What To Do When PsExec Is Blocked By Your Anti-Virus Software

If your anti-virus software has been configured to block PsExec through some type of execution policy, here are your options for getting it working again:

  1. Perhaps the most obvious method would be to modify the execution policy so that it no longer blocks PsExec. 🙂
  2. Another option, if your AV software has such functionality, is to whitelist PsExec. In this case you should whitelist psexec.exe as well as psexesvc.exe
  3. The simplest method to prevent your antivirus software from blocking PsExec is actually using a built-in switch that PsExec offers to change the remote service name. This option exists in PsExec version 2+. This method works for the large majority of situations, but depending on the actual blocking mechanism that has been used in your environment, it’s possible that this method might not work for you.

    -r Specifies the name of the remote service to create or interact with

    Under normal circumstances when PsExec.exe is executed on computer A, it creates a connection to a target computer B. On computer B a new service is created called PSEXESVC with an executable file psexesvc.exe. When you use the -r switch you are able to specify a new/different service name to be used, so the target computer will create a service and associated executable with the name you specific rather than the default/generic psexesvc. Believe it or not, this is actually enough to bypass or prevent detection in many/most cases, though again I would note that it really depends on the actual blocking mechanism that’s in place in your environment.

    This switch can be utilized when working with PsExec directly at the command line on a particular computer or it can also be used inside of BatchPatch. In BatchPatch go to ‘Tools > Settings > Remote Execution’. You’ll need to modify the value next to ‘Use PsExec -r switch to specify remote service name’. You can use any name that you want here. BatchPatchExeSvc is not a bad choice, and it’s what I have specified in my instance of BatchPatch, as you can see in the screenshot below.

    Normally it’s just the remote service PSEXESVC and/or psexesvc.exe that is blocked by an execution policy, but if you want you could go a step further and actually provide a new name for the PsExec.exe too. This file normally only would exist on the BatchPatch computer. You can change its name to whatever you want such as YourCustomName.exe and then in BatchPatch modify the value for ‘Use psexec.exe custom filepath:‘ which also lives under Tools > Settings > Remote Execution. You’ll need to specify the full filepath to your newly named .exe file, so for example C:\YourDesiredPath\YourCustomName.exe

This entry was posted in Blog, General, Tutorials and tagged . Bookmark the permalink. Both comments and trackbacks are currently closed.