{
	"id": "2e3db117-de61-414d-a2e3-13f793f5a75e",
	"created_at": "2026-04-06T00:19:53.331323Z",
	"updated_at": "2026-04-10T03:35:21.466683Z",
	"deleted_at": null,
	"sha1_hash": "0bb9efbed68f5ff9cf366c4204352fa33dba5ab0",
	"title": "PAExec | Server Monitoring Software | Monitor Storage - Power Admin",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 77222,
	"plain_text": "PAExec | Server Monitoring Software | Monitor Storage - Power\r\nAdmin\r\nBy Power Admin LLC\r\nArchived: 2026-04-05 22:20:01 UTC\r\n“We appreciate all your hard work and dedication to getting the problem resolved. Wish more companies had the\r\nsupport that you guys offer.”\r\nTodd W., Beasley Allen, USA\r\nLaunch Remote Windows Apps\r\nPAExec lets you launch Windows programs on remote Windows computers without needing to install software on\r\nthe remote computer first. For example, you could launch CMD.EXE remotely and have the equivalent of a\r\nterminal session to the remote server. PAExec is useful for doing remote installs, checking remote configuration,\r\netc.\r\nhttps://www.poweradmin.com/paexec/https://www.poweradmin.com/paexec/\r\nPage 1 of 9\n\nPAExec - The Redistributable PsExec\r\nMicrosoft's PsExec tool (originally by SysInternal's Mark Russinovich) is a favorite of system administrators\r\neverywhere. It just has one tiny flaw: Microsoft will not allow PsExec to be redistributed.\r\nWe needed something that we could ship, and not finding a suitable replacement, decided to write our own.\r\nAnyone can download and use PAExec. You can include it in your open source, freeware and even commercial\r\napplications. You may distribute it on your website, on CDs, mail to friends, etc. There is no cryptography built in\r\nso there aren't any export restrictions that we know of. See the License for all the legalese.\r\n[Update: When we wrote PAExec, PsExec was not encrypting data sent across the network, so command lines,\r\ncredentials, etc. would be sent in plain text. PAExec didn't either, but it did do a simple XOR scambling of the\r\ndata, so it was a tiny bit safer. As of version 2.1, PsExec now DOES encrypt data sent across the network.]\r\nIs PAExec Malware?\r\nPAExec is a utility program that system administrators in IT use to do their work. As mentioned above, it is very\r\nsimilar to Microsoft's free PsExec utility. Unfortunately, like most tools, it can be used for good or bad, and some\r\nmalware authors include PAExec and/or PsExec in their malware. Because of this, both PAExec and PsExec\r\nhttps://www.poweradmin.com/paexec/https://www.poweradmin.com/paexec/\r\nPage 2 of 9\n\nsometimes get mislabeled as malware. If this happens to you, you can submit a report to your security software\r\nvendor and tell them they have a false report and point them to this page.\r\nPAExec is used daily by IT personnel, and it is included in many legitimate products, including our software.\r\nNeither PAExec nor PsExec get around any operating system security procedures - they are simply using\r\ndocumented APIs to accomplish their job. There are other similar tools and source code available that do the same\r\nthing.\r\nHow to Remove PAExec\r\nIf you are here because you found PAExec on your computer, it is most likely part of a legitimate software\r\npackage (ours, or from many other vendors). Some companies use this utility to update drivers for example.\r\nPAExec is self-contained and doesn't use an installer. You can simply delete PAExec.exe. This might cause issues\r\nwith whatever other product was using it. We don't have any idea who uses PAExec - it is free on the Internet so\r\nany company can download it and use it in their products, which is also how Microsoft's PsExec is distributed.