Which tool is commonly used to execute commands remotely on Windows hosts during a penetration test?


Multiple Choice

Which tool is commonly used to execute commands remotely on Windows hosts during a penetration test?

Explanation:
The main idea here is to run commands on a Windows host remotely during a pentest using a tool that directly starts processes on the target over the network with proper credentials. PsExec from the Sysinternals suite is designed for this purpose: it authenticates to the remote Windows machine (often over SMB, using admin shares) and launches a command or executable on that machine, returning the output to you. You can run it in an interactive session or under the System account if needed, which makes it very convenient for quick remote command execution without a full remote-desktop session.

Netcat is a general-purpose network tool that can help in creating a remote shell in some scenarios, but it isn’t a built-in, Windows-focused remote command execution utility with the same reliability and control as PsExec. Telnet is an older, insecure remote shell protocol that is not commonly available or recommended for Windows administration in modern tests. Nmap is primarily a discovery and vulnerability assessment tool; while it can run scripts to probe hosts, it isn’t used to execute arbitrary commands on a remote Windows host in a standard pentest workflow.

