Thoughts from the EPS Windows Server Performance Team
Useful Microsoft Blogs
This is Krishnan and I would like to discuss a bit about the Windows Remote Management tool (WinRM) for Windows Server 2008 R2.
First, some design info. Windows Remote Management is the Microsoft implementation of the WS-Management Protocol. It uses SOAP (Simple Object Access Protocol) over HTTP and HTTPS, and thus is considered a firewall-friendly protocol. It was designed to provide interoperability and consistency for enterprise networks that have a variety of operating systems, to locate and exchange management information.
WinRM provides a command line interface that can be used to perform common management tasks, and also provides a scripting API so you can write your own Windows Scripting Host based scripts. In the background, WinRM relies on management data provided by WMI; however it makes the exchange of data much easier by utilizing the HTTP protocol.
Apart from WMI, WinRM utilizes the Intelligent Platform Management Interface (IPMI) driver for hardware management. The IPMI provider and driver enable you to control and diagnose remote server hardware through BMCs [Baseboard Management Controllers] even when the OS is not running or deployed. Effectively BMC is a chip connected to the processor board of a server; it has its own network adapter and hence can monitor the server in situations even when the server is malfunctioning.
So, here is some basic WinRM configuration info:
First, to make WinRM work on the server we need the Windows Firewall to be enabled. Once that is done, open a command prompt and run the following command:
This command performs configuration actions to enable this machine for remote management, which includes:
When you configure WinRM on the server it will check if the Firewall is enabled. If so, it then enables the Firewall exception for WinRM. In case the Firewall is disabled, you should get the following error message
To list all the WinRM listeners, run this command:
“Winrm enumerate winrm/config/listener”
You can also get the configuration information of the Service, Client and WinRS by running the following command:
“Winrm get winrm/config”
Now let us look at the different operations that WinRM supports to access WMI data.
The list of currently supported operations is:
Using the WinRM get command you can also query different services configuration running on the server.
“Winrm get wmicimv2/Win32_Service?Name=spooler”
You can also use the WinRm get command to query the remote computer:
“Winrm get Winrm/config –r:remotemachinename”
Run this to query the service of remote computer:
“Winrm get wmicimv2/Win32_Service?Name=spooler –r:remotemachinename”
To reboot a remote machine:
“winrm invoke reboot wmicimv2/Win32_OperatingSystem -r:<some computer>”
Start a service on a remote machine
“winrm invoke startservice wmicimv2/Win32_Service?name=w32time -r:<some computer>”
Additional commands are listed at the following link in case you are interested:
I’ll also use this opportunity to discuss a recent issue I faced while working with WinRM, as I have seen multiple users complaining about similar issue when working with 3rd party apps that make use of WinRM. Hopefully this may help you if you have to tackle similar issues at a later stage.
In this specific issue the customer was using a 3rd party application to collect the event logs from servers located in different sites. The application uses WinRM to collect the event logs on Windows server 2008 and R2 Servers. This application also uses a service account using which it collects the logs. When they ran the application it failed and gave Access Denied errors. The customer was working on this case thinking this to be an application issue, as they were able to collect the logs from some Windows Server 2008 machines not others.
In order to narrow the issue down, we first logged in to the server using the service account and confirmed that this account did not have any obvious permission or logon issues. Now to remove the application out of the picture we checked if WinRM is able to connect to the remote server by itself. For this, we used the wevtutil tool try querying the event logs:
“winrs -r:http://<FQDN of the server> -u:username –p:password "wevtutil qe system"
First we used the Admin account credentials to query the event log and it worked correctly. Then we tried using the Service Account that the application was using and got an ACCESS DENIED. It seemed that the service account is missing some permissions on the target box. Since we were able to login correctly using this account earlier and also could do all other normal operations with this account, we suspected the issue to be something specific to WinRM or event log permissions. So, we started by comparing the “Channel Access” (read security setting) of the target machine with that of a working machine.
Below is the command to get the Channel Access information:
“wevtutil sl system /ca”
“/ca:<Channel>” sets the access permission for an event log. “<Channel>” is a security descriptor that uses the Security Descriptor Definition Language (SDDL).
By comparing against a working machine, we found that the Authenticated Users group had DENY permissions listed on the non-working box. Because of this, we replaced the Channel Access permissions on the non-working machine with that of the working machine. Now when accessing the event logs with the service account username and password we were able to successfully query. Once this was fixed, the application started collecting the event logs from all the servers.
So, in the end it wasn’t really a WinRM issue, but one might get that impression based on the symptom.
Hope this information was helpful. For more information on WinRM, please see:
Installation and Configuration for Windows Remote Management
Krishnan S. Ayyer
This is Krishnan and I would like to discuss a bit about the Windows Remote Management tool (WinRM) for Windows Server 2003 R2.
WinRM is available only on Windows Server 2003 R2 SP 2 and above OS only.
All nice and well.. but every Windows remote execution tool I have tried won't forward correct authentication to third party servers/computers.
winrs -r:server1 cmd.exe
shutdown /r /t 0 /m /m \\computer2
computer2: access is denied.(5)
Also Active Directory access is blocked (for example vbscript to look up computer info.. Active Directory: An operations error occurred.).
This does work perfectly well on a console in a rdp session on server1. Also I made sure that the cmd.exe that runs through winrs has administrator rights (I can create a folder in c:\windows).
Nice work. just to complete the work, WINRM needs the firewall port 5985 and 5986 to be enabel before running the command "winrm quickconfig" command.
Awesome information Sir...
It is very useful for my project
I'm able to connect Application logs but not security or system logs. If I add security or syslog to the configuration that's working to pull the application logs everything stops working with a denied access message. I thought security was the only subscription that needed specific rights, so why would I get application but not system? The user account has been added to the local read event group. Any idea on how to troubleshoot this?