeout (in seconds) connecting to remote computers.
-p          Specifies optional password for the username. If omitted, you'll be prompted to enter a hidden password.
-r          Specifies the name of the remote service to create or interact with.
-s          Runs the remote process in the System account.
-u          Specifies optional username for login to remote computer.
-v          Copies the specified file only if it has a higher version number or is newer than the one on the remote system.
-w          Sets the working directory of the process (relative to remote computer).
-x          Displays the user interface on the Winlogon secure desktop (local system only).
-priority   Specifies -low, -belownormal, -abovenormal, -high or -realtime to run the process at a different priority. Use -background to run at low memory and I/O priority on Windows Vista.
computer    Directs PsExec to run the application on the remote computer(s) specified. If omitted, PsExec runs the application on the local system, and if a wildcard (\\*) is specified, PsExec runs the command on all computers in the current domain.
@file       PsExec will execute the command on each of the computers listed in the file.
cmd         Name of application to execute.
arguments   Arguments to pass (note that file paths must be absolute paths on the target system).

PsExec Command Examples

Here are a few examples of how to use PsExec to do things like run remote Command Prompt commands, manage Windows Services, and launch or install programs.

psexec \\192.168.86.62 cmd

One of the easiest ways to use PsExec to run Command Prompt commands on a remote computer is to execute cmd following the machine’s IP address, 192.168.86.62 in this example.

Doing this will launch a regular Command Prompt window within the existing one, and let you enter every command as if you were sitting in front of the remote computer. For example, you could then enter ipconfig to get those results from the other computer, or mkdir to create a new folder, dir to list the folder’s contents, etc.

psexec \\mediaserver01 tracert lifewire.com

Another way to use PsExec is to enter individual commands but without starting a full Command Prompt. In this example, we're executing the tracert command against lifewire.com, and because we’ve specified the remote computer’s name, mediaserver01, the command results are relevant to that machine, not the local one (i.e. the one you're on).

psexec \\FRONTDESK_PC -u tomd -p 3*(tom#87 net start spooler

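The PsExec command example shown above starts the Print Spooler service, spooler, remotely on the FRONTDESK_PC computer using the tomd user’s password, 3*(tom#87. The password is typed in plain view in this form of the command; as the options table notes, if you leave out -p, PsExec prompts for the password and hides what you type.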

The same command can be used to stop a service remotely, but you’d type "stop" instead of "start."

psexec \\mikelaptopw10 -i -s C:\Windows\regedit.exe

Here, we're using PsExec to launch Registry Editor on the remote machine, mikelaptopw10, in the System account. Because -i is used, the program will open in interactive mode, meaning that it will actually launch on the remote machine's screen.

If -i were omitted from the above command, it would execute in hidden mode to avoid showing any dialog boxes or other windows.

psexec \\J3BCD011 -c "Z:\files\ccleaner.exe" cmd /S

In this last example of how to use PsExec, we’re using -c to copy the ccleaner.exe program to the remote computer J3BCD011, and then executing it with the /S parameter since that's what CCleaner uses to enable a silent install (requiring no user input). Adding an argument like that requires cmd.

PsExec Can Be Dangerous

It's very important to understand how powerful PsExec is and how it could be used to compromise your computer when used in an otherwise insecure environment.

For example, combining -c, -u, and -p lets anyone who has a network connection to your computer and knows the admin credentials execute hidden malware using any user's credentials.

Even that last, perfectly acceptable example in the previous section takes on a whole new purpose when you consider that instead of CCleaner, someone could install anything else they desired, in the background, and no windows pop up to show that anything is happening.

All that said, given the firewall changes required and the administrator credentials someone would need to know, there's little reason to worry so long as the admin password on the remote computer is complex and other basic security measures have been taken.
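To review how PsExec is being used in your own environment, the following added example (not part of the original article and not Microsoft's code) checks recorded PsExec command lines against the options in the table above and reports the ones this section is concerned with. The function name audit_psexec and the wording of the findings are assumptions made for this example; the first three sample lines are the article's own commands and the last is constructed.

```python
import re
# Options from the article's table that consume the next token as a value.
TAKES_VALUE = {"-u", "-p", "-n", "-r", "-w", "-a"}

def audit_psexec(cmdline):
    """Return findings for one PsExec command line ([] if nothing notable)."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    if not tokens or "psexec" not in tokens[0].lower():
        return []                          # not a PsExec invocation
    opts, targets, i = {}, [], 1
    while i < len(tokens):
        tok, low = tokens[i], tokens[i].lower()
        if tok.startswith("\\\\") or tok.startswith("@"):
            # \\computer[,computer2,...] or @file listing computers
            targets += tok.lstrip("\\").split(",")
        elif low in TAKES_VALUE and i + 1 < len(tokens):
            opts[low] = tokens[i + 1]
            i += 1
        elif low == "-i":                  # the session number is optional
            opts[low] = True
            if i + 1 < len(tokens) and tokens[i + 1].isdigit():
                i += 1
        elif tok.startswith("-"):
            opts[low] = True
        else:
            break                          # remote program and its arguments
        i += 1
    findings = []
    if "-p" in opts:
        findings.append("password typed on the command line")
    if "-s" in opts:
        findings.append("runs in the System account")
    if "-c" in opts:
        findings.append("copies an executable to the remote system")
        if "-i" not in opts:
            findings.append("copied program runs with no visible window")
    if "*" in targets:
        findings.append("targets every computer in the current domain")
    return findings

# First three lines are the article's examples; the last one is constructed.
SAMPLES = [
    r'psexec \\FRONTDESK_PC -u tomd -p 3*(tom#87 net start spooler',
    r'psexec \\mikelaptopw10 -i -s C:\Windows\regedit.exe',
    r'psexec \\J3BCD011 -c "Z:\files\ccleaner.exe" cmd /S',
    r'psexec \\* ipconfig',
]
if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", audit_psexec(line) or "nothing flagged")
```

Parsing stops at the first token that is not a PsExec option, so switches that belong to the remote program (such as /S) are never mistaken for PsExec options.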

Some antivirus programs falsely identify PsExec as a dangerous file, but those warnings can be ignored if you know for sure that the program you're using is from the Microsoft source above. This happens because malware has been known to use PsExec to transfer viruses.