A blog by Jose Barreto, a member of the File Server team at Microsoft.
All messages posted to this blog are provided "AS IS" with no warranties, and confer no rights.
Information on unreleased products are subject to change without notice.
Dates related to unreleased products are estimates and are subject to change without notice.
The content of this site are personal opinions and might not represent the Microsoft Corporation view.
The information contained in this blog represents my view on the issues discussed as of the date of publication.
You should not consider older, out-of-date posts to reflect my current thoughts and opinions.
© Copyright 2004-2012 by Jose Barreto. All rights reserved.
Follow @josebarreto on Twitter for updates on new blog posts.
1. Overview
In a recent blog post, I was looking at PowerShell V2 remoting in Windows Server 2008 R2. If you haven’t seen it, take a look at http://blogs.technet.com/josebda/archive/2010/03/31/experimenting-with-powershell-v2-remoting.aspx.
In that post, I mentioned three different ways to gather information about services on a remove server (throughout this post, I use this task as an example of what I administrator would run remotely):
· Using Get-Service with the –ComputerName parameter (RPC)
· Using Get-WMIObject with a –ComputerName parameter (WMI)
· Using Invoke-Command to execute Get-Service remotely (WinRM)
In this post, I spent more time looking deeper at some the most significant differences between them.
2. Commands and Outputs
For starters, here are the three versions of a sample command to query a remote server and the output they produce: the first using Get-Service, the second using Get-WMIObject and the third using Invoke-Command.
From an IT Administrator perspective, the Get-Service form is short and to the point. It is a good example of how PowerShell makes things simple to manage.
The Invoke-Command is not so bad either, with the advantage that IT Administrators don’t have to restrict themselves to cmdlets that have the –ComputerName option.
The Get-WMIObject seems a bit scary for someone without a developer background. You also lose some of the discoverability advantages of PowerShell (you can’t press TAB to complete your query, for instance).
On the other hand, for developers familiar with Win32 APIs and WMI classes, the option to use Get-WMIObject seems very attractive.
Get-Service LanManServer -ComputerName josebda-s0
Status Name DisplayName
------ ---- -----------
Running LanManServer Server
Get-WMIObject -ComputerName josebda-s0 -query "Select * from Win32_Service Where Name='LanManServer '" | ft
ExitCode Name ProcessId StartMode State Status
-------- ---- --------- --------- ----- ------
0 LanmanServer 868 Auto Running OK
Invoke-Command josebda-s0 {Get-Service LanManServer}
Status Name DisplayName PSComputerName
------ ---- ----------- --------------
Running LanManServer Server josebda-s0
3. Properties and Methods
While the three options look similar, the objects returned are different. The first is of type “System.ServiceProcess.ServiceController”, the second returns the type “System.Management.ManagementObject#root\cimv2\Win32_Service” and last one is of type “Deserialized.System.ServiceProcess.ServiceController”. Take a look below at the details on each different type below, obtained using Get-Member. Note that the deserialized version has no methods to perform actions on the service, like stop or start.
Get-Service LanManServer -ComputerName josebda-s0 | Get-Member
TypeName: System.ServiceProcess.ServiceController
Name MemberType Definition
---- ---------- ----------
Name AliasProperty Name = ServiceName
RequiredServices AliasProperty RequiredServices = ServicesDependedOn
Disposed Event System.EventHandler Disposed(System.Object, System.EventArgs)
Close Method System.Void Close()
Continue Method System.Void Continue()
CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType)
Dispose Method System.Void Dispose()
Equals Method bool Equals(System.Object obj)
ExecuteCommand Method System.Void ExecuteCommand(int command)
GetHashCode Method int GetHashCode()
GetLifetimeService Method System.Object GetLifetimeService()
GetType Method type GetType()
InitializeLifetimeService Method System.Object InitializeLifetimeService()
Pause Method System.Void Pause()
Refresh Method System.Void Refresh()
Start Method System.Void Start(), System.Void Start(string[] args)
Stop Method System.Void Stop()
ToString Method string ToString()
WaitForStatus Method System.Void WaitForStatus(System.ServiceProcess.ServiceControllerStatus desi...
CanPauseAndContinue Property System.Boolean CanPauseAndContinue {get;}
CanShutdown Property System.Boolean CanShutdown {get;}
CanStop Property System.Boolean CanStop {get;}
Container Property System.ComponentModel.IContainer Container {get;}
DependentServices Property System.ServiceProcess.ServiceController[] DependentServices {get;}
DisplayName Property System.String DisplayName {get;set;}
MachineName Property System.String MachineName {get;set;}
ServiceHandle Property System.Runtime.InteropServices.SafeHandle ServiceHandle {get;}
ServiceName Property System.String ServiceName {get;set;}
ServicesDependedOn Property System.ServiceProcess.ServiceController[] ServicesDependedOn {get;}
ServiceType Property System.ServiceProcess.ServiceType ServiceType {get;}
Site Property System.ComponentModel.ISite Site {get;set;}
Status Property System.ServiceProcess.ServiceControllerStatus Status {get;}
Get-WMIObject -computername josebda-s0 -query "Select * from Win32_Service Where Name='LanManServer'" | Get-Member
TypeName: System.Management.ManagementObject#root\cimv2\Win32_Service
Change Method System.Management.ManagementBaseObject Change(System.String DisplayName, System...
ChangeStartMode Method System.Management.ManagementBaseObject ChangeStartMode(System.String StartMode)
Delete Method System.Management.ManagementBaseObject Delete()
GetSecurityDescriptor Method System.Management.ManagementBaseObject GetSecurityDescriptor()
InterrogateService Method System.Management.ManagementBaseObject InterrogateService()
PauseService Method System.Management.ManagementBaseObject PauseService()
ResumeService Method System.Management.ManagementBaseObject ResumeService()
SetSecurityDescriptor Method System.Management.ManagementBaseObject SetSecurityDescriptor(System.Management....