\r\nExamples\r\n PAExec \\\\{server IP address} -s cmd.exe\r\nCreates a telnet-like session on the remote server, running as Local System.\r\n PAExec \\\\{server IP address} ipconfig\r\nView network configuration on the remote server without needing to do an RDP session.\r\n PAExec \\\\{server IP address} -u {username} -p {password} -i -c MyApp.exe\r\nCopy MyApp.exe to the remote server and run it as {username} so that it shows up on the remote server.\r\nUsage\r\nPAExec uses the same command-line options as PsExec, plus a few additonal options of its own. Run PAExec.exe\r\n/? to see a list of supported options, which are also shown below:\r\nhttps://www.poweradmin.com/paexec/https://www.poweradmin.com/paexec/\r\nPage 3 of 9\n\nPAExec is a freely-redistributable re-implementation of\r\nSysInternal/Microsoft's popular PsExec program. PAExec aims to be a drop\r\nin replacement for PsExec, so the command-line usage is identical, with\r\nadditional options also supported. This work was originally inspired by\r\nTalha Tariq's RemCom.\r\nUsage: PAExec [\\\\computer[,computer2[,...]] | @file]\r\n[-u user [-p psswd]|[-p@ file [-p@d]]]\r\n[-n s] [-l][-s|-e][-x][-i [session]][-c [-f|-v] [-csrc path]]\r\n[-lo path][-rlo path][-ods][-w directory][-d][-][-a n,n,...]\r\n[-dfr][-noname][-to seconds] cmd [arguments]\r\nStandard PAExec\\PsExec command line options:\r\n -a Separate processors on which the application can run with\r\n commas where 1 is the lowest numbered CPU. For example,\r\n to run the application on CPU 2 and CPU 4, enter:\r\n -a 2,4\r\n \r\n -c Copy the specified program to the remote system for\r\n execution. If you omit this option the application\r\n must be in the system path on the remote system.\r\n \r\n -d Don't wait for process to terminate (non-interactive).\r\n This option is not compatible with -to\r\n \r\n -e Does not load the specified account's profile.\r\n \r\n -f Copy the specified program even if the file already\r\n exists on the remote system. Requires -c\r\n \r\n -i Run the program so that it interacts with the desktop of the\r\n specified session on the specified system. If no session is\r\n specified the process runs in the console session.\r\n \r\n -h If the target system is Vista or higher, has the process\r\n run with the account's elevated token, if available.\r\n \r\n -l [EXPERIMENTAL] Run process as limited user (strips the\r\n Administrators group and allows only privileges assigned to\r\n the Users group). On Windows Vista the process runs with Low\r\n Integrity.\r\n \r\n -n Specifies timeout in seconds connecting to remote computers.\r\n \r\n -p Specifies optional password for user name. If you omit this\r\nhttps://www.poweradmin.com/paexec/https://www.poweradmin.com/paexec/\r\nPage 4 of 9\n\nyou will be prompted to enter a hidden password. Also see\r\n -p@ and -p@d below.\r\n \r\n -s Run the process in the System account.\r\n \r\n -u Specifies optional user name for login to remote\r\n computer.\r\n \r\n -v Copy the specified file only if it has a higher version number\r\n or is newer than the one on the remote system. Requires -c\r\n \r\n -w Set the working directory of the process (relative to\r\n remote computer).\r\n \r\n -x Display the UI on the Winlogon secure desktop (Local System\r\n only).\r\n \r\n -{priority} Specify -low, -belownormal, -abovenormal, -high or\r\n -realtime to run the process at a different priority. Use\r\n -background to run at low memory and I/O priority on Vista.\r\n \r\n computer Direct PAExec to run the application on the remote\r\n computer or computers specified. If you omit the computer\r\n name PAExec runs the application on the local system,\r\n and if you specify a wildcard (\\\\*), PAExec runs the\r\n command on all computers in the current domain.