How to use psexec without admin privileges on target machine?

Question

Is it possible to use psexec to execute a command on a remote machine without having admin privileges on the remote machine?

I tried running psexec \\<machine> -u <username> -p <password>, where <username> and <password> are non-admin credentials, but I get an "access denied" error

I can remote desktop into the remote machine with the same credentials without any problems.

My local machine is running Windows 7 Enterprise 64-bit, and the remote machine is running Windows Server 2008 64-bit. I do have admin privileges on the local machine.

EDIT: To all the people who are downvoting this question: I am not trying to circumvent any sort of security measure. I can already run the process on the remote machine by remote desktop-ing into the remote machine and running it. I'm simply looking for a command-line way to do something I can already do through a GUI.

It's a poor question because on this site we object to end users asking us how to circumvent security systems. Maybe you should have a read of this one: http://meta.serverfault.com/questions/1659/handling-illegal-immoral-questions-and-answers, followed by a read of the FAQ. — John Gardeniers, Jun 15 '11 at 03:10
I am **not** trying to circumvent any security system. I am trying to do something I can already do through a GUI, through the command-line instead, which I find more convenient. Please explain to me how that constitutes circumventing a security system. — HighCommander4, Jun 15 '11 at 03:29
There are many times when a person who is an administrator has good reasons for finding a way to run a process without using full administrative rights. Sometimes, of course, it's not possible or not practical, but if a few tweaks to the system can make the difference between opening a system up fully vs. configuring it to be accessed using a more limited account, then it's often good to do the work needed to run under the more limited account. — Shannon Wagner, Jun 10 '12 at 10:25
I administrate Windows, Linux and UNIX hosts in my job role and if I were to address a user's question by attacking him for asking the question I would soon be out of a job. This person is not requesting a method for circumventing administrative rights. He is asking for a method of using PSEXEC with limited rights to run a process that he already has rights to run through the GUI. — Robert Ebers, Mar 05 '14 at 19:52

score 28 · Accepted Answer · edited May 23 '17 at 12:41

As found at: https://stackoverflow.com/questions/534426/psexec-help-needed

You need to have admin rights on the target as part of psexec starts up a windows service on the target, and you need admin rights to be able to do that.

psexec copies a psexecsvc file to the admin share and then using remote management starts up a service using that file. It opens up named pipes and uses that for further communication. When it's finished it tidies up after itself.

Although I can't find OFFICIAL documentation that says the same thing.

Guido van Brakel · Answer 2 · 2011-06-15T22:01:53.610

4

Ask to be local admin on the machine.

Edit: Or run the command as a scheduled task. Or use the -l switch in PsExec:Run process as limited user (strips the Administrators group and allows only privileges assigned to the Users group). On Windows Vista the process runs with Low Integrity. See here:http://technet.microsoft.com/en-us/sysinternals/bb897553. Sorry to say but RTFM!

For example: To run Internet Explorer as with limited-user privileges use this command:

psexec -l -d "c:\program files\internet explorer\iexplore.exe"

Note that the password is transmitted in clear text to the remote system.

edited Jun 15 '11 at 22:01

answered Jun 15 '11 at 00:01

Guido van Brakel

942
5
10

1

The sysadmins won't allow this, and it shouldn't be necessary. It's not necessary on Linux. – HighCommander4 Jun 15 '11 at 01:08
4

@HighCommander4, what difference does it matter whether or not it's necessary on Linux? This is a Windows environment. Stop comparing apples to oranges. – John Gardeniers Jun 15 '11 at 02:02
2

@John: I was just explaining that I'm not trying to do anything that should require admin privileges. I have two machines, with an account on each, and I'm trying to remotely start a process on one machine from the other machine. This seems to me a very natural thing to do, and it seems absurd to require admin privileges to do it. – HighCommander4 Jun 15 '11 at 02:46
@HighCommander4, what you are trying to do, which is administratively access a remote computer, DOES require admin access on Windows. While that may seem absurd to you it makes perfect sense to those who have to administer a Windows network. – John Gardeniers Jun 15 '11 at 03:07
5