StartService Method System.Management.ManagementBaseObject StartService()
StopService Method System.Management.ManagementBaseObject StopService()
UserControlService Method System.Management.ManagementBaseObject UserControlService(System.Byte ControlCode)
AcceptPause Property System.Boolean AcceptPause {get;set;}
AcceptStop Property System.Boolean AcceptStop {get;set;}
Caption Property System.String Caption {get;set;}
CheckPoint Property System.UInt32 CheckPoint {get;set;}
CreationClassName Property System.String CreationClassName {get;set;}
Description Property System.String Description {get;set;}
DesktopInteract Property System.Boolean DesktopInteract {get;set;}
ErrorControl Property System.String ErrorControl {get;set;}
ExitCode Property System.UInt32 ExitCode {get;set;}
InstallDate Property System.String InstallDate {get;set;}
Name Property System.String Name {get;set;}
PathName Property System.String PathName {get;set;}
ProcessId Property System.UInt32 ProcessId {get;set;}
ServiceSpecificExitCode Property System.UInt32 ServiceSpecificExitCode {get;set;}
ServiceType Property System.String ServiceType {get;set;}
Started Property System.Boolean Started {get;set;}
StartMode Property System.String StartMode {get;set;}
StartName Property System.String StartName {get;set;}
State Property System.String State {get;set;}
Status Property System.String Status {get;set;}
SystemCreationClassName Property System.String SystemCreationClassName {get;set;}
SystemName Property System.String SystemName {get;set;}
TagId Property System.UInt32 TagId {get;set;}
WaitHint Property System.UInt32 WaitHint {get;set;}
__CLASS Property System.String __CLASS {get;set;}
__DERIVATION Property System.String[] __DERIVATION {get;set;}
__DYNASTY Property System.String __DYNASTY {get;set;}
__GENUS Property System.Int32 __GENUS {get;set;}
__NAMESPACE Property System.String __NAMESPACE {get;set;}
__PATH Property System.String __PATH {get;set;}
__PROPERTY_COUNT Property System.Int32 __PROPERTY_COUNT {get;set;}
__RELPATH Property System.String __RELPATH {get;set;}
__SERVER Property System.String __SERVER {get;set;}
__SUPERCLASS Property System.String __SUPERCLASS {get;set;}
PSConfiguration PropertySet PSConfiguration {DesktopInteract, ErrorControl, Name, PathName, ServiceType, St...
PSStatus PropertySet PSStatus {Name, Status, ExitCode}
ConvertFromDateTime ScriptMethod System.Object ConvertFromDateTime();
ConvertToDateTime ScriptMethod System.Object ConvertToDateTime();
Invoke-Command josebda-s0 {Get-Service LanManServer} | Get-Member
TypeName: Deserialized.System.ServiceProcess.ServiceController
ToString Method string ToString(), string ToString(string format, System.IFormatProvider formatProv...
Name NoteProperty System.String Name=LanManServer
PSComputerName NoteProperty System.String PSComputerName=josebda-s0
PSShowComputerName NoteProperty System.Boolean PSShowComputerName=True
RequiredServices NoteProperty Deserialized.System.ServiceProcess.ServiceController[] RequiredServices=System.Serv...
RunspaceId NoteProperty System.Guid RunspaceId=b7769bc0-4283-4465-bffd-94be34c9e32f
CanPauseAndContinue Property System.Boolean {get;set;}
CanShutdown Property System.Boolean {get;set;}
CanStop Property System.Boolean {get;set;}
Container Property {get;set;}
DependentServices Property Deserialized.System.ServiceProcess.ServiceController[] {get;set;}
DisplayName Property System.String {get;set;}
MachineName Property System.String {get;set;}
ServiceHandle Property System.String {get;set;}
ServiceName Property System.String {get;set;}
ServicesDependedOn Property Deserialized.System.ServiceProcess.ServiceController[] {get;set;}
ServiceType Property System.String {get;set;}
Site Property {get;set;}
Status Property System.String {get;set;}
4. Measurements
Beyond this basic difference in functionality, these three options perform at completely different levels.To look into how this translates in term of performance, I used the Measure-Command commandlet.
I ran the commands a few times first, in order to warm both local and remote stacks and avoid issues related to DNS lookups, authentication, etc. The samples below were taken after that.
Keep in mind that these results can vary widely depending on your server and network configuration. I would strongly encourage you to take these measuruments in your own test environment to validate them.
Measure-Command {Get-Service LanManServer -ComputerName josebda-s0}
Days : 0
Hours : 0
Minutes : 0
Seconds : 0
Milliseconds : 4
Ticks : 44539
TotalDays : 5.15497685185185E-08
TotalHours : 1.23719444444444E-06
TotalMinutes : 7.42316666666667E-05
TotalSeconds : 0.0044539
TotalMilliseconds : 4.4539
(Measure-Command {Get-Service LanManServer -ComputerName josebda-s0}).TotalMilliseconds
3.8388
Measure-command {Get-WMIObject -ComputerName josebda-s0 -query "Select * from Win32_Service Where Name='LanManServer'" }
Milliseconds : 148
Ticks : 1484424
TotalDays : 1.71808333333333E-06
TotalHours : 4.1234E-05
TotalMinutes : 0.00247404
TotalSeconds : 0.1484424
TotalMilliseconds : 148.4424
(Measure-command {Get-WMIObject -ComputerName josebda-s0 -query "Select * from Win32_Service Where Name='LanManServer'" }).TotalMilliseconds
134.4495
Measure-Command {Invoke-Command josebda-s0 {Get-Service LanManServer}}
Milliseconds : 869
Ticks : 8695210
TotalDays : 1.0063900462963E-05
TotalHours : 0.000241533611111111
TotalMinutes : 0.0144920166666667
TotalSeconds : 0.869521
TotalMilliseconds : 869.521
(Measure-Command {Invoke-Command josebda-s0 {Get-Service LanManServer}}).TotalMilliseconds
764.3609
As you can see, Invoke-Command takes much longer than the other two. However, there is a way to improve the performance of Invoke-Command by first creating a session and re-using that session in later commands. Here’s how:
$s = New-PSSession josebda-s0
$s
Id Name ComputerName State ConfigurationName Availability
-- ---- ------------ ----- ----------------- ------------
1 Session1 josebda-s0 Opened Microsoft.PowerShell Available
Invoke-Command -Session $s {Get-Service LanManServer}
With that change, Invoke-Command is much faster than before in subsequent calls.
Measure-Command { Invoke-Command -Session $s {Get-Service LanManServer} }
Milliseconds : 14
Ticks : 140436
TotalDays : 1.62541666666667E-07
TotalHours : 3.901E-06
TotalMinutes : 0.00023406
TotalSeconds : 0.0140436
TotalMilliseconds : 14.0436
(Measure-Command { Invoke-Command -Session $s {Get-Service LanManServer} }).TotalMilliseconds
15.5385
5. Summarizing Measurements
As you can see, the different options perform very differently. The fastest and slowest are actually orders of magnitude apart.
