Windows Remote Management - EN

Windows Remote Management
Kirill Nikolaev
MCSE, MCITP

TOC
1.Legacy technologies
1.WMI
2.RPC
2.PowerShell
3.Tools

Windows Remote Management:
Overview
Overview of remote management technologies in Windows-based infrastructure.

Windows Management Instrumentation
• One of the first technologies to manage both local and remote
Windows computers (NT5.0+).
• WMI – Microsoft’s implementation of Web-Based Enterprise
Management (WBEM)
• WBEM – enterprise-grade standard information access technology,
based on Common Information Model (CIM).
• CIM – describes IT infrastructure, its manageable elements and how
they are connected. (http://dmtf.org/standards/cim)
• CIM, WBEM, WMI, in case of Windows – the same thing.

What can you do with WMI:
• Manage local disks, services, event log etc.
• Manage network settings: IP-address, enable/disable DHCP, DNS-
servers.
• Monitor your system: free disk space, for example.
• Retrieve system configuration information: computer name, RAM
size, OS edition, installed updates.
• Retrieve information from installed applications: SCCM, Exchange,
SQL Server.
• etc.

Windows Remote Management - EN

Manageable Resources
Any system component or a component of installed application:
• Local disks
• Event logs
• Services
• SQL Server
• SCCM
• Exchange Server
• System global properties
• Printers
• Shared folders
• Any hardware

WMI Classes
• Every manageable class is a member of another one class.
• Class – description of resource’s properties and available methods.
• Examples:
• Win32_LogicalMemoryConfiguration
• Win32_Service
• Win32_NTLogEvent
• Exchange_Mailbox
• CCM_SoftwareDistributionClientConfig

WMI Providers
• Every resource has its own API.
• WMI uses standardized access model.
• Provides translates WMI requests to manageable resources and vice
versa.
• Providers are just like drivers.
• One provider can present:
• Single class (Registry – StdRegProv)
• Multiple classes (Win32 - Win32_Process, Win32_LogicalDisk etc.)

Provider Examples
Provider DLL Namespace Description
Active Directory dsprov.dll rootdirectoryldap Maps Active Directory objects to WMI
Event Log ntevt.dll rootcimv2 Manages Windows event logs (for example, reads, backs up, clears,
copies, deletes, monitors, renames, compresses, and uncompresses
event log files and changes event log settings)
Performance
Counter
wbemperf.dll rootcimv2 Provides access to raw performance data
Registry stdprov.dll rootdefault Reads, writes, enumerates, monitors, creates, and deletes registry keys
and values
SNMP snmpincl.dll rootsnmp Provides access to SNMP MIB data and traps from SNMP-managed
devices
WDM wmiprov.dll rootwmi Provides access to information about WDM device drivers
Win32 cimwin32.dll rootcimv2 Provides information about the computer, disks, peripheral devices,
files, folders, file systems, networking components, operating system,
printers, processes, security, services, shares, SAM users and groups,
and more
Windows Installer msiprov.dll rootcimv2 Provides access to information about installed software
Exchange Server rootMicrosoftExchangeV2
SCCM rootCCM

WMI Infrastructure
1. WMI Service (winmgmt)
• Manages communication between providers, repository and applications.
2. WMI Repository
• Consists of namespaces (rootdefault, rootcimv2)
• Namespaces are used for access restriction (ala filesystem folders)
• http://wutils.com/wmi/namespaces.html
• Only static data (class definitions)
• At file system - %SYSTEMROOT%System32wbem

How do I access WMI?
If you are programmer: COM API (WMI Component Object Model
(COM) API), Microsoft.Management.Infrastructure (C#)
If you are administrator:
1. GUI
• WMI Explorer
• wbemtest.exe
• WMI Administrative Tools
• Scriptomatic 2.0
• Coretech WMI and PowerShell Browser http://goo.gl/sySC5o

How do I access WMI?
2. CLI
• wmic
• PowerShell
3. Scripting:
• VBScript - Scripting API for WMI (http://goo.gl/EWt23b)
• PowerShell - Get-WmiObject, Get-CimInstance

Questions?
WMI architecture, WMI in general.

Example: VBS – Total Visible Memory
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & strComputer & _
"rootcimv2")
Set colItems = objWMIService.InstancesOf("Win32_OperatingSystem")
For Each objItem In colItems
Wscript.Echo "Total Physical Memory (KB): " & _
objItem.TotalVisibleMemorySize
Next

Example: VBS – Installed Updates
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & strComputer)
Set colItems = objWMIService.ExecQuery(_
"Select * from Win32_QuickFixEngineering")
For Each objItem in colItems
Wscript.Echo "HotFixID: " & objItem.HotFixID
Wscript.Echo "Caption: " & objItem.Caption
Wscript.Echo "Description: " & objItem.Description
Wscript.Echo "InstalledOn: " & objItem.InstalledOn
Next

Example: VBS – Disable User
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & strComputer & _
"rootcimv2")
Set colItems = objWMIService.ExecQuery(_
"SELECT * FROM Win32_UserAccount WHERE Name = 'User'")
For Each objItem In colItems
objItem.Disabled = TRUE
objItem.Put_()
Next

