
A Complete Guide to Installing and Using PsExec

Introduction

PsExec is one of the most powerful tools in the Sysinternals suite developed by Microsoft. It allows administrators to execute commands and run programs on remote systems as if they were sitting right in front of them. Unlike traditional remote desktop tools, PsExec provides command-line control, making it ideal for automation, scripting, and batch operations.

This guide walks you through everything you need to know about PsExec, from installation to advanced usage.

By the end, you’ll know:

What is PsExec?

PsExec (short for “Process Execute”) is a lightweight telnet replacement that lets you:

It’s widely used by system administrators but is also a favorite among penetration testers because of its ability to move laterally across networks.

At its core, PsExec lets you run processes on remote systems, but the magic lies in how it accomplishes this. Unlike traditional remote desktop tools that require a GUI session, PsExec operates through a clever combination of Windows services and administrative shares.

Here’s what happens when you run a simple PsExec command:

This architecture explains both its power and its potential risks.

Why Use PsExec Over Other Tools?

Setting Up the Environment

Setup a Demo Target Server

We first need a target server on which to run PsExec commands. Let us use Azure to spin up a VM.

After setting the username and password, open the RDP and SSH ports so that we can work on the VM later.

After the VM is created, the portal shows the output below.

Now let us open the required ports on the Network Security Group (NSG) of this VM. Search for Network Security Groups, open the NSG attached to this VM and go to Inbound Rules.

Add the rule below to allow inbound traffic on ports 135, 139 and 445, which are required for the SMB communication PsExec relies on.

These ports also have to be allowed in Windows Firewall on the VM itself. As this is a test environment, you can simply disable the firewall instead.

After opening the ports in the firewall, enable the settings below on the target system.

Now verify that SMB is configured correctly.

Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

The output should look like

If not, enable it with

Set-SmbServerConfiguration -EnableSMB2Protocol $true -Force
Restart-Service lanmanserver

Ensure that the services below are running

Get-Service -Name LanmanServer, LanmanWorkstation

The output should look like

Now we need to grant remote logon rights to the user on the remote system.

Press Win+R, type "secpol.msc" and navigate to

Local Policies → User Rights Assignment

Find and double-click:

Add the user "test-user" to each of them. Click OK, then restart the VM or run:

gpupdate /force
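As an added example (not part of the original guide), the PowerShell script below is run from the machine that will launch PsExec and checks the target set up above: that TCP 445 and 139 are reachable through the NSG and Windows Firewall, and that the ADMIN$ share can be opened with the account that was just granted logon rights. The target address 10.0.0.4 and the account test-user follow the guide; the script name and the temporary drive name are my own.

```powershell
# Added example, not from the original guide: pre-flight checks against the target
# set up above, run on the machine that will launch PsExec. Save as Test-PsExecTarget.ps1.
# Assumptions: the target is 10.0.0.4 and the account is test-user, as in the guide.
param(
    [string]$Target = '10.0.0.4',
    [string]$User   = 'test-user'
)

$result = [ordered]@{ Target = $Target }

# 1. Is the SMB transport reachable? PsExec needs TCP 445 (139 only for legacy NetBIOS sessions).
foreach ($port in 445, 139) {
    $tnc = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
    $result["Tcp$port"] = $tnc.TcpTestSucceeded
}

# 2. Can the ADMIN$ share be opened? PsExec copies its service binary there, so this is the
#    check behind the "default admin$ share" error PsExec prints when a connection fails.
#    Get-Credential prompts for the password instead of placing it on the command line.
$cred = Get-Credential -Message "Credentials for $Target" -UserName $User
try {
    New-PSDrive -Name PsxCheck -PSProvider FileSystem -Root "\\$Target\admin`$" -Credential $cred -ErrorAction Stop | Out-Null
    $result.AdminShare = $true
    Remove-PSDrive -Name PsxCheck
} catch {
    $result.AdminShare      = $false
    $result.AdminShareError = $_.Exception.Message
}

# One object with all results; any $false here explains a later "network path was not found".
[pscustomobject]$result
```

Run it as .\Test-PsExecTarget.ps1 -Target 10.0.0.4 before the first psexec call; if Tcp445 is false the problem is the NSG or firewall rules, and if AdminShare is false it is the share, the account's rights, or the password.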

Downloading and Installing PsExec

PsExec is part of the Sysinternals Suite, available for free from Microsoft. Now we will install it on the system from which we will run the commands.

Step 1: Download PsExec

Step 2: Extract and Set Up

Unzip the file and place PsExec.exe in a directory included in your system’s PATH (e.g., C:\Windows\System32) so you can run it from anywhere.

Step 3: Verify Installation

Open CMD and type

psexec /?

This prints output like the one below, which confirms that the tool can now be run from anywhere.

Now let's actually test the connection from host A to host B. Say our IP is 10.0.0.5 and the remote system's IP is 10.0.0.4; run the command below to open a shell on the target system.

psexec \\10.0.0.4 -u test-user -p test-Password-1 cmd

In the output below, "ipconfig" now returns the remote system's IP, which means our commands are running on the remote system.

Note

You should only practice PsExec on private, isolated systems such as a home lab, local virtual machines, or a secure corporate network and never over public internet connections. PsExec relies on SMB (Server Message Block) for file and command transfer, which uses ports like 445 and 139 that are a prime target for cyberattacks. Exposing SMB to the internet is extremely dangerous, as it allows malicious actors to attempt credential theft, remote code execution, and ransomware deployment. In fact, many ISPs actively block SMB traffic for this very reason. If you need to test or learn PsExec, keep both machines in the same private network (e.g., through a VPN, local LAN, or an Azure VNet) and ensure no SMB ports are open to the outside world. This way, you stay safe while gaining hands-on experience without creating a massive security hole.

If you try to execute the above commands against a public IP, you will most likely get errors, e.g.

PS C:\Windows\system32> psexec \\<public IP here> -u test-user -p test-Password-1 cmd

PsExec v2.43 - Execute processes remotely
Copyright (C) 2001-2023 Mark Russinovich
Sysinternals - www.sysinternals.com

Couldn't access <public IP here>: The network path was not found.
Make sure that the default admin$ share is enabled on <public IP here>.

Using the PsExec Tool

Running a File on the Remote System

PsExec normally runs commands that are already present on the remote machine. To run a local script or program on a remote machine without copying it manually, use the -c switch: it copies the specified file from your local machine to the remote machine (into its admin$ share) and then executes it there.

psexec \\10.0.0.4 -u test-user -p test-Password-1 -c deploy.bat

This will:

Running as SYSTEM (Highest Privileges)

Even if you are an Administrator, some system-level operations require NT AUTHORITY\SYSTEM rights, the highest-privilege account in Windows. Running commands as SYSTEM gives you full access to protected files, registry keys, and services.

The command for this is

psexec \\SERVER01 -u Admin -p P@ssw0rd -s cmd

Example Usage

To change the Windows Time service configuration, run the command below

psexec \\10.0.0.4 -u test-user -p test-Password-1 -s sc config w32time start= auto

This only works as SYSTEM, because a normal administrator may be denied access.

Running on Multiple Computers

Instead of typing the command for each machine, you can pass a list of computers in a text file (one per line) and PsExec will execute the command on each one. For example, servers.txt:

SERVER01
SERVER02
SERVER03

psexec @servers.txt -u test-user -p test-Password-1 ipconfig

Example usage:

To check the Windows version on multiple servers at once, run the command below.

Get-Content .\servers.txt | ForEach-Object {
    psexec \\$_ -u test-user -p test-Password-1 cmd /c "ver"
}
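The loop above shows each host's output but gives no summary of which hosts failed. As an added example (not the guide's own script), the following PowerShell runs the same version check over servers.txt and records PsExec's exit code per host; PsExec returns the exit code of the remote process, or its own error code when the connection fails, so a non-zero value marks a host that needs attention. It assumes psexec.exe is on PATH and servers.txt holds one hostname or IP per line; the CSV file name is my own.

```powershell
# Added example, not from the original guide: run one command on every host in servers.txt
# and collect the remote exit code per host. PsExec returns the exit code of the remote
# process, so a non-zero value flags a host that needs attention instead of scrolling past.
# Assumptions: psexec.exe is on PATH and servers.txt holds one hostname or IP per line.
$cred = Get-Credential -Message 'Account for the remote hosts' -UserName 'test-user'
$user = $cred.UserName
# Extracted only for the psexec call; it never lands in shell history, though it is
# visible on psexec's own command line while that process runs.
$pass = $cred.GetNetworkCredential().Password

$results = foreach ($server in Get-Content .\servers.txt) {
    $server = $server.Trim()
    if (-not $server) { continue }                       # skip blank lines
    # -n 10: give up after 10 seconds on an unreachable host rather than stalling the loop.
    # -accepteula: suppress the first-run EULA dialog. 2>$null: hide the banner PsExec writes to stderr.
    $output = & psexec "\\$server" -accepteula -n 10 -u $user -p $pass cmd /c ver 2>$null
    [pscustomobject]@{
        Server   = $server
        ExitCode = $LASTEXITCODE
        Version  = ($output | Where-Object { $_ -match 'Windows' }) -join ' '
    }
}

$results | Format-Table -AutoSize
$results | Where-Object { $_.ExitCode -ne 0 } | Export-Csv .\psexec-failures.csv -NoTypeInformation
```

The exit-code column is the useful part: a host that timed out, rejected the credentials or has the ADMIN$ share disabled shows a non-zero code and ends up in psexec-failures.csv, so a large run can be re-tried against only the hosts that failed.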

The output will look like

Installing Software Silently

You can remotely install MSI-based software without user interaction (silent mode) using PsExec + msiexec.

psexec \\10.0.0.4 -u test-user -p test-Password-1 msiexec /i "C:\temp\software.msi" /qn

Example usage:

If the MSI is on your local machine and you want PsExec to copy it over before installing:

psexec \\SERVER01 -u test-user -p test-Password-1 -c "C:\localpath\software.msi" msiexec /i software.msi /qn

-c copies the file to the remote machine before executing it.

Silent Uninstall

To silently remove software:

psexec \\SERVER01 -u test-user -p test-Password-1 msiexec /x {PRODUCT-CODE-GUID} /qn

Security Considerations and Risks

PsExec is a powerful tool, but if misused, it can pose serious security risks. Here’s what you need to keep in mind:

1. Authentication Risks

PsExec requires credentials to access remote systems. Passing the password on the command line in plaintext is bad practice, as it is recorded in the command history. If you omit the -p flag, PsExec prompts for the password instead, which is the better practice.

psexec \\RemotePC -u Admin notepad.exe

You’ll be prompted to enter the password securely.

2. Firewall & Network Security

PsExec works by using SMB on port 445 to access administrative shares such as C$ and ADMIN$. For it to function, the Windows Firewall on the remote machine must allow File and Printer Sharing through port 445, and administrative shares need to be enabled and accessible.

3. Malicious Use (Lateral Movement)

Attackers often leverage PsExec to move laterally across a network after gaining initial access. To mitigate this risk, restrict its use through AppLocker or Software Restriction Policies, and monitor the Windows Event Logs, particularly Event ID 4688, for unusual PsExec execution activity.
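As an added example (not from the original guide), the PowerShell below turns the Event ID 4688 monitoring advice into a concrete check that can be run on a host. It relies on two facts about how PsExec works: the remote side runs as a service named PSEXESVC (the default name, which PsExec allows to be changed, so a name match is the minimum rather than complete coverage), whose process PSEXESVC.exe appears in 4688 and is the parent of everything it launches; and installing that service writes Event ID 7045 to the System log. The 24-hour window is an arbitrary lab default of mine.

```powershell
# Added example, not from the original guide: hunt for PsExec activity on a host using
# the Event ID 4688 events the guide recommends watching, plus service-install events.
# Facts relied on: PsExec's remote side runs as a service named PSEXESVC (its default name),
# so its process PSEXESVC.exe appears in 4688 and everything it launches has PSEXESVC.exe as
# parent; installing that service writes Event ID 7045 to the System log. 4688 needs the
# "Audit Process Creation" policy enabled; CommandLine also needs command-line auditing.
# Assumption: the 24-hour window is an arbitrary lab default.
param([int]$Hours = 24)
$since = (Get-Date).AddHours(-$Hours)

# 1. Process-creation events where PsExec's service binary is the process or its parent.
$procHits = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Process = $d.NewProcessName
            Parent  = $d.ParentProcessName      # present on Windows 10 / Server 2016 and later
            CmdLine = $d.CommandLine            # empty unless command-line auditing is enabled
        }
    } |
    Where-Object { $_.Process -like '*\PSEXESVC.exe' -or $_.Parent -like '*\PSEXESVC.exe' }
)

# 2. Service installations of PSEXESVC (System log, Service Control Manager).
$svcHits = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'PSEXESVC' } |
    Select-Object TimeCreated, Message
)

"Process-creation hits: $($procHits.Count)"; $procHits | Format-Table -AutoSize
"Service-install hits:  $($svcHits.Count)";  $svcHits  | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the target (the Security log needs administrator rights to read). Legitimate administrative use will show up here too; the value is in the User and Parent columns, which let you tell a scheduled deployment from an account that has no business running a service on that host.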

4. Antivirus & EDR Detection

Some security tools may flag PsExec as a “Potentially Unwanted Program (PUP)” or hacking tool. If it is being used for legitimate administrative purposes, you can resolve this by whitelisting PsExec in your antivirus software.

Key Takeaways

Conclusion

PsExec stands as one of the most versatile tools in Windows system administration, capable of handling tasks ranging from simple remote command execution to large-scale software deployments. Its straightforward design masks significant power, requiring careful and responsible usage.
Effective system administration requires both capability and responsibility. Proper documentation, secure credential handling, and thorough cleanup ensure PsExec remains a powerful asset rather than a security liability. The mark of a skilled administrator lies not just in successful execution but in maintaining control and transparency throughout the process.

By adhering to best practices and continuously refining techniques, PsExec can be leveraged to its full potential while minimizing risks. The result is efficient system management with no unintended traces and only well-maintained infrastructure.
