PsExec is a small program that enables IT administrators to run commands and processes on remote computers.
In this guide, you will learn how to use PsExec to run commands, kill processes, install software, restart services, and more on remote computers.
Warning: Attackers can do all kinds of bad things with PsExec, such as copying and running malicious files, accessing your data, and changing or gathering system information.
The use of PsExec should be restricted so that it can only be run from authorized computers. There are multiple ways to secure the use of PsExec; in this guide I’ll show you how to secure it with the Windows Firewall.
Let’s get started.
The remote computer must meet the following requirements:
- Port TCP/445 open
- Port UDP/137 open
- Credentials to the remote computer (domain or local credentials will work).
- Remote Service Management (RPC) open – not required, but PsExec runs extremely slowly if the firewall is enabled and this service is blocked.
Secure PsExec With The Windows Firewall
I highly recommend you lock down the use of PsExec so it can only run from authorized computers, such as your laptop or a secure workstation. If you don’t lock it down, an attacker with compromised credentials can easily run commands and processes on remote computers in your network.
Here are the steps to allow and secure PsExec.
Step 1: Enable Windows Firewall
First, you need to have the Windows Firewall enabled. Sometimes organizations disable this for convenience reasons and that is a huge mistake. If you have a lot of computers to manage, you can use group policy to manage the firewall settings.
Make sure it is enabled for all profiles (domain, private, public).
Step 2: Allow PsExec Ports In Windows Firewall
PsExec requires ports TCP/445 and UDP/137 to be open on the remote computer. Below are the PowerShell commands to enable this for the domain profile.
Tip: Use the -RemoteAddress option to limit connections to authorized systems. In this example, I’m only allowing the IP 192.168.100.10 to connect to the remote computer’s file and printer sharing service. If another IP address tried to connect to the remote computer, the firewall would block it.
Here is the command to enable TCP/445.
New-NetFirewallRule -DisplayName 'TCP/445' -Profile @('Domain') -Direction Inbound -Action Allow -Protocol TCP -LocalPort @('445') -RemoteAddress 192.168.100.10
Here is the command to enable UDP/137.
New-NetFirewallRule -DisplayName 'UDP/137' -Profile @('Domain') -Direction Inbound -Action Allow -Protocol UDP -LocalPort @('137') -RemoteAddress 192.168.100.10
In the GUI the Remote IP address settings are on the scope tab.
Step 3: Allow Remote Service Management (Optional)
This is not required, but PsExec runs extremely slowly when this service is blocked. Here I again use the -RemoteAddress option to limit which IP addresses can connect to the remote computer.
Set-NetFirewallRule -DisplayGroup "Remote Service Management" -Enabled True -Profile domain -RemoteAddress "192.168.100.10"
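The three steps above, combined into one script you can re-run safely, as an added example that is not part of the original guide. It assumes the authorized management host is 192.168.100.10 (the address used in the guide), applies the rules to the Domain profile only, and runs in an elevated PowerShell session. The verification step at the end is the part I find most useful: it lists every enabled inbound allow rule on 445 or 137, including built-in rules such as the File and Printer Sharing group, so a rule scoped to Any (which would quietly undo the lockdown) stands out.

```powershell
# Added example (not from the original guide). Assumption: the only host that
# should be allowed to run PsExec against this computer is 192.168.100.10.
$AuthorizedHost = '192.168.100.10'

# Step 1: the firewall must be on for every profile, not just Domain.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True

# Step 2: the two ports PsExec needs, scoped to the authorized host only.
$rules = @(
    @{ DisplayName = 'TCP/445'; Protocol = 'TCP'; LocalPort = 445 },
    @{ DisplayName = 'UDP/137'; Protocol = 'UDP'; LocalPort = 137 }
)
foreach ($r in $rules) {
    $existing = Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue
    if ($existing) {
        # Rule already exists: re-apply the scope so a rule someone widened gets tightened again.
        Set-NetFirewallRule -DisplayName $r.DisplayName -RemoteAddress $AuthorizedHost -Enabled True
    } else {
        New-NetFirewallRule -DisplayName $r.DisplayName -Profile Domain -Direction Inbound `
            -Action Allow -Protocol $r.Protocol -LocalPort $r.LocalPort `
            -RemoteAddress $AuthorizedHost | Out-Null
    }
}

# Step 3 (optional): Remote Service Management, scoped the same way.
Set-NetFirewallRule -DisplayGroup 'Remote Service Management' -Enabled True `
    -Profile Domain -RemoteAddress $AuthorizedHost

# Verify: every enabled inbound allow rule that opens 445 or 137, with its remote scope.
# A RemoteAddress of "Any" on one of these rows means PsExec is reachable from anywhere.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        if ($port.LocalPort -in @('445', '137')) {
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                Protocol      = $port.Protocol
                LocalPort     = $port.LocalPort
                RemoteAddress = $addr.RemoteAddress
            }
        }
    } | Format-Table -AutoSize
```

If the verification table shows an extra row for the built-in "File and Printer Sharing (SMB-In)" rule with RemoteAddress Any, scope that rule to the same address (or disable it) as well; otherwise the two custom rules above add nothing.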
How to Install PsExec
In this section, I’ll walk through installing PsExec on my local computer.
Step 1: Download PsExec
PsExec is part of the PsTools package provided by Microsoft.
You can download it from the Microsoft Sysinternals site.
Step 2: Extract The Download
Unzip the downloaded file (PSTools.zip) and copy it to a path on your hard drive. I’ve copied it to the root of c: (for example, c:\pstools).
Tip: For convenience, you can also copy PsExec.exe to a directory on the system path (such as c:\windows\system32); this lets you run the exe without having to change directories in the command prompt.
Step 3: Test PsExec
Let’s test the installation to make sure PsExec is working.
Open the Windows command prompt, switch to the pstools directory, then type psexec and press Enter. PsExec should print its version and command syntax.
In the screenshot below you can see I changed to the “c:\pstools” directory to run the psexec command.
Typing psexec is also a quick way to see the syntax and command line options.
PsExec is easy to use; the basic syntax is:
psexec \\remotecomputer command [arguments]
Example 1: Run Command on a Remote Computer
Use the command below to run a command on a single remote computer.
psexec \\pc1 ipconfig
In this example, I’m running the ipconfig command on remote computer PC1.
Example 2: Run Command on Multiple Computers
To run PsExec on multiple computers, separate the computer names with a comma. Here I’m running ipconfig on pc1 and srv-vm1.
psexec \\pc1,srv-vm1 ipconfig
Example 3: Specify Username and Password
To connect to a remote computer using a specific username and password use this command:
psexec \\pc1 -u user -p password ipconfig
Example 4: Kill Process on a Remote Computer
To kill a process on a remote computer use the commands below.
You first need the process PID, which you can get with the tasklist command.
psexec \\pc1 tasklist
Find the process PID number then use taskkill to kill the process.
psexec \\pc1 taskkill /pid 2892 /f
Example 5: Install Software
In this example, I’m installing 7zip on the remote computer PC1. The installation file has been copied to the remote computer. You can also use the -c option to copy a file and execute it.
psexec \\pc1 msiexec.exe /i "c:\it\7z2201-x64.msi"
Example 6: Restart Remote Computer
Use this command to restart a remote computer. Here I’m telling pc1 to reboot in 60 seconds.
psexec \\pc1 shutdown /r /t 60
The remote computer will get a pop-up message saying that the computer will reboot.
Example 7: Delete a File
This command will delete the file users.txt from the remote computer.
psexec \\pc1 cmd /c del /f c:\it\users.txt
Example 8: Restart Printer Spooler
In this example, I will stop and start the spooler service on a remote computer.
psexec \\pc1 net stop spooler
To start the spooler service use this command.
psexec \\pc1 net start spooler
Example 9: Copy and Run a Batch File
The -c option will copy a specified file to a remote computer and execute it.
psexec \\pc1 -c pcinfo.bat
Example 10: Open Command Prompt on Remote Computer
This example opens a command prompt on the remote computer; you can then run whatever commands you need.
psexec \\pc1 cmd
You can see below that I open cmd and run multiple commands, all of which execute on the remote computer. This is very useful for IT administrators who need a quick way to execute commands on remote computers while troubleshooting.
Example 11: Open a Program
If you want to open a program on the remote computer use the -i option. The -i option runs the program so that it interacts with the desktop. For example, use this command to open notepad.exe on a remote computer.
psexec \\pc1 -i notepad
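The examples above each run a single command against one or two computers. Below is an added example (my own script, not part of the original guide or the PsTools package) that generalizes Example 2: it runs one command on a list of computers one host at a time, checks that TCP/445 is reachable before calling PsExec so a host the firewall is blocking fails fast instead of hanging, and records the exit code per host. It assumes psexec.exe is on the PATH (the c:\windows\system32 tip above) and the computer names are made up. The -accepteula and -nobanner switches are documented PsExec options; they keep the first-run EULA prompt and the banner out of a scripted run.

```powershell
# Added example (not from the original guide). Assumption: psexec.exe is on the
# PATH and the computers below exist; the names are constructed for illustration.
$Computers = @('pc1', 'srv-vm1')      # constructed sample list
$Command   = 'ipconfig'
$Arguments = @('/all')

$results = foreach ($pc in $Computers) {
    # Precheck: PsExec needs TCP/445 reachable. Skip hosts where it is not,
    # rather than waiting for PsExec to time out on each one.
    $reachable = Test-NetConnection -ComputerName $pc -Port 445 `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    if (-not $reachable) {
        [pscustomobject]@{ Computer = $pc; ExitCode = $null; Status = 'TCP/445 unreachable'; Output = '' }
        continue
    }

    # Run as the calling user (no -u/-p), so no password lands on the command line.
    $output = & psexec.exe "\\$pc" -accepteula -nobanner $Command @Arguments 2>&1 | Out-String
    [pscustomobject]@{
        Computer = $pc
        ExitCode = $LASTEXITCODE        # PsExec exits with the remote command's exit code
        Status   = if ($LASTEXITCODE -eq 0) { 'ok' } else { 'failed' }
        Output   = $output.Trim()
    }
}

# Summary on screen, full output saved for the change record.
$results | Format-Table Computer, ExitCode, Status -AutoSize
$results | Export-Csv -Path "$env:TEMP\psexec-run-$(Get-Date -Format yyyyMMdd-HHmm).csv" -NoTypeInformation
```

The script deliberately does not use the -u/-p form from Example 3: a password given on the command line is visible in the shell history and in process command-line logging on the local machine. If you do need different credentials, giving -u without -p makes PsExec prompt for the password instead.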
That is it for this guide, post your feedback in the comments below.
Next, check out my list of the 50 most useful Windows commands.