Is it possible to run PsExec without admin$ share enabled on target PC?

ZachB32 1 Reputation point
2022-08-19T17:02:35.993+00:00

Long story short, I want to use PsExec to run ipconfig on a machine on our network using its IP. My cmd is open as admin, and I’m executing the PsExec command using the target machine’s local admin account. I keep getting “Make sure that the default admin$ share is enabled”.

Here’s what I’m running:
psexec -i \IP ipconfig /all -u .\username -p password

Am I able to run this command using the local admin account on the target machine, without having admin$ share enabled? I don’t believe this is a firewall issue, and the target machine is online and pinging.

I’ve already tried nslookup with the IP, doesn’t show hostname. If there’s another recommendation for getting an IP’s hostname, I’m open to using that instead.

Windows Sysinternals

1 answer

  1. Philippe Levesque 4,701 Reputation points MVP
    2022-08-19T17:23:10.347+00:00

    No, as PsExec invokes a cmd prompt remotely via psexesvc.exe to run the command, and thus needs access to the admin share for the first handshake.

    To quote how it works:

    How Does PsExec Work?

    In the resources of the executable file PsExec.exe, there is another executable file – PSEXESVC, which is a Windows service file. When establishing a connection to a remote computer, the PsExec utility copies this file to the hidden administrative folder Admin$ of the remote computer (C:\Windows\System32\psexesvc.exe). In order for PsExec to connect to a remote computer, the LanmanServer and LanmanWorkstation services must be running on a computer. The SMB port (TCP/445) and UDP/137 ports should be opened on the firewalls between source and target computers.
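
The prerequisites named in the answer above can be checked read-only on the target machine itself. This is an added example, not part of the original thread or of PsExec; the function name `Test-PsExecPrerequisite` is hypothetical, and it assumes an elevated PowerShell session on a Windows version that ships the SmbShare and NetTCPIP modules.

```powershell
# Added example: read-only check of the PsExec prerequisites named in the answer.
# Run locally on the target machine; nothing is changed on the system.
function Test-PsExecPrerequisite {
    [CmdletBinding()]
    param()

    # Services the quoted text says must be running.
    $services = foreach ($name in 'LanmanServer', 'LanmanWorkstation') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Check  = "Service $name"
            Passed = ($null -ne $svc -and $svc.Status -eq 'Running')
            Detail = if ($svc) { [string]$svc.Status } else { 'not found' }
        }
    }

    # The hidden administrative share that PsExec copies PSEXESVC into.
    $share = Get-SmbShare -Name 'ADMIN$' -ErrorAction SilentlyContinue
    $shareCheck = [pscustomobject]@{
        Check  = 'Share ADMIN$'
        Passed = ($null -ne $share)
        Detail = if ($share) { $share.Path } else { 'share not present' }
    }

    # Is the SMB port (TCP/445) listening? A listener does not prove that
    # firewalls between source and target allow the traffic.
    $listener = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $portCheck = [pscustomobject]@{
        Check  = 'TCP/445 listening'
        Passed = ($null -ne $listener)
        Detail = if ($listener) {
            ($listener.LocalAddress | Select-Object -Unique) -join ', '
        } else { 'no listener' }
    }

    @($services) + $shareCheck + $portCheck
}

Test-PsExecPrerequisite | Format-Table -AutoSize
```

Any row with `Passed` set to `False` points at the prerequisite that would produce the admin$ error seen from the source machine.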