9

Situation:

Running PsExec takes 20 seconds with the Windows firewall active, and 1 second with it disabled.

Exceptions added to the firewall:

Without these two it won't connect at all. Target machine running Windows 10. During the 20-second wait it sits saying "Starting PsEXESVC on "

A little wiresharking shows us that we need to also open another port which is being requested.

  • The first time I ran this it was 49669; the second time it was 49670.

No idea why nor what range it will accept, any ideas?

Is there a definitive list of what ports PSEXEC needs to have opened?

failure to move to a different port introducing delay with windows firewall enabled on windows 10 (all inbound "Remote..." firewall rules are enabled )

vidarlo
GreyCloud

5 Answers

9

Apparently this is an issue with the Group Policy client when enabling "Remote Service Management".

The fix is to run the following command:

netsh advfirewall firewall set rule name="Remote Service Management (RPC)" profile=domain new enable=yes

I did this in bulk, remotely, using PsExec (which ran slowly) as follows, given the affected workstations, one computer name per line, in workstations.txt:

for /f %i in (workstations.txt) do @start /B psexec \\%i netsh advfirewall firewall set rule name="Remote Service Management (RPC)" profile=domain new enable=yes

Doing psexec @workstations.txt (instead of using a for loop) would still run the commands in serial, slowly, with the 20-ish second delay. With a reasonable number of workstations, the above command will start them all in parallel. There are of course other methods of running commands remotely, but this worked well for me.

Source: https://harryjohnston.wordpress.com/2009/12/18/delays-when-connecting-to-windows-7-clients-for-remote-administration/

2

PSExec uses RPC, which uses a randomly allocated port; for modern Windows, that is in the 49152+ range.

If you're using Windows Firewall, there's a built-in "Remote Service Management" rule that will allow those dynamic ports. There are also some registry tweaks to customize it, if you feel the need to.

1

There must be three rules enabled:

Remote Service Management (NP-In)
Remote Service Management (RPC)
Remote Service Management (RPC-EPMAP)

More info here: https://serverfault.com/a/1100581/965884

Daniel K
Cramaboule
0

In Windows Firewall, Remote Service Management is already predefined. Enable the 3 rules for PRIVATE and there is no delay.

Henrik
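An added example, not taken from any of the answers: a PowerShell audit of the three "Remote Service Management" rules named above against the network profile the target is actually on, which is the mismatch the Domain and Private answers both describe. It assumes an elevated PowerShell session on the target, the built-in NetSecurity cmdlets, and the English rule group name used on this page.

```powershell
# Added example: report, per "Remote Service Management" rule, which firewall
# profiles it is enabled for and whether the active network profile is covered.
$group = 'Remote Service Management'   # English display group, as named on this page

# Profiles of the networks this machine is connected to right now.
# Get-NetConnectionProfile says 'DomainAuthenticated'; firewall rules say 'Domain'.
$active = Get-NetConnectionProfile | ForEach-Object {
    if ($_.NetworkCategory -eq 'DomainAuthenticated') { 'Domain' } else { "$($_.NetworkCategory)" }
} | Sort-Object -Unique

$rules = Get-NetFirewallRule -DisplayGroup $group | Where-Object Direction -eq 'Inbound'

# One display name can map to several rules (for example one per profile set),
# so evaluate coverage per display name rather than per rule object.
$report = foreach ($g in $rules | Group-Object DisplayName) {
    $enabled = @($g.Group | Where-Object { $_.Enabled -eq 'True' })
    $covered = @($enabled | ForEach-Object { "$($_.Profile)" -split ',\s*' }) |
        Sort-Object -Unique
    $missing = @($active | Where-Object {
        $covered -notcontains 'Any' -and $covered -notcontains $_
    })
    [pscustomobject]@{
        Rule       = $g.Name
        LocalPort  = (($g.Group | Get-NetFirewallPortFilter).LocalPort |
                        Sort-Object -Unique) -join ','
        EnabledFor = $covered -join ','
        MissingFor = $missing -join ','      # active profile with no enabled rule
        OnPublic   = ($covered -contains 'Public') -or ($covered -contains 'Any')
    }
}

$report | Format-Table -AutoSize

# A non-empty MissingFor on any row means that rule does not admit traffic on the
# profile currently in use. OnPublic = True means the rule is also open on
# untrusted networks, which is wider than the Domain/Private scope the answers use.
if ($report | Where-Object MissingFor) {
    Write-Warning "At least one $group rule is not enabled for the active profile: $($active -join ', ')"
}
```

The script only reads firewall state, so it can be run before and after the `netsh` change to confirm which rule and profile made the difference.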
0

Here is all you need to allow PSExec to come in remotely. Run these on target PC, in this order. Tested on Win11 & WinSer22:

PowerShell - Admin:

Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Private

CMD - Admin:

winrm qc -force
netsh AdvFirewall firewall add rule name=PSExec dir=In action=allow protocol=TCP localport=RPC profile=domain,private program=""%WinDir%\system32\services.exe"" service=any
netsh AdvFirewall firewall set rule group="Remote Service Management" new enable=yes

You may need to reboot for all changes to take effect.

RoelDS