
Friday, May 17, 2013

psexec via linux

I often use Sysinternals' psexec during my Windows management routines; however, I've often wished I could do so from my Linux desktop rather than my Windows VM. Thanks to an updated "winexe" hosted at http://sourceforge.net/p/winexe/wiki/Home/, "psexec in Linux" is possible.

On a Debian- or Ubuntu-based distro, add the following repository to /etc/apt/sources.list:
deb http://repo.openpcf.org/repository/ext/openpcf/ubuntu/ precise main

Then add the repo's public key and update/install (as of this writing, it is version 1.00 and they are developing v1.1):
wget http://repo.openpcf.org/repository/ext/openpcf/openpcf.org-repo-public-key-C6E91526.asc
sudo apt-key add ./openpcf.org-repo-public-key-C6E91526.asc
sudo apt-get update
sudo apt-get install winexe

As with the Windows utility psexec.exe, the target must be configured appropriately. If necessary, read the following:
1) http://forum.sysinternals.com/psexec-could-not-start_topic3698_post11962.html#11962
2) http://jamesrayanderson.blogspot.com/2010/04/psexec-and-ports.html

Let's test it by listing processes on the target:
winexe -U USERNAME //HOSTNAMEorIP "tasklist"

The utility should ask for the password and display results:

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0         72 K
smss.exe                     712 Console                 0        268 K
csrss.exe                    800 Console                 0      1,488 K
winlogon.exe                 824 Console                 0      4,892 K
services.exe                 868 Console                 0      2,228 K
lsass.exe                    880 Console                 0      1,876 K
vmacthlp.exe                1084 Console                 0        152 K
svchost.exe                 1100 Console                 0      2,328 K
PresentationFontCache.exe   1168 Console                 0      1,024 K
svchost.exe                 1196 Console                 0      1,676 K
svchost.exe                 1320 Console                 0     32,768 K
svchost.exe                 1412 Console                 0      2,576 K
svchost.exe                 1436 Console                 0        368 K
svchost.exe                 1508 Console                 0      1,440 K
svchost.exe                 1568 Console                 0      1,368 K
svchost.exe                 1912 Console                 0        272 K
alg.exe                     1956 Console                 0        280 K
svchost.exe                  584 Console                 0        384 K
ramaint.exe                 1296 Console                 0        424 K
SntpClient.exe              2796 Console                 0      1,416 K
dllhost.exe                 2892 Console                 0        360 K
vmtoolsd.exe                3260 Console                 0      2,708 K
vmware-usbarbitrator.exe    3368 Console                 0        388 K
vssvc.exe                   3436 Console                 0        188 K
SDUpdSvc.exe                3488 Console                 0        800 K
dllhost.exe                 2472 Console                 0      1,040 K
logon.scr                   4080 Console                 0        252 K
csrss.exe                   4024                         1      2,340 K
winlogon.exe                 404                         1      5,684 K

When running programs that take parameters, remember to quote the whole command line.
Let's test this by running a ping-to-self on the target. Execute the utility, including the quotation marks:
winexe -U USERNAME //HOSTNAMEorIP "ping -n 1"

The above produces:

Pinging with 32 bytes of data:

Reply from bytes=32 time<1ms ttl=128
Ping statistics for
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

For domain accounts, I've found that you need to escape your domain username in this fashion (notice the double backslash in the username):
winexe -U DOMAIN\\username //HOSTNAMEorIP "commandline"

Be warned, though: as is also true with psexec, your password may be passed as plain text over the network.
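
A related local exposure: putting the password on the command line (the -U USERNAME%PASSWORD form) leaves it visible in the process list and shell history. The sketch below is an added example, not part of the original post; it hands winexe a mode-0600 credentials file through its -A/--authentication-file option instead. The function names and the WINEXE override variable are hypothetical.

```sh
#!/bin/sh
# Added example: run winexe without putting the password on the command line.
# write_auth_file, run_winexe and $WINEXE are hypothetical names for this sketch.

# Write a Samba-style credentials file readable only by the current user
# and print its path. printf is a builtin in bash and dash, so the password
# never appears in another process's argument list.
write_auth_file() (
    umask 077
    file=$(mktemp "${TMPDIR:-/tmp}/winexe-auth.XXXXXX") || exit 1
    {
        printf 'username = %s\n' "$1"
        printf 'password = %s\n' "$2"
        if [ -n "${3:-}" ]; then printf 'domain = %s\n' "$3"; fi
    } > "$file"
    printf '%s\n' "$file"
)

# run_winexe HOST COMMAND USER [DOMAIN]
# Reads the password from the terminal without echo (or one line from stdin
# when piped), runs winexe with -A, then deletes the credentials file.
run_winexe() (
    host=$1 cmd=$2 user=$3 domain=${4:-}
    if [ -t 0 ]; then
        printf 'Password for %s: ' "$user" >&2
        stty -echo; IFS= read -r pass; stty echo; printf '\n' >&2
    else
        IFS= read -r pass
    fi
    auth=$(write_auth_file "$user" "$pass" "$domain") || exit 1
    trap 'rm -f -- "$auth"; exit 130' INT TERM HUP
    rc=0
    "${WINEXE:-winexe}" -A "$auth" "//$host" "$cmd" || rc=$?
    rm -f -- "$auth"
    exit "$rc"
)

# Usage, with the post's placeholders:
#   run_winexe HOSTNAMEorIP "tasklist" USERNAME DOMAIN
```

Because the domain goes into its own field of the credentials file, the backslash escaping of DOMAIN\\username is not needed with this form.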

As always, Good Luck!


  1. You may also want to look into https://sourceforge.net/projects/smbexec/ , but I haven't.

  2. If you prefer compiling from source code: http://www.aldeid.com/wiki/Winexe

  3. and http://www.room362.com/blog/2014/04/19/executing-code-via-smb-without-psexec/

  4. and http://www.lexsi.fr/wmi-shell.html

  5. Hi There,
    I'm not sure whether this is the right place to ask this question; if it isn't, I apologize in advance...
    My situation is as follows: I'm trying to start programs on a remote Win7 machine from my Raspberry Pi using winexe. This works fine for programs that do not require a GUI, but (for example) when I want to start XBMC with winexe, an 'Interactive Services Detection' message pops up. If I open this message, it states that XBMC was unable to create a GUI. When I try to open Notepad, the same thing happens, except that opening the ISD message shows an opened Notepad, after which I can return to my desktop environment.
    I'm using version 1.0 with the following command:
    ./bin/winexe -U Username%password // -d 4 --ostype=0 --interactive=1 --system 'c:\program files\xbmc\xbmc.exe'
    Does anyone know what I'm doing wrong? Any suggestion would be very much appreciated!
    debug shows:
    adding hidden service IPC$
    adding hidden service ADMIN$
    failed to get principal from default ccache: No such file or directory: open(/tmp/krb5cc_1000): No such file or directory
    winexe version 1.00
    This program may be freely redistributed under the terms of the GNU GPLv3
    GENSEC backend 'krb5' registered
    GENSEC backend 'fake_gssapi_krb5' registered
    GENSEC backend 'schannel' registered
    GENSEC backend 'spnego' registered
    GENSEC backend 'gssapi_spnego' registered
    GENSEC backend 'gssapi_krb5' registered
    GENSEC backend 'gssapi_krb5_sasl' registered
    GENSEC backend 'ntlmssp' registered
    Using binding ncacn_np:
    Mapped to DCERPC endpoint \pipe\svcctl
    added interface ip= nmask=
    added interface ip= nmask=
    ERROR: Cannot connect to svcctl pipe. NT_STATUS_RESOURCE_NAME_NOT_FOUND.
    added interface ip= nmask=
    added interface ip= nmask=
    Got challenge flags:
    Got NTLMSSP neg_flags=0x628a8215
    NTLMSSP: Set final flags:
    Got NTLMSSP neg_flags=0x60088215
    IN: async_open(\pipe\ahexec, 2)
    IN: async_open_recv
    CTRL: Sending command: get version
    CTRL: Sending command: set system 1
    run c:\program files\xbmc\xbmc.exe
    CTRL: Recieved command: std_io_err 0DEC002B
    IN: async_open(\pipe\ahexec_stdin0DEC002B, 2)
    IN: async_open(\pipe\ahexec_stdout0DEC002B, 2)
    IN: async_open(\pipe\ahexec_stderr0DEC002B, 2)
    IN: async_open_recv
    IN: async_open_recv
    IN: async_open_recv
    After this winexe hangs, obviously because it's awaiting a response from the win7 machine. After CTRL+C debug shows:
    ERROR: smb_raw_read_recv - NT_STATUS_PIPE_DISCONNECTED
    ERROR: smb_raw_read_recv - NT_STATUS_PIPE_DISCONNECTED
    ERROR: smb_raw_read_recv - NT_STATUS_PIPE_DISCONNECTED
    ERROR: smb_raw_read_recv - NT_STATUS_PIPE_DISCONNECTED
    ERROR: on_ctrl_pipe_error - NT_STATUS_PIPE_DISCONNECTED

    1. I just don't know; I've reviewed this question several times. I'm not the authority on this. I suspect that XBMC is awaiting some interaction on the remote computer. Sorry.
