How to Run Commands and Programs Remotely Using PsExec

Last Update: Nov 15, 2023 | Published: Oct 03, 2022

Windows

SHARE ARTICLE

PsExec is a command-line utility program for Windows written by none other than Mark Russinovich, the current CTO of Microsoft Azure. It’s still being updated as part of the SysInternals suite of utilities.

PsExec allows you to run programs locally, and, more importantly, on remote computers. You can even kick off similar commands on multiple servers at the same time! I’ll show you how to do that and more in this article.

PsExec is certainly privileged to be in any IT pros ‘top 10 toolbelt of utilities.’ I recently updated my ‘The Complete Guide to Robocopy‘ post – PsExec is just like Robocopy in terms of its sheer sense of power and flexibility.

How to install PsExec

The only core prerequisite on your local computer is to be running a modern, supported version of Windows. PsExec will even run on Windows XP, but, we know that is not a good idea, don’t we?

There are a few more items to be aware of when running commands on remote computers. I’ll get to those in a bit.

The most common way to install PsExec is to download it from the Sysinternals website and install it. To make it easy for you, here is a direct link to the PsTools.zip file.

Setting up remote computers

In order for remote computers to accept your PsExec commands, you need to make sure of two items – ‘File and Printer Sharing’, and the ‘admin$’ share.

File and Printer Sharing uses the TCP port 445. You can verify this is open by using the Windows Firewall control panel on the remote computer and making sure it is enabled for the appropriate network category you’re using. As I am using my Windows Server 2022 Active Directory Hyper-V lab environment, I just need to make sure that is enabled for the Domain profile.

Making sure 'File and Printer Sharing' is set for the appropriate firewall profile
Making sure ‘File and Printer Sharing’ is set for the appropriate firewall profile

You also need to verify that the ‘admin$’ administrative share is enabled and accessible. A quick and easy way to validate this is to open File Explorer, click the Address bar, and type in \\servername\admin$

Hit Enter and it should open up. If you get an error, you’ll need to open Computer Management on the remote computer, expand Shared Folders, and click Shares. Make sure you see the ‘ADMIN$’ share listed.

Validating that the 'ADMIN$' administrative share is enabled on remote computers...
Validating that the ‘ADMIN$’ administrative share is enabled on remote computers…

Security considerations

There are always security-related considerations when you’re going to be accessing a computer remotely. The most important one for PsExec is probably the File and Printer Sharing setting. Make sure you verify what firewall profile you’re using. Then, validate that only that profile has File and Printer Sharing enabled.

Sweet Tip: Running this PowerShell command from my Windows 11 workstation on my domain verifies or enables the ‘File and Printer Sharing’ firewall rule on the ‘Domain’ profile on my four domain controllers. Sure beats logging into each one!

Invoke-Command -ComputerName ws16-dc1, ws16-dc2, ws19-dc3, ws22-dc4 -ScriptBlock { Set-NetFirewallRule -DisplayGroup "File And Printer Sharing" -Enabled True -Profile Domain }

Works like a charm!

Understanding the PsExec syntax

Once you have the PsExec utility extracted, you can simply run it from a command prompt or Terminal window. The first time, you will get prompted for the EULA. Click Accept. Or, run the command with the /accepteula switch and you’re good.

The basic syntax is:

psexec(64) -switches computer command

If you omit the ‘computer’, it will run locally.

Command options

Here’s an inclusive table that shows you all the command switches and arguments possible when running PsExec.