Example: VBS – Restart Service
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & strComputer & "rootcimv2")
Set colServices = objWMIService.ExecQuery _
("SELECT * FROM Win32_Service where Name = 'Themes'")
For Each objService In colServices
Return = objService.StopService()
If Return <> 0 Then
Wscript.Echo "Failed " & VBNewLine & "Error code = " & Return
Else
WScript.Echo "Succeeded"
objService.StartService()
End If
Next

wmic syntax
• wmic qfe | find "2998527" << external filtering using “find” command
• qfe where HotfixID= "KB2998527" << built-in filtering,
strict compliance only, works in CLI only
• wmic memorychip get Capacity << clear output
while using property’s name
• wmic path win32_QuickFixEngineering get Hotfixid << full path
w/o usage of aliases

Example: wmic – Rich output
wmic /output:C:tempCPU1.htm cpu get Name, MaxClockSpeed,
NumberOfCores, SocketDesignation /format:hform

DCOM (distributed component object model)
• WMI uses it for remote connection.
• Consists of 2 parts:
• COM – standardized Microsoft model for application communication.
• RPC (Remote Procedure Calls) – client-server technology. Used for remote
functions call, transfer of objects etc.

How does RPC work:
CLIENT_PROC
SERVER_PROC
END POINT
MAPPER
0 REG
1 REQ
2 RESP
3 REQ
4 RESP
135PORT
DYNAMICALLYASSIGNED
PORT

Example: VBS – Remote DHCP Enable
strComputer = “CLT1.exchange12rocks.net“
Set objWMIService = GetObject(_
"winmgmts:" & strComputer & "rootcimv2")
Set colNetAdapters = objWMIService.ExecQuery _
("Select * from Win32_NetworkAdapterConfiguration " _
& "where IPEnabled=TRUE")
For Each objNetAdapter In colNetAdapters
errEnable = objNetAdapter.EnableDHCP()
Next

WinRM
•Microsoft’s implementation of WS-Management
•Single network port – 5985/6 (HTTP/S)
•To enable:
•2003-2008 R2: winrm qc
•2012+: enabled by default

How do I use WinRM?
• Remote interactive shell:
• winrs -r:<ServerName> cmd.exe
• To start a service:
• winrm invoke StartService wmicimv2/Win32_Service?Name=Themes
• Reboot:
• winrm invoke reboot wmicimv2/Win32_OperatingSystem -r:<ServerName>
• Get system info:
• [xml]$osInfo = winrm get wmicimv2/Win32_OperatingSystem /format:pretty
• $osInfo.Win32_OperatingSystem

Questions?
WMI usage in VBScript, wmic, WinRM.

What is PowerShell?
• Script language
• Command-line interface with auto-completion
• Available as built-in from Windows Vista
• Object-oriented – result of each command is an object but no text
string
• “Verb-Noun” system of commands (cmdlets)
• Get-Process
• Stop-Service
• Set-Mailbox
• Easily extensible

PS primitives
• Pipeline – transfers objects between commands:
• Get-Process mmc.exe | Stop-Process
• Variable – text string starting with “$” sign:
• $Counter = 10
• $Files = Get-ChildItem -Path C:temp
• “this” variable ($_) – contains current object:
• 1, 2, 3 | ForEach-Object {echo ($_+5)}
• Properties – each object is described by one or many properties:
• $Files.Count
• Methods – most objects have methods to execute:
• $Files.GetType()

PS Aliases
Short aliases exist for some of the built-in cmdlets:
• where -> Where-Object
• cd -> Set-Location
• man -> help

Main cmdlets
• Get-Help (help)
• Get-Command
• Get-Member
• Select-Object (select)
• Get-Content (gc)
• ForEach-Object (foreach, %)
• Write-Output (echo)
• Where-Object (where)

Comparison operators
-eq - Equal to. Includes an identical value. -Match - Matches a string using regular expressions.
-ne - Not equal to. Includes a different value. -NotMatch - Does not match a string. Uses regular
expressions.
-gt - Greater-than. -Contains - Tells whether a collection of reference
values includes a single test value.
-ge - Greater-than or equal to. -NotContains
-lt - Less-than. -In
-le - Less-than or equal to. -NotIn
-Like - Match using the wildcard character (*). -Replace - Replace operator. Changes the specified
elements of a value.
-NotLike - Does not match using the wildcard
character (*).

