How To Use PsExec Tools To Run Commands and Get a Shell on Remote Windows Systems?
The Windows operating system provides different ways to manage remote systems; Telnet, RDP and VNC are some of them. But these options are generally bound to a graphical user interface. If we prefer a command line interface, there is an alternative named PsExec.
PsExec is actually part of a toolset (PsTools) consisting of the following tools.
PsExec: used to execute commands on a remote system or get a shell from it
PsFile: used to list files and folders on the remote system
PsGetSid: used to display the security identifier (SID) of a remote computer or user
PsInfo: used to get detailed information about the remote system
PsKill: used to kill a process on the remote system by name or ID
PsList: used to list processes in detail on the remote system
PsLoggedOn: used to list logged-on users on the remote system
PsLogList: used to list event logs residing on the remote system
PsPasswd: used to change a given user's password on the remote system
PsPing: used to ping from the remote system
PsService: used to list and manage Windows services on the remote system
PsShutdown: used to shut down, log off, suspend and restart the remote Windows system
PsSuspend: used to suspend and resume processes on the remote Windows system
PsUptime: used to display the remote system's uptime
Most of these tools are provided for both 32-bit and 64-bit architectures; use the binary that matches the target.
PsTools is developed by Mark Russinovich and can be downloaded from the following link.
As of writing this post, the latest version of PsTools was 2.45.
Run Command On a Remote System
The most basic usage of the PsExec command is simply running a command on the remote system. In order to do that we provide a user name and password together with the command to be run. The syntax of PsExec is like below.
psexec [Computer_name or IP] [options] [command] [command_arguments]
In this example we will run the ipconfig command on the remote system whose IP address is 192.168.122.66. The username is Administrator and the password is 123456Ww.
$ psexec \\192.168.122.66 -u Administrator -p 123456Ww ipconfig
As we can see, the command is executed on the remote system without any problem.
Redirect Psexec Command Output
After running a command on the remote system, the command output is printed to the current standard output, which is our current shell. This output can be redirected into a file with > . If we have a lot of remote systems to run the command on, this option will be very useful.
$ psexec \\192.168.122.66 -u Administrator -p 123456Ww ipconfig > 192.168.122.66_ifconfig
In this example the ipconfig command output is saved into the file named 192.168.122.66_ifconfig.
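The post runs one host and redirects its output with > . Below is an added Python wrapper (not from the original post, and not part of PsTools) that does the same for a list of hosts: it builds the psexec \\host -u user -p password command as an argv list, saves each host's output to <host>_<command>.txt, and records the exit code PsExec returns, which is the exit code of the remote command. It assumes psexec.exe is on PATH and, to keep the password out of the script and the shell history, reads it from a PSEXEC_PASSWORD environment variable (a name chosen for this example, not a PsExec feature). The runner parameter exists so the function can be exercised without a real remote host.

```python
"""Run one command on many hosts with PsExec and save each host's output.

Added example, not code from the original post or from Sysinternals.
Assumes psexec.exe is on PATH; PSEXEC_PASSWORD is an environment variable
name chosen here for the demo.
"""
import os
import subprocess
from pathlib import Path, PureWindowsPath
from typing import Callable, Dict, List, Optional


def build_psexec_argv(host: str, command: List[str], user: Optional[str] = None,
                      password: Optional[str] = None) -> List[str]:
    """Build `psexec \\host [-u user [-p password]] command args...` as an argv list."""
    argv = ["psexec", f"\\\\{host}"]
    if user:
        argv += ["-u", user]
        # Without -p, PsExec prompts for the password on the console instead.
        if password is not None:
            argv += ["-p", password]
    return argv + list(command)


def run_on_hosts(hosts: List[str], command: List[str], out_dir: str,
                 user: Optional[str] = None, password: Optional[str] = None,
                 runner: Callable = subprocess.run) -> Dict[str, int]:
    """Run `command` on every host and write its stdout to <out_dir>/<host>_<cmd>.txt.

    Returns {host: exit code}. PsExec exits with the remote process's exit
    code, so a non-zero value means the remote command (or the connection
    to that host) failed; the caller can retry or report those hosts.
    """
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    results: Dict[str, int] = {}
    for host in hosts:
        argv = build_psexec_argv(host, command, user, password)
        proc = runner(argv, capture_output=True, text=True)
        # PureWindowsPath so "C:\tools\cmd.exe" still yields "cmd" on any platform.
        name = PureWindowsPath(command[0]).stem
        (out / f"{host}_{name}.txt").write_text(proc.stdout)
        results[host] = proc.returncode
    return results


if __name__ == "__main__":
    # Password read from the environment so it does not sit in the script or shell history.
    codes = run_on_hosts(["192.168.122.66"], ["ipconfig"], "psexec_out",
                         user="Administrator",
                         password=os.environ.get("PSEXEC_PASSWORD"))
    for host, rc in codes.items():
        print(host, "exit code", rc)
```

If -p is omitted PsExec prompts for the password, which is fine for a single host but blocks an unattended loop; when the local account already has rights on the targets, leaving out -u entirely lets PsExec use the current logon and avoids handling the password at all.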
Pass The Hash
In the previous example we provided the user password. The clear-text user password is not the only option: we can also provide the hash value of the user token. In the following example we provide the hash of the user token.
$ psexec \\192.168.122.66 -u Administrator -p q23q34t34twd3w34t34wtw34t ipconfig
Copy Command From Local To The Remote System
Running commands on the remote system is a very useful feature, but there is another feature which will ease system administrators' and pentesters' jobs. PsExec can be used to copy a command from the local system to the remote system. We will use the -c option for the copy operation. Once the command finishes, the remote copy is deleted.
In this example we will copy cmd.exe. After the copy operation is finished, cmd.exe will be started on the remote system.
$ psexec \\192.168.122.66 -u Administrator -p 123456Ww -c cmd.exe
As we can see, we get a cmd shell on the remote system.
Run Command As System User
While running commands on the remote system, the privileges and the process owner will be those of the provided user. If we need to change the owner of the remote command to the System user, we provide the -s option. In this example we will use the -s option to run regedit.exe.
$ psexec \\192.168.122.66 -u Administrator -p 123456Ww -s regedit.exe
Run GUI Application On the Remote System
Windows operating systems provide a GUI by default. PsExec can be used to open a GUI application on the remote system in the specified user console. User console simply means the user's desktop.
In this example we will start notepad.exe on the remote system. The remote system's Administrator user can interact with this notepad.
$ psexec \\192.168.122.66 -u Administrator -p 123456Ww -i notepad.exe
We will get our local shell back after the remote user closes the notepad. After the close, the exit code will be printed to the psexec console.
Create Interactive Shell On The Remote System
Up to now we have run single commands remotely. After execution of the command finishes, the connection to the remote system is closed; there is no persistent session. PsExec also provides a remote shell or command line: it connects to the remote system and gives us an MS-DOS style shell. In order to get a remote shell we run the cmd.exe command on the remote system.
$ psexec \\192.168.122.66 -u Administrator -p 123456Ww cmd.exe
Up to now we have generally provided commands to run on remote systems. A system administrator's daily operations do not change frequently, so the PsTools toolkit provides some simple commands that run directly without passing the command as a parameter. We will look at these tools below.
List Files On the Remote System With PsFile
The PsFile command can be used to list or close opened files. The syntax is very similar to the PsExec command. In this example we will list files located at C:\Users\ on the remote system.
$ psfile \\192.168.122.66 -u Administrator -p 123456Ww
List SIDs On The Remote System With PsGetSid
A SID (security identifier) is used to identify Windows users in a more detailed fashion than a name. We can list the provided user's SID with the PsGetSid command like below.
$ psgetsid \\192.168.122.66 -u Administrator -p 123456Ww
Get Remote System Information With PSInfo
PsInfo is a tool used to get remote system information like uptime, version, Windows variant etc.
$ psinfo \\192.168.122.66 -u Administrator -p 123456Ww
The following information about the remote system is provided by PsInfo:
Uptime: shows how many days and hours the system has been running
Kernel Version: shows the operating system kernel
Product Type: shows the edition of the operating system
Kernel Build Number: shows the build number of the installed kernel
IE Version: shows the Internet Explorer version
System Root: shows where the operating system is installed
Processors: shows the processor or thread count
Processor Type: shows the detailed processor version and name
Video Driver: shows the currently loaded video driver name
List Process At The Remote System With PsList
Processes running on the remote system can be easily listed with PsList.
$ pslist \\192.168.122.66 -u Administrator -p 123456Ww
The output provides the following information about remote system processes.
Name: the executable file name
Pid: the process ID, which identifies the process
Pri: the priority, which affects process performance under heavy load
Thd: the thread count
Hnd: the open handle count
CPU Time: the total CPU time used by the process
Elapsed Time: the time since the process started
Kill Process At The Remote System With PsKill
Processes running on the remote system can be easily killed with the PsKill command. In order to kill a process we provide the process ID or process name as argument. We will kill the remote process with process ID 2064.
$ pskill \\192.168.122.66 -u Administrator -p 123456Ww 2064
We get a message saying
Process 2064 on 192.168.122.66 killed....
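Two steps in the post, listing processes with PsList and killing one by ID with PsKill, chain naturally. The following added Python example (not from the original post, nor from Sysinternals) parses PsList's table into rows keyed by the column names the post lists, finds every PID for a given process name, and builds the matching pskill command line. The sample output is constructed for the example; real PsList output may include extra columns such as Priv, which the parser handles because it reads the column names from the header row.

```python
"""Parse PsList output and pick the process IDs to hand to PsKill.

Added example, not code from the original post or from Sysinternals.
SAMPLE_PSLIST is constructed to match the columns the post lists.
"""
from typing import Dict, List

# Constructed sample, shaped like `pslist \\host` output (not a real capture).
SAMPLE_PSLIST = """\
pslist - Sysinternals PsList
Process information for 192.168.122.66:

Name                Pid Pri Thd  Hnd     CPU Time    Elapsed Time
Idle                  0   0   4    0 33:29:20.296     0:00:00.000
System                4   8 120  640  0:00:42.843     2:10:05.120
svchost             812   8  12  480  0:00:01.015     2:09:58.004
svchost             904   8  20  732  0:00:03.421     2:09:57.880
notepad            2064   8   1   60  0:00:00.031     0:04:12.500
"""


def parse_pslist(text: str) -> List[Dict[str, str]]:
    """Turn PsList's table into a list of row dicts keyed by column name.

    Process names in PsList carry no spaces and every other column is a
    number or a time, so whitespace splitting is enough. The two-word
    headers ("CPU Time", "Elapsed Time") are joined with underscores so the
    header token count matches the data rows; rows with a different token
    count (banner text, trailing notes) are skipped rather than mis-assigned.
    """
    lines = text.splitlines()
    header_idx = next(i for i, l in enumerate(lines)
                      if l.startswith("Name") and "Pid" in l)
    header = (lines[header_idx]
              .replace("CPU Time", "CPU_Time")
              .replace("Elapsed Time", "Elapsed_Time")
              .split())
    rows: List[Dict[str, str]] = []
    for line in lines[header_idx + 1:]:
        tokens = line.split()
        if len(tokens) != len(header):
            continue
        rows.append(dict(zip(header, tokens)))
    return rows


def pids_for_name(rows: List[Dict[str, str]], name: str) -> List[int]:
    """All PIDs whose Name matches, case-insensitively (e.g. every svchost)."""
    return [int(r["Pid"]) for r in rows if r["Name"].lower() == name.lower()]


def pskill_argv(host: str, user: str, pid: int) -> List[str]:
    """Build `pskill \\host -u user <pid>`; -p is left out so PsKill prompts for the password."""
    return ["pskill", f"\\\\{host}", "-u", user, str(pid)]


if __name__ == "__main__":
    rows = parse_pslist(SAMPLE_PSLIST)
    for pid in pids_for_name(rows, "notepad"):
        print(" ".join(pskill_argv("192.168.122.66", "Administrator", pid)))
```

Killing by PID rather than by name is the safer choice when a name has several instances (the two svchost rows above): pskill with a name would end all of them, while the PID list lets the operator pick one.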
List Event Logs On The Remote System With PsLogList
Remote system logs can be dumped to the local system easily with the PsLogList command. If we use this command without any extra parameter it will dump all event logs from the remote system, which will flood the command line. So for the example we will limit it to the last 5 minutes of event logs with the -m 5 option.
$ psloglist \\192.168.122.66 -u Administrator -p 123456Ww -m 5
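Dumping the last few minutes of the log is more useful once the text can be filtered. The following added Python example (not from the original post, nor from Sysinternals) parses a PsLogList dump into records and selects entries by source and event ID. The sample dump is constructed in the shape PsLogList prints, and its record layout (a [n] Source header line, indented Type/Computer/Time fields with the event ID on the Time line, then the message body) is an assumption made for the example. The demo selects Service Control Manager event 7045 (a new service was installed), which is also how a PsExec run against the host shows up in that log, as the install of its PSEXESVC service, so the same filter serves a defender reviewing what was run on the machine remotely.

```python
"""Parse a PsLogList dump and select records by source and event ID.

Added example, not code from the original post or from Sysinternals.
SAMPLE_PSLOGLIST is constructed; the field layout is an assumption.
"""
import re
from typing import Dict, List

# Constructed sample in the shape of `psloglist \\host -m 5` output (not a real capture).
SAMPLE_PSLOGLIST = """\
PsLoglist - Sysinternals PsLogList
System log on \\\\192.168.122.66:
[3] Service Control Manager
   Type:             INFORMATION
   Computer:         WIN-TARGET
   Time:             3/12/2017 7:46:36 PM   ID: 7036
The Application Layer Gateway Service service entered the running state.
[4] Service Control Manager
   Type:             INFORMATION
   Computer:         WIN-TARGET
   Time:             3/12/2017 7:47:10 PM   ID: 7045
A service was installed in the system.

Service Name:  PSEXESVC
Service File Name:  %SystemRoot%\\PSEXESVC.exe
Service Account:  LocalSystem
[5] Microsoft-Windows-Kernel-Power
   Type:             WARNING
   Computer:         WIN-TARGET
   Time:             3/12/2017 7:48:02 PM   ID: 41
The system has rebooted without cleanly shutting down first.
"""

# "[4] Service Control Manager" -> record number and source.
RECORD_HEADER = re.compile(r"^\[(\d+)\] (.+)$")
# Indented field lines; the Time line optionally carries "ID: nnnn" at its end.
FIELD = re.compile(r"^\s+(Type|Computer|Time):\s+(.*?)(?:\s+ID:\s+(\d+))?$")


def parse_psloglist(text: str) -> List[Dict[str, str]]:
    """Split a dump into records: record, source, type, computer, time, id, message."""
    records: List[Dict] = []
    current = None
    for line in text.splitlines():
        m = RECORD_HEADER.match(line)
        if m:
            current = {"record": m.group(1), "source": m.group(2), "message": []}
            records.append(current)
            continue
        if current is None:
            continue  # banner lines before the first record
        f = FIELD.match(line)
        if f:
            current[f.group(1).lower()] = f.group(2)
            if f.group(3):
                current["id"] = f.group(3)
            continue
        current["message"].append(line)  # everything else is message text
    for r in records:
        r["message"] = "\n".join(r["message"]).strip()
    return records


def events_with_id(records: List[Dict[str, str]], source: str, event_id: str) -> List[Dict[str, str]]:
    """Records from one source with a given event ID, e.g. service installs (7045)."""
    return [r for r in records if r["source"] == source and r.get("id") == event_id]


if __name__ == "__main__":
    recs = parse_psloglist(SAMPLE_PSLOGLIST)
    for r in events_with_id(recs, "Service Control Manager", "7045"):
        print(r["time"], r["computer"], r["message"].splitlines()[0])
```

The -m window keeps the dump small, but the parser does not depend on it: run over a full dump it returns every record, and events_with_id can be called for several IDs in turn.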
Change Password On The Remote System With PsPasswd
Remote system users' passwords can be changed easily with the PsPasswd command. In this example we will change the Administrator user's password to 123456Aa.
$ pspasswd \\192.168.122.66 -u Administrator -p 123456Ww Administrator 123456Aa
Ping With PsPing
Another useful tool is PsPing, which sends ICMP packets to ping a host. This command runs on the local system.
$ psping google.com
Manage Service On The Remote System With PsService
The PsService command is used to list, start and stop services on the remote system.
We can list remote services with the query option.
$ psservice \\192.168.122.66 -u Administrator -p 123456Aa query
Start Service Remotely
A remote service can be started with the start option. In this example we will start the service named ALG.
$ psservice \\192.168.122.66 -u Administrator -p 123456Aa start ALG
After the service is started, information about the service is printed.
Stop Service Remotely
We will stop the ALG service in the following example.
$ psservice \\192.168.122.66 -u Administrator -p 123456Aa stop ALG
Shutdown, Reboot, Suspend Remote System With PSShutdown
The remote system can be shut down with the PsShutdown command like below.
$ psshutdown \\192.168.122.66 -u Administrator -p 123456Aa -k