Because there could be slight variations in the performance depending on what else is running on the administrator’s computer, I used a loop to execute each one 20 times.
Here are the commands I used:
1..20 | % {(measure-command {Get-Service LanManServer -ComputerName josebda-s0}).TotalMilliseconds}
1..20 | % {(Measure-command {Get-WMIObject -ComputerName josebda-s0 -query "Select * from Win32_Service Where Name='LanManServer'" }).TotalMilliseconds}
1..20 | % {(Measure-Command {Invoke-Command josebda-s0 {Get-Service LanManServer}}).TotalMilliseconds}
1..20 | % {(Measure-Command {Invoke-Command $s {Get-Service LanManServer}}).TotalMilliseconds}
I then pasted the output into Excel and added some formulas to produce the table below.
As you can see, in average, Get-Service was over 250 times faster than Invoke-Command with servername.
While those 20 commands take less than a tenth of second for Get-Service, it took over 18 seconds to execute the 20 commands for Invoke-Command with Servername.
Invoke-Command with –session separates the heavy lifting of creating a session out of the picture runs all the 20 commands in a quarter of a second.Get-WMIObject took a little over 3 seconds to execute all 20 commands.
Again, keep in mind that these results can vary widely depending on your server and network configuration. I would strongly encourage you to take these measurements in your own test environment to validate them.
Sample
Get-Servicewith -CN
Get-WMIObjectwith -CN
Invoke-Commandwith servername
Invoke-Commandwith -session
1
3.7918
137.8325
1,527.9476
13.4520
2
3.6134
133.7955
768.2190
16.7934
3
3.9385
137.8329
766.1347
11.9233
4
3.5771
134.3533
1,311.7297
11.1179
5
3.5146
137.0647
732.0722
11.1046
6
3.5014
133.0551
798.1055
10.8660
7
3.5647
136.2507
794.4809
11.0375
8
3.5082
137.9484
799.5016
11.7835
9
3.4958
137.7649
1,073.0879
10.7582
10
3.5377
133.9375
1,117.2072
14.1638
11
3.5129
137.4364
758.8444
11.3480
12
3.5223
139.8877
767.3930
10.8035
13
3.5441
137.3063
1,566.7211
20.2465
14
3.5172
135.2789
760.4142
13.1813
15
3.5163
404.5968
765.0392
11.0910
16
3.5189
143.2326
1,071.0292
10.9340
17
3.6113
138.0981
755.0543
10.7193
18
3.5168
137.9030
781.3987
11.3788
19
3.6763
135.3268
778.1373
12.0371
20
4.0022
136.6921
760.6862
10.9780
Average
3.5991
150.2797
922.6602
12.2859
Total
71.9815
3,005.5942
18,453.2039
245.7177
6. Network Monitor
Next, I went one level deeper by using Network Monitor 3.3 to actually watch the packets on the wire.As usual, I ran the commands a few times before the capture, to warm both stacks and avoid capturing things like DNS lookups, authentication, etc.
I also filtered the packets to show only the ones where the source or destination address match the remote server where the commands execute.
As expected, the Get-Service version uses RPC. It efficiently sent a dozen IP packets back and forth (in the specific case of the sample command used).
Both the Get-WMIObject and Invoke-Command with servername versions took around a hundred packets to get the job done and both did a lot of serialization of objects.
By looking at the number of TCP continuation packets and their PaylodLen field, you can clearly see how the Invoke-Command uses the highest number of very large packets.The Invoke-Command with –Session was very efficient (taking into consideration that it also does serialization) at around 20 packets.
Command = Get-Service LanManServer -ComputerName josebda-s0
#
Conversation ID
Source
Dest
Protocol
Description
NetmonFilter
NetmonFilter:Updated Capture Filter: Source == "Server" OR Destination == "Server"
NetworkInfoEx
NetworkInfoEx:Network info for , Network Adapter Count = 2
{MSRPC:33, TCP:32, ESP:58, IPv6:57}
Admin
Server
MSRPC
MSRPC:c/o Request: unknown Call=0xF Opnum=0xF Context=0x0 Hint=0x30
MSRPC:c/o Response: unknown Call=0xF Context=0x0 Hint=0x18 Cancels=0x0
MSRPC:c/o Request: unknown Call=0x10 Opnum=0x15 Context=0x0 Hint=0x40
MSRPC:c/o Response: unknown Call=0x10 Context=0x0 Hint=0x18 Cancels=0x0
MSRPC:c/o Request: unknown Call=0x11 Opnum=0x14 Context=0x0 Hint=0x40
MSRPC:c/o Response: unknown Call=0x11 Context=0x0 Hint=0x24 Cancels=0x0
MSRPC:c/o Request: unknown Call=0x12 Opnum=0x10 Context=0x0 Hint=0x40
MSRPC:c/o Response: unknown Call=0x12 Context=0x0 Hint=0x18 Cancels=0x0
MSRPC:c/o Request: unknown Call=0x13 Opnum=0x6 Context=0x0 Hint=0x14
MSRPC:c/o Response: unknown Call=0x13 Context=0x0 Hint=0x20 Cancels=0x0
MSRPC:c/o Request: unknown Call=0x14 Opnum=0x0 Context=0x0 Hint=0x14
MSRPC:c/o Response: unknown Call=0x14 Context=0x0 Hint=0x18 Cancels=0x0
Command = Get-WMIObject -ComputerName josebda-s0 -query "Select * from Win32_Service Where Name='LanManServer'"
{TCP:62, ESP:58, IPv6:57}
TCP
TCP:Flags=......S., SrcPort=62629, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=2227018716, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
TCP:Flags=...A..S., SrcPort=DCE endpoint resolution(135), DstPort=62629, PayloadLen=0, Seq=1052068760, Ack=2227018717, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
TCP:Flags=...A...., SrcPort=62629, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=2227018717, Ack=1052068761, Win=259 (scale factor 0x8) = 66304
{MSRPC:63, TCP:62, ESP:58, IPv6:57}
MSRPC:c/o Bind: UUID{000001A0-0000-0000-C000-000000000046} IRemoteSCMActivator(DCOM) Call=0x14 Assoc Grp=0x0 Xmit=0x16D0 Recv=0x16D0
TCP:[Continuation to #6]Flags=...A...., SrcPort=62629, DstPort=DCE endpoint resolution(135), PayloadLen=1415, Seq=2227020132 - 2227021547, Ack=1052068761, Win=259 (scale factor 0x8) = 66304
TCP:Flags=...A...., SrcPort=DCE endpoint resolution(135), DstPort=62629, PayloadLen=0, Seq=1052068761, Ack=2227021547, Win=259 (scale factor 0x8) = 66304
TCP:[Continuation to #6]Flags=...A...., SrcPort=62629, DstPort=DCE endpoint resolution(135), PayloadLen=1415, Seq=2227021547 - 2227022962, Ack=1052068761, Win=259 (scale factor 0x8) = 66304
TCP:[Continuation to #6]Flags=...A...., SrcPort=62629, DstPort=DCE endpoint resolution(135), PayloadLen=1415, Seq=2227022962 - 2227024377, Ack=1052068761, Win=259 (scale factor 0x8) = 66304
TCP:[Continuation to #6]Flags=...AP..., SrcPort=62629, DstPort=DCE endpoint resolution(135), PayloadLen=1028, Seq=2227024377 - 2227025405, Ack=1052068761, Win=259 (scale factor 0x8) = 66304
TCP:Flags=...A...., SrcPort=DCE endpoint resolution(135), DstPort=62629, PayloadLen=0, Seq=1052068761, Ack=2227025405, Win=259 (scale factor 0x8) = 66304
MSRPC:c/o Bind Ack: Call=0x14 Assoc Grp=0x4839 Xmit=0x16D0 Recv=0x16D0 Warning: GssAPIMechanism is not found, either caused by not reassembled, conversation off or filtering.