Complex Example
$Files | where {$_.LastWriteTime -gt '01.01.2010'} | select Name,
Length

Cmdlets: CIM vs. WMI
• Get-WmiObject:
• PowerShell 2.0
• DCOM/RPC
• Get-CimInstance:
• PowerShell 3.0
• WS-Man/HTTP(S)
• Improved compatibility (non-Windows systems, down-level OS)

Example: PS – OLD
$Service = Get-WmiObject -Query "SELECT * FROM
Win32_Service WHERE Name = 'Themes'"
$Return = $Service.ChangeStartMode("Manual")
if ($Return.ReturnValue -eq 0) { "Success" }
else { "$($Return.ReturnValue) was reported" }

Example: PS – NEW
$Return = Invoke-CimMethod -Query "SELECT * FROM
Win32_Service WHERE Name = 'Themes'"
-MethodName 'ChangeStartMode'
-Arguments @{StartMode = 'Manual'}
if ($Return.ReturnValue -eq 0) { "Success" }
else { "$($Return.ReturnValue) was reported" }

Remote-enabled PowerShell-cmdlets
Get-WmiObject Get-EventLog Stop-Computer
Remove-WmiObject Show-EventLog Restart-Computer
Invoke-WmiMethod New-EventLog Get-Service
Register-WmiEvent Remove-EventLog Set-Service
Set-WmiInstance Clear-EventLog Get-Process
Limit-EventLog Get-Counter
Get-WinEvent Get-HotFix

PowerShell Remoting
1. Execute PowerShell commands remotely:
Invoke-Command
2. Interactive remote PowerShell session:
*-PSSession*

PS Remoting – minimum requirements
1. Windows XP SP3
2. .NET Framework 2.0 SP1
3. Windows Management Framework
1. Windows PowerShell 2.0
2. Windows Remote Management (WinRM) 2.0

PS Remoting - activation
• Enable-PSRemoting
• Enabled by default on Windows 2012 and later.
• Remote activation:
• http://gallery.technet.microsoft.com/scriptcenter/Enable-PSRemoting-
Remotely-6cedfcb0
• Network ports: 5985 (HTTP), 5986 (HTTPS) (same as WinRM)

PS Remoting – command execution
Invoke-Command -ComputerName SRV1, SRV2 -ScriptBlock {Get-Process}
• ComputerName accepts any PowerShell-list as an input:
• (Get-Content C:ScriptsServers.txt)
• ScriptBlock accepts both single (with parameters) and multiple cmdlets as an
input:
• {Get-Process mmc | Stop-Process},
• {$myScript}
• -FilePath {C:ScriptsTestScript.ps1}

PS Remoting – RunAs
Invoke-Command … -Credential:
1. (Get-Credential)
2. $cred variable
• $cred = Get-Credential

PS Remoting - Sessions
• Command completion works even if cmdlets aren’t installed at your
box.
• Get-Help, Get-Command works against remote cmdlet set.
• Less typing, commands are shorter – same as you’d run them locally.

PS Remoting – Session cmdlets
• Enter-PSSession
• Exit-PSSession
• Permanent sessions for Invoke-Command cmdlet:
1. $S = New-PSSession $ComputerName
2. Invoke-Command -Session $S -ScriptBlock {Start-Job -ScriptBlock {$Script}}

PS Remoting – Background Jobs
1. Run command as a job:
Invoke-Command SRV1 -ScriptBlock {(Get-ChildItem C: -Recurse).Count} -AsJob
2. Grab the result:
Get-Job -Id 2 | Receive-Job
Useful for long operations, especially with multiple computers.

Windows Remote Management:
Tools
Tools, which are useful to any network administrator in Windows-based
infrastructure.

Administrative shares
• “Hidden” networks share
• Its name ends with “$” sign. Windows Explorer and “net view” command
don’t show such network shares.
• One for each logical volume:
• C$, D$, E$ etc.
• admin$ - %SYSTEMROOT%
• print$ - contains printer objects
• ipc$ - not a part of a file system. Used for inter-process
communication
By default, accessible by administrators only.

MMC
• Microsoft Management Console – GUI which hosts many
administrative tools to manage your machines locally and remotely.
• Installed at each Windows PC starting from NT4.0
• Many snap-ins ship separately
• Remote Server Administration Tools
• Exchange Management Console
• DPM Administration Console
• Kaspersky Security Center

MMC snap-ins
• Standard Microsoft snap-ins located in “Control PanelAll Control
Panel ItemsAdministrative Tools”
• Most useful for you – “Computer Management”
• You can create your own set of snap-ins and save as a single file

Remote registry
• Depends on “Remote Registry” service
• Use common regedit.exe tool
• File -> Connect network registry

Built-in command-line tools
• tasklist/taskkill
• /s
• shutdown
• /m
• netsh
• -r
• w32tm
• /computer

Sysinternals PsTools
• PsExec - execute processes remotely
• PsFile - shows files opened remotely
• PsGetSid - display the SID of a computer or a user
• PsInfo - list information about a system
• PsPing - measure network performance
• PsKill - kill processes by name or process ID
• PsList - list detailed information about processes
• PsLoggedOn - see who's logged on locally and via resource sharing (full source is included)
• PsLogList - dump event log records
• PsPasswd - changes account passwords
• PsService - view and control services
• PsShutdown - shuts down and optionally reboots a computer
• PsSuspend - suspends processes

About me
• Every contact/social networks:
• http://about.me/exchange12rocks
• My technical blog:
• https://exchange12rocks.org

Windows Remote Management - EN

More Related Content

What's hot (20)

Similar to Windows Remote Management - EN (20)

Windows Remote Management - EN

Editor's Notes