ParameterDescription
-aSeparate processors on which the application can run with commas where 1 is the lowest numbered CPU. For example, to run the application on CPU 2 and CPU 4, enter: “-a 2,4”
-cCopy the specified executable to the remote system for execution. If you omit this option the application must be in the system path on the remote system.
-dDon’t wait for process to terminate (non-interactive).
-eDoes not load the specified account’s profile.
-fCopy the specified program even if the file already exists on the remote system.
-iRun the program so that it interacts with the desktop of the specified session on the remote system. If no session is specified the process runs in the console session. This flag is required when attempting to run console applications interactively (with redirected standard IO).
-hIf the target system is Vista or higher, has the process run with the account’s elevated token, if available.
-lRun process as limited user (strips the Administrators group and allows only privileges assigned to the Users group). On Windows Vista the process runs with Low Integrity.
-nSpecifies timeout in seconds connecting to remote computers.
-pSpecifies optional password for user name. If you omit this you will be prompted to enter a hidden password.
-rSpecifies the name of the remote service to create or interact with.
-sRun the remote process in the System account.
-uSpecifies optional user name for login to remote computer.
-vCopy the specified file only if it has a higher version number or is newer on than the one on the remote system.
-wSet the working directory of the process (relative to remote computer).
-xDisplay the UI on the Winlogon secure desktop (local system only).
-prioritySpecifies -low, -belownormal, -abovenormal, -high or -realtime to run the process at a different priority. Use -background to run at low memory and I/O priority on Vista.
computerDirect PsExec to run the application on the remote computer or computers specified. If you omit the computer name, PsExec runs the application on the local system, and if you specify a wildcard (\\*), PsExec runs the command on all computers in the current domain.
@filePsExec will execute the command on each of the computers listed in the file.
cmdName of application to execute.
argumentsArguments to pass (note that file paths must be absolute paths on the target system).
-accepteulaThis flag suppresses the display of the license dialog.
Command Options for PsExec

There are no specific error codes for PsExec. Any exit or error codes you see will be from the commands you run remotely on the other computer(s).

How to use PsExec to run commands on a local PC

Although PsExec’s prowess and reputation stem from running commands on remote systems, you can run commands locally if you wish. If you don’t include the ‘computer’ switch, PsExec will execute the command on your local system. Here is an example.

psexec -s cmd
whoami
hostname
Running a remote command on another computer with PsExec
Running a remote command on another computer

As you can see, a new session of cmd.exe is started using the ‘-s’ switch which opens it using the local SYSTEM account. Then, the output to the ‘whoami’ and ‘hostname’ commands are returned. Yes, I know, pretty basic.

How to use PsExec to run commands on a single remote computer

As we get more advanced, we start to delve into running commands remotely, saving oodles of time. Let’s try running some commands remotely from our Windows 11 workstation to my domain controllers.

psexec \\ws19-dc3 hostname
Another simple PsExec command running on a remote Domain Controller (DC)
Another simple command running on a remote Domain Controller (DC)

Although this is still pretty simplistic, it can be very handy when setting up new servers or troubleshooting some TCP/IP or Active Directory headaches.

How to use PsExec to run commands on multiple remote computers

Now, let’s hit Warp 9 and engage! I’ll next introduce you to the true power of the dark side…wait, I keep getting these two mixed up. Let me start again.

The robustness and efficiency of PsExec really shines when we start running multiple commands on multiple remote computers. 

Using comma-separated computer names

The first and most straightforward method is to use comma-separated computer names. You probably noticed a variation of this towards the beginning of my post. Let’s run the hostname command on all four of my domain controllers.

psexec \\ws16-dc1,ws16-dc2,ws19-dc4,ws22-dc4 ipconfig
Running 'ipconfig /all' on my four DCs! with PsExec
Running ‘ipconfig /all’ on my four DCs!

Now, THAT is handy! An easy way to get each computer’s IP address. And this is just off the top of my head. Many IT pros can probably think of a lot of examples of running commands at the command line on many computers takes time… not anymore!

Using a text file containing multiple computer names

You also have the option to use a text file containing computer names as input for remote computers. I created a computers.txt file and added my 4 DC hostnames, one on each line. I can now use this command to accomplish the same task.

psexec @computers.txt whoami
Using a text file to run commands on multiple remote computers with PsExec
Using a text file to run commands on multiple remote computers

Sweet tip: Need to gather a list of all your domain’s computer object hostnames quickly? Here’s a PowerShell command you can run using Get-AdComputer.

(Get-AdComputer -Filter *).Name | Out-File computers.txt 

Excellent!

Using a wildcard to run a process on all computers in a domain

Now here is a powerful option you have with PsExec: Using a wildcard character to run a command on all the computers in a domain.

It goes without saying that there is some planning required here before executing this. You need to verify your remote prerequisites are in place. You also need to know the ramifications. You aren’t likely to run ‘format c:’ on all your domain computers. I know, I know, but careful planning is advised.

Obviously running ‘ipconfig /flushdns’ could be immensely helpful to quickly blanket your domain with a LAN DNS update!

psexec \\* ipconfig /flushdns

PsExec command examples

Here, we will discover more intermediate and advanced options you have with PsExec in terms of performing more robust tasks on remote computers. I guarantee you’ll find several of these useful in your day-to-day duties as an IT pro or systems engineer!

