{ "id": "31076c51-efba-4147-9035-e42422dad9fc", "created_at": "2026-04-06T00:19:35.600785Z", "updated_at": "2026-04-10T03:35:21.572124Z", "deleted_at": null, "sha1_hash": "72007bfa390c819c87d8240b151d512231f0e5a3", "title": "PsExec - Sysinternals", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 65083, "plain_text": "PsExec - Sysinternals\r\nBy markruss\r\nArchived: 2026-04-05 16:50:25 UTC\r\nBy Mark Russinovich\r\nPublished: April 11, 2023\r\nDownload Download PsTools (5 MB)\r\nIntroduction\r\nUtilities like Telnet and remote control programs like Symantec's PC Anywhere let you execute programs on\r\nremote systems, but they can be a pain to set up and require that you install client software on the remote systems\r\nthat you wish to access. PsExec is a light-weight telnet-replacement that lets you execute processes on other\r\nsystems, complete with full interactivity for console applications, without having to manually install client\r\nsoftware. PsExec's most powerful uses include launching interactive command-prompts on remote systems and\r\nremote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote\r\nsystems.\r\nNote: some anti-virus scanners report that one or more of the tools are infected with a \"remote admin\" virus. None\r\nof the PsTools contain viruses, but they have been used by viruses, which is why they trigger virus notifications.\r\nInstallation\r\nJust copy PsExec onto your executable path. Typing \"psexec\" displays its usage syntax.\r\nUsing PsExec\r\nSee the July 2004 issue of Windows IT Pro Magazine for Mark's article that covers advanced usage of PsExec.\r\nUsage:\r\npsexec [\\\\\\\\computer[,computer2[,...] | @file]][-u user [-p psswd]][-n s][-r servicename][-h][-l][-s|-e][-x][-i\r\nParameter Description\r\n-a\r\nSeparate processors on which the application can run with commas where 1 is the lowest\r\nnumbered CPU. For example, to run the application on CPU 2 and CPU 4, enter: \"-a 2,4\"\r\n-c\r\nCopy the specified executable to the remote system for execution. If you omit this option the\r\napplication must be in the system path on the remote system.\r\nhttps://technet.microsoft.com/en-us/sysinternals/bb897553.aspx\r\nPage 1 of 4\n\nParameter Description\r\n-d Don't wait for process to terminate (non-interactive).\r\n-e Does not load the specified account’s profile.\r\n-f Copy the specified program even if the file already exists on the remote system.\r\n-i\r\nRun the program so that it interacts with the desktop of the specified session on the remote\r\nsystem. If no session is specified the process runs in the console session. This flag is required\r\nwhen attempting to run console applications interactively (with redirected standard IO).\r\n-h\r\nIf the target system is Vista or higher, has the process run with the account's elevated token, if\r\navailable.\r\n-l\r\nRun process as limited user (strips the Administrators group and allows only privileges\r\nassigned to the Users group). On Windows Vista the process runs with Low Integrity.\r\n-n Specifies timeout in seconds connecting to remote computers.\r\n-p\r\nSpecifies optional password for user name. If you omit this you will be prompted to enter a\r\nhidden password.\r\n-r Specifies the name of the remote service to create or interact with.\r\n-s Run the remote process in the System account.\r\n-u Specifies optional user name for login to remote computer.\r\n-v\r\nCopy the specified file only if it has a higher version number or is newer on than the one on the\r\nremote system.\r\n-w Set the working directory of the process (relative to remote computer).\r\n-x Display the UI on the Winlogon secure desktop (local system only).\r\n-priority\r\nSpecifies -low, -belownormal, -abovenormal, -high or -realtime to run the process at a different\r\npriority. Use -background to run at low memory and I/O priority on Vista.