PsExec "could not start" error

  • Question

  • The command below:

    psexec \\[hostname] -u [domain]\[userid] -p [password] "cmd.exe"
    

    returns error: Could not start PSEXESVC service on [hostname]: %1 is not a valid Win32 application.

    I noticed that C:\Windows on [hostname] contains a "psexesvc.exe" with size 0 bytes. From what I’ve found online so far, psexec copies psexesvc. Any ideas what may be going on here?

    Thanks in advance!

    • Edited by
      PBrain007
      Monday, June 24, 2019 9:49 PM

All replies

  • Probably an antivirus or AppLocker blocking the installation of the PSExecSvc…

    Thanks
    -mario

  • Just tried again after disabling anti-virus. Still see the same behavior.

    Thanks for your suggestion!

  • Is it still an installed service PSEXECSVC?
    you can check with SC query and if it is uninstall it with SC delete..

    Did you already delete the file from c:\windows and reboot the machine?

    Thanks

    -mario

  • I did these steps:

    C:\Windows\System32>sc delete psexesvc
    [SC] DeleteService SUCCESS

    Deleted the PSExesvc under c:\Windows

    Rebooted the machine. Then tried psexec. Still see the same error and psexesvc file with zero bytes size :-(

    PsExec v2.2 — Execute processes remotely
    Copyright (C) 2001-2016 Mark Russinovich
    Sysinternals — www.sysinternals.com

    Could not start PSEXESVC service on[hostname]:
    %1 is not a valid Win32 application.

    Thank you!

  • It’s time for Process Monitor..

    perform the same step as before, delete the service and reboot the machine, then start process monitor on the host where you would like to start the psexecsvc. Start to capture a trace just before running on the remote machine the psexec command.

    Save the trace in pml native format saving all the events and share the trace.

    Thanks
    -mario 

  • Try manually copying PsExecsvc into C:\Windows of the computer.

  • I ran into the same problem; it was because the remote system did not have enough disk space. I had to access c$ (\\remotesystem\c$) and delete a few files, and voila! psexec started on the remote system

I’m trying to use PsExec to start a process on a remote machine. I posted this question on SO, but I realized it’s probably better suited here. I also have spent a few hours trying to figure this out, and haven’t really gotten anywhere.

Here is one of the questions I’ve looked at, as well as a couple of forum posts. The second link is the one I’m interested in. One of the posters suggests using net use to see if the credentials I’m trying to use with PsExec work for that, and they do. When I try to run PsExec, I’m running it from an administrator instance of cmd, and I use this command:

PsExec.exe \\[MachineName] -u [domain]\[user] -p [password] cmd

This is unsuccessful, and returns:

Could not start PSEXESVC service on [MachineName]:
Access is denied.

However, when I issued this command in the same instance of cmd:

net use \\[MachineName] /user:[domain]\[user]

I was prompted for a password, to which I entered [password], and it returned:

The command completed successfully.

This seems like all the relevant information to me, and it also seemed that way in the other posts I looked at, but I’m not sure what else to add. I’ve spent a couple hours trying to figure this out, with no success. I’d appreciate any help, and let me know if you need any other information from me.

The PsExec tool allows you to run programs and processes on remote computers. The main advantage of PsExec is the ability to invoke the interactive command-line interface on remote computers, remotely run programs, and execute any commands (in the background, or the interactive mode).

The PsExec utility is one of the most popular programs of the PsTools package from Sysinternals. You can download it on this page (the current version is PsExec v2.40).


How to install PsExec on Windows?

To use the PsExec tool, simply download the PSTools.zip archive from Microsoft and extract the PsExec64.exe and PsExec.exe files to any folder on your computer (it is convenient to copy them to the default executable folder C:\Windows\System32).

You can run PsExec from the command prompt or PowerShell console. To connect to a remote computer via PsExec, the following conditions must be met:

  • TCP/445 (SMB) and UDP/137 (NETBIOS) ports must be open on the remote computer;
  • You must have administrator credentials on the remote computer, or the user under which you are running PsExec must be added to the Administrators group on the remote computer;
  • The LanmanServer and LanmanWorkstation services must be running on a computer.

You can open these ports on a remote computer using the Windows Firewall Advanced Settings (GUI) or using the commands:

netsh advfirewall firewall add rule name="SMB" dir=in action=allow protocol=TCP localport=445

netsh advfirewall firewall add rule name="NETBIOS" dir=in action=allow protocol=UDP localport=137

How to use PsExec?

The syntax for PsExec is as follows:

psexec \\RemotePCName [-u username [-p password]] command [arguments]

If you do not specify the user name and password, the remote process starts on the remote computer under your current credentials, which are used to start the PsExec process on your computer. If you need to execute commands on a remote computer under a different user account, keep in mind that the password is sent over the network to the remote system in plain text.

When you start PsExec for the first time, you need to accept the Sysinternals License Agreement.


To prevent the graphical prompt with the license agreement from being displayed, you can add the /accepteula switch when you first start PsExec.

psexec /accepteula

As an example, we want to purge the DNS cache (with the “ipconfig /flushdns” command) on the remote computer lon-srv01. Run the command:

psexec \\lon-srv01 ipconfig /flushdns


After you run this command, PsExec copies the psexesvc.exe file to the hidden administrative folder Admin$ of the specified remote computer (C:\Windows\System32\psexesvc.exe). Then it starts the PSEXESVC service on the remote computer using the Windows API. After PSEXESVC is running, a connection is established for data transfer between this service and the PsExec process on your computer.

PsExec then sends your command to be executed on the remote computer and waits for the result. In our example, after ipconfig finishes, all the text output will be transferred to your computer, and the error code will also be returned. If the command was successful, you will see the exit code 0.

If your account doesn’t have the local administrator rights on the remote Windows host, an error will appear:

Couldn’t install PSEXESVC service:
Access Denied

When the work is completed, PsExec stops the service and automatically removes it from the remote computer.
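
Because PsExec removes the service when it finishes, the service-install record in the remote computer's System event log (Service Control Manager event 7045) is what remains for later review. The following is an added example, not part of the original article or of PsTools: it parses 7045 event XML and flags records matching the PSEXESVC service described above. The function names and the two sample events are constructed for illustration.

```powershell
# Added example. Sample events are constructed, not captured from a real host.

function ConvertFrom-ServiceInstallXml {
    # Turn the XML of one event 7045 record into a flat object.
    param([Parameter(Mandatory)][string] $Xml)
    $e = ([xml]$Xml).Event
    $data = @{}
    foreach ($d in $e.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated = $e.System.TimeCreated.SystemTime
        Computer    = $e.System.Computer
        ServiceName = $data['ServiceName']
        ImagePath   = $data['ImagePath']
        AccountName = $data['AccountName']
    }
}

function Test-PsExecServiceInstall {
    # Return the reasons (possibly none) why a record looks like a PsExec service install.
    param([Parameter(Mandatory)] $Record)
    $reasons = @()
    if ($Record.ServiceName -eq 'PSEXESVC') { $reasons += 'service name is PSEXESVC' }
    if ($Record.ImagePath -match '(^|\\)psexesvc\.exe') { $reasons += 'image path is psexesvc.exe' }
    $reasons
}

# Constructed sample input: one PsExec-style install and one unrelated service.
$template = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>' +
    '<TimeCreated SystemTime="{0}"/><Computer>{1}</Computer></System><EventData>' +
    '<Data Name="ServiceName">{2}</Data><Data Name="ImagePath">{3}</Data>' +
    '<Data Name="AccountName">{4}</Data></EventData></Event>'
$sampleEvents = @(
    ($template -f '2024-05-01T09:14:02Z', 'lon-srv01', 'PSEXESVC', '%SystemRoot%\PSEXESVC.exe', 'LocalSystem'),
    ($template -f '2024-05-01T09:20:41Z', 'lon-srv01', 'Spooler', 'C:\Windows\System32\spoolsv.exe', 'LocalSystem')
)

# On a live host, replace $sampleEvents with:
#   Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } | ForEach-Object { $_.ToXml() }
$sampleEvents | ForEach-Object {
    $rec = ConvertFrom-ServiceInstallXml -Xml $_
    $why = @(Test-PsExecServiceInstall -Record $rec)
    if ($why.Count -gt 0) {
        # Emit only the flagged records, with the matching reasons attached.
        $rec | Add-Member -NotePropertyName Reason -NotePropertyValue ($why -join '; ') -PassThru
    }
}
```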

When you run cmd.exe interactively through PsExec under a remote user, you have no way to elevate privileges (as Admin) when UAC is enabled. To run the commands with the account’s elevated token, use the -h option. This option means that all commands will be executed in the “Run as Administrator” mode.

PsExec: run commands on remote computers

Let’s look at useful examples of using PsExec to execute commands on remote computers.

To restart the remote computer, run the following command:

psexec \\lon-srv01 "cmd.exe" "/c shutdown /f /r /t 60"

If you need to run several commands one by one, it’s better to run the PsExec in the interactive mode on the remote computer. To do this, run the command:

psexec \\lon-srv01 cmd

Now all the commands that you type in the command prompt on your local computer will be executed on the remote lon-srv01 computer.

To connect to a remote computer under a specific account and run an interactive shell, use the following command:

psexec.exe \\lon-srv01 -u user -p password cmd.exe

You can even use PsExec to run PowerShell commands remotely. For example, the following command will return the size of the C:\PS directory on the remote computer:

psexec \\lon-srv01 powershell -ExecutionPolicy RemoteSigned -command "'{0:N2}' -f ((gci C:\PS | measure Length -Sum).Sum/1MB)"

Note. To run a command remotely in PowerShell, you can use the Invoke-Command cmdlet instead of PsExec.

You can use the -c parameter to specify the name of the local file that you want to copy to the remote computer and execute it there. For example:

psexec \\lon-srv01 -c c:\ps\myapp.exe

You can use PsExec as the easiest way to remotely install software. For example, you have an installer file of a certain program (for example, setup.msi). To copy the msi file to a remote computer and install it, use the following one-liner:

psexec.exe \\lon-srv01 -c setup.msi -i -s "msiexec.exe /i setup.msi"

By default, PsExec doesn’t start GUI programs on the remote user’s desktop. PsExec executes commands in hidden mode (you won’t notice any windows or dialogs on the remote computer where the commands are executed). However, you can change this with the -i option.

For example, the following PsExec command will open the notepad.exe process on the remote computer and display it on the local user’s desktop:

psexec -i \\lon-srv01 notepad

PsExec will wait for a process running on a remote computer to complete. If remote users don’t close the notepad windows on their desktop, your PsExec process will wait indefinitely for it to complete. To prevent PsExec from waiting for the remote process to finish, use the -d switch:

psexec -i -d \\lon-srv01 notepad

Full information about all PsExec parameters can be obtained by running psexec on the command line without parameters.

To end a remote PsExec session, type exit, and press Enter.

Using PsExec to run processes as the LOCAL SYSTEM account

PsExec has one interesting and useful feature. If you don’t specify a computer name, the command is executed on the local system by default. You can run programs under the SYSTEM account by using the -s switch. For example, run the CLI session:

psexec -s cmd

Then check which user you are currently logged on as with the whoami command. As you can see, the console is started under the NT AUTHORITY\SYSTEM account.

Run a command on multiple remote computers with PsExec

PsExec allows you to run the command simultaneously on multiple remote computers. To do this, you can set the computer names separated by commas:

psexec \\PC1,PC2,PC3,PC33 "ipconfig /all"

or save them in a text file, and then specify a path to this file:

psexec @c:\ps\computer_list.txt ipconfig

If you put an asterisk instead of the computer name (psexec \\*), the command will be executed on all computers in your domain (you can use this trick only on a domain-joined computer).

For example, the following command will copy your run.bat file to all computers listed in the text file c:\ps\computer_list.txt, and execute this batch file (the -h argument is used to run the batch file elevated):

PsExec.exe @c:\ps\computer_list.txt -h -u .\administrator -p $upper0P@$ -c "c:\ps\run.bat"

Common PsExec errors

PsExec access denied error

In some cases, you can get the following error when trying to connect to a remote computer using PsExec:

Couldn’t access computername
The network path was not found
Make sure the default admin$ share is enabled on computername.

Make sure the remote computer is accessible over the network via SMB (TCP port 445). You can test the connection to the remote computer using the following PowerShell command:

Test-NetConnection -ComputerName pc99 -Port 445

Check the command response. If TcpTestSucceeded is not equal to True, this means that this port is blocked by the firewall.

You can open the SMB port in Windows Defender Firewall on a remote computer by enabling the “File and Printer Sharing” rule using the following command:

netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes

Make sure ADMIN$ (Remote Admin) and other Windows admin shares (C$, IPC$) are published on the remote computer:

net view \\pc99 /all

If the list of admin shares on the remote computer is empty, run the following command on it locally:

net share


If there are no administrative shares, you need to publish them with the command:

reg add HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /f /v AutoShareWks /t REG_DWORD /d 1

Then restart the remote computer.

Fixing the Error: “Could not start PsExec service”

In some cases, when connecting to a remote computer through PsExec, you may receive an error:

Could not start PSEXESVC service on PC:
Access is denied.

If you encountered such an error, try to use one of the following solutions:

  1. Make sure your user is a member of the local administrators’ group on the remote computer;
  2. If the username on a remote computer differs from the current security context, try to specify remote user credentials as follows:
    psexec \\PC1 -u PC1\user1 -p adminpassword -h -i cmd

    (be sure to use the -h option in your PsExec command);

  3. On a remote computer in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System try to change the parameter ‘LocalAccountTokenFilterPolicy’ value to 1. When UAC is enabled, this will allow you to run commands on a remote computer with administrator permissions;
  4. Try temporarily disabling Windows Firewall on the remote computer.
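
The prerequisite checks from this section (SMB port, ADMIN$ share), together with the zero-byte psexesvc.exe and leftover PSEXESVC service cases from the forum thread at the top of the page, can be run as one pre-flight function before changing firewall or registry settings. This is an added example, not part of the original article or of PsTools: Test-PsExecPrereq is a hypothetical name, and it assumes Test-NetConnection is available and that the current credentials are the ones PsExec would use.

```powershell
# Added example. Test-PsExecPrereq is a hypothetical helper, not a PsTools command.
function Test-PsExecPrereq {
    [CmdletBinding()]
    param(
        # Defaults to the local machine so the function can be tried without a second host.
        [string] $ComputerName = $env:COMPUTERNAME
    )

    $adminShare = '\\{0}\ADMIN$' -f $ComputerName
    $svcBinary  = '{0}\PSEXESVC.exe' -f $adminShare
    $result = [ordered]@{
        ComputerName  = $ComputerName
        Smb445Open    = $false
        AdminShareOk  = $false
        ServiceBinary = 'not checked'
        ServiceEntry  = 'not checked'
    }

    # 1. SMB reachability (TCP/445), the same test the article runs by hand.
    $tcp = Test-NetConnection -ComputerName $ComputerName -Port 445 -WarningAction SilentlyContinue
    $result.Smb445Open = [bool]$tcp.TcpTestSucceeded

    if ($result.Smb445Open) {
        # 2. ADMIN$ must be published and reachable with the current credentials.
        $result.AdminShareOk = Test-Path -LiteralPath $adminShare

        if ($result.AdminShareOk) {
            # 3. A leftover service binary; zero bytes means an earlier copy failed
            #    (the "%1 is not a valid Win32 application" case in the forum thread).
            $file = Get-Item -LiteralPath $svcBinary -ErrorAction SilentlyContinue
            $result.ServiceBinary =
                if (-not $file)             { 'absent' }
                elseif ($file.Length -eq 0) { 'zero-byte (failed copy)' }
                else                        { "present ($($file.Length) bytes)" }
        }

        # 4. Stale service registration. sc.exe exits with 1060 when the service does not exist.
        $null = sc.exe "\\$ComputerName" query PSEXESVC
        $result.ServiceEntry = switch ($LASTEXITCODE) {
            0       { 'registered' }
            1060    { 'not registered' }
            default { "sc.exe error $LASTEXITCODE" }
        }
    }

    [pscustomobject]$result
}

# Example call against the local machine; pass -ComputerName pc99 for a remote host.
Test-PsExecPrereq
```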

PsExec: logon failure

When connecting to a remote computer, the following PsExec error may appear:

PsExec could not start cmd.exe on PCName:
Logon failure: the user has not been granted the requested logon type at this computer.

In this case, you need to add the following options to your PsExec command:

PsExec.exe -i -h \\PCName yourcommand

PSExec error code 1

If PsExec returns “error code 1” when you run a batch file on a remote computer, you are most likely using the exit command in your bat file. Change the exit command to

exit /b 0

Such a command terminates the batch file, closes cmd.exe, and sets the return code to zero.

I have a powershell script on a remote windows box that finds the folder pointed to by a junction. The contents of the script looks like this:

return fsutil reparsepoint query C:\foo\bar\junction_name | where-object { $_ -imatch 'Print Name:' } | foreach-object { $_ -replace 'Print Name:\s*','' }

When I run this on the remote box, it executes as expected :)

However, when I try to run this remotely from my local machine:

C:\Users\foo>C:\pstools\PsExec.exe \\remote_server_name "powershell D:\bar\my_script.ps1"

I get errors:

PsExec could not start powershell D:\bar\my_script.ps1 on
remote_server_name: The filename, directory name, or volume label
syntax is incorrect.

Any ideas what this error is telling me (given that I can run the script directly on the remote box with no issues)?

Thx!

asked Sep 29, 2015 at 6:04

Pat Mustard

1- maybe you should avoid psexec and take advantage of powershell remoting

invoke-command -computername remote_server_name -scriptblock {. "D:\bar\my_script.ps1"}

2- if you want to keep psexec, look at the starting directory switch -w

PsExec.exe \\remote_server_name -w D:\bar "powershell -file my_script.ps1"

answered Sep 29, 2015 at 6:53

Loïc MICHEL

PS Remoting would be the best way to go here and I’d actually put up a good fight for opening up TCP/5985 on your machines. The minuscule security risk is, by far, worth the management benefits you’ll get with it.

Worst case scenario use the WMI Win32_Process class. Something like this might work.

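$wmiParams = @{
    'ComputerName' = 'Somecomputer'
    'Class' = 'Win32_Process'
    'Name' = 'Create'
    # cmd /c is needed so that the > redirection is interpreted by a shell on the remote side
    'Args' = 'cmd /c fsutil reparsepoint query C:\foo\bar\junction_name > C:\temp.txt'
}
# Start the process remotely, then read its output file back over the C$ admin share
Invoke-WmiMethod @wmiParams
Get-Content \\somecomputer\c$\temp.txt | where-object { $_ -imatch 'Print Name:' } | foreach-object { $_ -replace 'Print Name:\s*', '' }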

answered Sep 29, 2015 at 14:34

Adam Bertram

I managed to get the following to work:

PsExec.exe \\remote_server_name powershell.exe D:\bar\my_script.ps1

However, the powershell session did not close as expected and remained in a hanging state after my script returned so calling it via cmd as detailed here seems to fix that:

PsExec.exe \\remote_server_name cmd /c "echo . | powershell.exe D:\bar\my_script.ps1"

Thanks for all of the suggestions…


answered Sep 30, 2015 at 2:26

Pat Mustard
