Troubleshooting PsExec “Access Denied” Errors When Using Explicit Credentials on Remote Windows Machines


When executing PsExec with explicit credentials (-u and -p parameters), Windows performs an authentication dance that often trips up administrators. The core behavior we're seeing:

psexec \\TARGET_MACHINE -u TARGET_MACHINE\Administrator -p AdminPassword123 cmd.exe
# Returns: "Couldn't access TARGET_MACHINE: Access is denied"

What actually happens during this failed attempt:

  1. Your workstation first authenticates using your current domain credentials
  2. Only then does it attempt the explicit local Administrator credentials
  3. Windows combines both authentication attempts in the security log

When working with workgroup machines, try these approaches:

Method 1: Force Pure Local Authentication

psexec \\TARGET_MACHINE -u Administrator -p AdminPassword123 -h -i 1 cmd.exe
# -h : Run with account's elevated token
# -i 1 : Run interactively in session 1 on the target

Method 2: Registry Modification (For Persistent Access)

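On the target machine, create this registry entry. It turns off UAC remote restrictions, so local administrator accounts receive a full (unfiltered) administrator token on network logons: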

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

For modern systems, consider this PowerShell equivalent:

# Build a credential for the target's local Administrator account
$cred = New-Object System.Management.Automation.PSCredential(".\Administrator", (ConvertTo-SecureString "AdminPassword123" -AsPlainText -Force))
# Requires PowerShell remoting (WinRM) to be enabled on the target
Invoke-Command -ComputerName TARGET_MACHINE -Credential $cred -ScriptBlock { Start-Process notepad }

  • Always use complex passwords for local admin accounts
  • Consider creating dedicated service accounts instead of using Administrator
  • For domain environments, ensure proper delegation is configured

Check these logs when troubleshooting:

# On target machine:
Event Viewer > Windows Logs > Security
Filter for Event ID 4624 (successful logon) and 4625 (failed logon)
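
The same log check can be scripted. The PowerShell below is an added example, not part of the original article; it assumes PowerShell 3.0 or later, a 30-minute look-back window, and a filter on logon types 2 and 3. Run it in an elevated session on the target machine.

```powershell
# Added example: list recent 4624/4625 events from the target's Security log.
# Assumptions (not from the article): 30-minute window, logon types 2 and 3 only.
$since = (Get-Date).AddMinutes(-30)

# Common 4625 SubStatus codes and their meaning
$subStatus = @{
    '0xc0000064' = 'Account does not exist'
    '0xc000006a' = 'Wrong password'
    '0xc0000072' = 'Account disabled'
    '0xc0000234' = 'Account locked out'
}

Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4625; StartTime = $since
} | ForEach-Object {
    # Flatten the event's EventData name/value pairs into a hashtable
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    $code = "$($data['SubStatus'])".ToLower()   # empty for 4624
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Result    = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
        LogonType = $data['LogonType']          # 2 = interactive, 3 = network
        Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        Source    = $data['IpAddress']
        AuthPkg   = $data['AuthenticationPackageName']
        Reason    = if ($subStatus.ContainsKey($code)) { $subStatus[$code] } else { $code }
    }
} | Where-Object { '2', '3' -contains $_.LogonType } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Reading the rows in time order shows which account each logon attempt actually used and from which source address, which is what you need to tell the explicit local account apart from your current domain credentials.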

When using PsExec to connect to a remote Windows Server 2008 R2 machine from Windows 7 with explicit credentials (-u and -p parameters), you might encounter "Access Denied" errors despite successful authentication attempts showing in the security logs. This occurs because Windows authentication works in two phases:

psexec \\TARGET_MACHINE -u TARGET_MACHINE\Administrator -p AdminPassword123 cmd.exe
# Returns: "Couldn't access TARGET_MACHINE: Access is denied"

The observed behavior reveals an important Windows security mechanism:

  • Primary authentication succeeds with provided explicit credentials
  • Secondary attempt automatically uses your current domain credentials
  • The remote system checks both credential sets for authorization

When working with machines that might be off-domain, consider these approaches:

# Method 1: Use fully qualified local account
psexec \\TARGET_MACHINE -u .\Administrator -p AdminPassword123 cmd.exe

# Method 2: Disable UAC remote token filtering for local accounts (run on the target)
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

For environments where machines frequently change domain status:

# Allow local administrator accounts full-token remote access to the administrative shares (ADMIN$, C$)
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

# Set NTFS permissions on the drive root (icacls takes a filesystem path, not a share name)
icacls C:\ /grant "Administrators:(OI)(CI)F"

For more granular control over credential usage:

runas /user:TARGET_MACHINE\Administrator /netonly "psexec \\TARGET_MACHINE cmd.exe"
# Then enter password when prompted

Remember these critical security implications:

  • Never store passwords in batch files or scripts
  • Consider using LSA protection for credential security
  • Audit remote access regularly via Windows Event Logs