\r\n \r\n @file PAExec will execute the command on each of the computers\r\n listed in the file.\r\n \r\n program Name of application to execute.\r\n \r\n arguments Arguments to pass (note that file paths must be absolute\r\n paths on the target system).\r\nAdditional options only available in PAExec:\r\n \r\n -cnodel If a file is copied to the server with -c, it is normally\r\n deleted (unless -d is specified). -cnodel indicates the file\r\n should not be deleted.\r\n \r\n -clist When using -c (copy), -clist allows you to specify a text\r\n file that contains a list of files to copy to the target.\r\n The text file should just list file names, and the files\r\n should be in the same folder as the text file.\r\n Example: -c -clist \"C:\\test path\\filelist.txt\"\r\n \r\nhttps://www.poweradmin.com/paexec/https://www.poweradmin.com/paexec/\r\nPage 5 of 9\n\nfilelist.txt might contain:\r\n myapp.exe\r\n mydata.dat\r\n \r\n Myapp.exe and mydata.dat would need to be in C:\\test path\r\n in the example above.\r\n \r\n IMPORTANT: The first file listed is assumed to be the one that\r\n will be executed.\r\n \r\n -clist and -csrc cannot be used together.\r\n \r\n -csrc When using -c (copy), -csrc allows you to specify an\r\n alternate path to copy the program from.\r\n Example: -c -csrc \"C:\\test path\\file.exe\"\r\n \r\n -dbg Output to DebugView (OutputDebugString)\r\n \r\n -dfr Disable WOW64 File Redirection for the new process\r\n \r\n -lo Log Output to file. Ex: -lo C:\\Temp\\PAExec.log\r\n The file will be UTF-8 with a Byte Order Mark at the start.\r\n \r\n -p@ Will read the first line of the given file and use that as the\r\n password. File should be saved as UTF-8 with or without\r\n Byte Order Mark.\r\n \r\n -p@d Deletes the file specified by -p@ as soon as the password is\r\n read.\r\n \r\n -rlo Remote Log Output: Log from remote service to file (on remote\r\n server).\r\n Ex: -rlo C:\\Temp\\PAExec.log\r\n The file will be UTF-8 with a Byte Order Mark at the start.\r\n \r\n -to Timeout in seconds. The launched process must exit within this\r\n number of seconds or it will be terminated. If it is terminated,\r\n the exit code will be -10\r\n This option is not compatible with -d\r\n Ex: -to 15\r\n Terminate the launched process after 15 seconds if it doesn't\r\n shut down first\r\n \r\n -noname In order to robustly handle multiple simultaneous connections to a server,\r\n the source server's name is added to the remote service name and\r\n remote PAExec executable file. If you do NOT want this behavior,\r\n use -noname\r\nhttps://www.poweradmin.com/paexec/https://www.poweradmin.com/paexec/\r\nPage 6 of 9\n\nThe application name, copy source, working directory and log file\r\nentries can be quoted if the path contains a space. For example:\r\nPAExec \\\\test-server -w \"C:\\path with space\" \"C:\\program files\\app.exe\"\r\nLike PsExec, input is sent to the remote system when Enter is pressed,\r\nand Ctrl-C stops the remote process and stops PAExec.\r\nPAExec will scramble the parameters to protect them from casual wire sniffers, but they\r\nare NOT encrypted. Note that data passed between PAExec and the remote program is NOT\r\nscrambled or encrypted. If encryption is needed, use PsExec v2.1 or newer.