\r\ncomputer\r\nDirect PsExec to run the application on the remote computer or computers specified. If you\r\nomit the computer name, PsExec runs the application on the local system, and if you specify a\r\nwildcard (\\\\*), PsExec runs the command on all computers in the current domain.\r\n@file PsExec will execute the command on each of the computers listed in the file.\r\ncmd Name of application to execute.\r\narguments Arguments to pass (note that file paths must be absolute paths on the target system).\r\nhttps://technet.microsoft.com/en-us/sysinternals/bb897553.aspx\r\nPage 2 of 4\n\nParameter Description\r\n-\r\naccepteula\r\nThis flag suppresses the display of the license dialog.\r\n-nobanner This flag suppresses the startup banner and copyright message.\r\nYou can enclose applications that have spaces in their name with quotation marks e.g.\r\npsexec \\\\marklap \"c:\\\\long name app.exe\"\r\nInput is only passed to the remote system when you press the Enter key. Typing Ctrl-C terminates the remote\r\nprocess.\r\nIf you omit a user name, the process will run in the context of your account on the remote system, but will not\r\nhave access to network resources (because it is impersonating). Specify a valid user name in the Domain\\User\r\nsyntax if the remote process requires access to network resources or to run in a different account. Note that the\r\npassword and command are encrypted in transit to the remote system.\r\nError codes returned by PsExec are specific to the applications you execute, not PsExec.\r\nExamples\r\nThis article I wrote describes how PsExec works and gives tips on how to use it:\r\nThe following command launches an interactive command prompt on \\\\marklap :\r\npsexec -i \\\\marklap cmd\r\nThis command executes IpConfig on the remote system with the /all switch, and displays the resulting output\r\nlocally:\r\npsexec -i \\\\marklap ipconfig /all\r\nThis command copies the program test.exe to the remote system and executes it interactively:\r\npsexec -i \\\\marklap -c test.exe\r\nSpecify the full path to a program that is already installed on a remote system if its not on the system's path:\r\npsexec -i \\\\marklap c:\\bin\\test.exe\r\nRun Regedit interactively in the System account to view the contents of the SAM and SECURITY keys::\r\nhttps://technet.microsoft.com/en-us/sysinternals/bb897553.aspx\r\nPage 3 of 4\n\npsexec -i -d -s c:\\windows\\regedit.exe\r\nTo run Internet Explorer as with limited-user privileges use this command:\r\npsexec -l -d \"c:\\program files\\internet explorer\\iexplore.exe\"\r\nDownload Download PsTools (5 MB)\r\nPSTools\r\nPsExec is part of a growing kit of Sysinternals command-line tools that aid in the administration of local and\r\nremote systems named PsTools.\r\nRuns on:\r\nClient: Windows 8.1 and higher.\r\nServer: Windows Server 2012 and higher.\r\nSource: https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx\r\nhttps://technet.microsoft.com/en-us/sysinternals/bb897553.aspx\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "references": [ "https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx" ], "report_names": [ "bb897553.aspx" ], "threat_actors": [ { "id": "2864e40a-f233-4618-ac61-b03760a41cbb", "created_at": "2023-12-01T02:02:34.272108Z", "updated_at": "2026-04-10T02:00:04.97558Z", "deleted_at": null, "main_name": "WildCard", "aliases": [], "source_name": "ETDA:WildCard", "tools": [ "RustDown", "SysJoker" ], "source_id": "ETDA", "reports": null }, { "id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e", "created_at": "2023-11-30T02:00:07.299845Z", "updated_at": "2026-04-10T02:00:03.484788Z", "deleted_at": null, "main_name": "WildCard", "aliases": [], "source_name": "MISPGALAXY:WildCard", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434775, "ts_updated_at": 1775792121, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/72007bfa390c819c87d8240b151d512231f0e5a3.pdf", "text": "https://archive.orkl.eu/72007bfa390c819c87d8240b151d512231f0e5a3.txt", "img": "https://archive.orkl.eu/72007bfa390c819c87d8240b151d512231f0e5a3.jpg" } }