PsExec: Run Commands On Remote Computers

PsExec is a small program that enables IT administrators to run commands and processes on remote computers.

In this guide, you will learn how to use PsExec to run commands, kill processes, install software, restart services, and more on remote computers.

Warning: Attackers can do all kinds of bad things with PsExec, such as copy and run malicious files, access your data, and change or gather system information.

The use of PsExec should be restricted to only run from authorized computers. There are multiple ways to secure the use of PsExec. In this guide, I’ll show you how to secure it with the Windows Firewall.

Let’s get started.

PsExec Requirements

The remote computer must meet the following requirements:

  • Port TCP/445 open
  • Port UDP/137 open
  • Credentials to the remote computer (domain or local credentials will work).
  • Remote Service Management (RPC) open – This is not required, but PsExec runs extremely slowly if the firewall is enabled and this service is blocked.

Secure PsExec With The Windows Firewall

I highly recommend you lock down the use of PsExec to run from authorized computers, such as your laptop or a secure workstation. If you don’t lock it down, an attacker with compromised credentials can easily run commands and processes on remote computers in your network.

firewall diagram blocking psexec

Here are the steps to allow and secure PsExec.

Step 1: Enable Windows Firewall

First, you need to have the Windows Firewall enabled. Sometimes organizations disable it for convenience, and that is a huge mistake. If you have a lot of computers to manage, you can use group policy to manage the firewall settings.

Make sure it is enabled for all profiles (domain, private, public).

windows firewall overview

Step 2: Allow PsExec Ports In Windows Firewall

PsExec requires ports TCP/445 and UDP/137 to be open on the remote computer. Below are the PowerShell commands to enable them for the domain profile.

Tip: Use the -RemoteAddress option to limit connections to authorized systems. In this example, I’m only allowing the IP “192.168.100.10” to make connections to the remote computer for the file and printer sharing service. If another IP address tried to connect to the remote computer, the firewall would block it.

Here is the command to enable TCP/445.

New-NetFirewallRule -DisplayName 'TCP/445' -Profile @('Domain') -Direction Inbound -Action Allow -Protocol TCP -LocalPort @('445') -RemoteAddress 192.168.100.10

Here is the command to enable UDP/137.

New-NetFirewallRule -DisplayName 'UDP/137' -Profile @('Domain') -Direction Inbound -Action Allow -Protocol UDP -LocalPort @('137') -RemoteAddress 192.168.100.10

In the GUI, the remote IP address settings are on the Scope tab.

firewall rule scope

Step 3: Allow Remote Service Management (Optional)

This is not required, but PsExec will run extremely slowly when this service is blocked. I also use the -RemoteAddress option to limit which IP addresses can connect to the remote computer.

Set-NetFirewallRule -DisplayGroup "Remote Service Management" -Enabled True -Profile Domain -RemoteAddress "192.168.100.10"
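
Windows Firewall allow rules are additive, so a scoped rule from Step 2 restricts nothing if another enabled allow rule for the same port still accepts any source. The audit below is an added example, not part of the original guide. It assumes 192.168.100.10 is the only authorized workstation, and Test-PortCovered is a helper written for this example.

```powershell
# Added example, not from the original guide. Run in an elevated PowerShell
# session on the remote computer you have locked down.
# Assumption: 192.168.100.10 is the only authorized admin workstation.
$AuthorizedIPs = @('192.168.100.10')
$Watched = @(
    @{ Protocol = 'TCP'; Port = 445 },
    @{ Protocol = 'UDP'; Port = 137 }
)

# Step 1 check: the firewall must be on for the domain, private and public profiles.
Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object {
    Write-Warning "Windows Firewall is disabled for the $($_.Name) profile"
}

# True when a rule's LocalPort entry ('Any', '445', '400-500') covers $Port.
function Test-PortCovered([string[]]$LocalPort, [int]$Port) {
    foreach ($entry in $LocalPort) {
        if ($entry -eq 'Any' -or $entry -eq "$Port") { return $true }
        if ($entry -match '^(\d+)-(\d+)$' -and $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
    }
    return $false
}

# Steps 2 and 3 check: list every enabled inbound allow rule that covers a
# watched port and accepts a source other than the authorized IPs.
$findings = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    $addrFilter = $rule | Get-NetFirewallAddressFilter
    foreach ($w in $Watched) {
        if ($portFilter.Protocol -notin @($w.Protocol, 'Any')) { continue }
        if (-not (Test-PortCovered $portFilter.LocalPort $w.Port)) { continue }
        $extra = @($addrFilter.RemoteAddress | Where-Object { $_ -notin $AuthorizedIPs })
        if ($extra.Count -gt 0) {
            [pscustomobject]@{
                Rule = $rule.DisplayName; Profile = $rule.Profile
                Port = "$($w.Protocol)/$($w.Port)"; AlsoAllowedFrom = $extra -join ','
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else {
    'No enabled inbound allow rule exposes TCP/445 or UDP/137 to other addresses.'
}
```

Any rule it lists should be disabled or given the same -RemoteAddress scope as the rules created above.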

How to Install PsExec

In this section, I’ll walk through installing PsExec on my local computer.

Step 1: Download PsExec

PsExec is part of the PsTools package provided by Microsoft.

You can download it here.

psexec download page

Step 2: Extract The Download

Unzip the downloaded file (PSTools.zip) and copy it to a path on your hard drive. I’ve copied it to the root of c: (Example c:\pstools).

extract psexec download

Tip: For convenience, you can also copy PsExec.exe to a system path (such as c:\windows\system32). This will allow you to run the exe without having to change directories from the command prompt.

Step 3: Test PsExec

Let’s test the installation to make sure PsExec is working.

Open the Windows command prompt and switch to the pstools directory, then type psexec and press Enter. You should see PsExec return the version and command syntax.

In the screenshot below you can see I changed to the “c:\pstools” directory to run the psexec command.

command prompt psexec install directory

Typing psexec is also a quick way to see the syntax and command line options.

PsExec Examples

PsExec is very easy to use. The basic syntax is:

psexec \\remotecomputer command [arguments]

Example 1: Run Command on a Remote Computer

Use the command below to run a command on a single remote computer.

psexec \\pc1 ipconfig

In this example, I’m running the ipconfig command on remote computer PC1.

psexec single computer

Example 2: Run Command on Multiple Computers

To run PsExec on multiple computers, just separate the computers with a comma. Here I’m running ipconfig on pc1 and srv-vm1.

psexec \\pc1,srv-vm1 ipconfig

run psexec on multiple computers

Example 3: Specify Username and Password

To connect to a remote computer using a specific username and password, use this command:

psexec \\pc1 -u user -p password ipconfig

Example 4: Kill Process on a Remote Computer

To kill a process on a remote computer, use the commands below.

You first need to get the process PID. This can be done with the tasklist command.

psexec \\pc1 tasklist

get running processes with psexec

Find the process PID, then use taskkill to kill the process.

psexec \\pc1 taskkill /pid 2892 /f

Example 5: Install Software

In this example, I’m installing 7-Zip on the remote computer PC1. The installation file has already been copied to the remote computer. You can also use the -c option to copy a file and execute it.

psexec \\pc1 msiexec.exe /i "c:\it\7z2201-x64.msi"

Example 6: Restart Remote Computer

Use this command to restart a remote computer. Here I’m telling pc1 to reboot in 60 seconds.

psexec \\pc1 shutdown /r /t 60

The remote computer will get a pop-up message that the computer will reboot.

reboot message

Example 7: Delete a File

This command will delete the file users.txt from the remote computer.

psexec \\pc1 cmd /c del /f c:\it\users.txt

Example 8: Restart Printer Spooler

In this example, I will stop and start the spooler service on a remote computer. To stop the spooler service use this command.

psexec \\pc1 net stop spooler

To start the spooler service use this command.

psexec \\pc1 net start spooler

Example 9: Copy and Run a Batch File

The -c option will copy a specified file to a remote computer and execute it.

psexec \\pc1 -c pcinfo.bat

Example 10: Open Command Prompt on Remote Computer

This example will open the command prompt on the remote computer. You can then run whatever commands you need.

psexec \\pc1 cmd

You can see below I open cmd and run multiple commands that all execute on the remote computer. This can be very useful for IT administrators who are troubleshooting computer issues and need a quick way to execute commands on remote computers.

run cmd on remote computer

Example 11: Open a Program

If you want to open a program on the remote computer, use the -i option. The -i option runs the program so that it interacts with the desktop. For example, use this command to open notepad.exe on a remote computer.

psexec \\pc1 -i notepad

That is it for this guide, post your feedback in the comments below.
