PsExec Access is denied

I am using psexec.exe to run programs in a different security context. However the programs start but it does not seem to be running in the specified security context.

In its minimal form:

psexec -u wsadmin -p password cmd

Starts a new cmd window if I type in that window whoami

C:\Windows\system32>whoami
win-k1r7g38nlkt\wsadmin

C:\Windows\system32>net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
wsadmin
The command completed successfully.

As you can see I am definately the other user. And I can confirm that this user is member of the "Administrators group"

C:\Windows\system32>mkdir test
Access is denied.

If I use runas with the specified user it works as supposed. But I need to supply the password on the commandline.

Tuim

Posted 2013-01-23T09:53:40.703

Reputation: 257

Answers

I have found a solution:

Turns out that when you have UAC enabled psexec does not work as supposed.
Whenever HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA is set to 0 psexec works as expected.

Tuim

Posted 2013-01-23T09:53:40.703

Reputation: 257

For me the -h flag did not work and disabling UAC was troubling, but I found a better alternative

– mTorres – 2019-11-16T11:39:20.633

4The other way around this that doesn't require changing the registry is to just add the -h flag to the psexec command. This tells it to run the command with the elevated token, which is equivalent to launching a process "as administrator" from the context menu. – nhinkle – 2013-01-28T10:09:41.440

Setting EnableLUA to 0 disables Admin Approval Mode, which is basically the core of UAC. As a result the UAC will get disabled. Source.

– Vlastimil Ovčáčík – 2013-07-27T13:06:10.290

On Windows Vista and later, if UAC is enabled, a process launched by psexec -- even when run from an administrator account -- must have its elevate token set in order to get full privileges. This can be done by passing the -h attribute in the psexec command line. So, you would change your command to:

psexec -h -u wsadmin -p password cmd

For more info, run psexec /?:

    -h    If the target system is Vista or higher, has the process
          run with the account's elevated token, if available.

nhinkle

Posted 2013-01-23T09:53:40.703

Reputation: 35 057

1Use "Elevated command prompt" or "Elevated PowerShell prompt" via "Start > Type "PowerShell" > Right-click "Windows PowerShell" > Select "Run as Administrator" then run the psexec command including the -h option. – Underverse – 2017-02-21T03:56:59.767

@Underverse, Is it possible to use psexec from user CMD, not from admin PS? I wanna use psexec exactly for transition CMD into admin context :) – Suncatcher – 2017-12-10T10:24:24.470

@Suncatcher The only difference should be to use / instead of - for switches for CMD prompt to call psexec. psexec.exe /u "username" /p "password" /accepteula /i /h "c:\\Windows\System32\\cmd.exe" in a CMD prompt vs psexec.exe -u "username" -p "password" /accepteula -i -h PowerShell.exe -NoExit in PowerShell. In both cases the CMD/PowerShell window must be run as administrator. Otherwise the Couldn't install PsExec service: message is thrown. – Underverse – 2017-12-11T23:58:44.390

Bad (( I saw this as answer to question "how to elevate CMD". – Suncatcher – 2017-12-12T09:31:19.717

9Unfortunately this gives me "Couldn't install PSExec service access is denied" – Tuim – 2013-01-28T10:39:32.607

Are you also running the initial command from an elevated command prompt, or are you using it as a local run-as? – nhinkle – 2013-01-28T11:02:18.903

The original command runs a 'user' security context. I can not use run-as for specific reasons. – Tuim – 2013-01-28T11:20:00.233

It took me hours to find a working way to PsExec between two Windows 7 Computers with non-Admin user starting PsExec ... Disabling UAC (EnableLUA=0, ConsentPromptBehaviorAdmin=0, LocalAccountTokenFilterPolicy=1) did not work, turning off the Firewalls did not work...

Here I found the working way - thanks JelmerS: (Info from PSexec is not connecting to machine using supplied username and password)

This is because psexec still tries to access the ADMIN$ share with your local credentials, before executing your command as another user. According to this thread, you can cache credentials before executing psexec:

cmdkey.exe /add:MACHINE_NAME_HERE /user:MACHINE_NAME_HERE\Administrator /pass:PASSWORD_HERE 
psexec.exe \\MACHINE_NAME_HERE -i notepad
cmdkey.exe /delete:MACHINE_NAME_HERE

Peter Feldhammer

Posted 2013-01-23T09:53:40.703

Reputation: 51

Note - If you don't want your password in the command line history, you can just use /pass with no password, and you will get a prompt to enter one. – Joe the Coder – 2018-09-27T16:13:28.287

Here is what worked for me, it doesn't get rid of UAC completely but turns it off for administrators

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control:Run All Administrators in Admin Approval Mode - Disabled

cristobalhernandez

Posted 2013-01-23T09:53:40.703

Reputation: 1

Which isn't really a great idea. In addition how is this an improvement in comparison to the other available solutions? – Seth – 2017-01-11T14:23:57.633