@John: What is "administrative" about running a program on your own account? – HighCommander4 Jun 15 '11 at 03:29
PSExec is meant for administrative access. Or run the command as a scheduled task. Or use the -l switch in PsExec:Run process as limited user (strips the Administrators group and allows only privileges assigned to the Users group). On Windows Vista the process runs with Low Integrity. See here:http://technet.microsoft.com/en-us/sysinternals/bb897553 – Guido van Brakel Jun 15 '11 at 22:00

score 1 · Answer 3 · edited Jun 15 '11 at 02:01

1

Nope, not in a useful way. Why would you want to do this and not be an admin?

edited Jun 15 '11 at 02:01

John Gardeniers

27,262
12
53
108

answered Jun 14 '11 at 22:19

tony roth

3,844
17
14

I don't have an admin account on the target machine. I only have a non-admin account, and I would like to run a process under this account, using the command-line. What is the best way to do this? – HighCommander4 Jun 14 '11 at 22:22
2

Ask your Domain Admin to do it for you. Which shouldn't be a problem unless what you're doing is fishy, right? – Safado Jun 14 '11 at 22:25
2

Ask my Domain Admin to do what for me? I can already run the process by remote desktoping into the machine using the non-admin account, and running the process under that account, i.e. the process itself doesn't need admin privileges to run. I just want to be able to do this from the command-line rather than having to remote desktop into the machine. – HighCommander4 Jun 14 '11 at 22:33
To put it another way, I am simply trying to do the Windows equivalent of `ssh user@machine 'mycommand -arg1 -arg2'` on Linux. Note that with `ssh`, `user` does **not** need to have root privileges. – HighCommander4 Jun 14 '11 at 22:39
get ssh for windows – tony roth Jun 14 '11 at 23:09
1

Is it possible to install ssh on a Windows Server without admin privileges? If so, could you point me to a link? I tried OpenSSH but it seems to require admin privileges. – HighCommander4 Jun 15 '11 at 01:09
How often do you have to run this command? Maybe set it up through Scheduled Task? – Nixphoe Jun 15 '11 at 01:29
no you need to be admin to installl ssh just as you would need elevated perms within linux to get the ssh process running. if thelinxux admin does not want you to run ssh then you don't get to run ssh.. if the windows admin wants you to run ssh then you can. – tony roth Jun 15 '11 at 11:22
Have you tried any of these suggestions? http://serverfault.com/questions/8805/psexec-access-is-denied – Safado Jun 15 '11 at 16:30
1

@tony roth: You do not need elevated perms to run an SSH daemon on Linux. You just need elevated perms to run it on a privileged port (0-1023). You can configure both client and server to use a non-privileged port, without needing elevated perms on either machine. – HighCommander4 Jun 15 '11 at 18:37
2

And in fact I have managed to set up OpenSSH on the Windows server without any admin privileges by running the SSH daemon on a non-privileged port. Go ahead and downvote me for daring to take the initiative to increase my productivity at my job without consulting the Holy Sysadmins first. – HighCommander4 Jun 15 '11 at 21:48
wow thats great that your security is that screwed up, you wouldn't be able to run openssh on any of my servers no matter how hard you tried unless an admin let you do it, as in minimally the fw would block it. In reality I wouldn't care since your totally accurate about the issue at hand, if you can log in and run a program then you should be able to execute the same app remotely! Now if you did this at my place of work you would have been fired. Hopefully your SA's don't care. – tony roth Jun 16 '11 at 00:19

score 1 · Answer 4 · answered Mar 05 '14 at 21:30

1

You'd probably be better off using Powershell commands:

Start-Process

answered Mar 05 '14 at 21:30

Robert Ebers

11
1

score 0 · Answer 5 · answered Jun 19 '17 at 18:50

A solution would be to use an AutoIT script to log into your remote desktop on a schedule from your workstation. Have your "startup" folder execute your process via either a batch script or another AutoIT script (so that you can cancel if doing other work). This is not command line, but it does automate your work within the parameters that your sysadmin has given you. Hope it helps.