MSRPC:c/o Alter Cont: UUID{000001A0-0000-0000-C000-000000000046} IRemoteSCMActivator(DCOM) Call=0x14 Warning: GssAPIMechanism is not found, either caused by not reassembled, conversation off or filtering.
MSRPC:c/o Alter Cont Resp: Call=0x14 Assoc Grp=0x4839 Xmit=0x16D0 Recv=0x16D0 Warning: GssAPIMechanism is not found, either caused by not reassembled, conversation off or filtering.
DCOM
DCOM:RemoteCreateInstance Request, DCOM Version=5.7 Causality Id={30148A67-F3D3-4A13-AE58-ED488ED55283}
DCOM:RemoteCreateInstance Response, ORPCFLOCAL - Local call to this computer
TCP:[Continuation to #17]Flags=...AP..., SrcPort=DCE endpoint resolution(135), DstPort=62629, PayloadLen=97, Seq=1052070542 - 1052070639, Ack=2227026441, Win=255 (scale factor 0x8) = 65280
TCP:Flags=...A...., SrcPort=62629, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=2227026441, Ack=1052070639, Win=259 (scale factor 0x8) = 66304
{TCP:64, ESP:58, IPv6:57}
TCP:Flags=......S., SrcPort=62630, DstPort=49155, PayloadLen=0, Seq=2176414295, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
21
TCP:Flags=...A..S., SrcPort=49155, DstPort=62630, PayloadLen=0, Seq=3916206270, Ack=2176414296, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
22
TCP:Flags=...A...., SrcPort=62630, DstPort=49155, PayloadLen=0, Seq=2176414296, Ack=3916206271, Win=259 (scale factor 0x8) = 66304
23
{MSRPC:65, TCP:64, ESP:58, IPv6:57}
MSRPC:c/o Bind: UUID{00000143-0000-0000-C000-000000000046} IRemUnknown2(DCOM) Call=0xA5 Assoc Grp=0x0 Xmit=0x16D0 Recv=0x16D0
24
TCP:[Continuation to #23]Flags=...A...., SrcPort=62630, DstPort=49155, PayloadLen=1415, Seq=2176415711 - 2176417126, Ack=3916206271, Win=259 (scale factor 0x8) = 66304
25
TCP:Flags=...A...., SrcPort=49155, DstPort=62630, PayloadLen=0, Seq=3916206271, Ack=2176417126, Win=259 (scale factor 0x8) = 66304
26
TCP:[Continuation to #23]Flags=...A...., SrcPort=62630, DstPort=49155, PayloadLen=1415, Seq=2176417126 - 2176418541, Ack=3916206271, Win=259 (scale factor 0x8) = 66304
27
TCP:[Continuation to #23]Flags=...A...., SrcPort=62630, DstPort=49155, PayloadLen=1415, Seq=2176418541 - 2176419956, Ack=3916206271, Win=259 (scale factor 0x8) = 66304
28
TCP:[Continuation to #23]Flags=...AP..., SrcPort=62630, DstPort=49155, PayloadLen=1071, Seq=2176419956 - 2176421027, Ack=3916206271, Win=259 (scale factor 0x8) = 66304
29
TCP:Flags=...A...., SrcPort=49155, DstPort=62630, PayloadLen=0, Seq=3916206271, Ack=2176421027, Win=259 (scale factor 0x8) = 66304
30
MSRPC:c/o Bind Ack: Call=0xA5 Assoc Grp=0x5205 Xmit=0x16D0 Recv=0x16D0 Warning: GssAPIMechanism is not found, either caused by not reassembled, conversation off or filtering.
31
MSRPC:c/o Alter Cont: UUID{00000143-0000-0000-C000-000000000046} IRemUnknown2(DCOM) Call=0xA5 Warning: GssAPIMechanism is not found, either caused by not reassembled, conversation off or filtering.
32
MSRPC:c/o Alter Cont Resp: Call=0xA5 Assoc Grp=0x5205 Xmit=0x16D0 Recv=0x16D0 Warning: GssAPIMechanism is not found, either caused by not reassembled, conversation off or filtering.
