PsExec Access is denied

Question

I am using psexec.exe to run programs in a different security context. However the programs start but it does not seem to be running in the specified security context.

In its minimal form:

psexec -u wsadmin -p password cmd

Starts a new cmd window if I type in that window whoami

C:\Windows\system32>whoami
win-k1r7g38nlkt\wsadmin

C:\Windows\system32>net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
wsadmin
The command completed successfully.

As you can see I am definately the other user. And I can confirm that this user is member of the "Administrators group"

C:\Windows\system32>mkdir test
Access is denied.

If I use runas with the specified user it works as supposed. But I need to supply the password on the commandline.

score 12 · Answer 1 · answered Jan 28 '13 at 10:12

On Windows Vista and later, if UAC is enabled, a process launched by psexec -- even when run from an administrator account -- must have its elevate token set in order to get full privileges. This can be done by passing the -h attribute in the psexec command line. So, you would change your command to:

psexec -h -u wsadmin -p password cmd

For more info, run psexec /?:

    -h    If the target system is Vista or higher, has the process
          run with the account's elevated token, if available.

score 6 · Answer 2 · edited Apr 13 '17 at 12:14

It took me hours to find a working way to PsExec between two Windows 7 Computers with non-Admin user starting PsExec ... Disabling UAC (EnableLUA=0, ConsentPromptBehaviorAdmin=0, LocalAccountTokenFilterPolicy=1) did not work, turning off the Firewalls did not work...

Here I found the working way - thanks JelmerS: (Info from PSexec is not connecting to machine using supplied username and password)

This is because psexec still tries to access the ADMIN$ share with your local credentials, before executing your command as another user. According to this thread, you can cache credentials before executing psexec:

cmdkey.exe /add:MACHINE_NAME_HERE /user:MACHINE_NAME_HERE\Administrator /pass:PASSWORD_HERE 
psexec.exe \\MACHINE_NAME_HERE -i notepad
cmdkey.exe /delete:MACHINE_NAME_HERE

score 2 · Accepted Answer · answered Jan 28 '13 at 10:05

2

I have found a solution:

Turns out that when you have UAC enabled psexec does not work as supposed.
Whenever HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA is set to 0 psexec works as expected.

answered Jan 28 '13 at 10:05

Tuim

297

score 0 · Answer 4 · answered Jan 11 '17 at 12:45

Here is what worked for me, it doesn't get rid of UAC completely but turns it off for administrators

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control:Run All Administrators in Admin Approval Mode - Disabled

PsExec Access is denied

4 Answers4

Linked