WinRM (Windows Remote Management) Troubleshooting


What is WinRM?


New in Windows Vista, Windows Server 2003 R2, Windows Server 2008 (and Server 2008 Core) are WinRM & WinRS. Windows Remote Management (known as WinRM) is a handy new remote management service. WinRM is the “server” component of this remote management application and WinRS (Windows Remote Shell) is the “client” for WinRM, which runs on the remote computer attempting to remotely manage the WinRM server. However, I should note that BOTH computers must have WinRM installed and enabled on them for WinRS to work and retrieve information from the remote system.


While WinRM listens on port 80 by default, that doesn’t mean traffic is unencrypted. By default, WinRM only accepts traffic that is encrypted using the Negotiate or Kerberos SSP. WinRM uses HTTP (TCP 80) or HTTPS (TCP 443). WinRM also includes helper code that lets the WinRM listener share port 80 with IIS or any other application that may need to use that port.


WinRM with SCVMM uses Kerberos for authentication, and does not support fall-back to NTLM. There will be an error instead. If no credentials are specified, then the logged-on credentials are used to authenticate against the remote machine. This allows for a single sign-on experience.


  


What is WinRS?


Remote Shell (WinRS) is used to execute a program on a remote host. Similar in operation to the former Sysinternals tool PSExec, WinRS leverages Windows Remote Management to let you launch processes on remote machines. For example, if you want to perform a directory listing on the system drive on a remote machine, you can remotely launch ‘dir’ using this syntax:



winrs -r:machinename dir


Another handy use of WinRS can be when installing software on remote systems. If you want to quietly install an application using an MSI file onto a remote machine, use the following syntax. This syntax assumes the MSI file has already been deposited into the C:\ folder.



winrs -r:machinename msiexec.exe /i c:\install.msi /quiet


When specifying the remote machine, the following are valid:



· Localhost



· NetBIOS name



· Fully Qualified Domain Name (FQDN)



· IP address


How to install WinRM


WinRM is not dependent on any other service except WinHttp. If the IIS Admin Service is installed on the same computer, you may see messages that indicate WinRM cannot be loaded before Internet Information Services (IIS). However, WinRM does not actually depend on IIS: these messages occur because the load order ensures that the IIS service starts before the HTTP service. WinRM does require that WinHTTP.dll be registered.


(Stated simply: the WinRM service should be set to Automatic (Delayed Start) on Windows Vista and Server 2008)



· The WinRM service starts automatically on Windows Server 2008.



· On Windows Vista, the service must be started manually.



· UPDATE! Windows 2003 requires an update for WinRM



936059 An update is available for the Windows Remote Management feature in Windows Server 2003 and in Windows XP



http://support.microsoft.com/default.aspx?scid=kb;EN-US;936059


How to configure WinRM


To set the default configuration type:



winrm quickconfig (or the abbreviated version, winrm qc)


‘winrm qc’ performs the following operations:



1. Starts the WinRM service and sets the service startup type to auto-start.



2. Configures a listener for the ports that send and receive WS-Management protocol messages using either HTTP or HTTPS on any IP address.



3. Defines ICF exceptions for the WinRM service and opens the ports for HTTP and HTTPS.



(Note: Winrm quickconfig also configures Winrs default settings)


If ‘winrm qc’ throws an error:


If the firewall is disabled the quick config command will fail. The firewall can either be started in Services long enough to run ‘winrm qc’ or the commands below can be run:



sc config "WinRM" start= auto



net start WinRM



winrm create winrm/config/listener?Address=*+Transport=HTTP



netsh firewall add portopening TCP 80 "Windows Remote Management"



Group Policy configuration:


WinRM can be configured by group policies.



1. Type gpedit at a command prompt. The Group Policy Object Editor window opens.



2. Look for the Windows Remote Management and Windows Remote Shell Group Policy Objects (GPO) under Administrative Templates and Windows Components.


Troubleshoot WinRM


Common Issues:



1. If the ISA2004 firewall client is installed on the computer, it can cause a Web Services for Management (WS-Management) client to stop responding. To avoid this issue, install ISA2004 Firewall SP1.



2. Antivirus software can prevent proper WinRM communication. Disable antivirus software and reboot the machine if the Antivirus software is known to scan processes and protocols, or if there is any doubt about the software.


Test WinRM communication on the local and remote machines


This section addresses how to test whether WinRM is working on the local system, and whether it can communicate with the remote system. Test remote communication in both directions between machines.


Local communication:


Locate listeners and addresses: (No output means WinRM is not installed)



winrm e winrm/config/listener


Localhost Ping:


(Successfully completing this step pretty much ensures complete access to WSMan on the local system)



Winrm id


Further:


Check state of configuration settings:



winrm get winrm/config


Check the state of WinRM service:



winrm get wmicimv2/Win32_Service?Name=WinRM



Remote communication:


Locate listeners and addresses:



winrm e winrm/config/listener


Remote Ping:


(Successfully completing this step pretty much ensures complete access to WSMan on the remote system)



winrm id -r:machinename


Further:


Check state of configuration settings:



winrm get winrm/config -r:machinename


Check the state of WinRM service:



winrm get wmicimv2/Win32_Service?Name=WinRM -r:machinename
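

The ‘Check state of configuration settings’ step prints every WinRM setting as indented text. The PowerShell below is an added example, not part of the original article: it parses that output and flags settings that undo the encrypted-by-default behaviour described at the top of the page. The function names and the sample output are constructed for illustration.

```powershell
# Constructed sample of `winrm get winrm/config` output (trimmed; not from a real host).
$sampleConfig = @'
Config
    Client
        AllowUnencrypted = false
        Auth
            Basic = true
            Kerberos = true
        TrustedHosts = *
    Service
        AllowUnencrypted = true [Source="GPO"]
        Auth
            Basic = true
            Kerberos = true
'@ -split "`r?`n"

function ConvertFrom-WinrmConfigText {
    # Flattens the indented "Name = value" listing into a table keyed by path,
    # e.g. 'Config/Service/Auth/Basic' -> 'true'. (Hypothetical helper name.)
    param([string[]]$Lines)
    $settings = @{}
    $open = New-Object System.Collections.ArrayList   # enclosing sections, outermost first
    foreach ($line in $Lines) {
        if ($line -notmatch '^(\s*)(\S.*?)\s*$') { continue }   # blank line
        $indent = $Matches[1].Length; $text = $Matches[2]
        # Close every section that is not less indented than this line.
        while ($open.Count -gt 0 -and $open[$open.Count - 1].Indent -ge $indent) {
            $open.RemoveAt($open.Count - 1)
        }
        $path = @($open | ForEach-Object { $_.Name })
        # A value set by Group Policy carries a trailing [Source="GPO"] tag; drop it.
        if ($text -match '^(\S+)\s*=\s*(.*?)(\s*\[Source="[^"]*"\])?$') {
            $settings[($path + $Matches[1]) -join '/'] = $Matches[2]
        } else {
            # No "=": a section header, or a setting with no value (empty TrustedHosts).
            [void]$open.Add(@{ Indent = $indent; Name = $text })
        }
    }
    return $settings
}

function Get-WinrmConfigFinding {
    # Lists settings that undo the encrypted-by-default behaviour. (Hypothetical helper name.)
    param([hashtable]$Settings)
    foreach ($side in 'Client', 'Service') {
        if ($Settings["Config/$side/AllowUnencrypted"] -eq 'true') {
            $basic = $Settings["Config/$side/Auth/Basic"] -eq 'true'
            "$side AllowUnencrypted = true: unencrypted WS-Man traffic is accepted" +
                $(if ($basic) { ', and Basic authentication is enabled, which over HTTP sends credentials unprotected' })
        }
    }
    $trusted = $Settings['Config/Client/TrustedHosts']
    if ($trusted -match '\*') {
        "Client TrustedHosts = '$trusted'; hosts matched by TrustedHosts might not be authenticated"
    }
}

Get-WinrmConfigFinding -Settings (ConvertFrom-WinrmConfigText -Lines $sampleConfig)
```

To audit a live host, pass the command output instead of the sample: -Lines (winrm get winrm/config), adding a quoted '-r:machinename' argument for a remote system.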


Sample Commands


Here are some sample commands to play with. If you cannot get the ‘Test WS-Man…’ step to work, none of the steps following it will work either (you’re probably not using the right credentials to access the remote machine). One more caveat: the remote commands work best on domain-joined machines. For workgroup machines, the WinRM service needs additional configuration.


Description


Command


Run from an Elevated Command prompt


Quickly configure the WS-Man service


winrm QuickConfig


Quickly delete the WS-Man listener


winrm invoke Restore winrm/Config @{}


Run from a standard Command prompt


Display your machine’s basic hardware info


winrm enumerate wmicimv2/Win32_ComputerSystem


Display your operating system properties


winrm get wmicimv2/Win32_OperatingSystem


Output your OS info in XML


winrm get wmicimv2/Win32_OperatingSystem -format:pretty


Test WS-Man access to a remote machine**


winrm id -remote:<some machine>


Grab a remote machine’s WS-Man config


winrm get winrm/Config -r:<some machine>


Grab a remote machine’s CPU load


winrm g wmicimv2/Win32_Processor?DeviceID=CPU0 -fragment:LoadPercentage -r:<some computer>


Grab a remote machine’s free memory


winrm g wmicimv2/Win32_OperatingSystem -fragment:FreePhysicalMemory -r:<some computer>


Stop a service on a remote machine


winrm invoke stopservice wmicimv2/Win32_Service?name=w32time -r:<some computer>


Start a service on a remote machine


winrm invoke startservice wmicimv2/Win32_Service?name=w32time -r:<some computer>


Reboot a remote machine


winrm invoke reboot wmicimv2/Win32_OperatingSystem -r:<some computer>


Run a command on a remote machine (this uses winrS, not winrM)


winrs -r:<some computer> ipconfig /all


Run from PowerShell


Use PowerShell to grab the WS-Man Win32_OperatingSystem XML output


[xml]$osInfo = winrm get wmicimv2/Win32_OperatingSystem /format:pretty


Display the OS version property


$osInfo.Win32_OperatingSystem.Version


Display the last boot time


$osInfo.Win32_OperatingSystem.LastBootupTime.DateTime


Put free memory metric into an XML variable


[xml]$freemem = cmd /c "winrm get wmicimv2/Win32_OperatingSystem -fragment:FreePhysicalMemory -f:pretty -r:<some computer>"


Display the free memory value


$freemem.XMLFragment.FreePhysicalMemory


**Note: This step verifies that you have good connectivity to the remote machine, WS-Man is running and properly configured on the remote machine, AND you have the correct permissions to fully leverage WS-Man on the remote machine. If this step fails, it’s probably a permissions issue.


Advanced Concepts


URI Aliases


URI aliases can simplify the Winrm command line. The following URI aliases are supported:



wmi = http://schemas.microsoft.com/wsman/2005/06/wmi



wsman = wsman:microsoft.com/wsman/2005/06/



cimv2.9 = http://schemas.dmtf.org/wsman/2005/06/cimv2.9



cimv2 = http://schemas.microsoft.com/wsman/2005/06/wmi/root/cimv2


For example, the following command:



winrm get http://schemas.microsoft.com/wsman/2005/06/wmi/root/cimv2/Win32_Service?Name=WinRM


Gets replaced with:



winrm get wmi/root/cimv2/Win32_Service?Name=WinRM



Performing an Invoke Operation


‘Invoke’ initiates commands


winrm invoke StartService wmicimv2/Win32_Service?Name=WinRM -r:machinename @{}



This will likely return ‘ReturnValue = 10’ on a remote system where WinRM is running, because the service is already started.


WS-Man (WinRM) Architecture


The following diagram shows a high-level overview of the WS-Man (WinRM) architecture. In the diagram the ‘Client’ is querying the ‘Server’ for WS-Man information. Note that HTTP.sys and WinHTTP support the HTTP(s) transport for WS-Man, not IIS. In addition, IIS (or another web publishing service) can co-exist with WS-Man and share port 80.


Remember:



WinHTTP = Client



HTTP.SYS = Server


[Figure: high-level overview of the WS-Man (WinRM) architecture, with the ‘Client’ querying the ‘Server’]


The Windows Remote Management architecture consists of components on the client and server computers. The following illustration shows the components on both computers, how the components interact with other components, and the protocol that is used to communicate between the computers.


[Figure: WinRM components on the client and server computers and the protocol used between them]


Requesting Client

The following WinRM components reside on the computer that is running the script that requests data.


· WinRM application



This is the script or Winrm command-line tool that uses the WinRM scripting API to make calls to request data or to execute methods. For more information, see the WinRM Scripting API [ http://msdn.microsoft.com/en-us/library/aa384469(VS.85).aspx ].


· WsmAuto.dll



The OLE automation layer that provides scripting support.


· WsmCL.dll



C API layer within the operating system.


· HTTP API



WinRM requires support for HTTP and HTTPS transport.



Responding Server

The following WinRM components reside on the responding computer.


· HTTP API



WinRM requires support for HTTP and HTTPS transport.


· WsmAuto.dll



The OLE automation layer that provides scripting support.


· WsmCL.dll



C API layer within the operating system.


· WsmSvc.dll



WinRM listener [ http://msdn.microsoft.com/en-us/library/aa384465(VS.85).aspx ] service.


· WsmProv.dll



Provider subsystem.


· WsmRes.dll



Resource file.


· WsmWmiPl.dll



WMI plug-in [ http://msdn.microsoft.com/en-us/library/aa384465(VS.85).aspx ]. This allows you to obtain WMI data through WinRM.


· Intelligent Platform Management Interface (IPMI) driver and WMI IPMI provider



These components supply any hardware data that is requested using the IPMI classes. For more information, see Intelligent Platform Management Interface (IPMI) Classes [ http://msdn.microsoft.com/en-us/library/aa390891(VS.85).aspx ]. BMC hardware must have been detected by the SMBIOS or the device created manually by loading the driver. For more information, see Installation and Configuration for Windows Remote Management [ http://msdn.microsoft.com/en-us/library/aa384372(VS.85).aspx ].


References


Installation and Configuration for Windows Remote Management


http://msdn.microsoft.com/en-us/library/aa384372(VS.85).aspx


Windows Remote Management Command-Line Tool (Winrm.cmd)


http://technet.microsoft.com/en-us/library/cc781778.aspx


How can Windows Server 2008 WinRM & WinRS help you


http://windowsnetworking.com/articles_tutorials/How-Windows-Server-2008-WinRM-WinRS.html


The things that are better left unspoken: Remotely managing your Server Core using WinRM and WinRS


http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2008/02/23/remotely-managing-your-server-core-using-winrm-and-winrs.aspx


Redmond Print First Look WinRM & WinRS


http://redmondmag.com/columns/article.asp?EditorialsID=2262


Otto Helweg – Management Matters: A Few Good Vista WS-Man (WinRM) Commands


http://blogs.technet.com/otto/archive/2007/02/09/sample-vista-ws-man-winrm-commands.aspx


Windows Remote Management Architecture


http://msdn.microsoft.com/en-us/library/aa384464(VS.85).aspx

Comments (12)

  1. Anonymous says:

    Thank you very much for the great article.

    I have the below error when I tried to configure winrm service

    C:\Windows\system32>winrm qc

    WinRM already is set up to receive requests on this machine.

    WSManFault

       Message = WinRM cannot process the request. The following error occured while using Negotiate authentication: An unknown security error occurred.

    Possible causes are:

     -The user name or password specified are invalid.

     -Kerberos is used when no authentication method and no user name are specified.

     -Kerberos accepts domain user names, but not local user names.

     -The Service Principal Name (SPN) for the remote computer name and port does not exist.

     -The client and remote computers are in different domains and there is no trust between the two domains.

    After checking for the above issues, try the following:

     -Check the Event Viewer for events related to authentication.

     -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.

    Note that computers in the TrustedHosts list might not be authenticated.

      -For more information about WinRM configuration, run the following command: winrm help config.

    Error number:  -2144108387 0x8033809D

    An unknown security error occurred.

    Could you help me please?

     

     

    =-=-=-=-=-=-=-=-=-=-

    This may help.

     

    970923 
    Unable to add a managed host in SCVMM 2008, Error 2927 (0x8033809d)

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;970923

  2. Anonymous says:

    Jonathon Jordan has written a great article on troubleshooting WinRM on his blog site. SCVMM relies heavily

  3. Anonymous says:

    Excellent information!  Thanks!

    Could you please write something up ( :-)) )  how to configure WinRM communication over https rather than http which transmit over clear-text?  Thanks 🙂

    You give us more, we want more ;p

  4. Anonymous says:

    What we will be going over in this blog is one of the improvements of Distributed Transaction Coordinator

  5. hassan sayed issa20014 says:

    thank you

  6. VJ says:

    How to retrieve WMI property qualifiers using WINRM?

    Example:

    By using the below query we can get the disk read rate, so how can we get the countertype property qualifier of "DiskReadsPerSec"?

    "select DiskReadsPerSec from Win32_PerfRawData_PerfDisk_LogicalDisk"

    Thanks in Advance.

    VJ

  7. GT says:

    When I run winrm quickconfig I am just getting the following:

    PS C:\Users\greg> winrm quickconfig

    WinRM already is set up to receive requests on this machine.

    WSManFault

       Message = The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".

    Error number:  -2144108526 0x80338012

    The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".

    PS C:\Users\greg>

    I don't know what I screwed up but no matter what I do with winrm, it gives me the same message.  How do I completely uninstall and reinstall it?

  8. AJ says:

    Hi GT, it appears that the "Windows Remote Management (WS-Management)" service is not running on your machine from where you are running the winrm quickconfig command.

    To check this service, go to the Run box and open the services window (Start-Run, type services.msc). A window with a list of services running on your machine will be displayed. Locate the service mentioned above and ensure that it is started in automatic mode. After this is done, try the winrm quickconfig query; it should work.

    By the way, if the query still does not respond, check for the Remote Procedure Call service on the services page; if it is stopped, start it as well in automatic mode and retry the query. This should display the required output for the winrm query.

  9. brad says:

    I am not able to do a remote ping on my hyperV host the error I get is:

    WSManFault

       Message = WinRM cannot process the request. The following error occured while using Kerberos authentication: A specified logon session does not exist. It may already have been terminated.

    Possible causes are:

     -The user name or password specified are invalid.

     -Kerberos is used when no authentication method and no user name are specified.

     -Kerberos accepts domain user names, but not local user names.

     -The Service Principal Name (SPN) for the remote computer name and port does not exist.

     -The client and remote computers are in different domains and there is no trust between the two domains.

    After checking for the above issues, try the following:

     -Check the Event Viewer for events related to authentication.

     -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.

    Note that computers in the TrustedHosts list might not be authenticated.

      -For more information about WinRM configuration, run the following command: winrm help config.

    Error number:  -2147023584 0x80070520

    A specified logon session does not exist. It may already have been terminated.

  10. JayP says:

    Great Blog found it in a search for some troubleshooting I was doing and it had a great mix of architecture, troubleshooting and usage.

  11. Anonymous says:

    An article on PowerShell security has appeared in windows.developer 5.2014: how is PowerShell protected against misuse, what attacks on or via PowerShell exist, and what must one watch out for when using it