\r\nPAExec will return the error code it receives from the application that was\r\nlaunched remotely. If PAExec itself has an error, the return code will be\r\none of:\r\n -1 = internal error\r\n -2 = command line error\r\n -3 = failed to launch app (locally)\r\n -4 = failed to copy PAExec to remote (connection to ADMIN$ might have\r\n failed)\r\n -5 = connection to server taking too long (timeout)\r\n -6 = PAExec service could not be installed/started on remote server\r\n -7 = could not communicate with remote PAExec service\r\n -8 = failed to copy app to remote server\r\n -9 = failed to launch app (remotely)\r\n -10 = app was terminated after timeout expired\r\n -11 = forcibly stopped with Ctrl-C / Ctrl-Break\r\n \r\nUpdate Notes:\r\nVersion (and some downloads)\r\nSHA1 Checksum\r\n1.31 - Better handle checks which quiets some false errors. Using a new compiler that no longer supports\r\nWindows XP/Server 2003.\r\n4e150e7cbffa43fb120876221343af15b3332049\r\n1.31 (XP) - Same as 1.31 but compiled with older compiler which still supports XP/2003\r\n4a3233161a909774ecbbc37c8b811b312acd2e7d\r\nhttps://www.poweradmin.com/paexec/https://www.poweradmin.com/paexec/\r\nPage 7 of 9\n\n1.30 - Interactive mode works better when no credentials are given.\r\n61e56575c7565833fe5bfe26c8c0795bfcbbe3b0\r\n1.29 - Tries to use given credentials before making remote connection, handles input redirects, hides destination\r\nwindow if -i not given\r\n0FC135B131D0BB47C9A0AAF02490701303B76D3B\r\n1.28 - Won't create an interactive PAExec service, can run locally as non-administrator if credentials given.\r\n5fd0c019e47d19ec1bcef2a0664bd4f7625dc15c\r\n1.27 - Added exdiva logging to see why the local computer list can't be obtained\r\n1fb0e4efaf0ee0dabc525ff37059a76486311642\r\n1.26 - -s option works on non-English versions of Windows\r\n31754ee85d21ce9188394a939c15a271c2562f93\r\n1.25 - Allow -s and -h options. -h will be silently ignored when combined.\r\n3238e8522bd0e9e1a1de8ba5e845bd44131d38b8\r\n1.24 - Some fixes when launching apps locally\r\nea9c9799394ab8e6a1374832d5e3eec6830d5e56\r\n1.22 - More effort to delete the PAExec-{pid}-{source} service on the target computer, compiling with a new\r\ncompiler\r\nf9ff4582f6c3d68c84aa2d1da913b51b440ae68e\r\n1.21 - Added -p@ and -p@d options\r\n820dee796573b93f154cfa484c35354e41ef7a51\r\n1.19 - Silently ignore /accepteula\r\n8f1646da42c1602de60a61eb6bf10ae10394593b\r\n1.18 - Reworked the -i flag. Added the -noname flag.\r\n1daf79b3aa3172446b829b04d7478ac8cc0ea130\r\n1.17 - Uses a uniquely-named service and executable filename so multiple instances can run at once\r\ne742288f30a4c052add983a96ea005e8bfb0bbde\r\n1.16 - Improved error logging\r\nhttps://www.poweradmin.com/paexec/https://www.poweradmin.com/paexec/\r\nPage 8 of 9\n\n1.15 - Better clean up of service with multiple clients connecting\r\n1.14 - Better support for interactive sessions\r\n1.13 - Fix so -h fails gracefully on x64 XP and 2003\r\n1.12 - Fix to -cnodel option. -u and -s can be specified together\r\n1.11 - Fix to the -h implementation\r\n1.10 - Added support for -h, and blank passwords\r\n1.9 - Running with -d will show PID of started process\r\n1.8 - Minor improvement to command-line parsing\r\n1.7 - Multiple PAExec's can be running against the same target computer\r\n1.6 - Added the -to option\r\n1.5 - Fixed some command-line parsing problems\r\n1.4 - Added the -clist option for copying lists of files\r\n1.3 - Works on Windows 2000 now\r\nSource: https://www.poweradmin.com/paexec/https://www.poweradmin.com/paexec/\r\nhttps://www.poweradmin.com/paexec/https://www.poweradmin.com/paexec/\r\nPage 9 of 9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.poweradmin.com/paexec/https://www.poweradmin.com/paexec/"
	],
	"report_names": [
		"paexec"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434793,
	"ts_updated_at": 1775792121,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0bb9efbed68f5ff9cf366c4204352fa33dba5ab0.pdf",
		"text": "https://archive.orkl.eu/0bb9efbed68f5ff9cf366c4204352fa33dba5ab0.txt",
		"img": "https://archive.orkl.eu/0bb9efbed68f5ff9cf366c4204352fa33dba5ab0.jpg"
	}
}