score -1 · Answer 6 · answered Nov 27 '12 at 10:05

`const string subkey = "Software\Sysinternals\PsExec";

        if (Environment.Is64BitOperatingSystem)
        {
            // For 64 Bit PC
            RegistryKey registryKey64 = RegistryKey.OpenBaseKey(RegistryHive.CurrentUser, RegistryView.Registry64);
            RegistryKey NDPKey64 = registryKey64.OpenSubKey(subkey);
            if (NDPKey64 != null)
            {
                Registry.CurrentUser.OpenSubKey(subkey, true).SetValue("EulaAccepted", 1, RegistryValueKind.DWord);
            }
            else
            {
                RegistryKey regKey64 = registryKey64.OpenSubKey("Software", true);
                regKey64.CreateSubKey("Sysinternals\\PsExec", RegistryKeyPermissionCheck.ReadWriteSubTree);
                Registry.CurrentUser.OpenSubKey(subkey, true).SetValue("EulaAccepted", 1, RegistryValueKind.DWord);
            }
        }
        else
        {
            //For 32 bit PC
            RegistryKey registryKey32 = Registry.CurrentUser.OpenSubKey(subkey);
            if (registryKey32 != null)
            {
                Registry.CurrentUser.OpenSubKey(subkey, true).SetValue("EulaAccepted", 1, RegistryValueKind.DWord);
            }
            else
            {
                RegistryKey regKey32 = Registry.CurrentUser.OpenSubKey("Software", true);
                regKey32.CreateSubKey("Sysinternals\\PsExec", RegistryKeyPermissionCheck.ReadWriteSubTree);
                Registry.CurrentUser.OpenSubKey(subkey, true).SetValue("EulaAccepted", 1, RegistryValueKind.DWord);
            }
        }`

One sure fire way to bring yourself to the attention of the system is to post identical answers to old questions. Just dumping code without explanation isn't great either. Please update your answers with some explanation as to what the code does and how it solves the OPs problem. — user9517, Nov 27 '12 at 10:27
Ok, sometimes the PsExec eventhough it is installed wont invoke other exes when requested. The problem is to do with setting the EulaAccepted DWORD value to 1. I could not find a page which discusses this problem, so added here. — Shyam, Nov 30 '12 at 10:02

score -1 · Answer 7 · edited Apr 04 '13 at 07:10

-1

Why does someone not just say that it is not possible? I need to do something similar (Remote Exec a SAS Program), which I do have access to do if I RDP into that server (i.e. I have logon access to the server. I have file system access to the source code folder and I have access to run SAS).

No sysadmin is his/her right mind is going to grant me full admin rights on that box just to exec remotely. Basically PSTools is a sysadmin tool not designed to be used for the deployment of actual IT system solutions.

edited Apr 04 '13 at 07:10

Kenny Rasschaert

8,925
3
41
58

answered Apr 04 '13 at 06:28

GMT

11

2

This rant doesn't answer the question at all. – Flup Apr 04 '13 at 08:35
Actually it does. +1 – Amit Naidu May 19 '13 at 19:04

score -2 · Answer 8 · answered Jun 15 '11 at 17:09

-2

There is probably a way to do this. It's probably as simple as editing WMI permissions on the machine. If it's not possible, then using something like WinRM would definitely work.

All of that is moot for you though. You don't have admin access to the machine at all. Therefore, you cannot make any of the changes necessary to get this going. You need to work this out with your sysadmin instead of asking us to help you go around him. Remember one thing very clearly, most of us here are sysadmins and we do not like users trying to go around us. That doesn't make us very likely to help you try to go around your sysadmins.

answered Jun 15 '11 at 17:09

Jason Berg

18,954
6
38
55

2

I don't see how I'm trying to "go around" anything. The sysadmins want me to be able to run processes on that machine, otherwise I wouldn't be able to remote desktop into it. All I want is a way to run the process using the command-line rather than the remote desktop GUI. Now I could go bug the sysadmins about this, or I could simply find a way to do it myself. I thought a community of professional sysadmins would try to help me, not lecture me. – HighCommander4 Jun 15 '11 at 18:40
@HighCommander - The answer is that the sysadmins must provide this ability to you. You cannot do it yourself as you do not have administrative rights on the machine. If they really approve of this, then ask them to give you the rights you need to be able to do what you need to do. – Jason Berg Jun 15 '11 at 18:48

How to use psexec without admin privileges on target machine?

8 Answers8

Linked

Related