PSEXESVC being detected by VirusScan

Posted on 2004-12-01
Last Modified: 2008-03-03
I've got a domain controller/file/print server running W2k SP4 that has McAfee VirusScan Enterprise 7.1 on it.  The last couple of weeks we've been getting the following warning: The file C:\WINNT\system32\PSEXESVC.EXE is infected with the RemAdm-ProcLaunch Program.  Delete failed, quarantine failed. Detected using Scan engine version 4.3.20 DAT version 4410.(from Server IP user SYSTEM running VirusScan EntSv 7.1.0 OAS).  We've been running this virus scan on the machine for about a month or more.  There were no problems until just recently.

I know Sysinternals has some PStools that you can use to remotely manage PCs.  There is also a service on my server called PSEXESVC that is not running and is set to manual.  I've got other W2k servers w/SP4 and none of them have this service.  I'm not finding any information about where this service came from or why it's on this particular one and not the others.  I've looked on McAfee's web site and read that it's not a virus, but a potentially dangerous program.  I would like to know why this server has this service, for one.  I didn't build this server; I need to know if I need this service and/or file.
Question by:scrmcna
    LVL 82

    Accepted Solution

    That's very probably harmless and indeed related to psexec. On the first run against a machine, psexec will install this file as a service.
    Have a look at the properties of the psexesvc.exe file, and it should display Sysinternals as company name.
    Run psexec against a test workstation, and you'll notice that afterwards, the psexesvc service will be installed as well.

    Have a look here: (Link from, and the on the second page, you'll find this note:
    "Inside PsExec
    PsExec starts an executable on a remote system and controls the input and output streams of the executable's process so that you can interact with the executable from the local system. PsExec does so by extracting from its executable image an embedded Windows service named Psexesvc and copying it to the Admin$ share of the remote system. PsExec then uses the Windows Service Control Manager API, which has a remote interface, to start the Psexesvc service on the remote system."
    LVL 5

    Author Comment

    When I tested it on another computer, I was able to connect but never saw anything with the services.  I tried connecting to the server I was having this problem with again, and it worked.  When I exited, the exe was gone, and so of course was the service.
    LVL 82

    Expert Comment

    Just checked again; seems like it leaves the service on the system only when psexec itself got terminated unexpectedly; I had one machine where it was still present. Ran psexec against it, and afterwards it was gone. On another machine, it showed up during execution, and disappeared after the started process was done.
    You can reproduce the "leftover" service by doing the following:
    Open a command prompt, start a process with psexec (without using the -d switch), for example
    psexec \\somemachine -i notepad
    This will open notepad. Now close the window with the command prompt. Close Notepad, and the service will still be there (start type manual).
    Run psexec again, close notepad while psexec is still waiting for the execution, and the service will have disappeared.
    LVL 1

    Expert Comment

    It is from PSTOOLS, and if someone wrote a script such as I have, it will leave a copy on machines depending on what you do and when the script runs.  The easiest thing to do is either get rid of it if you aren't doing anything or just exclude it from your virus scan.  It is annoying, but many programs that run like this are detected as spyware or viruses.
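
Added example, not part of the original thread or of Sysinternals' tooling: a PowerShell triage of the checks discussed above (is the PSEXESVC service present, is it the stopped/manual leftover, does the file report Sysinternals as company name). It assumes PowerShell 4 or later run locally with administrative rights; the function name `Get-PsExeSvcTriage` is hypothetical, and the Authenticode and hash fields are additions, since the company-name field is file metadata that anyone can set.

```powershell
# Added example: triage a PSEXESVC service on the local machine.
# Assumption: PowerShell 4+ (Get-CimInstance, Get-FileHash), run as administrator.
function Get-PsExeSvcTriage {
    [CmdletBinding()]
    param([string]$ServiceName = 'PSEXESVC')

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) {
        # Nothing registered under that name: report and stop.
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; Present = $false }
    }

    # PathName may be quoted, carry arguments, or contain %SystemRoot%;
    # keep only the executable path and expand environment variables.
    $path = $svc.PathName
    if ($path -match '^\s*"?(.+?\.exe)') { $path = $Matches[1] }
    $path = [Environment]::ExpandEnvironmentVariables($path)

    $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    $sig  = if ($file) { Get-AuthenticodeSignature -FilePath $file.FullName }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Present     = $true
        State       = $svc.State
        StartMode   = $svc.StartMode
        # The thread describes the leftover as a stopped service, start type manual.
        Leftover    = ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Manual')
        Path        = $path
        FileExists  = [bool]$file
        # Version-resource string: a hint only, it is not verified by Windows.
        CompanyName = $file.VersionInfo.CompanyName
        # Signature status and signer are harder to fake than CompanyName.
        Signature   = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
        # Hash to compare against a PsExec copy you extracted yourself.
        SHA256      = if ($file) { (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash }
        # Creation time helps line the file up with the first antivirus alert.
        Created     = $file.CreationTime
    }
}

Get-PsExeSvcTriage | Format-List
```

Where PowerShell remoting is enabled, the same function can be run against several servers with `Invoke-Command -ComputerName` to see which ones carry the service.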