33
DCOM:IRemUnknown2:RemQueryInterface Request, DCOM Version=5.7 Causality Id={30148A67-F3D3-4A13-AE58-ED488ED55283}
34
DCOM:IRemUnknown2:RemQueryInterface Response, ORPCFNULL - No additional information in this packet
35
MSRPC:c/o Alter Cont: UUID{D4781CD6-E5D3-44DF-AD94-930EFE48A887} IWbemLoginClientID(WMIRP) Call=0xA6
36
TCP:[Continuation to #35]Flags=...A...., SrcPort=62630, DstPort=49155, PayloadLen=1415, Seq=2176422817 - 2176424232, Ack=3916206801, Win=257 (scale factor 0x8) = 65792
37
TCP:[Continuation to #35]Flags=...A...., SrcPort=62630, DstPort=49155, PayloadLen=1415, Seq=2176424232 - 2176425647, Ack=3916206801, Win=257 (scale factor 0x8) = 65792
38
TCP:[Continuation to #35]Flags=...A...., SrcPort=62630, DstPort=49155, PayloadLen=1415, Seq=2176425647 - 2176427062, Ack=3916206801, Win=257 (scale factor 0x8) = 65792
39
TCP:[Continuation to #35]Flags=...AP..., SrcPort=62630, DstPort=49155, PayloadLen=983, Seq=2176427062 - 2176428045, Ack=3916206801, Win=257 (scale factor 0x8) = 65792
40
TCP:Flags=...A...., SrcPort=49155, DstPort=62630, PayloadLen=0, Seq=3916206801, Ack=2176424232, Win=259 (scale factor 0x8) = 66304
41
TCP:Flags=...A...., SrcPort=49155, DstPort=62630, PayloadLen=0, Seq=3916206801, Ack=2176428045, Win=259 (scale factor 0x8) = 66304
42
MSRPC:c/o Alter Cont Resp: Call=0xA6 Assoc Grp=0x5205 Xmit=0x16D0 Recv=0x16D0
43
44
45
WMI
WMI:IWbemLoginClientID: SetClientInfo, Request
46
WMI:IWbemLoginClientID: SetClientInfo, Response, Status: WBEM_S_NO_ERROR
47
MSRPC:c/o Alter Cont: UUID{F309AD18-D86A-11D0-A075-00C04FB68820} IWbemLevel1Login(WMIRP) Call=0xA7
48
MSRPC:c/o Alter Cont Resp: Call=0xA7 Assoc Grp=0x5205 Xmit=0x16D0 Recv=0x16D0
49
WMI:IWbemLevel1Login: EstablishPosition, Request
50
WMI:IWbemLevel1Login: EstablishPosition, Response, Status: WBEM_S_NO_ERROR
51
WMI:IWbemLevel1Login: NTLMLogin, Request
52
WMI:IWbemLevel1Login: NTLMLogin, Response, Status: WBEM_S_NO_ERROR
53
DCOM:IRemUnknown2:RemRelease Request, DCOM Version=5.7 Causality Id={30148A67-F3D3-4A13-AE58-ED488ED55283}
54
DCOM:IRemUnknown2:RemRelease Response, ORPCFNULL - No additional information in this packet
55
56
57
58
59
MSRPC:c/o Alter Cont: UUID{9556DC99-828C-11CF-A37E-00AA003240C7} IWbemServices(WMIRP) Call=0xAC
60
MSRPC:c/o Alter Cont Resp: Call=0xAC Assoc Grp=0x5205 Xmit=0x16D0 Recv=0x16D0
61
WMI:IWbemServices: ExecQuery, Request
62
WMI:IWbemServices: ExecQuery, Response, Status: WBEM_S_NO_ERROR
63
64
65
66
67
68
69
MSRPC:c/o Alter Cont: UUID{1C1C45EE-4395-11D2-B60B-00104B703EFD} IWbemFetchSmartEnum(WMIRP) Call=0xB0
70
MSRPC:c/o Alter Cont Resp: Call=0xB0 Assoc Grp=0x5205 Xmit=0x16D0 Recv=0x16D0
71
WMI:IWbemFetchSmartEnum: GetSmartEnum, Request, No parameters
72
WMI:IWbemFetchSmartEnum: GetSmartEnum, Response, Status: WBEM_S_NO_ERROR
73
MSRPC:c/o Alter Cont: UUID{027947E1-D731-11CE-A357-000000000001} IEnumWbemClassObject(WMIRP) Call=0xB1
74
MSRPC:c/o Alter Cont Resp: Call=0xB1 Assoc Grp=0x5205 Xmit=0x16D0 Recv=0x16D0
75
WMI:IEnumWbemClassObject: Clone, Request, No parameters
76
WMI:IEnumWbemClassObject: Clone, Response, Status: WBEM_S_NO_ERROR
77
78
79
80
81
82
83
84
85
WMI:IEnumWbemClassObject: Reset, Request, No parameters
86
WMI:IEnumWbemClassObject: Reset, Response, Status: WBEM_S_NO_ERROR
87
MSRPC:c/o Alter Cont: UUID{423EC01E-2E35-11D2-B604-00104B703EFD} IWbemWCOSmartEnum(WMIRP) Call=0xB7
88
MSRPC:c/o Alter Cont Resp: Call=0xB7 Assoc Grp=0x5205 Xmit=0x16D0 Recv=0x16D0
89
WMI:IWbemWCOSmartEnum: Next, Request
90
WMI:IWbemWCOSmartEnum: Next, Response, Status: Unknown Return Value, *Un-Interpreted*
91
TCP:[Continuation to #90]Flags=...A...., SrcPort=49155, DstPort=62630, PayloadLen=1415, Seq=3916212478 - 3916213893, Ack=2176431384, Win=258 (scale factor 0x8) = 66048
92
TCP:Flags=...A...., SrcPort=62630, DstPort=49155, PayloadLen=0, Seq=2176431384, Ack=3916213893, Win=259 (scale factor 0x8) = 66304
93
TCP:[Continuation to #90]Flags=...A...., SrcPort=49155, DstPort=62630, PayloadLen=1415, Seq=3916213893 - 3916215308, Ack=2176431384, Win=258 (scale factor 0x8) = 66048
94
TCP:[Continuation to #90]Flags=...A...., SrcPort=49155, DstPort=62630, PayloadLen=1415, Seq=3916215308 - 3916216723, Ack=2176431384, Win=258 (scale factor 0x8) = 66048
95
TCP:Flags=...A...., SrcPort=62630, DstPort=49155, PayloadLen=0, Seq=2176431384, Ack=3916216723, Win=259 (scale factor 0x8) = 66304
96
TCP:[Continuation to #90]Flags=...AP..., SrcPort=49155, DstPort=62630, PayloadLen=876, Seq=3916216723 - 3916217599, Ack=2176431384, Win=258 (scale factor 0x8) = 66048
97
98
WMI:IWbemWCOSmartEnum: Next, Response, Status: WBEM_S_FALSE
99
100
101
102
Command = Invoke-Command josebda-s0 {Get-Service LanManServer}
{TCP:15, ESP:58, IPv6:57}
TCP:Flags=......S., SrcPort=62655, DstPort=5985, PayloadLen=0, Seq=2616192850, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
TCP:Flags=...A..S., SrcPort=5985, DstPort=62655, PayloadLen=0, Seq=2351429644, Ack=2616192851, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
