
I am using psexec.exe to run programs in a different security context. However, the programs start but do not seem to be running in the specified security context.

In its minimal form:

psexec -u wsadmin -p password cmd

This starts a new cmd window. If I type whoami in that window:

C:\Windows\system32>whoami
win-k1r7g38nlkt\wsadmin

C:\Windows\system32>net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
wsadmin
The command completed successfully.

As you can see, I am definitely the other user, and I can confirm that this user is a member of the "Administrators" group.

C:\Windows\system32>mkdir test
Access is denied.

If I use runas with the specified user it works as it is supposed to. But then I need to supply the password on the command line.

asked by Tuim (edited by Dave M)

4 Answers

Answer (12 votes):

On Windows Vista and later, if UAC is enabled, a process launched by psexec -- even when run from an administrator account -- must have its elevated token set in order to get full privileges. This can be done by passing the -h attribute on the psexec command line. So, you would change your command to:

psexec -h -u wsadmin -p password cmd

For more info, run psexec /?:

    -h    If the target system is Vista or higher, has the process
          run with the account's elevated token, if available.
– nhinkle
  • Unfortunately this gives me "Couldn't install PSExec service access is denied" – Tuim Jan 28 '13 at 10:39
  • Are you also running the initial command from an elevated command prompt, or are you using it as a local run-as? – nhinkle Jan 28 '13 at 11:02
  • The original command runs in a 'user' security context. I cannot use run-as for specific reasons. – Tuim Jan 28 '13 at 11:20
  • Use "Elevated command prompt" or "Elevated PowerShell prompt" via Start > type "PowerShell" > right-click "Windows PowerShell" > select "Run as Administrator", then run the psexec command including the `-h` option. – Underverse Feb 21 '17 at 03:56
  • @Underverse, is it possible to use psexec from a user CMD, not from an admin PS? I want to use psexec exactly for the transition of CMD into the admin context :) – Suncatcher Dec 10 '17 at 10:24
  • @Suncatcher The only difference should be to use `/` instead of `-` for switches when calling psexec from a CMD prompt: `psexec.exe /u "username" /p "password" /accepteula /i /h "c:\\Windows\System32\\cmd.exe"` in a CMD prompt vs `psexec.exe -u "username" -p "password" /accepteula -i -h PowerShell.exe  -NoExit` in PowerShell. In both cases the CMD/PowerShell window must be run as administrator. Otherwise the `Couldn't install PsExec service:` message is thrown. – Underverse Dec 11 '17 at 23:58
  • Bad (( I saw this as an answer to the question "how to elevate CMD". – Suncatcher Dec 12 '17 at 09:31
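The reason the question's `whoami` looks right while `mkdir` is still denied is the UAC split token: in a non-elevated process of an administrator account, BUILTIN\Administrators is still present in the token but flagged "used for deny only", so it grants nothing, whereas `-h` asks for the unfiltered token. The following PowerShell function, an added example that is not part of nhinkle's answer or of PsExec itself, reports both facts side by side so you can run it in the window psexec opened, once without `-h` and once with it. It relies on the English column names and attribute text of `whoami /groups`; on a localized system those strings differ.

```powershell
# Added example (not from the original answer or from Sysinternals): show whether the
# current process merely belongs to an account in Administrators, or actually runs
# with an elevated token. S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
function Get-TokenElevationState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # IsInRole(Administrator) is true only when the Administrators group in the token is
    # enabled, i.e. the process is elevated; it is false for a UAC-filtered token.
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami /groups lists every group in the token, including deny-only ones, and the
    # integrity label as a row of Type "Label". (English whoami output assumed.)
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $label  = $groups | Where-Object { $_.Type -eq 'Label' }

    [pscustomobject]@{
        User               = $identity.Name
        AdminGroupInToken  = [bool]$admins
        AdminGroupFiltered = [bool]$admins -and ($admins.Attributes -match 'deny only')
        Elevated           = $elevated
        IntegrityLevel     = if ($label) { $label.'Group Name' } else { 'unknown' }
    }
}

Get-TokenElevationState | Format-List
```

In the window from `psexec -u wsadmin -p password cmd` you should see AdminGroupInToken True, AdminGroupFiltered True, Elevated False and a Medium integrity label, which is exactly why creating a directory under System32 fails; with `-h` the same account shows AdminGroupFiltered False, Elevated True and a High label. The `Elevated` field is the one that predicts whether an administrative operation will succeed; group membership alone does not.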
Answer (6 votes):

It took me hours to find a working way to PsExec between two Windows 7 computers with a non-admin user starting PsExec. Disabling UAC (EnableLUA=0, ConsentPromptBehaviorAdmin=0, LocalAccountTokenFilterPolicy=1) did not work, turning off the firewalls did not work...

Here I found the working way - thanks JelmerS: (Info from PSexec is not connecting to machine using supplied username and password)

This is because psexec still tries to access the ADMIN$ share with your local credentials, before executing your command as another user. According to this thread, you can cache credentials before executing psexec:

cmdkey.exe /add:MACHINE_NAME_HERE /user:MACHINE_NAME_HERE\Administrator /pass:PASSWORD_HERE 
psexec.exe \\MACHINE_NAME_HERE -i notepad
cmdkey.exe /delete:MACHINE_NAME_HERE
  • 1
    Note - If you don't want your password in the command line history, you can just use /pass with no password, and you will get a prompt to enter one. – Joe the Coder Sep 27 '18 at 16:13
Answer (2 votes):

I have found a solution:

It turns out that when you have UAC enabled, psexec does not work as it is supposed to.
Whenever HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA is set to 0, psexec works as expected.

– Tuim
  • The other way around this that doesn't require changing the registry is to just add the `-h` flag to the `psexec` command. This tells it to run the command with the elevated token, which is equivalent to launching a process "as administrator" from the context menu. – nhinkle Jan 28 '13 at 10:09
  • Setting `EnableLUA` to `0` disables `Admin Approval Mode`, which is basically the core of UAC. As a result the UAC will get disabled. [Source](http://technet.microsoft.com/en-us/library/cc772207%28v=ws.10%29.aspx). – Vlastimil Ovčáčík Jul 27 '13 at 13:06
  • For me the -h flag did not work and disabling UAC was troubling, but I found a [better alternative](https://stackoverflow.com/questions/828432/psexec-access-denied-errors) – mTorres Nov 16 '19 at 11:39
  • Do I have to do this **from** where I am running psexec (host) or on the target (remote) where the execution will happen? – Ahmed Can Unbay Feb 27 '23 at 01:08
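Before following this answer it is worth knowing what the machine's UAC settings currently are, since EnableLUA=0 switches off Admin Approval Mode (and with it UAC) for every account after the next reboot, and the other answer in this thread also mentions ConsentPromptBehaviorAdmin and LocalAccountTokenFilterPolicy. The function below is an added example, not part of Tuim's answer, that reads those three values from the registry key named in the answer and reports their meaning without modifying anything. Run it in PowerShell on the machine whose UAC behaviour you are checking; the defaults it assumes for absent values are those of Windows 7 and later.

```powershell
# Added example (not from the original answer): audit the UAC values discussed in this
# thread. An absent value means the Windows default, which is assumed below as the
# Windows 7+ default (EnableLUA=1, ConsentPromptBehaviorAdmin=5, LocalAccountTokenFilterPolicy=0).
function Get-UacPolicyState {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key -ErrorAction Stop

    $enableLua = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    $consent   = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $filter    = if ($null -ne $p.LocalAccountTokenFilterPolicy) { [int]$p.LocalAccountTokenFilterPolicy } else { 0 }

    [pscustomobject]@{
        EnableLUA                     = $enableLua
        # 0 turns off Admin Approval Mode, i.e. UAC as a whole; takes effect after a reboot.
        UacEnabled                    = ($enableLua -eq 1)
        ConsentPromptBehaviorAdmin    = $consent
        # 0 = administrators elevate without any prompt; other values prompt in some form.
        AdminsElevateSilently         = ($consent -eq 0)
        LocalAccountTokenFilterPolicy = $filter
        # 1 = local administrator accounts get a full token over the network (e.g. ADMIN$);
        # 0 = their remote logons are filtered (built-in Administrator, RID 500, is exempt).
        RemoteLocalAdminTokenFiltered = ($filter -ne 1)
    }
}

Get-UacPolicyState | Format-List
```

If UacEnabled comes back False, the registry change from this answer (or the Group Policy equivalent) is already in effect and psexec will behave as the answer describes; if it is True, nhinkle's `-h` suggestion gets you an elevated process for one command while leaving UAC in place for everything else.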
Answer (0 votes):

Here is what worked for me. It doesn't get rid of UAC completely, but it turns it off for administrators:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control:Run All Administrators in Admin Approval Mode - Disabled

  • Which isn't really a great idea. In addition how is this an improvement in comparison to the other available solutions? – Seth Jan 11 '17 at 14:23