Invoke a remote command without WinRM, psexec or similar – Access administrative shares even if they have been removed
Recently I ran into a situation where I had to check a few log files on some remote computers and also needed to execute some commands to fix an issue. However, for reasons I’m not going to elaborate on, all administrative shares had been removed. So no share was left that would give me access to the local file system. In addition, the PowerShell cmdlet Invoke-Command couldn’t help me out either, as either PowerShell wasn’t installed (yes, oooooold systems) or WinRM wasn’t enabled/configured.
A typical fix if WinRM isn’t enabled or properly configured is to execute the “winrm quickconfig” command via e.g. psexec, but due to the removal of the Admin$ share, the typical weapons of choice for remote execution like psexec or similar wouldn’t work either, as they initiate their connection via the Admin$ share.
So what’s left? I could still use RDP or a similar tool. But most of those machines were workstations, which would require me to get back to the local user, ask for a timeframe to either log on or take over their session, etc. This would be a hassle and time-consuming for both of us. Not to mention that this doesn’t scale properly. So I took on the challenge and looked for a “better” solution.
One option I found was making use of the Win32_Process WMI class, in particular its Create method, which allows you to, guess what, create a new process. That would cover the second part of my problem, executing a command on the remote computer. But what about the log files? Well, how about creating a new share to check the log files, doing our troubleshooting, and removing the share afterwards?
All it takes is a PowerShell command to invoke a WMI method remotely. We can use either Invoke-WMIMethod or Invoke-CimMethod. In this case, Invoke-WMIMethod is probably a bit shorter:
Invoke-WmiMethod -ComputerName MyComputer -Namespace root\cimv2 -Class Win32_Process -Name Create -ArgumentList "Net Share CCMLogs=C:\Windows\CCM\Logs"
And now we can read the log files and do whatever we need. And afterwards just execute
Invoke-WmiMethod -ComputerName MyComputer -Namespace root\cimv2 -Class Win32_Process -Name Create -ArgumentList "Net Share CCMLogs /Delete"
and the share is gone again.
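The create/read/delete sequence above, as an added example that is not code from the original post. It wraps the Win32_Process Create call in a function that checks the method's ReturnValue instead of discarding it, because Create only reports whether the process could be started: the console output of "net share" is never returned. Two caveats a practitioner will want: first, Invoke-CimMethod -ComputerName defaults to WSMan (WinRM), which is exactly what is unavailable here, so the example forces a DCOM CIM session (Invoke-WmiMethod from the post always uses DCOM, but it no longer exists in PowerShell 7); second, the connecting account must be an administrator on the target, and for local (non-domain) accounts UAC remote token filtering will turn that into "Access denied". "MyComputer" and the share name CCMLogs are the placeholders from the post; the /GRANT switch of "net share" assumes Windows Vista / Server 2008 or later on the target and should be dropped for older systems.

```powershell
# Added example (not the original post's code): Win32_Process.Create over DCOM
# with result checking, plus a share-create / read / share-delete workflow.
function Invoke-RemoteProcess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$CommandLine,
        [System.Management.Automation.PSCredential]$Credential
    )

    # Force DCOM: without this, Invoke-CimMethod -ComputerName would try
    # WSMan/WinRM, which is not available in this scenario.
    $sessionParams = @{
        ComputerName  = $ComputerName
        SessionOption = (New-CimSessionOption -Protocol Dcom)
        ErrorAction   = 'Stop'
    }
    if ($Credential) { $sessionParams['Credential'] = $Credential }
    $session = New-CimSession @sessionParams

    try {
        $result = Invoke-CimMethod -CimSession $session -ClassName Win32_Process `
            -MethodName Create -Arguments @{ CommandLine = $CommandLine }
    }
    finally {
        Remove-CimSession -CimSession $session
    }

    # Documented return values of Win32_Process.Create. Only the start of the
    # process is reported; a "net share" that fails after starting (e.g. the
    # share name is already in use) still yields 0 here.
    $meanings = @{
        0  = 'Successful completion'
        2  = 'Access denied'
        3  = 'Insufficient privilege'
        8  = 'Unknown failure'
        9  = 'Path not found'
        21 = 'Invalid parameter'
    }
    $rv = [int]$result.ReturnValue
    $meaning = if ($meanings.ContainsKey($rv)) { $meanings[$rv] } else { 'Undocumented return value' }

    [pscustomobject]@{
        ComputerName = $ComputerName
        CommandLine  = $CommandLine
        ReturnValue  = $rv
        Meaning      = $meaning
        ProcessId    = $result.ProcessId
        Succeeded    = ($rv -eq 0)
    }
}

# --- Usage: share the log folder read-only for the connecting account only,
# --- read the logs, and remove the share again so no extra door is left open.
$target = 'MyComputer'                      # placeholder from the post
$me     = "$env:USERDOMAIN\$env:USERNAME"   # least privilege: only this account may read the share

$create = Invoke-RemoteProcess -ComputerName $target `
    -CommandLine "net share CCMLogs=C:\Windows\CCM\Logs /GRANT:$me,READ"
if (-not $create.Succeeded) {
    throw "Could not start 'net share' on ${target}: $($create.Meaning) ($($create.ReturnValue))"
}

try {
    # net.exe is short-lived; give it a moment, then verify the share really exists,
    # since a ReturnValue of 0 does not prove that "net share" succeeded.
    Start-Sleep -Seconds 2
    if (-not (Test-Path "\\$target\CCMLogs")) {
        throw "Share CCMLogs was not created on $target (check the share name and /GRANT syntax)"
    }
    Get-ChildItem "\\$target\CCMLogs" -Filter *.log |
        Sort-Object LastWriteTime -Descending |
        Select-Object Name, LastWriteTime, Length
}
finally {
    # Always clean up, even if reading the logs failed.
    Invoke-RemoteProcess -ComputerName $target -CommandLine 'net share CCMLogs /delete' | Out-Null
}
```

The process started this way runs non-interactively under the connecting account on the target; if you need to see what it printed, redirect its output to a file inside the command line (for example with "cmd /c ... > C:\path\out.txt") and read that file over the temporary share.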
Or how about enabling WinRM?
Invoke-WmiMethod -ComputerName MyComputer -Namespace root\cimv2 -Class Win32_Process -Name Create -ArgumentList "winrm quickconfig -quiet"
There are probably other ways to achieve the same goal (there always are!), but for me this is a pretty nifty way of doing this, and it will definitely get its place in my IT toolbelt 😉
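The same technique seen from the defender's side, as an added example that is not part of the original post. A process started through Win32_Process.Create is a child of the WMI provider host, WmiPrvSE.exe, so a "net share ..." or "winrm quickconfig" launched this way stands out in process-creation telemetry, whether the launch was legitimate administration like the one described above or something else. The records are constructed samples in the shape of Sysmon Event ID 1 fields (Image, CommandLine, ParentImage, User); the converter at the end is an assumption about how you would feed real Sysmon events in, and the equivalent Security log source is event 4688 with process-creation auditing and the "Creator Process Name" field enabled.

```powershell
# Added example (not the original post's code): flag processes spawned by the
# WMI provider host and classify the ones matching the post's commands.
function Find-WmiSpawnedProcess {
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        # Compare the file name only; the provider host lives in System32\wbem
        # or SysWOW64\wbem depending on bitness. -ne is case-insensitive.
        if ([IO.Path]::GetFileName([string]$e.ParentImage) -ne 'WmiPrvSE.exe') { continue }

        $cmd = [string]$e.CommandLine
        if     ($cmd -match '(?i)\bnet1?(\.exe)?\s+share\s+\S+=')           { $why = 'share created via WMI' }
        elseif ($cmd -match '(?i)\bnet1?(\.exe)?\s+share\s+\S+\s+/delete')  { $why = 'share removed via WMI' }
        elseif ($cmd -match '(?i)\bwinrm\b.*\bquickconfig\b')                { $why = 'WinRM enabled via WMI' }
        else                                                                { $why = 'process spawned via WMI' }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Computer    = $e.Computer
            User        = $e.User
            Image       = $e.Image
            CommandLine = $cmd
            Finding     = $why
        }
    }
}

# Constructed sample records (not real telemetry). Three are children of
# WmiPrvSE.exe and mirror the commands from the post; the fourth is a benign
# process started from Explorer and must not be reported.
$sampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2024-05-01 09:12:03'; Computer = 'WS01'; User = 'CONTOSO\helpdesk'
                       Image = 'C:\Windows\System32\net.exe'; CommandLine = 'net share CCMLogs=C:\Windows\CCM\Logs'
                       ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe' }
    [pscustomobject]@{ TimeCreated = '2024-05-01 09:12:40'; Computer = 'WS01'; User = 'CONTOSO\helpdesk'
                       Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'winrm quickconfig -quiet'
                       ParentImage = 'C:\Windows\SysWOW64\wbem\WmiPrvSE.exe' }
    [pscustomobject]@{ TimeCreated = '2024-05-01 09:13:10'; Computer = 'WS01'; User = 'CONTOSO\alice'
                       Image = 'C:\Windows\System32\notepad.exe'; CommandLine = 'notepad.exe'
                       ParentImage = 'C:\Windows\explorer.exe' }
    [pscustomobject]@{ TimeCreated = '2024-05-01 09:20:55'; Computer = 'WS01'; User = 'CONTOSO\helpdesk'
                       Image = 'C:\Windows\System32\net.exe'; CommandLine = 'net share CCMLogs /delete'
                       ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe' }
)

Find-WmiSpawnedProcess -Events $sampleEvents | Format-Table -AutoSize

# Assumed converter for real data: Sysmon Event ID 1 records from Get-WinEvent
# into the field shape used above (EventData/Data elements keyed by Name).
function ConvertFrom-SysmonProcessCreate {
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $Event.TimeCreated
            Computer    = $Event.MachineName
            User        = $data['User']
            Image       = $data['Image']
            CommandLine = $data['CommandLine']
            ParentImage = $data['ParentImage']
        }
    }
}
# Live use (assumes Sysmon is installed):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
#             ConvertFrom-SysmonProcessCreate
# Find-WmiSpawnedProcess -Events $live
```

On the sample data the function reports the share creation, the WinRM enablement and the share removal, and skips the Explorer-launched notepad.exe. A DCOM connection of this kind also produces a network logon (type 3) on the target, so pairing these findings with the logon events for the same account and time window tells you who started the process and from where.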
Thank you very much!
One question: Are the resulting processes on the remote computers elevated?