PSEXESVC Not Self-Deleting and Not Deletable by Any Admin User

22-10-2024

Problem Scenario

The PSEXESVC service is a Windows service associated with PsExec, a tool from Sysinternals that allows users to execute processes on remote systems. However, many users encounter a frustrating issue where the PSEXESVC service does not delete itself automatically after its processes have ended, nor can it be deleted by any administrator user. This persistent service can lead to confusion and concern for system administrators.

Analysis of the PSEXESVC Issue

The inability to remove the PSEXESVC service can be attributed to several factors:

  1. Service Dependencies: The PSEXESVC service might be dependent on other processes or services that are still running on the system. Even after the main task is complete, if any dependent processes are still active, the service might remain.

  2. User Permissions: Despite being logged in as an administrator, certain system policies or security software may prevent the deletion of the service. UAC (User Account Control) settings might also restrict administrative capabilities.

  3. Corrupted Service Entries: In some cases, the PSEXESVC service might encounter issues due to corrupted service entries in the Windows registry, which can complicate deletion efforts.

Practical Solutions

If you're facing this issue, here are some actionable steps to help you resolve it:

  1. Check Active Processes: Use Task Manager or PowerShell to verify if any PSEXESVC processes are still running. Terminate any active instances before attempting deletion.

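    # -ErrorAction SilentlyContinue avoids an error when no PSEXESVC process exists
    Get-Process -Name PSEXESVC -ErrorAction SilentlyContinue | Stop-Process -Force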
    
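  2. Use Command Line Tools: From an elevated command prompt, stop the service and then delete it. The commands below call sc.exe rather than sc so that they also work in Windows PowerShell, where sc is an alias for Set-Content.

    sc.exe stop PSEXESVC
    sc.exe delete PSEXESVC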
    
  3. Modify Registry: If the service remains despite attempts to delete it, you may consider checking the Windows registry. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and find the PSEXESVC entry. Always back up your registry before making changes.

    • To back up:
      • Right-click on Services > Export.
    • To delete the service entry:
      • Right-click on PSEXESVC > Delete.

  4. Review Security Policies: Ensure that your user account has the necessary permissions to manage services. Adjust any Group Policies if needed.

  5. Restart the System: Sometimes, a simple restart can clear any lingering issues and allow for successful deletion of the service.
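
Before changing anything, the checks in the steps above can be gathered in one read-only pass. The following is an added example, not part of the original article: Get-PsExecServiceState is a hypothetical helper name, and the DeleteFlag check assumes the usual Windows behaviour of flagging a service key whose deletion is still pending.

```powershell
# Added example (not from the original article): read-only triage of a leftover
# PSEXESVC service. Get-PsExecServiceState is a hypothetical helper name.
# Run from an elevated PowerShell session on the affected machine.
function Get-PsExecServiceState {
    param([string]$Name = 'PSEXESVC')

    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $svc  = Get-Service -Name $Name -ErrorAction SilentlyContinue
    $proc = Get-Process -Name $Name -ErrorAction SilentlyContinue
    $reg  = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue

    # Assumption: DeleteFlag = 1 under the service key means a delete request was
    # already accepted and is waiting for open handles to close (or a restart).
    $pendingDelete = ($null -ne $reg) -and ($reg.DeleteFlag -eq 1)

    # Security descriptor of the service: shows who may stop or delete it.
    $sddl = if ($svc) { (& sc.exe sdshow $Name | Where-Object { $_ }) -join '' } else { $null }

    $next = if (-not $svc -and -not $reg) {
        'Nothing to clean up.'
    } elseif ($pendingDelete) {
        'Marked for deletion: close service consoles and open handles, or restart.'
    } elseif ($proc) {
        'Stop the running process, then sc.exe stop and sc.exe delete.'
    } elseif ($svc) {
        'Run sc.exe delete; if access is denied, review the SDDL and policies.'
    } else {
        'Orphaned registry key: export it, then delete the PSEXESVC entry.'
    }

    [pscustomobject]@{
        ServiceStatus = if ($svc) { $svc.Status } else { 'NotRegistered' }
        ProcessIds    = if ($proc) { @($proc.Id) } else { @() }
        ImagePath     = if ($reg) { $reg.ImagePath } else { $null }
        PendingDelete = $pendingDelete
        Sddl          = $sddl
        NextStep      = $next
    }
}

Get-PsExecServiceState | Format-List
```

ImagePath is included so the binary behind the service can be confirmed as the expected one before the entry is removed.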

Conclusion

While the PSEXESVC service can pose challenges for system administrators, understanding its nature and how to manage it effectively can simplify the process. By following the steps outlined above, you can resolve the problem of the service not deleting itself and not being deletable by admin users. Regularly monitor services, maintain proper permissions, and manage your system with best practices to prevent similar issues in the future.

By staying informed and prepared, you can ensure a more efficient and effective use of tools like PsExec in your administrative toolkit.