Invoke a remote command without WinRM, psexec or similar – Access administrative shares even if they have been removed

Scripting

Recently I ran into a situation, where I had to check a few log files on some remote computers and also needed to execute some commands to fix an issue. However, due to reasons I’m not going to enlarge on, all administrative shares had been removed. So by this, no share was left that would allow me to access to the local file system. In addition the PowerShell CmdLet Invoke-Command couldn’t also help me out, as either PowerShell wasn’t installed (yes, oooooold systems) or WinRM wasn’t enabled/configured.

A typical task if WinRM isn’t enabled or properly configured is to execute the „winrm quickconfig“ command via e.g. psexec, but due to the removal of the Admin$ share, typical weapons of choice for remote execution like psexec or similar wouldn’t work as well, as they initate their connection via the Admin$ share.

So what’s left? I could still use RDP or a similar tool. But most of those machines were Workstations, which would require me to get back to the local user, ask for a timeframe to either log on or take over his session etc. This would be a hassle and time-consuming for both of us. Not to speak that this doesn’t scale properly. So I took on the challenge and was looking for a „better“ solution.

One option that I found was making use of the Win32_Process WMI class. In particular the Create method of this class, which allows to, guess what, create a new process. That would cover the second part of my problem, executing a command on the remote computer. But what about the log files. Well, how about creating a new share to check the log files, do our troubleshooting and remove the share aftwards?

All it takes is a PowerShell command to invoke a WMI method remotely. We can use either Invoke-WMIMethod or Invoke-CimMethod. In this case, Invoke-WMIMethod is probably a bit shorter:

And now we can read the log files and do whatever we need. And afterwards just execute

and the share is gone again.

Or how about enabling WinRM?

There are probably other ways to achieve the same goal (there always are!), but for me this is a pretty nifty way of doing this in will definitely get its place in my IT toolbelt 😉

Source

No Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scripting
Install Vmware PowerCLI

PowerCLI is really easy to install now. From an Administrative Powershell window just enter: Install-Module -Name VMware.PowerCLI Minimum Powershell Version must be v3.   Offline Install of PowerCLI Accessing the PowerCLI Modules We’re now ready to download the PowerCLI modules. This task will require a system with internet access. This …

Scripting
Pass credentials with Powershell – 3 Ways

Interactive Here’s your typical scenario.   You have a script that requires credentials internally.  So to provide those credentials you would do something like $MyCredentials=GET-CREDENTIAL –credential “CONTOSO\Username” and you of course see a box like this normally on the screen Then you would type in the password and life would go …

Deployment
MDT – Joining a Computer to a Domain Using PowerShell

Using PowerShell scripts within a task sequence provides more flexibility than using the CustomSettings.ini file to join a computer to a domain. The parameters of the CustomSettings.ini file are common to any deployment you perform. That’s why creating a custom PowerShell script to join your domain will be customize to …