PowerShell Remoting Exposed: How To Command Your Minions

We have many words to describe those who do the boss's dirty work:  minion, henchman, and toadie.  My personal favorite is "toadie", as referenced in A Christmas Story.  You can tour the house just outside of Cleveland, Ohio.  Of course I got my picture taken with the leg lamp.

"So what does 'toadie' have to do with PowerShell?" you ask.  Everything.  We PowerShell-writing IT pros are like emperors.  We sit in the royal cube on the royal throne and make royal decrees like:

  • "Go fetch hotfixes from those servers."
  • "Fix that NIC setting on the DCs."
  • "How many days until my vacation week?"

From this vantage point we write "toadie" scripts to go do our bidding across the empire.  Call them "scripted minions" if you like.

Today we are diving into PowerShell remoting to understand five different methods for commanding our army of minions.  We will also examine the protocols and requirements under the hood so we know exactly what we are getting.  The information below comes from some testing in my home lab where I captured network traces of each remoting technology to see the ports, protocols, and protections employed between two Windows Server 2008 R2 member servers.  The capture file is attached at the end of the article.


Method #1: The ComputerName Parameter

  Remoting Command:  Get-Process -ComputerName computer1
  Protocols:         RPC, Remote Registry (MS-RRP), SMB2
  Port:              TCP 445
  Data Encryption:   Encrypted. The protection seen in the capture is at the RPC layer (packet privacy on the named-pipe RPC calls); SMB2 on Server 2008 R2 offers signing but no transport encryption of its own, which only arrived with SMB3.
  Supported OS:      Windows 2000 and above
  Data Returned:     Object
  Pros:              Works against older OSes; does not require WinRM
  Cons:              Limited to cmdlets that support the ComputerName parameter

Method #2: WMI

  Remoting Command:  Get-WmiObject Win32_Process -ComputerName computer1
  Protocols:         WMI over DCOM/RPC
  Port:              TCP 135 (RPC endpoint mapper) plus a random high port for the DCOM connection (49152-65535 by default on Vista/2008 and later)
  Data Encryption:   Clear text at the cmdlet's default authentication level; pass -Authentication PacketPrivacy to have RPC encrypt the payload
  Supported OS:      Windows 2000 and above
  Data Returned:     Object
  Pros:              Works against older OSes; does not require WinRM
  Cons:              Random high ports are awkward to firewall; transmits data in clear text by default
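The clear-text finding in the table is fixable from the client side, because the DCOM authentication level is a parameter of Get-WmiObject. The script below is an added example (not code from the original article): it wraps the WMI query in a function whose default is PacketPrivacy, so every RPC packet is signed and encrypted, and it handles the connection failures that dynamic DCOM ports through a firewall typically produce. The host name computer1 and the lab hosts are placeholders.

```powershell
# Added example, not from the original article. Queries Win32_Process over
# DCOM with RPC packet privacy so the WMI payload is encrypted on the wire.
# Host names passed in are placeholders for your own lab machines.
function Get-RemoteProcessWmi {
    param(
        [Parameter(Mandatory=$true)]
        [string[]]$ComputerName,

        # 'Default' leaves the level to the cmdlet (clear text in the lab capture);
        # 'PacketPrivacy' signs and encrypts every RPC packet.
        [ValidateSet('Default','Connect','Call','Packet','PacketIntegrity','PacketPrivacy')]
        [string]$Authentication = 'PacketPrivacy'
    )

    foreach ($computer in $ComputerName) {
        try {
            $procs = Get-WmiObject -Class Win32_Process -ComputerName $computer `
                         -Authentication $Authentication -ErrorAction Stop
            foreach ($p in $procs) {
                New-Object PSObject -Property @{
                    ComputerName = $computer
                    ProcessId    = $p.ProcessId
                    Name         = $p.Name
                    CommandLine  = $p.CommandLine
                }
            }
        }
        catch {
            # "The RPC server is unavailable" usually means TCP 135 or the
            # dynamic DCOM port is blocked between client and target.
            Write-Warning ("{0}: {1}" -f $computer, $_.Exception.Message)
        }
    }
}

# Run both and compare a network capture of each: the first call shows the
# class and property names in clear text, the second shows only encrypted stubs.
Get-RemoteProcessWmi -ComputerName computer1 -Authentication Default | Select-Object -First 3
Get-RemoteProcessWmi -ComputerName computer1 | Select-Object -First 3
```

PacketPrivacy does not change which ports are used; DCOM still needs the endpoint mapper and a dynamic high port, so the firewall objection in the table stands even after the encryption objection is fixed.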

Method #3: PowerShell Remoting Interactively

  Remoting Command:  Enter-PSSession computer1
                     Get-Process
                     Exit-PSSession
  Protocols:         HTTP (WS-Man), MIME, SOAP, XML
  Port:              TCP 5985 (HTTP listener; 5986 for HTTPS). WinRM 1.1 on older OSes listened on 80/443 instead.
  Data Encryption:   Encrypted. The WS-Man payload is encrypted with the Kerberos or Negotiate session key even on the HTTP listener; Basic authentication over HTTP only works when AllowUnencrypted is set, and then nothing is protected.
  Supported OS:      Windows 7 / 2008 R2 and above; older OSes with WinRM 2.0 (Windows Management Framework) installed
  Data Returned:     Nothing comes back as objects. Commands run on the remote host, variables stay there, and only the rendered output is returned to the local console.
  Pros:              Single port required; supports any cmdlet; built in on Windows 7 / 2008 R2
  Cons:              Requires WinRM on older OSes; requires configuration to allow it (Enable-PSRemoting or GPO)

Method #4: PowerShell Remoting Commands

  Remoting Command:  Invoke-Command -ComputerName computer1 -ScriptBlock {Get-Process}
  Protocols:         HTTP (WS-Man), MIME, SOAP, XML
  Port:              TCP 5985 (HTTP listener; 5986 for HTTPS)
  Data Encryption:   Encrypted (same caveats as Method #3: Kerberos/Negotiate provide the encryption; Basic over HTTP does not)
  Supported OS:      Windows 7 / 2008 R2 and above; older OSes with WinRM 2.0 (Windows Management Framework) installed
  Data Returned:     Deserialized object: property values only, no methods, with a PSComputerName property added by remoting
  Pros:              Single port required; supports any cmdlet; built in on Windows 7 / 2008 R2
  Cons:              Requires WinRM on older OSes; requires configuration to allow it (Enable-PSRemoting or GPO)

Method #5: WMI Tunneling Through PowerShell Remoting

  Remoting Command:  Invoke-Command -ComputerName computer1 -ScriptBlock {Get-WmiObject Win32_Process}
  Protocols:         HTTP (WS-Man), MIME, SOAP, XML. The WMI call itself runs locally on the remote host, so no DCOM crosses the network.
  Port:              TCP 5985 (HTTP listener; 5986 for HTTPS)
  Data Encryption:   Encrypted (same caveats as Method #3)
  Supported OS:      Windows 7 / 2008 R2 and above; older OSes with WinRM 2.0 (Windows Management Framework) installed
  Data Returned:     Deserialized object
  Pros:              Single port required; WMI data encrypted on the wire without touching DCOM authentication levels
  Cons:              Requires WinRM on older OSes; requires configuration to allow it (Enable-PSRemoting or GPO)
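Methods #3 to #5 share one dependency: the WinRM listener and the settings that decide whether "Encrypted" in the tables above actually holds. The following is an added example, not code from the original article. It reads the local WinRM configuration through the WSMan: drive, flags the two settings that would let WS-Man traffic cross the wire in clear text, and confirms from the client side that a target's listener answers. It assumes an elevated console and uses computer1 as a placeholder host.

```powershell
# Added example, not from the original article: checks the local WinRM
# settings that the WS-Man remoting methods depend on. Run from an elevated
# PowerShell console. "computer1" is a placeholder for a host in your lab.

# One-time setup on each target (creates the HTTP listener on 5985 and the
# firewall exception; a GPO can do the same at scale):
#   Enable-PSRemoting -Force

function Test-WinRMConfig {
    $svc = Get-Service -Name WinRM
    $result = New-Object PSObject -Property @{
        ServiceRunning   = ($svc.Status -eq 'Running')
        Listeners        = @()
        AllowUnencrypted = $null
        BasicAuth        = $null
        TrustedHosts     = $null
    }
    if (-not $result.ServiceRunning) { return $result }

    # The WSMan: drive exposes the same tree as "winrm get winrm/config".
    $result.Listeners = @(Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
        $props = Get-ChildItem $_.PSPath
        New-Object PSObject -Property @{
            Transport = ($props | Where-Object { $_.Name -eq 'Transport' }).Value
            Port      = ($props | Where-Object { $_.Name -eq 'Port' }).Value
            Address   = ($props | Where-Object { $_.Name -eq 'Address' }).Value
        }
    })
    $result.AllowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    $result.BasicAuth        = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
    $result.TrustedHosts     = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    $result
}

$cfg = Test-WinRMConfig
$cfg.Listeners | Format-Table Transport, Port, Address -AutoSize

# Two settings that turn "Encrypted" into clear text on the HTTP listener:
if ($cfg.AllowUnencrypted -eq 'true') {
    Write-Warning 'AllowUnencrypted is on: WS-Man payloads may cross the wire unprotected.'
    Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
}
if ($cfg.BasicAuth -eq 'true') {
    Write-Warning 'Basic authentication is enabled on the service; prefer Kerberos/Negotiate.'
    Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false
}

# From the client, confirm the remote listener answers before scripting
# against it. Test-WSMan sends a plain WS-Man Identify request to port 5985.
Test-WSMan -ComputerName computer1
```

A non-empty TrustedHosts value is worth a second look: it marks hosts the client will talk to without Kerberos mutual authentication, which is where the NTLM fallback and a possible loss of the session-key encryption come from. Outside a domain, the HTTPS listener on 5986 is the cleaner answer.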


Now you have some ideas for collecting data remotely, and there are many variations of the examples listed above.  For example, you can pass multiple computer names to the ComputerName parameter:

Get-Process -Computername computer1, computer2, computer3

Or you could pipe a list of computer names into any of these commands:

Get-Content computers.txt | Foreach-Object {Get-Process -Computername $_}

To scale remoting commands out to hundreds of computers, explore using Invoke-Command with the -AsJob switch and the -ThrottleLimit parameter (32 concurrent connections by default).
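The scaling advice above is easiest to see in a working script. The one below is an added example, not code from the original article: it fans a script block out to every host in a list as one background job, caps concurrency with -ThrottleLimit, waits with a timeout, and then reads the per-computer child jobs to separate the hosts that answered from the ones that did not. It assumes a file named computers.txt with one host name per line.

```powershell
# Added example, not from the original article: fan one command out to many
# hosts as a background job, throttle the number of concurrent sessions, and
# separate the hosts that answered from the ones that did not. computers.txt
# is assumed to hold one host name per line.
function Invoke-RemoteInventory {
    param(
        [Parameter(Mandatory=$true)]
        [string[]]$ComputerName,
        [scriptblock]$ScriptBlock = { Get-Process | Select-Object Name, Id, WorkingSet64 },
        [int]$ThrottleLimit = 32,   # Invoke-Command's own default
        [int]$TimeoutSeconds = 300
    )

    # One parent job; remoting creates a child job per target computer.
    $job = Invoke-Command -ComputerName $ComputerName -ScriptBlock $ScriptBlock `
               -ThrottleLimit $ThrottleLimit -AsJob

    # Wait-Job returns nothing when the timeout expires; children still
    # running at that point are reported below as not completed.
    $null = Wait-Job -Job $job -Timeout $TimeoutSeconds

    $succeeded = @()
    $failed    = @()
    foreach ($child in $job.ChildJobs) {
        if ($child.State -eq 'Completed') {
            $succeeded += $child.Location
        }
        else {
            $reason = $null
            if ($child.JobStateInfo.Reason) { $reason = $child.JobStateInfo.Reason.Message }
            $failed += New-Object PSObject -Property @{
                ComputerName = $child.Location
                State        = $child.State
                Reason       = $reason
            }
        }
    }

    # Results are deserialized copies; remoting tags each one with PSComputerName.
    $data = Receive-Job -Job $job -Keep -ErrorAction SilentlyContinue
    Remove-Job -Job $job -Force

    New-Object PSObject -Property @{
        Data      = $data
        Succeeded = $succeeded
        Failed    = $failed
    }
}

$targets = Get-Content computers.txt
$inv = Invoke-RemoteInventory -ComputerName $targets -ThrottleLimit 50

# What came back is a property bag, not a live Process object: the first type
# name starts with "Deserialized." and methods such as Kill() are absent.
$inv.Data | Select-Object -First 1 | ForEach-Object { $_.PSObject.TypeNames[0] }

$inv.Data   | Group-Object -Property PSComputerName | Select-Object Name, Count
$inv.Failed | Format-Table ComputerName, State, Reason -AutoSize
```

Keeping the Select-Object inside the script block matters at scale: trimming each Process object to three properties on the remote side is far cheaper than serializing the whole object over WS-Man and filtering it locally.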

For more information try these lines at the PowerShell console:

  • Get-Help * -Parameter Computername
  • Get-Help about_remote
  • Get-Help about_remote_FAQ
  • Get-Help about_remote_output
  • Get-Help about_remote_requirements
  • Get-Help about_remote_troubleshooting
  • Get-Help PSSession
  • Get-Help about_pssessions
  • Get-Help about_pssession_details

Now go unleash your PowerShell minions!

Attachment: remoting.cap.zip