Is it a Virus?
✔ NO - Safe
Must be obtained from Microsoft Sysinternals PsTools and used for authorized admin tasks
Warning
Remote admin tool, misuse risk
Unauthorized access or misuse can lead to security incidents
Can I Disable?
✔ YES
If you don’t need remote execution capabilities, remove the executable and restrict admin tool usage
What is psexec64.exe?
psexec64.exe is the 64-bit PsExec tool from Microsoft Sysinternals that enables administrators to execute commands on remote Windows hosts. It works by creating a service on the target machine and launching the requested process, returning output locally. It is a powerful tool for remote administration but must be used responsibly and only against machines you control or have explicit permission to manage.
PsExec64 uses SMB/IPC mechanisms to launch a remote process by creating a temporary service on the target computer. The command runs under a chosen context (-s for System, -i for interactive) and streams stdout/stderr back to the caller.
Quick Fact: PsExec64 pioneered remote command execution in Sysinternals; it can run commands without installing software on the remote host, but requires careful permission handling.
Types of PsExec Usage
- Remote Command Execution: Run a command on a remote host using the remote service mechanism
- Remote Service Installation: PsExec creates a temporary service on the target and then removes it after execution
- Interactive Execution: Use -i to run processes on a specific interactive session
- System Context Execution: Run commands under the System account with -s
- Background/Copy and Execute: Option -c copies the binary to the remote host before execution
- Output Capture: Stdout/stderr are streamed back to the local session
Is psexec64.exe Safe?
Yes, psexec64.exe is safe when downloaded from Microsoft Sysinternals and used with proper authorization.
Is psexec64.exe a Virus or Malware?
The legitimate psexec64.exe is not a virus. However, malware can masquerade with similar names. Always verify source and signature.
How to Tell if psexec64.exe is Legitimate or Malware
- File Location: Must be in C:\Program Files\Sysinternals\PsTools\psexec64.exe or C:\Sysinternals\PsTools\psexec64.exe. Any other location is suspicious.
- Digital Signature: Right-click C:\Program Files\Sysinternals\PsTools\psexec64.exe -> Properties -> Digital Signatures. Should show a valid Microsoft or Sysinternals signer.
- Resource Usage: Normal usage is minimal when idle; unusual CPU spikes or persistent network activity on idle is suspicious.
- Behavior: PsExec64 should not install persistent services without explicit command; unexpected remote connection or persistent tasks indicate compromise.
Red Flags: If psexec64.exe is located in temp folders (like %TEMP%), lacks a valid digital signature, or starts remote sessions without user consent, scan for malware and restrict usage.
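The location and signature checks above can be scripted. The following PowerShell is an added example, not part of the original page or of Sysinternals; the scan roots and the function name Test-PsExecCopy are assumptions, and the expected folders are the two named above.

```powershell
# Added example: inventory PsExec copies and apply the location/signature checks.
# Expected folders are the two named on this page; scan roots are assumptions.
$expectedDirs = @(
    'C:\Program Files\Sysinternals\PsTools',
    'C:\Sysinternals\PsTools'
)
$scanRoots = @('C:\Program Files', 'C:\Sysinternals', $env:TEMP,
               "$env:USERPROFILE\Downloads") | Where-Object { Test-Path $_ }

function Test-PsExecCopy {
    param([Parameter(Mandatory)][string]$Path)

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $dir    = Split-Path -Path $Path -Parent

    # A copy passes only if the signature chain validates AND the signer is Microsoft.
    $signedOk = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')

    [pscustomobject]@{
        Path          = $Path
        InExpectedDir = $expectedDirs -contains $dir   # -contains is case-insensitive
        SignatureOk   = $signedOk
        Status        = $sig.Status
        Signer        = $signer
        SHA256        = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}

# Report every copy found; rows with InExpectedDir or SignatureOk = False need review.
Get-ChildItem -Path $scanRoots -Filter 'psexec*.exe' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { Test-PsExecCopy -Path $_.FullName } |
    Sort-Object SignatureOk, InExpectedDir |
    Format-Table Path, InExpectedDir, SignatureOk, Status -AutoSize
```

A renamed copy will not match the file-name filter, so compare the SHA256 column against your own known-good download when building an allow or block list.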
Why Is psexec64.exe Running on My PC?
PsExec64 runs when you or a management script initiates a remote command, or when a tool uses PsExec to perform admin tasks across hosts.
Reasons it's running:
- Active Administrative Sessions: A remote command is executing on a host you manage; PsExec starts a process on that machine.
- Automation and Deployment: Batch jobs or deployment scripts leverage PsExec to push updates or run installers remotely.
- Remote Diagnostics: IT staff use PsExec to collect logs or run diagnostics on remote systems.
- Startup/Scheduled Tasks: Tools may launch PsExec64 via scheduled tasks or startup scripts for maintenance.
- Credentialed Remote Operations: If an admin console or RMM tool uses remote execution, PsExec will appear as part of those workflows.
Can I Disable or Remove psexec64.exe?
Yes, you can disable psexec64.exe. If you don’t need remote execution capabilities, remove the executable and restrict admin tool usage. In managed environments, block usage via policy and monitoring.
How to Stop psexec64.exe
- Close Active Sessions: If a remote process is running, wait for it to finish or terminate it from Task Manager on the host.
- Limit Access: Remove PsTools from allowed toolsets and restrict admin rights.
- Remove the Binary: Delete psexec64.exe from its folder and audit for copies.
- Policy Controls: Implement Group Policy/AppLocker/Secure Apps policies to block PsExec usage.
- Monitor & Audit: Enable auditing for process creation and remote service installation to detect misuse.
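For the Monitor & Audit step, the following PowerShell is an added example (not from the original page) that searches the local event logs for the two traces described: a service installation and a process start. It assumes PSEXESVC as PsExec's default service name, a 7-day look-back window, and hypothetical function names; run it elevated on the host being audited.

```powershell
# Added example: look for PsExec service installs and process starts in local logs.
# Assumption: PSEXESVC is the default service name; the match covers that default only.
$since = (Get-Date).AddDays(-7)   # look-back window (assumption)

function Get-EventDataTable {
    # Turn an event's named <Data> fields into a hashtable.
    param([Parameter(Mandatory)]$Record)
    $table = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $table[$d.Name] = $d.'#text'
    }
    $table
}

function Get-PsExecServiceInstall {
    # Event 7045 (System log): "A service was installed in the system."
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'
        Id = 7045; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = Get-EventDataTable -Record $_
        if ($d.ServiceName -match 'PSEXE' -or $d.ImagePath -match 'PSEXE') {
            [pscustomobject]@{
                Time = $_.TimeCreated; Computer = $_.MachineName
                Service = $d.ServiceName; ImagePath = $d.ImagePath; Account = $d.AccountName
            }
        }
    }
}

function Get-PsExecProcessStart {
    # Event 4688 (Security log): logged only when "Audit Process Creation" is enabled.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = Get-EventDataTable -Record $_
        if ($d.NewProcessName -match '\\(psexec(64)?|psexesvc)\.exe$') {
            [pscustomobject]@{
                Time = $_.TimeCreated; User = $d.SubjectUserName
                Process = $d.NewProcessName; CommandLine = $d.CommandLine
            }
        }
    }
}

Get-PsExecServiceInstall | Format-Table -AutoSize
Get-PsExecProcessStart   | Format-Table -AutoSize
```

The CommandLine field is empty unless command-line inclusion in process creation events is also enabled by policy.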
How to Uninstall PsTools (PSEXEC64.EXE)
- ✔ Delete the PsTools folder containing psexec64.exe (e.g., C:\Program Files\Sysinternals\PsTools).
- ✔ Remove any references from scripts, task schedules, or automated workflows.
- ✔ If installed via Sysinternals updater, delete the entire PsTools package directory.
Common Problems: Remote Execution Issues
If psexec64.exe behaves unexpectedly or fails to run remote commands:
Common Causes & Solutions
- Incorrect Admin Credentials: Verify the target credentials using a credential prompt or a secure credential manager; ensure the account has remote admin rights.
- Firewall or Network Restrictions: Open necessary ports (SMB/Remote Service Control) or adjust network segmentation to allow PsExec operations.
- Invalid Path or Missing Files: Ensure PsTools folder contains psexec64.exe and related files; re-download from official Sysinternals site if missing.
- Antivirus Blocking: Whitelist psexec64.exe in security software or temporarily disable in a controlled environment (follow policy).
- UAC and Remote Execution Restrictions: Run with proper elevation (-h for elevated rights if supported) and ensure UAC policies permit remote tasks.
- Remote Host Not Reachable: Check hostname/IP, DNS resolution, and firewall rules on the target machine.
Quick Fixes:
1. Verify PsTools download from official Microsoft Sysinternals site
2. Run with explicit credentials and correct syntax (e.g., psexec \\host -u user -p pass cmd)
3. Ensure necessary firewall ports are open for remote admin tasks
4. Update PsTools to latest version
5. Audit recent usage with security tooling
Frequently Asked Questions
Is psexec64.exe safe to run?
Yes, when downloaded from Microsoft Sysinternals and used with explicit authorization. Treat it as a powerful admin tool and restrict access.
Where can I download PsExec64?
From the official Microsoft Sysinternals PsTools suite: https://docs.microsoft.com/sysinternals/downloads/psexec. Verify the signature after download.
Do I need admin rights to use PsExec64?
Yes, remote execution requires administrative privileges on both the local and target machines.
Can PsExec64 be blocked by antivirus or firewall?
Yes. Security software may flag or block the tool; admins should whitelist it and ensure legitimate usage policies are in place.
How do I verify PsExec64 is performing correctly on a remote host?
Check command output, remote process creation logs, and verify the remote service status. Use -s or -i as appropriate and confirm results locally.
Can I uninstall PsTools after use?
Yes. Simply delete the PsTools folder containing psexec64.exe and remove any scripts referencing it.