Petya: disabling remote execution of psexec

This morning, in response to reports of an outbreak of yet more malware, I wrote a quick blog post on one way to stop the SysInternals psexec from being allowed to execute, using the Image File Execution Options registry key mechanism – see here for that post.

My technique was, and still is, sound, but @RennJohnny correctly pointed out that if the psexec.exe executable were renamed then my approach would not work. I therefore set about finding another way to stop psexec from running, for those who don’t (yet) have security software in place to stop the exploit. Note that for these tests you need to be running it as an administrator and have the same rights on the remote system to be attacked. As the disposable virtual machine that I used for my testing is not on a domain, I passed explicit credentials to psexec – I don’t believe Petya operates this way, but my solution will still work.

So when psexec is used to run something on a remote system, it works by extracting a service executable, psexesvc.exe, which is embedded within the psexec.exe file itself. This is copied to the Windows folder on the remote machine via the admin$ default share (which is why you need to be an admin on the remote machine for psexec to work remotely). It then creates the PSEXESVC service pointing at this, now local, executable, starts it, and the service runs the specified command.

What I found was that even when I copied psexec.exe to another file name, the file extracted and copied to the remote system was still called psexesvc.exe. This is what happens when you run the renamed psexec.exe and tell it to invoke a command on a remote machine:

[Screenshot: psexesvc allowed – the renamed psexec.exe still starts the PSEXESVC service on the remote machine]


On that remote system we can then see this has been created in the services registry key:

[Screenshot: the PSEXESVC key created under HKLM\SYSTEM\CurrentControlSet\Services on the remote machine]

How do we stop it? I reckon that the easiest way is to use the good old Image File Execution Options (IFEO) mechanism again, but this time we create the key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSEXESVC.exe” and in there create a REG_SZ value called “Debugger” set to “svchost.exe”. Because the IFEO entry is keyed on the name of the service executable that psexec drops, not on the name of psexec.exe itself, renaming psexec.exe makes no difference. Now when we try to run psexec against the system where we just patched the registry, this happens instead:

[Screenshot: psexesvc blocked – psexec reports that the PSEXESVC service failed to start]

What happened? When the Service Control Manager (SCM) on the remote machine was asked to start the PSEXESVC service, it tried to start the psexesvc.exe process, but the IFEO entry we created caused svchost.exe to be launched instead. As svchost.exe cannot be used as a standalone service in this way, the start failed, so the SCM reported the failure back to psexec, which is the error we see above. You will also get an entry in the System event log of the remote system:

[Screenshot: System event log entry on the remote machine recording the failed start of the PSEXESVC service]

One way to roll it out to all your computers is to put the above registry value into a Group Policy Preference (Registry item) that applies to those computers.

You can also create a dummy psexesvc.exe file in your Windows folder, remove all permissions from it and change its owner to, say, TrustedInstaller; psexec can then no longer overwrite the file via admin$, so that will also prevent it from running.
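As an added example (not code from the original post), the following PowerShell applies both blocks described above on the machine that would be the remote target of psexec, verifies them, and gives a way to see blocked attempts and to roll everything back. The function names and the $ifeoKey, $svcKey and $dummyPath variables are my own choices; the registry path, value name, Debugger value and the TrustedInstaller-owned dummy file are exactly what the post describes. It must be run from an elevated session. One caveat raised in the comments below: the IFEO entry keys on the default service image name, so a psexec version that lets the attacker rename the service executable would need its chosen name blocked as well.

```powershell
# Added example, not the post's own code. Run from an elevated PowerShell prompt
# on the machine you want to protect (the target of a remote psexec).
#Requires -RunAsAdministrator

$ifeoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSEXESVC.exe'
$svcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\PSEXESVC'   # key shown in the post's screenshot
$dummyPath = Join-Path $env:SystemRoot 'PSEXESVC.exe'               # where psexec drops its service exe

function Set-PsExecSvcIfeoBlock {
    # Block 1 (from the post): IFEO Debugger entry for the dropped service image.
    # The SCM then launches svchost.exe instead of the real binary; svchost cannot
    # act as a standalone service, so the start fails and psexec gets an error.
    if (-not (Test-Path $ifeoKey)) { New-Item -Path $ifeoKey -Force | Out-Null }
    New-ItemProperty -Path $ifeoKey -Name 'Debugger' -PropertyType String `
                     -Value 'svchost.exe' -Force | Out-Null
}

function Test-PsExecSvcIfeoBlock {
    # $true only when the Debugger value exists and is set exactly as intended.
    $v = Get-ItemProperty -Path $ifeoKey -Name 'Debugger' -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.Debugger -eq 'svchost.exe')
}

function Set-PsExecSvcDummyFile {
    # Block 2 (from the post): pre-create %SystemRoot%\PSEXESVC.exe, strip its DACL
    # and hand ownership to TrustedInstaller so psexec cannot overwrite it via admin$.
    # Refuse to touch an existing file: that could be a real dropped PSEXESVC.exe.
    if (Test-Path $dummyPath) { throw "$dummyPath already exists; inspect it before replacing it" }
    New-Item -Path $dummyPath -ItemType File | Out-Null
    # /inheritance:r removes the inherited ACEs, leaving an empty DACL (nobody has access).
    # icacls enables the restore privilege itself, so the owner change works when elevated.
    & icacls.exe $dummyPath /inheritance:r | Out-Null
    & icacls.exe $dummyPath /setowner 'NT SERVICE\TrustedInstaller' | Out-Null
}

function Get-PsExecSvcState {
    # Snapshot of what psexec touches on the target, for before/after comparison.
    [pscustomobject]@{
        IfeoBlock         = Test-PsExecSvcIfeoBlock
        DummyFilePresent  = Test-Path $dummyPath
        ServiceKeyPresent = Test-Path $svcKey
        ServiceRunning    = [bool](Get-Service -Name PSEXESVC -ErrorAction SilentlyContinue |
                                   Where-Object Status -eq 'Running')
    }
}

function Get-PsExecSvcStartFailures {
    # Blocked attempts appear as Service Control Manager errors in the System log that
    # name the service; matching on the message text avoids relying on one event ID.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Level        = 2                         # Error
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'PSEXESVC' } |
        Select-Object TimeCreated, Id, Message
}

function Remove-PsExecSvcBlocks {
    # Roll back both blocks. Ownership has to be taken back before the dummy file
    # can be granted access and deleted.
    if (Test-Path $ifeoKey) { Remove-Item -Path $ifeoKey -Recurse -Force }
    if (Test-Path $dummyPath) {
        $me = "$env:USERDOMAIN\$env:USERNAME"
        & icacls.exe $dummyPath /setowner $me | Out-Null
        & icacls.exe $dummyPath /grant "${me}:F" | Out-Null
        Remove-Item -Path $dummyPath -Force
    }
}

# Apply both blocks and show the resulting state. After attempting a remote psexec
# against this machine, run Get-PsExecSvcStartFailures to confirm the SCM rejected it.
Set-PsExecSvcIfeoBlock
Set-PsExecSvcDummyFile
Get-PsExecSvcState | Format-List
```

Either block on its own is enough to stop the default psexec flow; applying both covers the case where one is reverted. Test on a disposable machine first, since an empty-DACL, TrustedInstaller-owned file in the Windows folder needs the roll-back function (or a manual take-ownership) before it can be removed.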

I hope this helps some of you and stay safe (and don’t run routinely with admin privileges!).


Author: guyrleech

I wrote my first program, in BASIC, in 1980, was a Unix developer after graduation from Manchester University (Computer Science) and then became a consultant, initially with Citrix WinFrame, in 1995 and later into Terminal Server/Services and thence EUC. I currently hold the Citrix CTP, Microsoft MVP, VMware vExpert and Parallels VIPP awards. I invented and wrote the first few versions of the security product which is now Ivanti Application Control (formerly AppSense Application Manager). I now work as a freelance consultant-cum-developer, live in West Yorkshire, England; have a wife, three children, one grandchild and two dogs and was a keen competitive runner until health problems put an end to that fun.

8 thoughts on “Petya: disabling remote execution of psexec”

  1. Your solution will work for psexec versions prior to 2.1+ after that MS included a switch -r that allows you to change the service process name.

  2. If you are not using the Administrative shares like admin$ then disabling them on client machines will block psexec regardless of the process name. Beware, it will also block other apps remotely connecting and creating services.


    Create a new DWORD value here, named AutoShareServer. Leave its value data as 0
    Create a new DWORD value here, named AutoShareWks. Leave its value data as 0

  3. Would it be possible to use Software Restriction Policies to prevent PsExec.exe from running? You’d have to have the file hashes for every version of PsExec.exe but that can probably be found somehow.

    1. The trouble with specific blacklisting is that you are always playing catch-up. You only need to change 1 bit of a byte, in say a text string that doesn’t affect the program’s operation and you’ve got a completely different file hash.

  4. Does Psexec64.exe spawn the same service name on the remote machines? Do we need separate keys for it as well?

    1. I believe that it creates the same service name regardless of whether it is psexec or psexec64, so one IFEO entry should kill it.

  5. What about preventing write access to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services key by permission (deny everyone “create subkey”, this key only)? If you can’t create any new “service” then any name psexec wanted to use wouldn’t work. I’m unsure of how this would affect Windows running, I don’t think it needs to create services on the fly.

    1. Where you say “I’m unsure of how this would affect windows running” is what I would’ve said if you hadn’t mentioned it – would probably cause problems when patching, upgrading, etc. You could try but test it thoroughly.
