PSEXEC, access denied errors

问题

While I'm using PSEXEC.exe getting 'Access denied' error for remote systems.

Any idea about how to solve this?

回答1:

Hi i am placing here a summary from many sources online for various solutions to "access is denied" : most information can be found here (including requirements needed) - sysinternal help

1. as someone mentioned add this reg key, and then restart the computer :

   reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

   Read this knowledge base article to learn what this does and why it is needed

2. Disable firewall (note - this will leave you with out any firewall protection)

   netsh advfirewall set allprofiles state off

3. if target user has a blank PW and you dont want to add one, run on target:

   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] "LimitBlankPasswordUse"=dword:00000000

4. This didnt work for me, but i have read it did for others in a few places, on target execute:

   Start -> Run -> secpol.msc -> Local Policies -> Security Options -> Network Access: Sharing > and security model for local accounts > Classic – local users authenticate as themselves

   if already in 'Classic':

   move to "Guest only - .." run from elevated command prompt gpupdate \force move back to 'Classic - .." again run from elevated command prompt gpupdate \force

5. This one solved my issue:

   run on target from elevated command prompt "net use" look at ouput chart and for shares listed in remote column there (i only deleted the disconnected ones - you can try them all) run "net use [remote path from before list] /delete" then run 'net use \target\Admin$ /user:[user name]' enter prompt password request (if empty PW just press enter), viola should work.

good luck, hope this saves someones time.

回答2:

I just solved an identical symptom, by creating the registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy and setting it to 1. More details are available here.

回答3:

PsExec has whatever access rights its launcher has. It runs under regular Windows access control. This means whoever launched PsExec (be it either you, the scheduler, a service etc.) does not have sufficient rights on the target machine, or the target machine is not configured correctly. The first things to do are:

1. Make sure the launcher of PsExec is familiar to the target machine, either via the domain or by having the same user and password defined locally on both machines.
2. Use command line arguments to specify a user that is known to the target machine (-u user -p password)

If this did not solve your problem, make sure the target machine meets the minimum requirements, specified here.

回答4:

This helped in my case:

cmdkey.exe /add:<targetname> /user:<username> /pass:<password>
psexec.exe \\<targetname> <remote_command>

回答5:

You can try the command

net use \\computername\ipc$ /user:adminname password

to get admin permissions on remote PC before use psexec.

回答6:

I just added "-с" parameter. It makes Psexec copy executable to remote machine. So it works without access errors.

回答7:

I had the same problem. And after a hard work, I found a easy and full solution:

1. I use runas to run the script in a admin account
2. I use the -s parameter in psExec to run in a system account
3. Inside the PsExec, I login again with a admin account
4. You can use & to run multiples commands
5. Remember to replace [USERNAME], [PASSWORD], [COMPUTERNAME], [COMMAND1] and [COMMAND2] with the real values

The code looks like this:

runas /user:[USERNAME] "psexec -e -h -s -u [USERNAME] -p [PASSWORD] \\[COMPUTERNAME] cmd /C [COMMAND1] & [COMMAND2]"

If you whant to debug your script in the another machine, run the following template:

runas /user:[USERNAME] "psexec -i -e -h -s -u [USERNAME] -p [PASSWORD] \\[COMPUTERNAME] cmd /C [COMMAND1] & [COMMAND2] & pause"

回答8:

Try setting this key on the target (remote) machine, and restart the machine:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"LocalAccountTokenFilterPolicy"=dword:00000001

See: http://forum.sysinternals.com/topic10924.html and http://www.brandonmartinez.com/2013/04/24/resolve-access-is-denied-using-psexec-with-a-local-admin-account/

回答9:

I found Sophos kept placing psexec.exe into the Quarantine section. Once I authorized it, it ran fine.

回答10:

I had a case where AV was quarantining Psexec - had to disable On-access scanning

回答11:

I found another reason PSEXEC (and other PS tools) fail - If something (...say, a virus or trojan) hides the Windows folder and/or its files, then PSEXEC will fail with an "Access is Denied" error, PSLIST will give the error "Processor performance object not found on " and you'll be left in the dark as to the reason.

You can RDP in; You can access the admin$ share; You can view the drive contents remotely, etc. etc., but there's no indication that file(s) or folder(s) being hidden is the reason.

I'll be posting this information on several pages that i was perusing yesterday while trying to determine the cause of this odd problem, so you might see this elsewhere verbatim - just thought I'd put the word out before anyone else pulled their hair out by the roots trying to understand why the performance counter has anything to do with PSEXEC running.

回答12:

For anybody who may stumble upon this. There is a recent (Dec 2013) Security Update from Microsoft Windows on Windows 7 that is preventing remote execution. See http://support.microsoft.com/kb/2893294/en-us

I uninstalled the Security Update by going to Control Panel\Programs\Programs and Features\Installed Updates

It worked right after that.

回答13:

The following worked, but only after I upgraded PSEXEC to 2.1 from Microsoft.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] "LocalAccountTokenFilterPolicy"=dword:00000001 See: http://forum.sysinternals.com/topic10924.html

I had a slightly older version that didn't work. I used it to do some USMT work via Dell kace, worked a treat :)

回答14:

On Windows Server 2012 R2 I had trouble to run from user account

psexec -u administrator -p password \\machinename -h -s -d -accepteula cmd.exe

But it works fine if you run without parameters -h -s. That's why I use this to solve my trouble:

psexec -accepteula -u administrator -p password \\machinename %PathToLocalUtils%\psexec.exe -h -s -d  cmd.exe

回答15:

I still use psexec, even on win 10. Replace the psexec.exe in the Windows 10's win32 folder with the older version to work -> I use version 2.11.0.0. The Windows 10 version I was using would only run .bat files as background/hidden process on the remote computer. Took a whole day to figure this out.

Adding the registry key from above to the remote computer helps as well:

   reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

回答16:

I couldn't get access to remote machines unless I had UAC disabled.

That has to be done locally, either from control panel or running the following through cmd:

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

While UAC is enabled, make sure you run cmd as administrator.

回答17:

For a different command I decided to change the network from public to work.
After trying to use the psexec command again it worked again.
So to get psexec to work try to change your network type from public to work or home.

来源：https://stackoverflow.com/questions/828432/psexec-access-denied-errors