Verified June 2026 · tested with PsExec v2.43 on Windows 11 24H2, Windows 10 22H2 & Server 2022/2025
Quick Reference: Essential Commands
Need to run something remotely right now? Here are the most common PsExec commands:
# Open an interactive command prompt on a remote computer
psexec \\PC-01 cmd
# Run a single command remotely and stream the output back
psexec \\PC-01 ipconfig /all
# Run a remote command as LocalSystem (SYSTEM)
psexec -s \\PC-01 cmd
# Run with explicit credentials (prompts for the password if -p is omitted)
psexec \\PC-01 -u CORP\admin cmd
# Copy a local program to the target and run it
psexec \\PC-01 -c C:\Tools\setup.exe
# Launch and don't wait for it to finish; accept the EULA silently
psexec -d -accepteula \\PC-01 powershell.exe
Which command do you need?
- Run a command or open a shell remotely → psexec \\host
- Run something as SYSTEM → -s
- Authenticate with specific credentials → -u/-p
- Push a script or EXE to the target first → -c
- Run interactively or fire-and-forget → -i/-d
Jump to the section you need below.
psexec: Run a Program Remotely
PsExec targets a host by its UNC name — \\COMPUTERNAME or \\10.0.0.5. It copies a small service (PSEXESVC.exe) to the target's ADMIN$ share, starts it, runs your program, relays stdin/stdout/stderr back over a named pipe, and then cleans the service up when the process exits.
Windows 10 · Windows 11 · Server 2016+ · Sysinternals download · ⚠ Needs ADMIN$ + admin rights
psexec Syntax
psexec \\computer[,computer2,...] [options] program [arguments]
You can target one host, a comma-separated list, \\* for every computer in the domain, or @file.txt to read host names from a text file.
Core Option Reference
| Option | Description |
|---|---|
| \\computer | Target host by UNC name; \\* = all domain computers; @file = list from a file |
| -u {user} | Run as this user on the remote machine (e.g. CORP\admin) |
| -p {password} | Password for -u; omit it to be prompted (keeps it out of history) |
| -s | Run as the LocalSystem (SYSTEM) account |
| -i [session] | Run interactively in the console session (or a specific session number) |
| -d | Don't wait — launch and return immediately |
| -c | Copy the program to the remote machine before running it |
| -f | With -c, force overwrite if the file already exists |
| -v | With -c, copy only if the file is newer than the remote copy |
| -w {dir} | Set the working directory on the remote machine |
| -accepteula | Silently accept the Sysinternals EULA (for scripts) |
| -nobanner | Suppress the startup banner and version text |
psexec Usage Examples
# Run a single command and stream the result back to your console
psexec \\PC-01 hostname
psexec \\PC-01 ipconfig /all
# Open a fully interactive remote command prompt
psexec \\PC-01 cmd
# Open a remote PowerShell session
psexec \\PC-01 powershell.exe
# Run the same command across several machines at once
psexec \\PC-01,PC-02,PC-03 ipconfig /flushdns
# Run against every computer listed in a text file
psexec @servers.txt -accepteula systeminfo
Tip: When you run psexec \\PC-01 cmd, the prompt that opens is a remote shell — every command you type runs on PC-01, not your workstation. Type exit to close it and let PsExec remove the temporary service.
Run as SYSTEM: the -s Switch
-s runs the remote process under the LocalSystem account (NT AUTHORITY\SYSTEM) instead of the credentials you connected with. SYSTEM has full local privileges, which is why it's used for servicing tasks — and why defenders watch it so closely.
LocalSystem context · ⚠ Heavily abused — expect EDR alerts
# Open a SYSTEM-level command prompt on the remote machine
psexec -s \\PC-01 cmd
# Confirm the context (should print: nt authority\system)
psexec -s \\PC-01 cmd /c whoami
# Run a tool that requires SYSTEM (e.g. reading a protected registry hive)
psexec -s \\PC-01 reg query "HKLM\SECURITY"
# Open a SYSTEM PowerShell locally (target = this machine, no \\host)
psexec -s -i powershell.exe
Warning: psexec -s grants full SYSTEM-level control of the target. This exact pattern is a hallmark of ransomware and lateral-movement attacks, so most EDR products will alert on it. Only run it for documented, authorized administration, from a trusted management host, and expect it to generate security telemetry.
Credentials: -u and -p
By default PsExec connects to the remote machine using your current logged-on credentials (pass-through authentication). Use -u and -p to authenticate as a different account — for example a domain admin when you're logged on as a standard user.
Explicit auth · Domain or local accounts
| Option | Behaviour |
|---|---|
| -u DOMAIN\user | Authenticate to the target as this account |
| -u .\localadmin | Use a local account on the target (note the .\) |
| -p {password} | Supply the password inline (visible in history — avoid in scripts) |
| (omit -p) | PsExec securely prompts for the password without echoing it |
# Prompt for the password instead of typing it on the command line (preferred)
psexec \\PC-01 -u CORP\admin cmd
# Authenticate with a local admin account on the target
psexec \\PC-01 -u .\Administrator powershell.exe
# Inline credentials (use only when unavoidable; ends up in shell history)
psexec \\PC-01 -u CORP\admin -p "P@ssw0rd!" hostname
Warning: Passing -p inline writes the cleartext password into your command history, scrollback, and any process/EDR logging that captures command lines. Omit -p so PsExec prompts you, or use a secrets manager — never hard-code passwords in shared scripts.
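To find inline passwords that have already landed in scripts or captured command lines, the check below walks each PsExec command line the way the syntax above is laid out (targets, options, then the remote program) and reports any `-p` value with the password masked. It is an added example, not part of PsExec or the original page; the function name is hypothetical, and treating `-n`, `-r` and `-a` as value-taking options goes beyond the option table on this page.

```powershell
# Added example: report PsExec command lines that pass -p inline, with the value masked.
function Find-InlinePsExecPassword {
    param([Parameter(Mandatory, ValueFromPipeline)][AllowEmptyString()][string[]]$Line)
    begin {
        # Options that consume the next token (-n, -r, -a are not in this page's table)
        $takesValue = '-u', '-p', '-w', '-n', '-r', '-a'
        $lineNo = 0
    }
    process {
        foreach ($text in $Line) {
            $lineNo++
            # Split into tokens, keeping "quoted strings" together
            $tok = [regex]::Matches($text, '"[^"]*"|\S+')
            # Find the psexec / psexec64 token (bare, with .exe, or with a path)
            $i = 0
            while ($i -lt $tok.Count -and
                   ($tok[$i].Value.Trim('"') -replace '^.*[\\/]', '') -notmatch '^psexec(64)?(\.exe)?$') { $i++ }
            for ($i++; $i -lt $tok.Count; $i++) {
                $t = $tok[$i].Value
                if ($t -match '^(\\\\|@)') { continue }        # \\host list or @file
                if ($t -notmatch '^-') { break }               # first bare token = remote program
                if ($t -eq '-i' -and $i + 1 -lt $tok.Count -and $tok[$i + 1].Value -match '^\d+$') {
                    $i++; continue                             # -i with a session number
                }
                if ($takesValue -notcontains $t) { continue }  # plain switch such as -s or -d
                $i++                                           # step onto the option's value
                if ($t -eq '-p' -and $i -lt $tok.Count) {
                    $v = $tok[$i]
                    [pscustomobject]@{
                        LineNumber = $lineNo
                        Redacted   = $text.Remove($v.Index, $v.Length).Insert($v.Index, '<redacted>')
                    }
                }
            }
        }
    }
}

# Constructed sample input: only the first line passes a password inline.
# The third line's -p belongs to the remote program, so it is not reported.
$sample = @(
    'psexec \\PC-01 -u CORP\admin -p "P@ssw0rd!" hostname'
    'psexec \\PC-01 -u CORP\admin cmd'
    'psexec \\PC-01 netstat -p tcp'
)
$sample | Find-InlinePsExecPassword
```

To check a real script, pipe its lines in with `Get-Content` instead of `$sample`.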
Copy and Run: -c (and friends)
If the program you want to run isn't already on the target, -c copies it there first, runs it from the remote %SystemRoot%, and removes it afterward. This is the classic "push a script and execute it" pattern.
Stages the binary · Pairs with -f / -v
| Option | Behaviour |
|---|---|
| -c | Copy the specified program to the target before running it |
| -f | Force overwrite if the file already exists on the target |
| -v | Copy only if the local file is a newer version than the remote one |
| -w {dir} | Run the program from this working directory on the target |
# Copy a local installer to the target and execute it
psexec \\PC-01 -c C:\Tools\setup.exe /quiet
# Push a batch script and run it, forcing an overwrite of any old copy
psexec \\PC-01 -c -f C:\Scripts\cleanup.cmd
# Copy a PowerShell script up, then invoke it with powershell.exe
psexec \\PC-01 -c -f C:\Scripts\inventory.ps1 ^
powershell.exe -ExecutionPolicy Bypass -File inventory.ps1
# Run a remote command without copying anything (the program must already exist)
psexec \\PC-01 powershell.exe -Command "Get-Service spooler"
Note: When you use -c, the first argument after the options is the local file PsExec copies. To run an interpreter against a copied script, copy the script with -c and then name powershell.exe/cmd.exe and the script that now lives on the target, as in the third example above.
Session Control: -i and -d
By default PsExec runs the remote program non-interactively in session 0 and waits for it to exit (returning its exit code). Two switches change that behaviour:
- -i [session] makes the program interactive on the user's desktop so they can see and use its window.
- -d (don't wait) launches the program and returns immediately, leaving it running on the target.

-i = visible to the user · -d = fire and forget
# Pop a window on the logged-on user's desktop (e.g. for a support session)
psexec -i \\PC-01 notepad.exe
# Target a specific session number (find it with: query session)
psexec -i 2 \\PC-01 cmd
# Start a long-running process and return immediately
psexec -d \\PC-01 C:\Tools\longjob.exe
# Combine: launch an interactive app and don't wait for it to close
psexec -i -d \\PC-01 mmc.exe
Note: Without -i, a remote GUI program runs in the hidden session 0 and the interactive user never sees it. Without -d, your console blocks until the remote program exits — fine for quick commands, but it will hang on anything that never returns (like notepad left open).
Troubleshooting: Common PsExec Errors
| Error / Symptom | Meaning | Fix |
|---|---|---|
| Access is denied | No admin rights on the target, or ADMIN$ is unreachable | Use an account with local admin on the target; verify net use \\PC-01\ADMIN$ works |
| The network path was not found | SMB (TCP 445) blocked or the host is offline/unresolvable | Enable File and Printer Sharing, allow port 445 through the firewall, confirm name resolution |
| Couldn't install PSEXESVC service | PsExec can't copy/start its service on the target | Confirm ADMIN$ is shared and writable, the Server (LanmanServer) service is running, and you're elevated |
| EULA dialog appears / script hangs | First-run Sysinternals license prompt blocks automation | Add -accepteula to the command |
| error code 1326 (logon failure) | Wrong username or password supplied to -u/-p | Re-check the credentials; for a local account use .\Administrator |
| error code 5 (access denied via UAC) | Remote UAC token filtering blocks local accounts over the network | Use a domain admin, or set LocalAccountTokenFilterPolicy=1 on the target (understand the risk) |
| Blocked / quarantined by AV or EDR | PsExec and PSEXESVC are flagged as lateral-movement tooling | Add a scoped exclusion on the management host, or use a sanctioned admin path; never disable AV broadly |
| Remote GUI app never appears | Program launched in session 0 without -i | Add -i (optionally with a session number) to surface it on the user's desktop |
Requirements Checklist
PsExec is agentless, but the target must allow three things:
- ADMIN$ reachable — PsExec copies PSEXESVC.exe to the ADMIN$ administrative share. Test with net use \\PC-01\ADMIN$.
- SMB / File and Printer Sharing — TCP 445 must be open through the Windows Firewall (the built-in "File and Printer Sharing" rule group).
- Local administrator rights — you (or the -u account) must be a local admin on the remote machine to install the temporary service.
If all three are in place and PsExec still fails, the troubleshooting table above covers the usual culprits.
Version and Compatibility Notes
- PsExec is part of the Sysinternals suite — download PsTools (or the full Sysinternals suite) from Microsoft. There is nothing to install; psexec.exe (and psexec64.exe) run standalone.
- Windows 11 / 10 / Server: PsExec works identically across modern Windows. The first run on each machine writes the EULA-accepted registry value; use -accepteula in scripts so they never wait on the dialog.
- 64-bit targets: PsExec ships both 32- and 64-bit service binaries and picks the right one automatically; you can force the 64-bit service with psexec64.
- Built-in alternatives: For remote command execution, Invoke-Command and Enter-PSSession (PowerShell Remoting over WinRM) are Microsoft's first-party path and are usually preferred in managed environments. PsExec remains invaluable when WinRM isn't available or you specifically need SYSTEM (-s) or an interactive (-i) process.
- Security posture: Because PsExec is so widely abused, treat its use as auditable. Run it from a hardened management host, prefer credential prompting over inline -p, and expect SYSTEM (-s) usage to generate EDR alerts — that visibility is a feature, not a bug.
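One way to make that auditing concrete: because PsExec installs PSEXESVC.exe as a temporary service, each run leaves a "service installed" record (Event ID 7045, provider Service Control Manager) in the target's System log. The sketch below is an added example, not Sysinternals code or part of the original page; the function names and the sample records are constructed for illustration.

```powershell
# Added example: flag service-install records that match the PSEXESVC service.
function Find-PsExecServiceInstall {
    param([Parameter(Mandatory, ValueFromPipeline)][object[]]$Record)
    process {
        foreach ($r in $Record) {
            $nameHit = $r.ServiceName -like 'PSEXESVC*'
            $pathHit = $r.ImagePath -match '(^|\\)PSEXESVC\.exe'
            if (-not ($nameHit -or $pathHit)) { continue }
            $reason = @()
            if ($nameHit) { $reason += 'service name' }
            if ($pathHit) { $reason += 'image path' }
            [pscustomobject]@{
                TimeCreated = $r.TimeCreated
                Computer    = $r.Computer
                ServiceName = $r.ServiceName
                ImagePath   = $r.ImagePath
                Account     = $r.Account
                MatchedOn   = $reason -join '+'
            }
        }
    }
}

# Reads live 7045 records and reshapes them for the function above.
# Event 7045 data order: ServiceName, ImagePath, ServiceType, StartType, AccountName.
function Get-ServiceInstallEvent {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)
    $filter = @{ LogName = 'System'; Id = 7045; ProviderName = 'Service Control Manager'
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Computer    = $_.MachineName
                ServiceName = $_.Properties[0].Value
                ImagePath   = $_.Properties[1].Value
                Account     = $_.Properties[4].Value
            }
        }
}

# Constructed sample records so the logic can be exercised offline.
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2026-06-01T09:14:07'; Computer = 'PC-01'
        ServiceName = 'PSEXESVC'; ImagePath = '%SystemRoot%\PSEXESVC.exe'; Account = 'LocalSystem' }
    [pscustomobject]@{ TimeCreated = [datetime]'2026-06-01T09:20:31'; Computer = 'PC-01'
        ServiceName = 'ExampleUpdater'; ImagePath = 'C:\Program Files\Example\updater.exe'; Account = 'LocalSystem' }
)
$sample | Find-PsExecServiceInstall
```

Against a real host, replace `$sample` with `Get-ServiceInstallEvent -ComputerName PC-01` and compare the hits with your change records for authorized PsExec use.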






