The Windows operating system provides several ways to manage remote systems; Telnet, RDP and VNC are some of them. RDP and VNC are bound to a graphical user interface, and Telnet sends everything, including the logon credentials, in clear text. If we prefer a command-line interface there is an alternative named PsExec.
PsExec is actually part of a toolset, PsTools, consisting of the following tools.
PsExec: executes commands on a remote system or gets a shell from it
PsFile: lists and closes files that are opened remotely (over the network) on a system
PsGetSid: displays the security identifier (SID) of a computer or a user
PsInfo: gets detailed information about the remote system
PsKill: kills a process on the remote system by name or by ID
PsList: lists processes in detail on the remote system
PsLoggedOn: lists users logged on to the remote system
PsLogList: lists event logs residing on the remote system
PsPasswd: changes the given user's password on the remote system
PsPing: measures ICMP and TCP reachability, latency and bandwidth from the local system
PsService: lists and manages Windows services on the remote system
PsShutdown: shuts down, logs off, suspends or restarts the remote Windows system
PsSuspend: suspends and resumes processes on the remote Windows system
PsUptime: displays remote system uptime
Most of these tools are provided as 32-bit and 64-bit builds (for example psexec.exe and psexec64.exe); use the binary that matches the architecture of the system you run it from.
Download Psexec Tools
PsTools is developed by Mark Russinovich and is part of the Sysinternals suite, which provides many tools for system management and for inspecting Windows internals. PsTools can be downloaded from the Sysinternals web site at the following link.
https://download.sysinternals.com/files/PSTools.zip
Run Command Remote System
The most basic use of PsExec is simply running a command on the remote system. Under the hood PsExec connects to the target's ADMIN$ share over SMB (TCP 445), copies its service binary PSEXESVC.exe there, installs and starts the PSEXESVC service, and has that service launch the requested program with its console redirected back to us; the service and the binary are removed again when the program exits. The account we use therefore needs local administrator rights on the target, and the admin share must be reachable. The user name and password are given with -u and -p; if -p is omitted, PsExec prompts for the password, which keeps it out of the command line, the local process list and shell history. PsExec versions before 2.1 sent the password to the target in clear text, so use a current build. The syntax of PsExec is as follows.
psexec \\[Computer_name or IP] [options] [command] [command_arguments]
In this example we will run the ipconfig command on the remote system whose IP address is 192.168.122.66. The user name is Administrator and the password is 123456Ww.
$ psexec \\192.168.122.66 -u Administrator -p 123456Ww ipconfig

As we can see, the command is executed on the remote system without any problem.
Redirect Psexec Command Output
After running the command on the remote system, the command output is printed to the current standard output, i.e. our local shell. It can be redirected into a file with >. PsExec writes its own banner and the "exited with error code" line to standard error, so only the remote command's output lands in the file; add 2>nul to silence the banner, or 2> somefile to keep it for troubleshooting. If we have many remote systems to run the command on, this is very useful.
$ psexec \\192.168.122.66 -u Administrator -p 123456Ww ipconfig > 192.168.122.66_ipconfig
In this example the ipconfig command output is saved into a file named 192.168.122.66_ipconfig.
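Running the same command against a list of hosts and keeping one output file per host is the obvious next step. The following is an added example (not code from the page or from Sysinternals) that wraps psexec.exe from Python: it keeps stdout and stderr apart, propagates PsExec's exit code (which is the remote program's exit code), and reads the password interactively so it never ends up in shell history. It assumes psexec.exe is on PATH and that the account is a local administrator on every target; the password still appears on psexec's command line on the local machine, because PsExec offers no other non-interactive way to pass it. The second host, 192.168.122.67, is assumed.

```python
"""Run one command through PsExec on many hosts, one output file per host.

Added example: not code from the page or from Sysinternals.  Assumes psexec.exe
is on PATH and the account is a local administrator on every target.
"""
import subprocess
from pathlib import Path


def psexec_argv(host, user, password, command, args=()):
    """argv for: psexec -accepteula \\host -u user -p password command args...

    -accepteula is a real PsExec switch that suppresses the first-run EULA
    dialog, which would otherwise hang an unattended run.
    """
    return ["psexec", "-accepteula", f"\\\\{host}", "-u", user, "-p", password,
            command, *args]


def run_on_hosts(hosts, user, password, command, args=(), runner=subprocess.run):
    """Return {host: (exit_code, stdout, stderr)} for every host.

    PsExec prints its banner and the "exited with error code N" line on stderr
    and returns the remote program's exit code, so stdout is exactly the remote
    output and the return code says whether the remote command succeeded.
    `runner` is injectable so the logic can be exercised without PsExec present.
    """
    results = {}
    for host in hosts:
        argv = psexec_argv(host, user, password, command, args)
        try:
            proc = runner(argv, capture_output=True, text=True, timeout=120)
        except subprocess.TimeoutExpired:
            results[host] = (None, "", "psexec timed out")
            continue
        results[host] = (proc.returncode, proc.stdout, proc.stderr)
    return results


def write_outputs(results, command, outdir):
    """Save each host's stdout as <outdir>/<host>_<command>, like the page's > redirect.

    Hosts that failed also get a .err file holding PsExec's stderr for triage.
    """
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    written = []
    for host, (rc, out, err) in results.items():
        path = outdir / f"{host}_{command}"
        path.write_text(out)
        if rc != 0:
            (outdir / f"{host}_{command}.err").write_text(err)
        written.append(path)
    return written


def failed_hosts(results):
    """Hosts where PsExec could not run the command or the command returned non-zero."""
    return sorted(h for h, (rc, _, _) in results.items() if rc != 0)


if __name__ == "__main__":
    import getpass
    hosts = ["192.168.122.66", "192.168.122.67"]          # page's host plus one assumed host
    pw = getpass.getpass("Password for Administrator: ")  # keeps the password out of history
    res = run_on_hosts(hosts, "Administrator", pw, "ipconfig")
    write_outputs(res, "ipconfig", "psexec_output")
    print("failed:", failed_hosts(res))
```

A non-zero exit code does not distinguish "PsExec could not reach the host" from "ipconfig itself failed"; the saved stderr makes that distinction, which is why it is kept only for the failed hosts.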
Pass The Hash
In the previous example we provided the clear-text password. That is not the only option: with the NTLM hash of the user's password it is possible to authenticate without knowing the password itself (pass the hash). The Sysinternals PsExec has no switch for this, though; -p only accepts a plain-text password, so a hash given to -p is simply treated as a wrong password. Pass the hash with PsExec is done in one of two ways. With Mimikatz (which needs administrative rights on the local machine), sekurlsa::pth starts a new process whose logon session carries the hash; PsExec run from that process authenticates to the target without -u and -p. For a local account, use the target's computer name as the domain.
$ mimikatz.exe "sekurlsa::pth /user:Administrator /domain:<domain> /ntlm:<NTLM_hash> /run:cmd.exe" exit
$ psexec \\192.168.122.66 ipconfig
Alternatively, Impacket's psexec.py (a reimplementation of the same technique) accepts the hash directly with -hashes LMHASH:NTHASH; the LM part may be left empty.
$ psexec.py -hashes :<NTLM_hash> Administrator@192.168.122.66 ipconfig
Copy Command From Local To The Remote System
Running commands on the remote system is a very useful feature, but there is another feature that eases the job of system administrators and pen-testers. PsExec can copy the program to run from the local system to the remote system with the -c option. The copied executable is deleted from the remote system once it has finished. If a file with that name already exists on the target, -f forces it to be overwritten and -v copies only when the local file is newer.
In this example we will copy cmd.exe. After the copy operation is finished, cmd.exe will be started on the remote system. (cmd.exe exists on every Windows system, so here -c only demonstrates the mechanism; it becomes useful for tools that are not present on the target.)
$ psexec \\192.168.122.66 -u Administrator -p 123456Ww -c cmd.exe

As we can see we get a cmd shell on the remote system.
Run Command As System User
While running commands on the remote system, the process runs with the privileges of the user we provided. If we need the remote command to run as the Local System account instead, we provide the -s option. This gives SYSTEM privileges, which exceed those of a local administrator.
In this example we will use regedit.exe. Note that regedit is a GUI program: without -i it starts in the non-interactive service session and nobody sees its window, so add -i (see the next section) when the program has to be visible on the remote desktop.
$ psexec \\192.168.122.66 -u Administrator -p 123456Ww -s regedit.exe
Run GUI Application On the Remote System
Windows operating systems provide a GUI by default. PsExec can open a GUI application on the remote system in the specified user's console with -i; "user console" simply means the user's desktop. -i optionally takes a session ID (-i 2, for example) when the target has several logged-on sessions.
In this example we will start notepad.exe on the remote system. The Administrator user logged on to the remote system can interact with this Notepad window.
$ psexec \\192.168.122.66 -u Administrator -p 123456Ww -i notepad.exe

We get our local shell back after the remote user closes Notepad. After it closes, the exit code is printed on the PsExec console.
Create Interactive Shell On The Remote System
Up to now we have run single commands remotely: after the command finishes, the connection to the remote system is closed. PsExec can also provide a persistent remote shell. It connects to the remote system and gives us a command prompt (cmd.exe) whose input and output are redirected to our local console. To get a remote shell, we run cmd.exe on the remote system.
$ psexec \\192.168.122.66 -u Administrator -p 123456Ww cmd.exe

Run Regedit with System Privileges
The Windows registry can be managed with the GUI tool named "Regedit". Regedit normally runs as the current user, but in some cases editing the local registry with "System" privileges is required, for example to read the HKLM\SAM and HKLM\SECURITY hives, which are not accessible even to administrators. We can open Regedit with System privileges using the following PsExec command on the local system; -i is needed so that the window appears on our desktop.
$ psexec -s -i regedit.exe
Psexec Tools
Up to now we have generally passed an arbitrary command to run on the remote system. A system administrator's daily operations do not change much, so the PsTools toolkit provides dedicated commands for the common ones that run directly, without a command as a parameter. We will look at these tools below.
List File On the Remote System With PsFile
The PsFile command lists or closes files that are opened remotely on a system (files opened over the network, for example through shares, the same set the net file command shows); it does not list the contents of a directory. An ID or a path prefix can be appended to show only matching entries (for example C:\Users\ to see only remotely opened files under that directory), and -c closes them. The syntax is very similar to PsExec. In this example we list all remotely opened files on the remote system.
$ psfile \\192.168.122.66 -u Administrator -p 123456Ww

List SID’s On The Remote System With PsGetSid
A SID (security identifier) identifies a Windows computer, user or group uniquely, unlike a name, which can be reused. Without a further argument PsGetSid shows the SID of the remote computer, which is also the prefix of all of its local account SIDs; append an account name to get that account's SID instead.
$ psgetsid \\192.168.122.66 -u Administrator -p 123456Ww

Get Remote System Information With PSInfo
PsInfo is a tool used to get remote system information such as uptime, version and Windows edition. The -h, -s and -d options additionally list installed hotfixes, installed software and disk volumes.
$ psinfo \\192.168.122.66 -u Administrator -p 123456Ww

PsInfo reports the following about the remote system:
Uptime: how long the system has been running (days, hours, minutes, seconds)
Kernel version: the operating system kernel version
Product type: the Windows edition type (Professional, Server, and so on)
Product version: the operating system version
Kernel build number: the build number of the kernel
Registered organization: the organization entered at installation
Registered owner: the owner entered at installation
IE version: the installed Internet Explorer version
System root: where the operating system is installed
Processors: the number of processors
Processor speed: the processor clock speed
Processor type: the detailed processor name and model
Physical memory: the installed RAM
Video driver: the name of the currently loaded display driver
List Process At The Remote System With PsList
Processes running on the remote system can be easily listed with the PsList command.
$ pslist \\192.168.122.66 -u Administrator -p 123456Ww

The output provides the following information about each remote process.
Name: the executable file name (without extension)
Pid: the process ID, which identifies the process
Pri: the base priority, which affects how the process is scheduled under heavy load
Thd: the thread count
Hnd: the handle count (all kernel object handles the process holds, not only files)
Priv: the private (committed) memory in KB
CPU Time: the total CPU time the process has consumed
Elapsed Time: the time since the process was started
Kill Process At The Remote System With PsKill
Processes running on the remote system can be easily killed with the PsKill command. To kill a process we provide the process ID or the process name as argument; note that killing by name terminates every process with that name. We will kill the remote process with process ID 2064.
$ pskill \\192.168.122.66 -u Administrator -p 123456Ww 2064

We get a message saying "Process 2064 on 192.168.122.66 killed."
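The PsList column list above and the PsKill step go together in practice: find the process, then kill it by PID rather than by name. The following is an added example, not code from the page or from Sysinternals, that parses PsList's default output into records, picks processes by name or by CPU time, and builds the matching pskill command line. The PsList output embedded below is constructed to match the column layout described above; it is not a capture from 192.168.122.66.

```python
"""Parse PsList output and pick processes to hand to PsKill.

Added example, not code from the page or from Sysinternals.  PSLIST_SAMPLE is
constructed to match PsList's default columns; it is not a real capture.
"""
from dataclasses import dataclass

PSLIST_SAMPLE = """\
Process information for 192.168.122.66:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle                  0   0   2    0      0   0:12:01.375     0:06:33.218
System                4   8  89 1204     48   0:00:07.203     0:06:33.218
smss                248  11   2   29    340   0:00:00.046     0:06:33.218
csrss               324  13   9  412   1764   0:00:00.281     0:06:28.437
services            488   9   6  221   3968   0:00:01.843     0:06:26.125
svchost             612   8  11  409   4120   0:00:00.609     0:06:25.640
svchost             708   8  18  651   8212   0:00:03.265     0:06:25.312
notepad            2064   8   1   62   1540   0:00:00.125     0:01:12.500
"""

PROTECTED_PIDS = {0, 4}  # Idle and System: killing these is never what we want


@dataclass
class Proc:
    name: str
    pid: int
    pri: int
    thd: int
    hnd: int
    priv_kb: int          # PsList's Priv column: private bytes in KB
    cpu_seconds: float
    elapsed_seconds: float


def _duration(text):
    """'h:mm:ss.mmm' -> seconds."""
    h, m, s = text.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_pslist(text):
    """Turn PsList's table into Proc records; banner lines before the header are skipped."""
    procs, in_table = [], False
    for line in text.splitlines():
        if not in_table:
            in_table = line.startswith("Name") and "Pid" in line  # column header
            continue
        if not line.strip():
            continue
        # Split from the right so a process name containing spaces stays intact.
        parts = line.rsplit(None, 7)
        if len(parts) != 8:
            continue  # not a process row (e.g. the banner of a second host)
        name, pid, pri, thd, hnd, priv, cpu, elapsed = parts
        procs.append(Proc(name, int(pid), int(pri), int(thd), int(hnd), int(priv),
                          _duration(cpu), _duration(elapsed)))
    return procs


def pids_by_name(procs, name):
    """All PIDs whose image name matches (case-insensitively); svchost gives several."""
    return [p.pid for p in procs if p.name.lower() == name.lower()]


def top_cpu(procs, n=3):
    """The n processes that have consumed the most CPU time."""
    return sorted(procs, key=lambda p: p.cpu_seconds, reverse=True)[:n]


def pskill_argv(host, user, pid):
    """argv for: pskill \\host -u user pid  (no -p, so PsKill prompts for the password).

    Killing by PID avoids PsKill's by-name behaviour of terminating every
    process with that name (all svchost instances, say).
    """
    if pid in PROTECTED_PIDS:
        raise ValueError(f"refusing to kill protected pid {pid}")
    return ["pskill", f"\\\\{host}", "-u", user, str(pid)]


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_SAMPLE)
    for p in top_cpu(procs):
        print(f"{p.name:<12} pid={p.pid:<5} cpu={p.cpu_seconds:.3f}s")
    for pid in pids_by_name(procs, "notepad"):
        print(" ".join(pskill_argv("192.168.122.66", "Administrator", pid)))
```

Feed real PsList output in with something like parse_pslist(subprocess.run([...], capture_output=True, text=True).stdout); the parser keys on the column header, so PsList's banner lines do not need to be stripped first.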
List Event Logs On The Remote System With PsLogList
Remote system event logs can easily be dumped to the local system with the PsLogList command. Without further arguments it dumps the whole System log of the remote system, which floods the console (another log can be named as an argument, for example Security or Application). For the example we therefore limit the output to the last 5 minutes of events with the -m option.
$ psloglist \\192.168.122.66 -u Administrator -p 123456Ww -m 5

Change Password On The Remote System With PsPasswd
Passwords of users on the remote system can easily be changed with the PsPasswd command. In this example we change the Administrator user's password to 123456Aa. The new password is passed in clear text on the command line, so the same caveats about process listings and shell history apply. Note that the later examples use the new password.
$ pspasswd \\192.168.122.66 -u Administrator -p 123456Ww Administrator 123456Aa

Ping With PsPing
Another useful tool is PsPing. By default it sends ICMP echo requests like ping; it can also test TCP connectivity to a given port (psping host:port) and measure latency and bandwidth. Unlike the other tools, it runs on the local system and is not executed on a remote host.
$ psping google.com
Manage Service On The Remote System With PsService
The PsService command is used to list, start and stop services on the remote system.
List Services
We can list the remote services with the query option.
$ psservice \\192.168.122.66 -u Administrator -p 123456Aa query

Start Service Remotely
A remote service can be started with the start option. In this example we will start the service named ALG.
$ psservice \\192.168.122.66 -u Administrator -p 123456Aa start ALG

After the service has started, information about the service is printed.
Stop Service Remotely
We will stop the ALG service in the following example.
$ psservice \\192.168.122.66 -u Administrator -p 123456Aa stop ALG

Shutdown, Reboot, Suspend Remote System With PSShutdown
The remote system can be shut down with the PsShutdown command as shown below; -k powers the computer off. Other actions are -r to reboot, -o to log off the console user, -d to suspend and -h to hibernate. By default PsShutdown waits 20 seconds before acting (change it with -t), and -f forces running applications to close without prompting; -a aborts a pending shutdown.
$ psshutdown \\192.168.122.66 -u Administrator -p 123456Aa -k
Great article. Thank you for doing this. How do you get the Hash of the password?
Hi,
There are different ways, but the most used way is using mimikatz, especially in penetration tests.
Best article on psexec that I have ever come across. Thank you for the detailed information.