Becoming «NT Authority\System»
The -s option runs the executable under the System account; -i makes it interact with the desktop (that is, it is interactive).
C:\Users\rene> PsExec64 -s -i cmd
…
C:\WINDOWS\system32> whoami /user
…
User Name SID
=================== ========
nt authority\system S-1-5-18
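The whoami /user output above is the check that confirms the shell really runs as System: the SID S-1-5-18 is the well-known SID of the LocalSystem account. As an added example (not code from the page), the following Python parses that table the way whoami prints it, taking the column boundaries from the ruler of = characters so that a user name containing a space, such as nt authority\system, is not split on whitespace, and then tests the SID. The sample output is constructed to match the page's layout; the parser also handles the other whoami tables (such as whoami /groups) that use the same header/ruler format.

```python
import re

# Constructed sample, laid out like the `whoami /user` output shown on the
# page (header line, '=' ruler, one data row). Not captured from a real host.
SAMPLE_WHOAMI_USER = """\
USER INFORMATION
----------------

User Name           SID
=================== ========
nt authority\\system S-1-5-18
"""

# Well-known SID of the LocalSystem account (NT AUTHORITY\SYSTEM).
LOCAL_SYSTEM_SID = "S-1-5-18"

# A ruler line consists only of '=' runs separated by spaces.
RULER_RE = re.compile(r"^=[= ]*$")


def parse_whoami_table(text):
    """Parse one whoami table (header line, '=' ruler, data rows) into a
    list of dicts keyed by column header.

    Column boundaries are taken from the runs of '=' in the ruler, so a
    value that contains a space, such as 'nt authority\\system', stays in
    one cell instead of being split on whitespace."""
    lines = text.splitlines()
    ruler_idx = next(
        (i for i, line in enumerate(lines) if RULER_RE.match(line.rstrip())),
        None,
    )
    if ruler_idx is None or ruler_idx == 0:
        raise ValueError("no header/ruler pair found in whoami output")
    spans = [(m.start(), m.end()) for m in re.finditer(r"=+", lines[ruler_idx])]
    header = lines[ruler_idx - 1]

    def cells(line):
        # The last column runs to end of line, so a value wider than its
        # ruler (for example a long domain SID) is not truncated.
        out = []
        for n, (start, end) in enumerate(spans):
            stop = None if n == len(spans) - 1 else end
            out.append(line[start:stop].strip())
        return out

    names = cells(header)
    rows = []
    for line in lines[ruler_idx + 1:]:
        if not line.strip():
            break  # blank line ends the table
        rows.append(dict(zip(names, cells(line))))
    return rows


def running_as_local_system(whoami_user_output):
    """True when a row of `whoami /user` carries the LocalSystem SID."""
    rows = parse_whoami_table(whoami_user_output)
    return any(row.get("SID") == LOCAL_SYSTEM_SID for row in rows)


if __name__ == "__main__":
    for row in parse_whoami_table(SAMPLE_WHOAMI_USER):
        print(row)
    print("LocalSystem:", running_as_local_system(SAMPLE_WHOAMI_USER))
```

Comparing the SID rather than the displayed name is deliberate: the name is localized on non-English systems, while S-1-5-18 is the same everywhere.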
Viewing protected registry keys
In order to be able to navigate to these keys, regedit.exe must be started as System:
PsExec64 -s -i regedit.exe
Do not wait for cmd.exe to be closed
By default, PsExec waits for the remote session to be terminated. In order to open a cmd.exe with these privileges without waiting for it to be terminated, the -d option must be specified:
C:\Users\rene> PsExec64 -s -d -i cmd
Open a command prompt on a remote machine
A command can be executed on a remote machine. The following command line executes cmd.exe on the computer named compi. Note that the two backslashes in front of a computer name need to be escaped by another backslash, thus totalling four backslashes:
PsExec64 \\\\computername -u username -p password cmd
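The remote form works by registering a service on the target machine (named PSEXESVC by default) that runs as LocalSystem, which is why the target's Service Control Manager records a System-log event 7045 ("A service was installed in the system.") for it. As an added example, not code from the page, the following Python scans a constructed list of System-log records for that footprint. The PSEXESVC name and the 7045 message layout are standard Sysinternals/Windows behaviour; the records themselves and the host name compi (taken from the page) are constructed. Because PsExec's -r option lets the service be given another name, a match is a baseline signal only; the absence of a match does not prove PsExec was not used.

```python
import re

# Constructed sample of System-log records in the layout the Service Control
# Manager uses for event 7045 ("A service was installed in the system."
# followed by "Key:  Value" lines). Not captured from a real host.
SAMPLE_SYSTEM_LOG = [
    {
        "EventID": 7045,
        "Computer": "compi",
        "Message": (
            "A service was installed in the system.\n\n"
            "Service Name:  PSEXESVC\n"
            "Service File Name:  %SystemRoot%\\PSEXESVC.exe\n"
            "Service Type:  user mode service\n"
            "Service Start Type:  demand start\n"
            "Service Account:  LocalSystem"
        ),
    },
    {
        "EventID": 7045,
        "Computer": "compi",
        "Message": (
            "A service was installed in the system.\n\n"
            "Service Name:  BackupAgent\n"
            "Service File Name:  \"C:\\Program Files\\Backup\\agent.exe\"\n"
            "Service Type:  user mode service\n"
            "Service Start Type:  auto start\n"
            "Service Account:  NT AUTHORITY\\NetworkService"
        ),
    },
    {
        "EventID": 7036,
        "Computer": "compi",
        "Message": "The Print Spooler service entered the running state.",
    },
]

# Default name of the service PsExec registers on the target (changeable with -r).
PSEXEC_SERVICE_NAME = "psexesvc"

# "Key:  Value" lines of the 7045 message; the key is letters and spaces only,
# so a drive letter colon inside the value does not confuse the split.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s+(?P<value>.*)$")


def parse_service_install(message):
    """Turn the 'Key:  Value' lines of a 7045 message into a dict."""
    fields = {}
    for line in message.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group("key")] = m.group("value").strip().strip('"')
    return fields


def find_psexec_service_installs(events):
    """Return one finding per 7045 event whose service name or service binary
    matches PsExec's default PSEXESVC (case-insensitive)."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue
        fields = parse_service_install(ev.get("Message", ""))
        name = fields.get("Service Name", "")
        image = fields.get("Service File Name", "")
        binary = image.replace("/", "\\").rsplit("\\", 1)[-1]
        if name.lower() == PSEXEC_SERVICE_NAME or binary.lower() == PSEXEC_SERVICE_NAME + ".exe":
            findings.append({
                "Computer": ev.get("Computer"),
                "ServiceName": name,
                "ImagePath": image,
                "Account": fields.get("Service Account"),
            })
    return findings


if __name__ == "__main__":
    for finding in find_psexec_service_installs(SAMPLE_SYSTEM_LOG):
        print(finding)
```

On a real host the same check runs over the output of Get-WinEvent on the System log filtered to event ID 7045; the "Service Account: LocalSystem" field in the finding is the reason a PsExec -s session ends up as S-1-5-18.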