TCP:Flags=...A...., SrcPort=62655, DstPort=5985, PayloadLen=0, Seq=2616192851, Ack=2351429645, Win=259 (scale factor 0x8) = 66304
{HTTP:16, TCP:15, ESP:58, IPv6:57}
HTTP
HTTP:Request, POST /wsman, Using Kerberos Authorization
TCP:[Continuation to #6]Flags=...A...., SrcPort=62655, DstPort=5985, PayloadLen=1415, Seq=2616194266 - 2616195681, Ack=2351429645, Win=259 (scale factor 0x8) = 66304
TCP:Flags=...A...., SrcPort=5985, DstPort=62655, PayloadLen=0, Seq=2351429645, Ack=2616195681, Win=259 (scale factor 0x8) = 66304
TCP:[Continuation to #6]Flags=...A...., SrcPort=62655, DstPort=5985, PayloadLen=1415, Seq=2616195681 - 2616197096, Ack=2351429645, Win=259 (scale factor 0x8) = 66304
TCP:[Continuation to #6]Flags=...A...., SrcPort=62655, DstPort=5985, PayloadLen=1415, Seq=2616197096 - 2616198511, Ack=2351429645, Win=259 (scale factor 0x8) = 66304
TCP:[Continuation to #6]Flags=...A...., SrcPort=62655, DstPort=5985, PayloadLen=1415, Seq=2616198511 - 2616199926, Ack=2351429645, Win=259 (scale factor 0x8) = 66304
TCP:[Continuation to #6]Flags=...A...., SrcPort=62655, DstPort=5985, PayloadLen=1415, Seq=2616199926 - 2616201341, Ack=2351429645, Win=259 (scale factor 0x8) = 66304
TCP:Flags=...A...., SrcPort=5985, DstPort=62655, PayloadLen=0, Seq=2351429645, Ack=2616199926, Win=259 (scale factor 0x8) = 66304
TCP:[Continuation to #6]Flags=...AP..., SrcPort=62655, DstPort=5985, PayloadLen=362, Seq=2616201341 - 2616201703, Ack=2351429645, Win=259 (scale factor 0x8) = 66304
TCP:Flags=...A...., SrcPort=5985, DstPort=62655, PayloadLen=0, Seq=2351429645, Ack=2616201703, Win=259 (scale factor 0x8) = 66304
HTTP:Response, HTTP/1.1, Status Code = 200, URL: /wsman, Using Kerberos Authentication
HTTP:Request, POST /wsman
MIME
MIME:
TCP:[Continuation to #18]Flags=...A...., SrcPort=62655, DstPort=5985, PayloadLen=1415, Seq=2616203381 - 2616204796, Ack=2351429986, Win=258 (scale factor 0x8) = 66048
TCP:[Continuation to #18]Flags=...A...., SrcPort=62655, DstPort=5985, PayloadLen=1415, Seq=2616204796 - 2616206211, Ack=2351429986, Win=258 (scale factor 0x8) = 66048
TCP:[Continuation to #18]Flags=...A...., SrcPort=62655, DstPort=5985, PayloadLen=1415, Seq=2616206211 - 2616207626, Ack=2351429986, Win=258 (scale factor 0x8) = 66048
TCP:[Continuation to #18]Flags=...A...., SrcPort=62655, DstPort=5985, PayloadLen=1415, Seq=2616207626 - 2616209041, Ack=2351429986, Win=258 (scale factor 0x8) = 66048
TCP:[Continuation to #18]Flags=...AP..., SrcPort=62655, DstPort=5985, PayloadLen=810, Seq=2616209041 - 2616209851, Ack=2351429986, Win=258 (scale factor 0x8) = 66048
TCP:Flags=...A...., SrcPort=5985, DstPort=62655, PayloadLen=0, Seq=2351429986, Ack=2616203381, Win=259 (scale factor 0x8) = 66304
TCP:Flags=...A...., SrcPort=5985, DstPort=62655, PayloadLen=0, Seq=2351429986, Ack=2616207626, Win=259 (scale factor 0x8) = 66304
TCP:Flags=...A...., SrcPort=5985, DstPort=62655, PayloadLen=0, Seq=2351429986, Ack=2616209851, Win=259 (scale factor 0x8) = 66304
MIME:MediaType = application/HTTP-Kerberos-session-encrypted
TCP:[Continuation to #27]Flags=...AP..., SrcPort=5985, DstPort=62655, PayloadLen=189, Seq=2351431401 - 2351431590, Ack=2616209851, Win=259 (scale factor 0x8) = 66304
TCP:Flags=...A...., SrcPort=62655, DstPort=5985, PayloadLen=0, Seq=2616209851, Ack=2351431590, Win=259 (scale factor 0x8) = 66304
TCP:[Continuation to #31]Flags=...AP..., SrcPort=62655, DstPort=5985, PayloadLen=296, Seq=2616211529 - 2616211825, Ack=2351431590, Win=259 (scale factor 0x8) = 66304
TCP:Flags=...A...., SrcPort=5985, DstPort=62655, PayloadLen=0, Seq=2351431590, Ack=2616211825, Win=259 (scale factor 0x8) = 66304
TCP:[Continuation to #34]Flags=...AP..., SrcPort=5985, DstPort=62655, PayloadLen=1074, Seq=2351433005 - 2351434079, Ack=2616211825, Win=259 (scale factor 0x8) = 66304
TCP:Flags=...A...., SrcPort=62655, DstPort=5985, PayloadLen=0, Seq=2616211825, Ack=2351434079, Win=259 (scale factor 0x8) = 66304
TCP:[Continuation to #38]Flags=...AP..., SrcPort=62655, DstPort=5985, PayloadLen=296, Seq=2616213503 - 2616213799, Ack=2351434079, Win=259 (scale factor 0x8) = 66304
TCP:Flags=...A...., SrcPort=5985, DstPort=62655, PayloadLen=0, Seq=2351434079, Ack=2616213799, Win=259 (scale factor 0x8) = 66304
TCP:[Continuation to #41]Flags=...AP..., SrcPort=5985, DstPort=62655, PayloadLen=46, Seq=2351435494 - 2351435540, Ack=2616213799, Win=259 (scale factor 0x8) = 66304
TCP:Flags=...A...., SrcPort=62655, DstPort=5985, PayloadLen=0, Seq=2616213799, Ack=2351435540, Win=259 (scale factor 0x8) = 66304
TCP:[Continuation to #45]Flags=...AP..., SrcPort=62655, DstPort=5985, PayloadLen=296, Seq=2616215477 - 2616215773, Ack=2351435540, Win=259 (scale factor 0x8) = 66304
TCP:Flags=...A...., SrcPort=5985, DstPort=62655, PayloadLen=0, Seq=2351435540, Ack=2616215773, Win=259 (scale factor 0x8) = 66304
{TCP:18, ESP:58, IPv6:57}
TCP:Flags=......S., SrcPort=62656, DstPort=5985, PayloadLen=0, Seq=2945142219, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
TCP:Flags=...A..S., SrcPort=5985, DstPort=62656, PayloadLen=0, Seq=935512, Ack=2945142220, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