Running a remote command

A great example of running a remote command is starting CMD, the command prompt on the remote computer.

psexec \\ws19-dc3 cmd
Running the command prompt on a domain controller interactively
Running the command prompt on a domain controller interactively

This is actually very cool, and very useful. How often have you RDP’ed (made a Remote Desktop connection) to a server to run a command prompt? I know, every day. This is very efficient.

Remember to type ‘exit‘ to end the session. If you don’t, that session will continue to run on the remote server until you reboot it.

Opening GUI applications remotely

You also have the option of launching GUI applications on the remote computer’s ‘Console’ session. You can utilize the ‘-i’ switch for this purpose.

psexec -i \\ws16-dc2 notepad
Running Notepad on the remote machine with PsExec
Running Notepad on the remote machine

I didn’t have much luck. The Notepad window started on WS16-DC2, but the window was black with a funny grey title bar.

However, there was nothing I could do but click in the upper-right corner of the window and click the unseen ‘X’ to close the program. The window closed and then my PsExec session exited normally. If anyone has any comments or tips on what I may be doing wrong, please leave me a comment below, thank you!

Enabling PowerShell Remoting

Maybe you’d rather use PowerShell Remoting to handle your remote access duties. Have no fear, PsExec is here. You can use PsExec to initiate the ‘winrm quickconfig’ command to enable your access.

psexec \\ws16-dc2 -s c:\windows\system32\winrm.cmd quickconfig -quiet
Enabling and verifying remote management is ready on a remote system
Enabling and verifying remote management is ready on a remote system

Awesome! This is also something I do when building a new server so I can manage it remotely. If you’re building twenty or a hundred new servers at a crack, this is a tool for your belt.

Installing or copying a program to a remote computer

How about using PsExec as a simple software deployment tool? Well, you’re in luck. This probably isn’t the coolest feature, but, if your users happen to be more on the beginner end of computer knowledge, this actually could help immensely.

Here’s a command you could use to copy the Teams installer MSI file to the remote computer using the SYSTEM account. It will then run msiexec.exe to start the installer.

psexec \\ws19-dc3 -i -s "msiexec.exe /i Teams64.msi" -c Teams64.msi

The only thing the user on the remote computer needs to do is click Next, Next, and Finish!

Common PsExec mistakes

One final topic to cover, and don’t worry, it’s a small one. 🙂 Error and Exit codes, again, will almost exclusively be reported by the remote command on the other computer, not PsExec itself.

However, having a small list of the most common codes in Windows certainly helps.

ERROR CODEEXPLANATION
-2146232576Typically returned by Windows Update when an error occurs.
0Command executed successfully
1Incorrect function. A problem happened. That’s about it.
1603Fatal error during installation. This typically is returned by msiexec.
2The system cannot find the file specified
4The system cannot open the file.
5Access is denied.
6The handle is invalid.
6118The list of servers for this workgroup is not currently available
Common Windows Error Codes

Utilizing PsExec across your Wide Area Network (WAN)

As our new ‘hybrid’ world continues to unfold, you will undoubtedly be supporting remote users across many different networks. When you need to access remote computers and they aren’t part of your LAN (the same subnet), you can still use PsExec.

However, you just need to make sure you specify the FQDN (Fully Qualified Domain Name) of the computer and include the user and password credentials of a local user, unless they are on a VPN and their machine is AD domain-joined.

Here is an example:

psexec \\labmachine03.contoso.com -u userlogin cmd.exe

As long as appropriate firewalls are configured to allow port 445 to the computer, you will be fine. You will be prompted to enter the password for ‘userlogin’ when you execute the command.

Conclusion

I don’t know about you, but I am really excited to learn more in-depth knowledge of these very useful utilities, commands, and programs for IT Pros. PsExec is no exception. It has long been the gold standard for efficient remote access.

However, times they are a-changin’. PowerShell has been around for quite a few years and certainly is very robust in this arena. Plus, Microsoft has done a fantastic job of writing new GUI applications for remote computer/server management, notably Windows Admin Center and Server Manager, built into Windows Server.

Thank you for reading!

SHARE ARTICLE