In the Metasploit PsExec module, what sequence of actions enables remote code execution on the target system?

Study for the SANS560 GIAC Penetration Tester (GPEN) Test. Study with flashcards and multiple choice questions; each question has hints and explanations. Get ready for your exam!

Multiple Choice

In the Metasploit PsExec module, what sequence of actions enables remote code execution on the target system?

Explanation:
Remote code execution with the PsExec module hinges on delivering a payload to the target and triggering its execution through the Windows Service framework. The module first establishes an SMB session to the remote machine and authenticates. It then writes the payload executable to the remote system and creates a Windows service that points to that executable. Starting the service causes the payload to run in the service context, typically with SYSTEM privileges, giving the attacker code execution on the target. This workflow (copying the executable via SMB, then turning it into a service and starting it) is what enables remote code execution. SSH does not apply here on Windows targets, and merely enumerating user accounts doesn’t execute code or provide a path to compromise.