TCP:Flags=...A...., SrcPort=62656, DstPort=5985, PayloadLen=0, Seq=2945142220, Ack=935513, Win=259 (scale factor 0x8) = 66304
{HTTP:19, TCP:18, ESP:58, IPv6:57}
TCP:[Continuation to #51]Flags=...A...., SrcPort=62656, DstPort=5985, PayloadLen=1415, Seq=2945143635 - 2945145050, Ack=935513, Win=259 (scale factor 0x8) = 66304
TCP:Flags=...A...., SrcPort=5985, DstPort=62656, PayloadLen=0, Seq=935513, Ack=2945145050, Win=259 (scale factor 0x8) = 66304
TCP:[Continuation to #51]Flags=...A...., SrcPort=62656, DstPort=5985, PayloadLen=1415, Seq=2945145050 - 2945146465, Ack=935513, Win=259 (scale factor 0x8) = 66304
TCP:[Continuation to #51]Flags=...A...., SrcPort=62656, DstPort=5985, PayloadLen=1415, Seq=2945146465 - 2945147880, Ack=935513, Win=259 (scale factor 0x8) = 66304
TCP:[Continuation to #51]Flags=...A...., SrcPort=62656, DstPort=5985, PayloadLen=1415, Seq=2945147880 - 2945149295, Ack=935513, Win=259 (scale factor 0x8) = 66304
TCP:[Continuation to #51]Flags=...A...., SrcPort=62656, DstPort=5985, PayloadLen=1415, Seq=2945149295 - 2945150710, Ack=935513, Win=259 (scale factor 0x8) = 66304
TCP:Flags=...A...., SrcPort=5985, DstPort=62656, PayloadLen=0, Seq=935513, Ack=2945149295, Win=259 (scale factor 0x8) = 66304
TCP:[Continuation to #51]Flags=...AP..., SrcPort=62656, DstPort=5985, PayloadLen=362, Seq=2945150710 - 2945151072, Ack=935513, Win=259 (scale factor 0x8) = 66304
TCP:Flags=...A...., SrcPort=5985, DstPort=62656, PayloadLen=0, Seq=935513, Ack=2945151072, Win=259 (scale factor 0x8) = 66304
TCP:[Continuation to #63]Flags=...A...., SrcPort=62656, DstPort=5985, PayloadLen=1415, Seq=2945152750 - 2945154165, Ack=935854, Win=258 (scale factor 0x8) = 66048
TCP:[Continuation to #63]Flags=...AP..., SrcPort=62656, DstPort=5985, PayloadLen=1243, Seq=2945154165 - 2945155408, Ack=935854, Win=258 (scale factor 0x8) = 66048
TCP:Flags=...A...., SrcPort=5985, DstPort=62656, PayloadLen=0, Seq=935854, Ack=2945152750, Win=259 (scale factor 0x8) = 66304
TCP:Flags=...A...., SrcPort=5985, DstPort=62656, PayloadLen=0, Seq=935854, Ack=2945155408, Win=259 (scale factor 0x8) = 66304
TCP:[Continuation to #70]Flags=...AP..., SrcPort=62656, DstPort=5985, PayloadLen=345, Seq=2945157086 - 2945157431, Ack=937228, Win=259 (scale factor 0x8) = 66304
TCP:Flags=...A...., SrcPort=5985, DstPort=62656, PayloadLen=0, Seq=937228, Ack=2945157431, Win=259 (scale factor 0x8) = 66304
TCP:[Continuation to #73]Flags=...AP..., SrcPort=5985, DstPort=62656, PayloadLen=1266, Seq=938643 - 939909, Ack=2945157431, Win=259 (scale factor 0x8) = 66304
TCP:Flags=...A...., SrcPort=62656, DstPort=5985, PayloadLen=0, Seq=2945157431, Ack=939909, Win=259 (scale factor 0x8) = 66304
TCP:[Continuation to #77]Flags=...AP..., SrcPort=62656, DstPort=5985, PayloadLen=373, Seq=2945159109 - 2945159482, Ack=939909, Win=259 (scale factor 0x8) = 66304
TCP:Flags=...A...., SrcPort=5985, DstPort=62656, PayloadLen=0, Seq=939909, Ack=2945159482, Win=259 (scale factor 0x8) = 66304
TCP:Flags=...A.R.., SrcPort=62655, DstPort=5985, PayloadLen=0, Seq=2616215773, Ack=2351435540, Win=0 (scale factor 0x8) = 0
{TCP:20, ESP:58, IPv6:57}
TCP:Flags=......S., SrcPort=62657, DstPort=5985, PayloadLen=0, Seq=1691474629, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
TCP:Flags=...A..S., SrcPort=5985, DstPort=62657, PayloadLen=0, Seq=717738651, Ack=1691474630, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
TCP:Flags=...A...., SrcPort=62657, DstPort=5985, PayloadLen=0, Seq=1691474630, Ack=717738652, Win=259 (scale factor 0x8) = 66304
{HTTP:21, TCP:20, ESP:58, IPv6:57}
TCP:[Continuation to #84]Flags=...A...., SrcPort=62657, DstPort=5985, PayloadLen=1415, Seq=1691476045 - 1691477460, Ack=717738652, Win=259 (scale factor 0x8) = 66304
TCP:Flags=...A...., SrcPort=5985, DstPort=62657, PayloadLen=0, Seq=717738652, Ack=1691477460, Win=259 (scale factor 0x8) = 66304
TCP:[Continuation to #84]Flags=...A...., SrcPort=62657, DstPort=5985, PayloadLen=1415, Seq=1691477460 - 1691478875, Ack=717738652, Win=259 (scale factor 0x8) = 66304
TCP:[Continuation to #84]Flags=...A...., SrcPort=62657, DstPort=5985, PayloadLen=1415, Seq=1691478875 - 1691480290, Ack=717738652, Win=259 (scale factor 0x8) = 66304
TCP:[Continuation to #84]Flags=...A...., SrcPort=62657, DstPort=5985, PayloadLen=1415, Seq=1691480290 - 1691481705, Ack=717738652, Win=259 (scale factor 0x8) = 66304
TCP:[Continuation to #84]Flags=...A...., SrcPort=62657, DstPort=5985, PayloadLen=1415, Seq=1691481705 - 1691483120, Ack=717738652, Win=259 (scale factor 0x8) = 66304
TCP:Flags=...A...., SrcPort=5985, DstPort=62657, PayloadLen=0, Seq=717738652, Ack=1691481705, Win=259 (scale factor 0x8) = 66304
TCP:[Continuation to #84]Flags=...AP..., SrcPort=62657, DstPort=5985, PayloadLen=362, Seq=1691483120 - 1691483482, Ack=717738652, Win=259 (scale factor 0x8) = 66304
TCP:Flags=...A...., SrcPort=5985, DstPort=62657, PayloadLen=0, Seq=717738652, Ack=1691483482, Win=259 (scale factor 0x8) = 66304
