Wednesday, 11 July 2012

Using PsExec to execute a process remotely

Every now and then, people (particularly admins) need to be able to execute processes/commands remotely against a machine. PsExec proves to be more than handy in such cases. One of the big advantages of PsExec is that, like many other utilities out there, it lets you execute processes remotely. However, unlike most of them, it does not require you to install/store software on the remote systems that you wish to access.

The simplest example of 'remoting' into another system and firing up the terminal is achieved by executing the following command:
PsExec.exe \\RemoteMachine cmd.exe
It lets you execute commands on the remote machine as if you were logged in there. However, I intentionally left out a couple of details. The user you are executing this command as needs to exist as a user on the remote computer. Frequently, though, the need is to execute a process under some other account on the remote system. In such cases, you can provide the user details as follows:
PsExec.exe \\RemoteMachine -u Domain\username -p password cmd.exe
When you specify a username, the remote process will execute in that account and will have access to that account's network resources. If you omit the username, the remote process will run in the same account from which you execute PsExec, but because the remote process is impersonating, it will not have access to network resources from the remote system. Also, PsExec does not require you to be an admin of the local system. Some commands are available only in the CMD shell (they are built-ins, not executables), so they must be invoked through "cmd /c".

Another important aspect of PsExec, which astute readers will have noticed, is that when you first run PsExec it asks you to accept an EULA. When a script using PsExec is run by different users or by other scripts (in order to automate things), PsExec requires an extra argument: -accepteula. Without this argument the script hangs, waiting for a user to accept the EULA.
PsExec.exe -accepteula \\RemoteMachine -u Domain\username -p password cmd.exe
To run a particular executable and pass it parameters, the command looks like this:
PsExec.exe -accepteula \\RemoteMachine -u Domain\username -p password executable arguments
As can probably be seen, it's a nifty little tool which can be immensely helpful, particularly if telnet or any other remote-access utility is not installed on the remote system, whether due to restrictions on installing software or otherwise.
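The four commands above (plain remote shell, -u for another account, -accepteula for unattended use, and passing arguments to an executable) are steps of one procedure, so here is one PowerShell wrapper that applies all of them together. This is an added example, not code from the original post or from Sysinternals; it assumes PsExec.exe is on PATH (or is given via -PsExecPath), and the function name and parameters are illustrative. It deliberately omits -p: when -u is given without -p, PsExec prompts for a hidden password, which keeps the password out of shell history and process command-line logs.

```powershell
# Added example (not from the original post): a wrapper around the PsExec
# invocations described above. Assumes PsExec.exe is on PATH unless -PsExecPath
# is supplied. Function name and parameters are illustrative.
function Invoke-PsExecCommand {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [Parameter(Mandatory)] [string]   $Command,      # executable to run on the remote host
        [string[]] $Arguments = @(),                     # arguments handed to that executable
        [string]   $UserName,                            # optional Domain\username for the remote process
        [string]   $PsExecPath = 'PsExec.exe'
    )

    # -accepteula first, so an unattended run never hangs on the EULA prompt.
    $psexecArgs = @('-accepteula', "\\$ComputerName")

    if ($UserName) {
        # -u without -p: PsExec prompts for a hidden password rather than taking it on the
        # command line, so it does not end up in shell history or command-line audit logs.
        # The prompt is interactive; for fully unattended jobs, run PsExec under the account
        # you need and omit -u entirely, as the post describes.
        $psexecArgs += @('-u', $UserName)
    }

    # Shell built-ins (dir, set, echo ...) exist only inside cmd, so callers route them
    # through "cmd /c" by passing -Command cmd -Arguments '/c','dir',...
    $psexecArgs += $Command
    $psexecArgs += $Arguments

    & $PsExecPath @psexecArgs

    # PsExec exits with the remote process's exit code; surface it instead of dropping it.
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Remote process on $ComputerName exited with code $LASTEXITCODE"
    }
    return $LASTEXITCODE
}

# Usage:
#   Invoke-PsExecCommand -ComputerName RemoteMachine -Command cmd -Arguments '/c','dir','C:\Windows'
#   Invoke-PsExecCommand -ComputerName RemoteMachine -UserName 'Domain\username' -Command ipconfig -Arguments '/all'
```

The argument array is splatted onto the external command, so each element reaches PsExec as a separate argument and no manual quoting of the remote command line is needed.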

5 comments:

  1. Nice post, but as I feared PsExec is text based and you are exposing your username and password. Don't you think it's a big security hole??

  2. Yes, the password is sent in clear text by PsExec, and this is a security problem. But I guess that's the price one has to pay for not having any utility on the remote system (there is no way for the remote system to decrypt an encrypted password). However, for one-off cases, particularly if no utility is set up on the remote system to facilitate remoting, it's a decent tool. Also, the password is needed in certain cases only, not all.

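The exchange above is about credential exposure on the wire. A complementary check from the defender's side, added here as an example and not part of the original thread: PsExec achieves its "nothing to install" property by copying its service binary to the target's ADMIN$ share and starting it as a Windows service named PSEXESVC for the duration of the session. Each such service installation is recorded by the Service Control Manager as event 7045 in the System log, so PsExec use against a host can be audited after the fact. The script assumes the default service name PSEXESVC (a service renamed with PsExec's -r switch would not match) and the property layout of event 7045 noted in the comments.

```powershell
# Added example (not from the original post or its comments): list PsExec service
# installations recorded in a host's System event log.
# Assumptions: default service name PSEXESVC; 7045 property order as commented below.
function Get-PsExecServiceInstall {
    [CmdletBinding()]
    param(
        [string] $ComputerName = $env:COMPUTERNAME,
        [int]    $Days = 7
    )

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7045                         # "A service was installed in the system"
        StartTime    = (Get-Date).AddDays(-$Days)
    }

    # Get-WinEvent writes an error (not an exception) when nothing matches; silence it.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'PSEXESVC' } |
        ForEach-Object {
            # Assumed property layout of 7045:
            #   0 = service name, 1 = image path, 2 = service type, 3 = start type, 4 = account
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Computer    = $_.MachineName
                ServiceName = $_.Properties[0].Value
                ImagePath   = $_.Properties[1].Value
                RunAs       = $_.Properties[4].Value
            }
        }
}

# Usage (run with rights to read the remote System log):
#   Get-PsExecServiceInstall -ComputerName RemoteMachine -Days 30 | Format-Table -AutoSize
```

Legitimate admin sessions show up here too, so the value of the list is in correlating each entry's time and account against expected maintenance activity rather than in treating every hit as hostile.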
  3. Is it available only with server editions of Windows? I can't find it on Windows XP.

  4. It's not shipped with the OS. It's a part of PsTools and you can get it from http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx

  5. If sending credentials in the clear is your only drawback to using PsExec on your network, might I recommend PAExec
    [available here --> https://www.poweradmin.com/paexec/ ]

    I realize this thread is ancient and dead, but I stumbled upon it over a year later so I suppose others will too...