TCP:[Continuation to #96]Flags=...AP..., SrcPort=62657, DstPort=5985, PayloadLen=129, Seq=1691485160 - 1691485289, Ack=717738993, Win=258 (scale factor 0x8) = 66048
TCP:Flags=...A...., SrcPort=5985, DstPort=62657, PayloadLen=0, Seq=717738993, Ack=1691485289, Win=259 (scale factor 0x8) = 66304
TCP:[Continuation to #99]Flags=...AP..., SrcPort=5985, DstPort=62656, PayloadLen=409, Seq=941324 - 941733, Ack=2945159482, Win=259 (scale factor 0x8) = 66304
TCP:Flags=...A...., SrcPort=62656, DstPort=5985, PayloadLen=0, Seq=2945159482, Ack=941733, Win=259 (scale factor 0x8) = 66304
103
TCP:Flags=...A.R.., SrcPort=62657, DstPort=5985, PayloadLen=0, Seq=1691485289, Ack=717740121, Win=0 (scale factor 0x8) = 0
104
TCP:Flags=...A.R.., SrcPort=62656, DstPort=5985, PayloadLen=0, Seq=2945159482, Ack=941733, Win=0 (scale factor 0x8) = 0
Command = Invoke-Command –Session $s {Get-Service LanManServer}
NetworkInfoEx:Network info for , Network Adapter Count = 1
{HTTP:43, TCP:42, ESP:7, IPv6:6}
{TCP:42, ESP:7, IPv6:6}
TCP:[Continuation to #4]Flags=...A...., SrcPort=49783, DstPort=5985, PayloadLen=1415, Seq=2205380353 - 2205381768, Ack=1454111481, Win=259
TCP:[Continuation to #4]Flags=...AP..., SrcPort=49783, DstPort=5985, PayloadLen=1243, Seq=2205381768 - 2205383011, Ack=1454111481, Win=259
TCP:[Segment Lost]Flags=...A...., SrcPort=5985, DstPort=49783, PayloadLen=0, Seq=1454111481, Ack=2205380353, Win=259
TCP:Flags=...A...., SrcPort=5985, DstPort=49783, PayloadLen=0, Seq=1454111481, Ack=2205383011, Win=259
TCP:[Continuation to #11]Flags=...AP..., SrcPort=49783, DstPort=5985, PayloadLen=345, Seq=2205384689 - 2205385034, Ack=1454112855, Win=254
TCP:Flags=...A...., SrcPort=5985, DstPort=49783, PayloadLen=0, Seq=1454112855, Ack=2205385034, Win=259
TCP:[Continuation to #14]Flags=...AP..., SrcPort=5985, DstPort=49783, PayloadLen=1266, Seq=1454114270 - 1454115536, Ack=2205385034, Win=259
TCP:Flags=...A...., SrcPort=49783, DstPort=5985, PayloadLen=0, Seq=2205385034, Ack=1454115536, Win=259
TCP:[Continuation to #18]Flags=...AP..., SrcPort=49783, DstPort=5985, PayloadLen=373, Seq=2205386712 - 2205387085, Ack=1454115536, Win=259
TCP:Flags=...A...., SrcPort=5985, DstPort=49783, PayloadLen=0, Seq=1454115536, Ack=2205387085, Win=259
TCP:[Continuation to #21]Flags=...AP..., SrcPort=5985, DstPort=49783, PayloadLen=409, Seq=1454116951 - 1454117360, Ack=2205387085, Win=259
TCP:Flags=...A...., SrcPort=49783, DstPort=5985, PayloadLen=0, Seq=2205387085, Ack=1454117360, Win=259
7. Conclusion
While the multiple ways to gather information about services on a remote computer look similar at the surface, they are radically different underneath.
This is by no means an exhausting study of all the different details about each option, but I believe there is enough to cover the main differences.
At first, Invoke-Command seems like an ideal choice for Administrators, since you can run any PowerShell commandlet remotely and leverage Web Services over HTTP (a common choice for modern solutions).
That’s until you look at the performance issue and the lack of methods on the resulting deserialized objects.
If are an IT Administrator executing just a few commands every once in a while, those issues might not be much of a difference.If you intend to run a lot of commands against the same server with Invoke-Command, using the –Session option will save quite some time, but then things get a bit more complicated.
Get-WMIObject provides a lot of functionality, due to the large number of WMI providers available and it’s always remotable.
Performance is better than Invoke-Command for single commands per server and the resulting objects do have methods you can call.
You do have to get familiar with the WMI classes and learn how to write queries. This is not a big deal for developers, but this can turn off IT Administrators.
If the specific action you are trying to accomplish can be performed remotely with an RPC-based cmdlet like Get-Service, that’s probably your best choice.
If you are using doing something in a loop inside another loop for a large set of servers, the performance issue might make the other options less attractive.
The main issue here is that not all cmdlets support the –ComputerName option and you’re likely to need to combine this with the other options.
Here’s a summary of the main points:
Attribute
RPC
WinRM
WinRM (w/session)
Ease of use by IT Administrator
+ +
- -
+
-
Ease of use by Developer
++
Returns objects with methods
Uses web services over HTTP protocol
Many available commandlets/providers
Performance for a single command
Performance for a thousand commands
I hope this has post has help you understand your choices so you can select the best option for your specific case.
Excellent post and backs up my own feeling in an objective manor. Maybe worth adding that you want to filter out as much data as possible in a WMI query rather than pull back all data and filter locally in PowerShell (specifically when querying something like the remote event log)