Comparing RPC, WMI and WinRM for remote server management with PowerShell V2


1. Overview

In a recent blog post, I was looking at PowerShell V2 remoting in Windows Server 2008 R2.
If you haven’t seen it, take a look at
http://blogs.technet.com/josebda/archive/2010/03/31/experimenting-with-powershell-v2-remoting.aspx.

In that post, I mentioned three different ways to gather information about services on a remote server (throughout this post, I use this task as an example of what an administrator would run remotely):

· Using Get-Service with the -ComputerName parameter (RPC)

· Using Get-WMIObject with the -ComputerName parameter (WMI)

· Using Invoke-Command to execute Get-Service remotely (WinRM)

In this post, I spend more time looking at some of the most significant differences between them.

2. Commands and Outputs

For starters, here are the three versions of a sample command to query a remote server and the output they produce: the first using Get-Service, the second using Get-WMIObject and the third using Invoke-Command.

From an IT Administrator perspective, the Get-Service form is short and to the point. It is a good example of how PowerShell makes things simple to manage.

Invoke-Command is not so bad either, with the advantage that IT Administrators don’t have to restrict themselves to cmdlets that have the -ComputerName option.

Get-WMIObject seems a bit scary for someone without a developer background. You also lose some of the discoverability advantages of PowerShell (you can’t press TAB to complete your query, for instance).

On the other hand, for developers familiar with Win32 APIs and WMI classes, the option to use Get-WMIObject seems very attractive.

Get-Service LanManServer -ComputerName josebda-s0

Status   Name          DisplayName
------   ----          -----------
Running  LanManServer  Server

Get-WMIObject -ComputerName josebda-s0 -query "Select * from Win32_Service Where Name='LanManServer'" | ft

ExitCode Name           ProcessId StartMode  State    Status
-------- ----           --------- ---------  -----    ------
       0 LanmanServer         868 Auto       Running  OK

Invoke-Command josebda-s0 {Get-Service LanManServer}

Status   Name          DisplayName   PSComputerName
------   ----          -----------   --------------
Running  LanManServer  Server        josebda-s0

3. Properties and Methods

While the three options look similar, the objects returned are different. The first is of type “System.ServiceProcess.ServiceController”, the second returns the type “System.Management.ManagementObject#root\cimv2\Win32_Service” and the last one is of type “Deserialized.System.ServiceProcess.ServiceController”. Take a look at the details of each type below, obtained using Get-Member. Note that the deserialized version has no methods to perform actions on the service, like stop or start.

Get-Service LanManServer -ComputerName josebda-s0 | Get-Member

TypeName: System.ServiceProcess.ServiceController

Name                      MemberType    Definition

----                      ----------    ----------

Name                      AliasProperty Name = ServiceName

RequiredServices          AliasProperty RequiredServices = ServicesDependedOn

Disposed                  Event         System.EventHandler Disposed(System.Object, System.EventArgs)

Close                     Method        System.Void Close()

Continue                  Method        System.Void Continue()

CreateObjRef              Method        System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType)

Dispose                   Method        System.Void Dispose()

Equals                    Method        bool Equals(System.Object obj)

ExecuteCommand            Method        System.Void ExecuteCommand(int command)

GetHashCode               Method        int GetHashCode()

GetLifetimeService        Method        System.Object GetLifetimeService()

GetType                   Method        type GetType()

InitializeLifetimeService Method        System.Object InitializeLifetimeService()

Pause                     Method        System.Void Pause()

Refresh                   Method        System.Void Refresh()

Start                     Method        System.Void Start(), System.Void Start(string[] args)

Stop                      Method        System.Void Stop()

ToString                  Method        string ToString()

WaitForStatus             Method        System.Void WaitForStatus(System.ServiceProcess.ServiceControllerStatus desi...

CanPauseAndContinue       Property      System.Boolean CanPauseAndContinue {get;}

CanShutdown               Property      System.Boolean CanShutdown {get;}

CanStop                   Property      System.Boolean CanStop {get;}

Container                 Property      System.ComponentModel.IContainer Container {get;}

DependentServices         Property      System.ServiceProcess.ServiceController[] DependentServices {get;}

DisplayName               Property      System.String DisplayName {get;set;}

MachineName               Property      System.String MachineName {get;set;}

ServiceHandle             Property      System.Runtime.InteropServices.SafeHandle ServiceHandle {get;}

ServiceName               Property      System.String ServiceName {get;set;}

ServicesDependedOn        Property      System.ServiceProcess.ServiceController[] ServicesDependedOn {get;}

ServiceType               Property      System.ServiceProcess.ServiceType ServiceType {get;}

Site                      Property      System.ComponentModel.ISite Site {get;set;}

Status                    Property      System.ServiceProcess.ServiceControllerStatus Status {get;}

Get-WMIObject -computername josebda-s0 -query "Select * from Win32_Service Where Name='LanManServer'" | Get-Member

TypeName: System.Management.ManagementObject#root\cimv2\Win32_Service

Name                    MemberType   Definition

----                    ----------   ----------

Change                  Method       System.Management.ManagementBaseObject Change(System.String DisplayName, System...

ChangeStartMode         Method       System.Management.ManagementBaseObject ChangeStartMode(System.String StartMode)

Delete                  Method       System.Management.ManagementBaseObject Delete()

GetSecurityDescriptor   Method       System.Management.ManagementBaseObject GetSecurityDescriptor()

InterrogateService      Method       System.Management.ManagementBaseObject InterrogateService()

PauseService            Method       System.Management.ManagementBaseObject PauseService()

ResumeService           Method       System.Management.ManagementBaseObject ResumeService()

SetSecurityDescriptor   Method       System.Management.ManagementBaseObject SetSecurityDescriptor(System.Management....

StartService            Method       System.Management.ManagementBaseObject StartService()

StopService             Method       System.Management.ManagementBaseObject StopService()

UserControlService      Method       System.Management.ManagementBaseObject UserControlService(System.Byte ControlCode)

AcceptPause             Property     System.Boolean AcceptPause {get;set;}

AcceptStop              Property     System.Boolean AcceptStop {get;set;}

Caption                 Property     System.String Caption {get;set;}

CheckPoint              Property     System.UInt32 CheckPoint {get;set;}

CreationClassName       Property     System.String CreationClassName {get;set;}

Description             Property     System.String Description {get;set;}

DesktopInteract         Property     System.Boolean DesktopInteract {get;set;}

DisplayName             Property     System.String DisplayName {get;set;}

ErrorControl            Property     System.String ErrorControl {get;set;}

ExitCode                Property     System.UInt32 ExitCode {get;set;}

InstallDate             Property     System.String InstallDate {get;set;}

Name                    Property     System.String Name {get;set;}

PathName                Property     System.String PathName {get;set;}

ProcessId               Property     System.UInt32 ProcessId {get;set;}

ServiceSpecificExitCode Property     System.UInt32 ServiceSpecificExitCode {get;set;}

ServiceType             Property     System.String ServiceType {get;set;}

Started                 Property     System.Boolean Started {get;set;}

StartMode               Property     System.String StartMode {get;set;}

StartName               Property     System.String StartName {get;set;}

State                   Property     System.String State {get;set;}

Status                  Property     System.String Status {get;set;}

SystemCreationClassName Property     System.String SystemCreationClassName {get;set;}

SystemName              Property     System.String SystemName {get;set;}

TagId                   Property     System.UInt32 TagId {get;set;}

WaitHint                Property     System.UInt32 WaitHint {get;set;}

__CLASS                 Property     System.String __CLASS {get;set;}

__DERIVATION            Property     System.String[] __DERIVATION {get;set;}

__DYNASTY               Property     System.String __DYNASTY {get;set;}

__GENUS                 Property     System.Int32 __GENUS {get;set;}

__NAMESPACE             Property     System.String __NAMESPACE {get;set;}

__PATH                  Property     System.String __PATH {get;set;}

__PROPERTY_COUNT        Property     System.Int32 __PROPERTY_COUNT {get;set;}

__RELPATH               Property     System.String __RELPATH {get;set;}

__SERVER                Property     System.String __SERVER {get;set;}

__SUPERCLASS            Property     System.String __SUPERCLASS {get;set;}

PSConfiguration         PropertySet  PSConfiguration {DesktopInteract, ErrorControl, Name, PathName, ServiceType, St...

PSStatus                PropertySet  PSStatus {Name, Status, ExitCode}

ConvertFromDateTime     ScriptMethod System.Object ConvertFromDateTime();

ConvertToDateTime       ScriptMethod System.Object ConvertToDateTime();

Invoke-Command josebda-s0 {Get-Service LanManServer} | Get-Member

TypeName: Deserialized.System.ServiceProcess.ServiceController

Name                MemberType   Definition

----                ----------   ----------

ToString            Method       string ToString(), string ToString(string format, System.IFormatProvider formatProv...

Name                NoteProperty System.String Name=LanManServer

PSComputerName      NoteProperty System.String PSComputerName=josebda-s0

PSShowComputerName  NoteProperty System.Boolean PSShowComputerName=True

RequiredServices    NoteProperty Deserialized.System.ServiceProcess.ServiceController[] RequiredServices=System.Serv...

RunspaceId          NoteProperty System.Guid RunspaceId=b7769bc0-4283-4465-bffd-94be34c9e32f

CanPauseAndContinue Property     System.Boolean {get;set;}

CanShutdown         Property     System.Boolean {get;set;}

CanStop             Property     System.Boolean {get;set;}

Container           Property      {get;set;}

DependentServices   Property     Deserialized.System.ServiceProcess.ServiceController[] {get;set;}

DisplayName         Property     System.String {get;set;}

MachineName         Property     System.String {get;set;}

ServiceHandle       Property     System.String {get;set;}

ServiceName         Property     System.String {get;set;}

ServicesDependedOn  Property     Deserialized.System.ServiceProcess.ServiceController[] {get;set;}

ServiceType         Property     System.String {get;set;}

Site                Property      {get;set;}

Status              Property     System.String {get;set;}
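As an added example (not part of the original post), the script below shows what the three type differences above mean when you need to act on a service rather than just read it: the RPC and WMI objects carry live methods, while the WinRM result is a snapshot, so any action has to run inside the Invoke-Command script block. It uses the post's server name josebda-s0 and the LanManServer service, assumes PowerShell remoting is already enabled on the target (as in the post), and the 30-second WaitForStatus timeout is an assumed value.

```powershell
# Added example, not from the original post. Assumes PowerShell remoting is
# already enabled on the target, as in the post; replace $server with your own.
$server  = 'josebda-s0'
$svcName = 'LanManServer'

# 1) RPC: a live System.ServiceProcess.ServiceController. Its methods talk to
#    the remote Service Control Manager, so Refresh() and WaitForStatus() work
#    here without any further remoting.
$rpc = Get-Service -Name $svcName -ComputerName $server
$rpc.Refresh()
$rpc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))   # 30 s timeout is an assumed value
"RPC   : {0} is {1} (CanStop={2}, CanPauseAndContinue={3})" -f `
    $rpc.ServiceName, $rpc.Status, $rpc.CanStop, $rpc.CanPauseAndContinue

# 2) WMI: a ManagementObject for Win32_Service. Its methods return a
#    ManagementBaseObject whose ReturnValue is 0 on success.
#    InterrogateService() only asks the service to report its current status.
$wmi = Get-WmiObject -ComputerName $server -Query "Select * from Win32_Service Where Name='$svcName'"
$rv  = $wmi.InterrogateService()
"WMI   : {0} is {1}, StartMode={2}, InterrogateService ReturnValue={3}" -f `
    $wmi.Name, $wmi.State, $wmi.StartMode, $rv.ReturnValue

# 3) WinRM: a Deserialized.* snapshot. The properties are there (Status is now
#    a plain string), but there are no Stop/Start/WaitForStatus methods at all.
$snap    = Invoke-Command -ComputerName $server -ArgumentList $svcName -ScriptBlock { param($n) Get-Service $n }
$methods = @($snap | Get-Member -MemberType Method | Select-Object -ExpandProperty Name)
"WinRM : {0} is {1}; methods on the returned object: {2}" -f `
    $snap.Name, $snap.Status, ($methods -join ', ')

# The snapshot cannot act on the service, so do the work on the remote side and
# return only what you need: the live ServiceController exists inside the block.
$state = Invoke-Command -ComputerName $server -ArgumentList $svcName -ScriptBlock {
    param($name)
    $svc = Get-Service -Name $name
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))   # assumed timeout
    $svc.Refresh()
    New-Object PSObject -Property @{ Name = $svc.ServiceName; Status = [string]$svc.Status }
}
"WinRM : after remote WaitForStatus, {0} is {1}" -f $state.Name, $state.Status
```

For the WinRM case the Get-Member call lists ToString as the only method, which is the point of the section: with Invoke-Command, the object you hold locally can describe the service but cannot control it, so the script block is where any control action belongs.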


4. Measurements

Beyond this basic difference in functionality, these three options perform at completely different levels.
To look into how this translates in terms of performance, I used the Measure-Command cmdlet.

I ran the commands a few times first, in order to warm both local and remote stacks and avoid issues related to DNS lookups, authentication, etc. The samples below were taken after that.

Keep in mind that these results can vary widely depending on your server and network configuration. I would strongly encourage you to take these measurements in your own test environment to validate them.

Measure-Command {Get-Service LanManServer -ComputerName josebda-s0}

Days              : 0
Hours             : 0
Minutes           : 0
Seconds           : 0
Milliseconds      : 4
Ticks             : 44539
TotalDays         : 5.15497685185185E-08
TotalHours        : 1.23719444444444E-06
TotalMinutes      : 7.42316666666667E-05
TotalSeconds      : 0.0044539
TotalMilliseconds : 4.4539

(Measure-Command {Get-Service LanManServer -ComputerName josebda-s0}).TotalMilliseconds

3.8388

Measure-Command {Get-WMIObject -ComputerName josebda-s0 -query "Select * from Win32_Service Where Name='LanManServer'" }

Days              : 0
Hours             : 0
Minutes           : 0
Seconds           : 0
Milliseconds      : 148
Ticks             : 1484424
TotalDays         : 1.71808333333333E-06
TotalHours        : 4.1234E-05
TotalMinutes      : 0.00247404
TotalSeconds      : 0.1484424
TotalMilliseconds : 148.4424

(Measure-Command {Get-WMIObject -ComputerName josebda-s0 -query "Select * from Win32_Service Where Name='LanManServer'" }).TotalMilliseconds

134.4495

Measure-Command {Invoke-Command josebda-s0 {Get-Service LanManServer}}

Days              : 0
Hours             : 0
Minutes           : 0
Seconds           : 0
Milliseconds      : 869
Ticks             : 8695210
TotalDays         : 1.0063900462963E-05
TotalHours        : 0.000241533611111111
TotalMinutes      : 0.0144920166666667
TotalSeconds      : 0.869521
TotalMilliseconds : 869.521

(Measure-Command {Invoke-Command josebda-s0 {Get-Service LanManServer}}).TotalMilliseconds

764.3609

As you can see, Invoke-Command takes much longer than the other two. However, there is a way to improve the performance of Invoke-Command by first creating a session and re-using that session in later commands. Here’s how:

$s = New-PSSession josebda-s0
$s

Id Name            ComputerName    State    ConfigurationName     Availability
-- ----            ------------    -----    -----------------     ------------
  1 Session1        josebda-s0      Opened   Microsoft.PowerShell     Available

Invoke-Command -Session $s {Get-Service LanManServer}

Status   Name               DisplayName                            PSComputerName
------   ----               -----------                            --------------
Running  LanManServer       Server                                 josebda-s0

With that change, Invoke-Command is much faster than before in subsequent calls.

Measure-Command { Invoke-Command -Session $s {Get-Service LanManServer} }

Days              : 0
Hours             : 0
Minutes           : 0
Seconds           : 0
Milliseconds      : 14
Ticks             : 140436
TotalDays         : 1.62541666666667E-07
TotalHours        : 3.901E-06
TotalMinutes      : 0.00023406
TotalSeconds      : 0.0140436
TotalMilliseconds : 14.0436

(Measure-Command { Invoke-Command -Session $s {Get-Service LanManServer} }).TotalMilliseconds

15.5385

5. Summarizing Measurements

As you can see, the different options perform very differently. The fastest and slowest are actually orders of magnitude apart.

Because there could be slight variations in the performance depending on what else is running on the administrator’s computer, I used a loop to execute each one 20 times.

Here are the commands I used:

1..20 | % {(measure-command {Get-Service LanManServer -ComputerName  josebda-s0}).TotalMilliseconds}

1..20 | % {(Measure-command {Get-WMIObject -ComputerName josebda-s0 -query "Select * from Win32_Service Where Name='LanManServer'" }).TotalMilliseconds}

1..20 | % {(Measure-Command {Invoke-Command josebda-s0 {Get-Service LanManServer}}).TotalMilliseconds}

1..20 | % {(Measure-Command {Invoke-Command $s {Get-Service LanManServer}}).TotalMilliseconds}

I then pasted the output into Excel and added some formulas to produce the table below.

As you can see, on average, Get-Service was over 250 times faster than Invoke-Command with servername.

While those 20 commands took less than a tenth of a second for Get-Service, it took over 18 seconds to execute the 20 commands for Invoke-Command with servername.

Invoke-Command with -Session takes the heavy lifting of creating a session out of the picture and runs all 20 commands in a quarter of a second.
Get-WMIObject took a little over 3 seconds to execute all 20 commands.

Again, keep in mind that these results can vary widely depending on your server and network configuration. I would strongly encourage you to take these measurements in your own test environment to validate them.

Values are TotalMilliseconds per sample.

Sample  Get-Service   Get-WMIObject    Invoke-Command   Invoke-Command
           with -CN        with -CN   with servername    with -session
------  -----------   -------------   ---------------   --------------
1            3.7918        137.8325        1,527.9476          13.4520
2            3.6134        133.7955          768.2190          16.7934
3            3.9385        137.8329          766.1347          11.9233
4            3.5771        134.3533        1,311.7297          11.1179
5            3.5146        137.0647          732.0722          11.1046
6            3.5014        133.0551          798.1055          10.8660
7            3.5647        136.2507          794.4809          11.0375
8            3.5082        137.9484          799.5016          11.7835
9            3.4958        137.7649        1,073.0879          10.7582
10           3.5377        133.9375        1,117.2072          14.1638
11           3.5129        137.4364          758.8444          11.3480
12           3.5223        139.8877          767.3930          10.8035
13           3.5441        137.3063        1,566.7211          20.2465
14           3.5172        135.2789          760.4142          13.1813
15           3.5163        404.5968          765.0392          11.0910
16           3.5189        143.2326        1,071.0292          10.9340
17           3.6113        138.0981          755.0543          10.7193
18           3.5168        137.9030          781.3987          11.3788
19           3.6763        135.3268          778.1373          12.0371
20           4.0022        136.6921          760.6862          10.9780
Average      3.5991        150.2797          922.6602          12.2859
Total       71.9815      3,005.5942       18,453.2039         245.7177
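As an added example (not part of the original post), the function below packages the four timing loops above so they can be re-run against any server and iteration count, with the warm-up runs the post describes and with average, total, minimum and maximum computed by Measure-Object instead of Excel. The session is created once, outside all timing, and removed at the end. It assumes PowerShell remoting is enabled on the target; josebda-s0 in the usage line is the post's server name, and the function name and parameters are my own.

```powershell
# Added example, not from the original post: the post's four 20-iteration
# timing loops as one reusable function. Assumes PowerShell remoting is
# enabled on the target, as in the post.
function Measure-RemoteServiceQuery {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [string]$ServiceName = 'LanManServer',
        [int]$Iterations = 20,      # 20 matches the post's table
        [int]$WarmUp = 3            # untimed runs, as the post did before sampling
    )
    $wql = "Select * from Win32_Service Where Name='$ServiceName'"
    # One session, created once outside the timed loops and removed at the end.
    $session = New-PSSession -ComputerName $ComputerName
    try {
        $methods = @(
            (New-Object PSObject -Property @{ Name = 'Get-Service with -CN'
                Script = { Get-Service -Name $ServiceName -ComputerName $ComputerName } }),
            (New-Object PSObject -Property @{ Name = 'Get-WMIObject with -CN'
                Script = { Get-WmiObject -ComputerName $ComputerName -Query $wql } }),
            (New-Object PSObject -Property @{ Name = 'Invoke-Command with servername'
                Script = { Invoke-Command -ComputerName $ComputerName -ArgumentList $ServiceName -ScriptBlock { param($n) Get-Service $n } } }),
            (New-Object PSObject -Property @{ Name = 'Invoke-Command with -session'
                Script = { Invoke-Command -Session $session -ArgumentList $ServiceName -ScriptBlock { param($n) Get-Service $n } } })
        )
        foreach ($m in $methods) {
            # Warm-up absorbs DNS lookups, authentication and remote stack start-up.
            for ($i = 0; $i -lt $WarmUp; $i++) { & $m.Script | Out-Null }
            $samples = @()
            for ($i = 0; $i -lt $Iterations; $i++) {
                $samples += (Measure-Command { & $m.Script | Out-Null }).TotalMilliseconds
            }
            $stats = $samples | Measure-Object -Average -Sum -Minimum -Maximum
            New-Object PSObject -Property @{
                Method    = $m.Name
                Samples   = $Iterations
                AverageMs = [math]::Round($stats.Average, 4)
                TotalMs   = [math]::Round($stats.Sum, 4)
                MinMs     = [math]::Round($stats.Minimum, 4)
                MaxMs     = [math]::Round($stats.Maximum, 4)
            } | Select-Object Method, Samples, AverageMs, TotalMs, MinMs, MaxMs
        }
    }
    finally {
        # An open session keeps a remote runspace alive; always clean it up.
        Remove-PSSession -Session $session
    }
}

# Usage: one row per method, matching the post's "Average" and "Total" lines.
Measure-RemoteServiceQuery -ComputerName 'josebda-s0' | Format-Table -AutoSize
```

The -ArgumentList/param form is used instead of a literal service name inside the script blocks so the same function works in PowerShell V2, which is the version the post is about. Min and Max are reported alongside the average because, as the table above shows (sample 15 for Get-WMIObject, samples 1, 4 and 13 for Invoke-Command with servername), a few outliers can move the average noticeably.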


6. Network Monitor

Next, I went one level deeper by using Network Monitor 3.3 to actually watch the packets on the wire.
As usual, I ran the commands a few times before the capture, to warm both stacks and avoid capturing things like DNS lookups, authentication, etc.

I also filtered the packets to show only the ones where the source or destination address match the remote server where the commands execute.

As expected, the Get-Service version uses RPC. It efficiently sent a dozen IP packets back and forth (in the specific case of the sample command used).

Both the Get-WMIObject and Invoke-Command with servername versions took around a hundred packets to get the job done, and both did a lot of serialization of objects.

By looking at the number of TCP continuation packets and their PayloadLen field, you can clearly see how Invoke-Command uses the highest number of very large packets. Invoke-Command with -Session was very efficient (taking into consideration that it also does serialization) at around 20 packets.

Command = Get-Service LanManServer -ComputerName josebda-s0

#   Conversation ID                      Source  Dest    Protocol       Description
--  -----------------------------------  ------  ------  -------------  -----------
1                                                        NetmonFilter   NetmonFilter:Updated Capture Filter: Source == "Server" OR Destination == "Server"
2                                                        NetworkInfoEx  NetworkInfoEx:Network info for , Network Adapter Count = 2
3   {MSRPC:33, TCP:32, ESP:58, IPv6:57}  Admin   Server  MSRPC          MSRPC:c/o Request: unknown   Call=0xF  Opnum=0xF  Context=0x0  Hint=0x30
4   {MSRPC:33, TCP:32, ESP:58, IPv6:57}  Server  Admin   MSRPC          MSRPC:c/o Response: unknown   Call=0xF  Context=0x0  Hint=0x18  Cancels=0x0
5   {MSRPC:33, TCP:32, ESP:58, IPv6:57}  Admin   Server  MSRPC          MSRPC:c/o Request: unknown   Call=0x10  Opnum=0x15  Context=0x0  Hint=0x40
6   {MSRPC:33, TCP:32, ESP:58, IPv6:57}  Server  Admin   MSRPC          MSRPC:c/o Response: unknown   Call=0x10  Context=0x0  Hint=0x18  Cancels=0x0
7   {MSRPC:33, TCP:32, ESP:58, IPv6:57}  Admin   Server  MSRPC          MSRPC:c/o Request: unknown   Call=0x11  Opnum=0x14  Context=0x0  Hint=0x40
8   {MSRPC:33, TCP:32, ESP:58, IPv6:57}  Server  Admin   MSRPC          MSRPC:c/o Response: unknown   Call=0x11  Context=0x0  Hint=0x24  Cancels=0x0
9   {MSRPC:33, TCP:32, ESP:58, IPv6:57}  Admin   Server  MSRPC          MSRPC:c/o Request: unknown   Call=0x12  Opnum=0x10  Context=0x0  Hint=0x40
10  {MSRPC:33, TCP:32, ESP:58, IPv6:57}  Server  Admin   MSRPC          MSRPC:c/o Response: unknown   Call=0x12  Context=0x0  Hint=0x18  Cancels=0x0
11  {MSRPC:33, TCP:32, ESP:58, IPv6:57}  Admin   Server  MSRPC          MSRPC:c/o Request: unknown   Call=0x13  Opnum=0x6  Context=0x0  Hint=0x14
12  {MSRPC:33, TCP:32, ESP:58, IPv6:57}  Server  Admin   MSRPC          MSRPC:c/o Response: unknown   Call=0x13  Context=0x0  Hint=0x20  Cancels=0x0
13  {MSRPC:33, TCP:32, ESP:58, IPv6:57}  Admin   Server  MSRPC          MSRPC:c/o Request: unknown   Call=0x14  Opnum=0x0  Context=0x0  Hint=0x14
14  {MSRPC:33, TCP:32, ESP:58, IPv6:57}  Server  Admin   MSRPC          MSRPC:c/o Response: unknown   Call=0x14  Context=0x0  Hint=0x18  Cancels=0x0

Command = Get-WMIObject -ComputerName josebda-s0 -query "Select * from Win32_Service Where Name='LanManServer'"

#   Conversation ID                      Source  Dest    Protocol       Description
--  -----------------------------------  ------  ------  -------------  -----------
1                                                        NetmonFilter   NetmonFilter:Updated Capture Filter: Source == "Server" OR Destination == "Server"
2                                                        NetworkInfoEx  NetworkInfoEx:Network info for , Network Adapter Count = 2
3   {TCP:62, ESP:58, IPv6:57}            Admin   Server  TCP            TCP:Flags=......S., SrcPort=62629, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=2227018716, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
4   {TCP:62, ESP:58, IPv6:57}            Server  Admin   TCP            TCP:Flags=...A..S., SrcPort=DCE endpoint resolution(135), DstPort=62629, PayloadLen=0, Seq=1052068760, Ack=2227018717, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
5   {TCP:62, ESP:58, IPv6:57}            Admin   Server  TCP            TCP:Flags=...A...., SrcPort=62629, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=2227018717, Ack=1052068761, Win=259 (scale factor 0x8) = 66304
6   {MSRPC:63, TCP:62, ESP:58, IPv6:57}  Admin   Server  MSRPC          MSRPC:c/o Bind:  UUID{000001A0-0000-0000-C000-000000000046} IRemoteSCMActivator(DCOM)  Call=0x14  Assoc Grp=0x0  Xmit=0x16D0  Recv=0x16D0
7   {TCP:62, ESP:58, IPv6:57}            Admin   Server  TCP            TCP:[Continuation to #6]Flags=...A...., SrcPort=62629, DstPort=DCE endpoint resolution(135), PayloadLen=1415, Seq=2227020132 - 2227021547, Ack=1052068761, Win=259 (scale factor 0x8) = 66304
8   {TCP:62, ESP:58, IPv6:57}            Server  Admin   TCP            TCP:Flags=...A...., SrcPort=DCE endpoint resolution(135), DstPort=62629, PayloadLen=0, Seq=1052068761, Ack=2227021547, Win=259 (scale factor 0x8) = 66304
9   {TCP:62, ESP:58, IPv6:57}            Admin   Server  TCP            TCP:[Continuation to #6]Flags=...A...., SrcPort=62629, DstPort=DCE endpoint resolution(135), PayloadLen=1415, Seq=2227021547 - 2227022962, Ack=1052068761, Win=259 (scale factor 0x8) = 66304
10  {TCP:62, ESP:58, IPv6:57}            Admin   Server  TCP            TCP:[Continuation to #6]Flags=...A...., SrcPort=62629, DstPort=DCE endpoint resolution(135), PayloadLen=1415, Seq=2227022962 - 2227024377, Ack=1052068761, Win=259 (scale factor 0x8) = 66304
11  {TCP:62, ESP:58, IPv6:57}            Admin   Server  TCP            TCP:[Continuation to #6]Flags=...AP..., SrcPort=62629, DstPort=DCE endpoint resolution(135), PayloadLen=1028, Seq=2227024377 - 2227025405, Ack=1052068761, Win=259 (scale factor 0x8) = 66304
12  {TCP:62, ESP:58, IPv6:57}            Server  Admin   TCP            TCP:Flags=...A...., SrcPort=DCE endpoint resolution(135), DstPort=62629, PayloadLen=0, Seq=1052068761, Ack=2227025405, Win=259 (scale factor 0x8) = 66304
13  {MSRPC:63, TCP:62, ESP:58, IPv6:57}  Server  Admin   MSRPC          MSRPC:c/o Bind Ack:  Call=0x14  Assoc Grp=0x4839  Xmit=0x16D0  Recv=0x16D0 Warning: GssAPIMechanism is not found, either caused by not reassembled, conversation off or filtering.
14  {MSRPC:63, TCP:62, ESP:58, IPv6:57}  Admin   Server  MSRPC          MSRPC:c/o Alter Cont:  UUID{000001A0-0000-0000-C000-000000000046} IRemoteSCMActivator(DCOM)  Call=0x14 Warning: GssAPIMechanism is not found, either caused by not reassembled, conversation off or filtering.
15  {MSRPC:63, TCP:62, ESP:58, IPv6:57}  Server  Admin   MSRPC          MSRPC:c/o Alter Cont Resp:  Call=0x14  Assoc Grp=0x4839  Xmit=0x16D0  Recv=0x16D0 Warning: GssAPIMechanism is not found, either caused by not reassembled, conversation off or filtering.
16  {MSRPC:63, TCP:62, ESP:58, IPv6:57}  Admin   Server  DCOM           DCOM:RemoteCreateInstance Request, DCOM Version=5.7  Causality Id={30148A67-F3D3-4A13-AE58-ED488ED55283}
17  {MSRPC:63, TCP:62, ESP:58, IPv6:57}  Server  Admin   DCOM           DCOM:RemoteCreateInstance Response, ORPCFLOCAL - Local call to this computer
18  {TCP:62, ESP:58, IPv6:57}            Server  Admin   TCP            TCP:[Continuation to #17]Flags=...AP..., SrcPort=DCE endpoint resolution(135), DstPort=62629, PayloadLen=97, Seq=1052070542 - 1052070639, Ack=2227026441, Win=255 (scale factor 0x8) = 65280
19  {TCP:62, ESP:58, IPv6:57}            Admin   Server  TCP            TCP:Flags=...A...., SrcPort=62629, DstPort=DCE endpoint resolution(135), PayloadLen=0, Seq=2227026441, Ack=1052070639, Win=259 (scale factor 0x8) = 66304
20  {TCP:64, ESP:58, IPv6:57}            Admin   Server  TCP            TCP:Flags=......S., SrcPort=62630, DstPort=49155, PayloadLen=0, Seq=2176414295, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
21  {TCP:64, ESP:58, IPv6:57}            Server  Admin   TCP            TCP:Flags=...A..S., SrcPort=49155, DstPort=62630, PayloadLen=0, Seq=3916206270, Ack=2176414296, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
22  {TCP:64, ESP:58, IPv6:57}            Admin   Server  TCP            TCP:Flags=...A...., SrcPort=62630, DstPort=49155, PayloadLen=0, Seq=2176414296, Ack=3916206271, Win=259 (scale factor 0x8) = 66304
23  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Admin   Server  MSRPC          MSRPC:c/o Bind:  UUID{00000143-0000-0000-C000-000000000046} IRemUnknown2(DCOM)  Call=0xA5  Assoc Grp=0x0  Xmit=0x16D0  Recv=0x16D0
24  {TCP:64, ESP:58, IPv6:57}            Admin   Server  TCP            TCP:[Continuation to #23]Flags=...A...., SrcPort=62630, DstPort=49155, PayloadLen=1415, Seq=2176415711 - 2176417126, Ack=3916206271, Win=259 (scale factor 0x8) = 66304
25  {TCP:64, ESP:58, IPv6:57}            Server  Admin   TCP            TCP:Flags=...A...., SrcPort=49155, DstPort=62630, PayloadLen=0, Seq=3916206271, Ack=2176417126, Win=259 (scale factor 0x8) = 66304
26  {TCP:64, ESP:58, IPv6:57}            Admin   Server  TCP            TCP:[Continuation to #23]Flags=...A...., SrcPort=62630, DstPort=49155, PayloadLen=1415, Seq=2176417126 - 2176418541, Ack=3916206271, Win=259 (scale factor 0x8) = 66304
27  {TCP:64, ESP:58, IPv6:57}            Admin   Server  TCP            TCP:[Continuation to #23]Flags=...A...., SrcPort=62630, DstPort=49155, PayloadLen=1415, Seq=2176418541 - 2176419956, Ack=3916206271, Win=259 (scale factor 0x8) = 66304
28  {TCP:64, ESP:58, IPv6:57}            Admin   Server  TCP            TCP:[Continuation to #23]Flags=...AP..., SrcPort=62630, DstPort=49155, PayloadLen=1071, Seq=2176419956 - 2176421027, Ack=3916206271, Win=259 (scale factor 0x8) = 66304
29  {TCP:64, ESP:58, IPv6:57}            Server  Admin   TCP            TCP:Flags=...A...., SrcPort=49155, DstPort=62630, PayloadLen=0, Seq=3916206271, Ack=2176421027, Win=259 (scale factor 0x8) = 66304
30  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Server  Admin   MSRPC          MSRPC:c/o Bind Ack:  Call=0xA5  Assoc Grp=0x5205  Xmit=0x16D0  Recv=0x16D0 Warning: GssAPIMechanism is not found, either caused by not reassembled, conversation off or filtering.
31  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Admin   Server  MSRPC          MSRPC:c/o Alter Cont:  UUID{00000143-0000-0000-C000-000000000046} IRemUnknown2(DCOM)  Call=0xA5 Warning: GssAPIMechanism is not found, either caused by not reassembled, conversation off or filtering.
32  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Server  Admin   MSRPC          MSRPC:c/o Alter Cont Resp:  Call=0xA5  Assoc Grp=0x5205  Xmit=0x16D0  Recv=0x16D0 Warning: GssAPIMechanism is not found, either caused by not reassembled, conversation off or filtering.
33  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Admin   Server  DCOM           DCOM:IRemUnknown2:RemQueryInterface Request, DCOM Version=5.7  Causality Id={30148A67-F3D3-4A13-AE58-ED488ED55283}
34  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Server  Admin   DCOM           DCOM:IRemUnknown2:RemQueryInterface Response, ORPCFNULL - No additional information in this packet
35  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Admin   Server  MSRPC          MSRPC:c/o Alter Cont:  UUID{D4781CD6-E5D3-44DF-AD94-930EFE48A887} IWbemLoginClientID(WMIRP)  Call=0xA6
36  {TCP:64, ESP:58, IPv6:57}            Admin   Server  TCP            TCP:[Continuation to #35]Flags=...A...., SrcPort=62630, DstPort=49155, PayloadLen=1415, Seq=2176422817 - 2176424232, Ack=3916206801, Win=257 (scale factor 0x8) = 65792
37  {TCP:64, ESP:58, IPv6:57}            Admin   Server  TCP            TCP:[Continuation to #35]Flags=...A...., SrcPort=62630, DstPort=49155, PayloadLen=1415, Seq=2176424232 - 2176425647, Ack=3916206801, Win=257 (scale factor 0x8) = 65792
38  {TCP:64, ESP:58, IPv6:57}            Admin   Server  TCP            TCP:[Continuation to #35]Flags=...A...., SrcPort=62630, DstPort=49155, PayloadLen=1415, Seq=2176425647 - 2176427062, Ack=3916206801, Win=257 (scale factor 0x8) = 65792
39  {TCP:64, ESP:58, IPv6:57}            Admin   Server  TCP            TCP:[Continuation to #35]Flags=...AP..., SrcPort=62630, DstPort=49155, PayloadLen=983, Seq=2176427062 - 2176428045, Ack=3916206801, Win=257 (scale factor 0x8) = 65792
40  {TCP:64, ESP:58, IPv6:57}            Server  Admin   TCP            TCP:Flags=...A...., SrcPort=49155, DstPort=62630, PayloadLen=0, Seq=3916206801, Ack=2176424232, Win=259 (scale factor 0x8) = 66304
41  {TCP:64, ESP:58, IPv6:57}            Server  Admin   TCP            TCP:Flags=...A...., SrcPort=49155, DstPort=62630, PayloadLen=0, Seq=3916206801, Ack=2176428045, Win=259 (scale factor 0x8) = 66304
42  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Server  Admin   MSRPC          MSRPC:c/o Alter Cont Resp:  Call=0xA6  Assoc Grp=0x5205  Xmit=0x16D0  Recv=0x16D0
43  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Admin   Server  MSRPC          MSRPC:c/o Alter Cont:  UUID{D4781CD6-E5D3-44DF-AD94-930EFE48A887} IWbemLoginClientID(WMIRP)  Call=0xA6
44  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Server  Admin   MSRPC          MSRPC:c/o Alter Cont Resp:  Call=0xA6  Assoc Grp=0x5205  Xmit=0x16D0  Recv=0x16D0
45  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Admin   Server  WMI            WMI:IWbemLoginClientID: SetClientInfo, Request
46  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Server  Admin   WMI            WMI:IWbemLoginClientID: SetClientInfo, Response, Status: WBEM_S_NO_ERROR
47  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Admin   Server  MSRPC          MSRPC:c/o Alter Cont:  UUID{F309AD18-D86A-11D0-A075-00C04FB68820} IWbemLevel1Login(WMIRP)  Call=0xA7
48  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Server  Admin   MSRPC          MSRPC:c/o Alter Cont Resp:  Call=0xA7  Assoc Grp=0x5205  Xmit=0x16D0  Recv=0x16D0
49  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Admin   Server  WMI            WMI:IWbemLevel1Login: EstablishPosition, Request
50  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Server  Admin   WMI            WMI:IWbemLevel1Login: EstablishPosition, Response, Status: WBEM_S_NO_ERROR
51  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Admin   Server  WMI            WMI:IWbemLevel1Login: NTLMLogin, Request
52  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Server  Admin   WMI            WMI:IWbemLevel1Login: NTLMLogin, Response, Status: WBEM_S_NO_ERROR
53  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Admin   Server  DCOM           DCOM:IRemUnknown2:RemRelease Request, DCOM Version=5.7  Causality Id={30148A67-F3D3-4A13-AE58-ED488ED55283}
54  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Server  Admin   DCOM           DCOM:IRemUnknown2:RemRelease Response, ORPCFNULL - No additional information in this packet
55  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Admin   Server  DCOM           DCOM:IRemUnknown2:RemQueryInterface Request, DCOM Version=5.7  Causality Id={30148A67-F3D3-4A13-AE58-ED488ED55283}
56  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Server  Admin   DCOM           DCOM:IRemUnknown2:RemQueryInterface Response, ORPCFNULL - No additional information in this packet
57  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Admin   Server  DCOM           DCOM:IRemUnknown2:RemQueryInterface Request, DCOM Version=5.7  Causality Id={30148A67-F3D3-4A13-AE58-ED488ED55283}
58  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Server  Admin   DCOM           DCOM:IRemUnknown2:RemQueryInterface Response, ORPCFNULL - No additional information in this packet
59  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Admin   Server  MSRPC          MSRPC:c/o Alter Cont:  UUID{9556DC99-828C-11CF-A37E-00AA003240C7} IWbemServices(WMIRP)  Call=0xAC
60  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Server  Admin   MSRPC          MSRPC:c/o Alter Cont Resp:  Call=0xAC  Assoc Grp=0x5205  Xmit=0x16D0  Recv=0x16D0
61  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Admin   Server  WMI            WMI:IWbemServices: ExecQuery, Request
62  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Server  Admin   WMI            WMI:IWbemServices: ExecQuery, Response, Status: WBEM_S_NO_ERROR
63  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Admin   Server  DCOM           DCOM:IRemUnknown2:RemQueryInterface Request, DCOM Version=5.7  Causality Id={30148A67-F3D3-4A13-AE58-ED488ED55283}
64  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Server  Admin   DCOM           DCOM:IRemUnknown2:RemQueryInterface Response, ORPCFNULL - No additional information in this packet
65  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Admin   Server  DCOM           DCOM:IRemUnknown2:RemQueryInterface Request, DCOM Version=5.7  Causality Id={30148A67-F3D3-4A13-AE58-ED488ED55283}
66  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Server  Admin   DCOM           DCOM:IRemUnknown2:RemQueryInterface Response, ORPCFNULL - No additional information in this packet
67  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Admin   Server  DCOM           DCOM:IRemUnknown2:RemQueryInterface Request, DCOM Version=5.7  Causality Id={30148A67-F3D3-4A13-AE58-ED488ED55283}
68  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Server  Admin   DCOM           DCOM:IRemUnknown2:RemQueryInterface Response, ORPCFNULL - No additional information in this packet
69  {MSRPC:65, TCP:64, ESP:58, IPv6:57}  Admin   Server  MSRPC          MSRPC:c/o Alter Cont:  UUID{1C1C45EE-4395-11D2-B60B-00104B703EFD} IWbemFetchSmartEnum(WMIRP)  Call=0xB0

70

{MSRPC:65, TCP:64, ESP:58, IPv6:57}

Server

Admin

MSRPC

MSRPC:c/o Alter Cont Resp:  Call=0xB0  Assoc Grp=0x5205  Xmit=0x16D0  Recv=0x16D0

71

{MSRPC:65, TCP:64, ESP:58, IPv6:57}

Admin

Server

WMI

WMI:IWbemFetchSmartEnum: GetSmartEnum, Request, No parameters

72

{MSRPC:65, TCP:64, ESP:58, IPv6:57}

Server

Admin

WMI

WMI:IWbemFetchSmartEnum: GetSmartEnum, Response, Status: WBEM_S_NO_ERROR

73

{MSRPC:65, TCP:64, ESP:58, IPv6:57}

Admin

Server

MSRPC

MSRPC:c/o Alter Cont:  UUID{027947E1-D731-11CE-A357-000000000001} IEnumWbemClassObject(WMIRP)  Call=0xB1

74

{MSRPC:65, TCP:64, ESP:58, IPv6:57}

Server

Admin

MSRPC

MSRPC:c/o Alter Cont Resp:  Call=0xB1  Assoc Grp=0x5205  Xmit=0x16D0  Recv=0x16D0

75

{MSRPC:65, TCP:64, ESP:58, IPv6:57}

Admin

Server

WMI

WMI:IEnumWbemClassObject: Clone, Request, No parameters

76

{MSRPC:65, TCP:64, ESP:58, IPv6:57}

Server

Admin

WMI

WMI:IEnumWbemClassObject: Clone, Response, Status: WBEM_S_NO_ERROR

77

{MSRPC:65, TCP:64, ESP:58, IPv6:57}

Admin

Server

DCOM

DCOM:IRemUnknown2:RemQueryInterface Request, DCOM Version=5.7  Causality Id={30148A67-F3D3-4A13-AE58-ED488ED55283}

78

{MSRPC:65, TCP:64, ESP:58, IPv6:57}

Server

Admin

DCOM

DCOM:IRemUnknown2:RemQueryInterface Response, ORPCFNULL - No additional information in this packet

79

{MSRPC:65, TCP:64, ESP:58, IPv6:57}

Admin

Server

DCOM

DCOM:IRemUnknown2:RemQueryInterface Request, DCOM Version=5.7  Causality Id={30148A67-F3D3-4A13-AE58-ED488ED55283}

80

{MSRPC:65, TCP:64, ESP:58, IPv6:57}

Server

Admin

DCOM

DCOM:IRemUnknown2:RemQueryInterface Response, ORPCFNULL - No additional information in this packet

81

{MSRPC:65, TCP:64, ESP:58, IPv6:57}

Admin

Server

DCOM

DCOM:IRemUnknown2:RemQueryInterface Request, DCOM Version=5.7  Causality Id={30148A67-F3D3-4A13-AE58-ED488ED55283}

82

{MSRPC:65, TCP:64, ESP:58, IPv6:57}

Server

Admin

DCOM

DCOM:IRemUnknown2:RemQueryInterface Response, ORPCFNULL - No additional information in this packet

83

{MSRPC:65, TCP:64, ESP:58, IPv6:57}

Admin

Server

WMI

WMI:IWbemFetchSmartEnum: GetSmartEnum, Request, No parameters

84

{MSRPC:65, TCP:64, ESP:58, IPv6:57}

Server

Admin

WMI

WMI:IWbemFetchSmartEnum: GetSmartEnum, Response, Status: WBEM_S_NO_ERROR

85

{MSRPC:65, TCP:64, ESP:58, IPv6:57}

Admin

Server

WMI

WMI:IEnumWbemClassObject: Reset, Request, No parameters

86

{MSRPC:65, TCP:64, ESP:58, IPv6:57}

Server

Admin

WMI

WMI:IEnumWbemClassObject: Reset, Response, Status: WBEM_S_NO_ERROR

87

{MSRPC:65, TCP:64, ESP:58, IPv6:57}

Admin

Server

MSRPC

MSRPC:c/o Alter Cont:  UUID{423EC01E-2E35-11D2-B604-00104B703EFD} IWbemWCOSmartEnum(WMIRP)  Call=0xB7

88

{MSRPC:65, TCP:64, ESP:58, IPv6:57}

Server

Admin

MSRPC

MSRPC:c/o Alter Cont Resp:  Call=0xB7  Assoc Grp=0x5205  Xmit=0x16D0  Recv=0x16D0

89

{MSRPC:65, TCP:64, ESP:58, IPv6:57}

Admin

Server

WMI

WMI:IWbemWCOSmartEnum: Next, Request

90

{MSRPC:65, TCP:64, ESP:58, IPv6:57}

Server

Admin

WMI

WMI:IWbemWCOSmartEnum: Next, Response, Status: Unknown Return Value, *Un-Interpreted*

91

{TCP:64, ESP:58, IPv6:57}

Server

Admin

TCP

TCP:[Continuation to #90]Flags=...A...., SrcPort=49155, DstPort=62630, PayloadLen=1415, Seq=3916212478 - 3916213893, Ack=2176431384, Win=258 (scale factor 0x8) = 66048

92

{TCP:64, ESP:58, IPv6:57}

Admin

Server

TCP

TCP:Flags=...A...., SrcPort=62630, DstPort=49155, PayloadLen=0, Seq=2176431384, Ack=3916213893, Win=259 (scale factor 0x8) = 66304

93

{TCP:64, ESP:58, IPv6:57}

Server

Admin

TCP

TCP:[Continuation to #90]Flags=...A...., SrcPort=49155, DstPort=62630, PayloadLen=1415, Seq=3916213893 - 3916215308, Ack=2176431384, Win=258 (scale factor 0x8) = 66048

94

{TCP:64, ESP:58, IPv6:57}

Server

Admin

TCP

TCP:[Continuation to #90]Flags=...A...., SrcPort=49155, DstPort=62630, PayloadLen=1415, Seq=3916215308 - 3916216723, Ack=2176431384, Win=258 (scale factor 0x8) = 66048

95

{TCP:64, ESP:58, IPv6:57}

Admin

Server

TCP

TCP:Flags=...A...., SrcPort=62630, DstPort=49155, PayloadLen=0, Seq=2176431384, Ack=3916216723, Win=259 (scale factor 0x8) = 66304

96

{TCP:64, ESP:58, IPv6:57}

Server

Admin

TCP

TCP:[Continuation to #90]Flags=...AP..., SrcPort=49155, DstPort=62630, PayloadLen=876, Seq=3916216723 - 3916217599, Ack=2176431384, Win=258 (scale factor 0x8) = 66048

97

{MSRPC:65, TCP:64, ESP:58, IPv6:57}

Admin

Server

WMI

WMI:IWbemWCOSmartEnum: Next, Request

98

{MSRPC:65, TCP:64, ESP:58, IPv6:57}

Server

Admin

WMI

WMI:IWbemWCOSmartEnum: Next, Response, Status: WBEM_S_FALSE

99

{MSRPC:65, TCP:64, ESP:58, IPv6:57}

Admin

Server

DCOM

DCOM:IRemUnknown2:RemRelease Request, DCOM Version=5.7  Causality Id={30148A67-F3D3-4A13-AE58-ED488ED55283}

100

{MSRPC:65, TCP:64, ESP:58, IPv6:57}

Server

Admin

DCOM

DCOM:IRemUnknown2:RemRelease Response, ORPCFNULL - No additional information in this packet

101

{MSRPC:65, TCP:64, ESP:58, IPv6:57}

Admin

Server

DCOM

DCOM:IRemUnknown2:RemRelease Request, DCOM Version=5.7  Causality Id={30148A67-F3D3-4A13-AE58-ED488ED55283}

102

{MSRPC:65, TCP:64, ESP:58, IPv6:57}

Server

Admin

DCOM

DCOM:IRemUnknown2:RemRelease Response, ORPCFNULL - No additional information in this packet

 

Command = Invoke-Command josebda-s0 {Get-Service LanManServer}

| # | Conversation ID | Source | Dest | Protocol | Description |
|---|---|---|---|---|---|
| 1 | | | | NetmonFilter | NetmonFilter:Updated Capture Filter: Source == "Server" OR Destination == "Server" |
| 2 | | | | NetworkInfoEx | NetworkInfoEx:Network info for , Network Adapter Count = 2 |
| 3 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=......S., SrcPort=62655, DstPort=5985, PayloadLen=0, Seq=2616192850, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 |
| 4 | {TCP:15, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=...A..S., SrcPort=5985, DstPort=62655, PayloadLen=0, Seq=2351429644, Ack=2616192851, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152 |
| 5 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=...A...., SrcPort=62655, DstPort=5985, PayloadLen=0, Seq=2616192851, Ack=2351429645, Win=259 (scale factor 0x8) = 66304 |
| 6 | {HTTP:16, TCP:15, ESP:58, IPv6:57} | Admin | Server | HTTP | HTTP:Request, POST /wsman, Using Kerberos Authorization |
| 7 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #6]Flags=...A...., SrcPort=62655, DstPort=5985, PayloadLen=1415, Seq=2616194266 - 2616195681, Ack=2351429645, Win=259 (scale factor 0x8) = 66304 |
| 8 | {TCP:15, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=...A...., SrcPort=5985, DstPort=62655, PayloadLen=0, Seq=2351429645, Ack=2616195681, Win=259 (scale factor 0x8) = 66304 |
| 9 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #6]Flags=...A...., SrcPort=62655, DstPort=5985, PayloadLen=1415, Seq=2616195681 - 2616197096, Ack=2351429645, Win=259 (scale factor 0x8) = 66304 |
| 10 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #6]Flags=...A...., SrcPort=62655, DstPort=5985, PayloadLen=1415, Seq=2616197096 - 2616198511, Ack=2351429645, Win=259 (scale factor 0x8) = 66304 |
| 11 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #6]Flags=...A...., SrcPort=62655, DstPort=5985, PayloadLen=1415, Seq=2616198511 - 2616199926, Ack=2351429645, Win=259 (scale factor 0x8) = 66304 |
| 12 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #6]Flags=...A...., SrcPort=62655, DstPort=5985, PayloadLen=1415, Seq=2616199926 - 2616201341, Ack=2351429645, Win=259 (scale factor 0x8) = 66304 |
| 13 | {TCP:15, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=...A...., SrcPort=5985, DstPort=62655, PayloadLen=0, Seq=2351429645, Ack=2616199926, Win=259 (scale factor 0x8) = 66304 |
| 14 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #6]Flags=...AP..., SrcPort=62655, DstPort=5985, PayloadLen=362, Seq=2616201341 - 2616201703, Ack=2351429645, Win=259 (scale factor 0x8) = 66304 |
| 15 | {TCP:15, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=...A...., SrcPort=5985, DstPort=62655, PayloadLen=0, Seq=2351429645, Ack=2616201703, Win=259 (scale factor 0x8) = 66304 |
| 16 | {HTTP:16, TCP:15, ESP:58, IPv6:57} | Server | Admin | HTTP | HTTP:Response, HTTP/1.1, Status Code = 200, URL: /wsman, Using Kerberos Authentication |
| 17 | {HTTP:16, TCP:15, ESP:58, IPv6:57} | Admin | Server | HTTP | HTTP:Request, POST /wsman |
| 18 | {HTTP:16, TCP:15, ESP:58, IPv6:57} | Admin | Server | MIME | MIME: |
| 19 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #18]Flags=...A...., SrcPort=62655, DstPort=5985, PayloadLen=1415, Seq=2616203381 - 2616204796, Ack=2351429986, Win=258 (scale factor 0x8) = 66048 |
| 20 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #18]Flags=...A...., SrcPort=62655, DstPort=5985, PayloadLen=1415, Seq=2616204796 - 2616206211, Ack=2351429986, Win=258 (scale factor 0x8) = 66048 |
| 21 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #18]Flags=...A...., SrcPort=62655, DstPort=5985, PayloadLen=1415, Seq=2616206211 - 2616207626, Ack=2351429986, Win=258 (scale factor 0x8) = 66048 |
| 22 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #18]Flags=...A...., SrcPort=62655, DstPort=5985, PayloadLen=1415, Seq=2616207626 - 2616209041, Ack=2351429986, Win=258 (scale factor 0x8) = 66048 |
| 23 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #18]Flags=...AP..., SrcPort=62655, DstPort=5985, PayloadLen=810, Seq=2616209041 - 2616209851, Ack=2351429986, Win=258 (scale factor 0x8) = 66048 |
| 24 | {TCP:15, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=...A...., SrcPort=5985, DstPort=62655, PayloadLen=0, Seq=2351429986, Ack=2616203381, Win=259 (scale factor 0x8) = 66304 |
| 25 | {TCP:15, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=...A...., SrcPort=5985, DstPort=62655, PayloadLen=0, Seq=2351429986, Ack=2616207626, Win=259 (scale factor 0x8) = 66304 |
| 26 | {TCP:15, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=...A...., SrcPort=5985, DstPort=62655, PayloadLen=0, Seq=2351429986, Ack=2616209851, Win=259 (scale factor 0x8) = 66304 |
| 27 | {HTTP:16, TCP:15, ESP:58, IPv6:57} | Server | Admin | MIME | MIME:MediaType = application/HTTP-Kerberos-session-encrypted |
| 28 | {TCP:15, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:[Continuation to #27]Flags=...AP..., SrcPort=5985, DstPort=62655, PayloadLen=189, Seq=2351431401 - 2351431590, Ack=2616209851, Win=259 (scale factor 0x8) = 66304 |
| 29 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=...A...., SrcPort=62655, DstPort=5985, PayloadLen=0, Seq=2616209851, Ack=2351431590, Win=259 (scale factor 0x8) = 66304 |
| 30 | {HTTP:16, TCP:15, ESP:58, IPv6:57} | Admin | Server | HTTP | HTTP:Request, POST /wsman |
| 31 | {HTTP:16, TCP:15, ESP:58, IPv6:57} | Admin | Server | MIME | MIME: |
| 32 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #31]Flags=...AP..., SrcPort=62655, DstPort=5985, PayloadLen=296, Seq=2616211529 - 2616211825, Ack=2351431590, Win=259 (scale factor 0x8) = 66304 |
| 33 | {TCP:15, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=...A...., SrcPort=5985, DstPort=62655, PayloadLen=0, Seq=2351431590, Ack=2616211825, Win=259 (scale factor 0x8) = 66304 |
| 34 | {HTTP:16, TCP:15, ESP:58, IPv6:57} | Server | Admin | MIME | MIME:MediaType = application/HTTP-Kerberos-session-encrypted |
| 35 | {TCP:15, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:[Continuation to #34]Flags=...AP..., SrcPort=5985, DstPort=62655, PayloadLen=1074, Seq=2351433005 - 2351434079, Ack=2616211825, Win=259 (scale factor 0x8) = 66304 |
| 36 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=...A...., SrcPort=62655, DstPort=5985, PayloadLen=0, Seq=2616211825, Ack=2351434079, Win=259 (scale factor 0x8) = 66304 |
| 37 | {HTTP:16, TCP:15, ESP:58, IPv6:57} | Admin | Server | HTTP | HTTP:Request, POST /wsman |
| 38 | {HTTP:16, TCP:15, ESP:58, IPv6:57} | Admin | Server | MIME | MIME: |
| 39 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #38]Flags=...AP..., SrcPort=62655, DstPort=5985, PayloadLen=296, Seq=2616213503 - 2616213799, Ack=2351434079, Win=259 (scale factor 0x8) = 66304 |
| 40 | {TCP:15, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=...A...., SrcPort=5985, DstPort=62655, PayloadLen=0, Seq=2351434079, Ack=2616213799, Win=259 (scale factor 0x8) = 66304 |
| 41 | {HTTP:16, TCP:15, ESP:58, IPv6:57} | Server | Admin | MIME | MIME:MediaType = application/HTTP-Kerberos-session-encrypted |
| 42 | {TCP:15, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:[Continuation to #41]Flags=...AP..., SrcPort=5985, DstPort=62655, PayloadLen=46, Seq=2351435494 - 2351435540, Ack=2616213799, Win=259 (scale factor 0x8) = 66304 |
| 43 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=...A...., SrcPort=62655, DstPort=5985, PayloadLen=0, Seq=2616213799, Ack=2351435540, Win=259 (scale factor 0x8) = 66304 |
| 44 | {HTTP:16, TCP:15, ESP:58, IPv6:57} | Admin | Server | HTTP | HTTP:Request, POST /wsman |
| 45 | {HTTP:16, TCP:15, ESP:58, IPv6:57} | Admin | Server | MIME | MIME: |
| 46 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #45]Flags=...AP..., SrcPort=62655, DstPort=5985, PayloadLen=296, Seq=2616215477 - 2616215773, Ack=2351435540, Win=259 (scale factor 0x8) = 66304 |
| 47 | {TCP:15, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=...A...., SrcPort=5985, DstPort=62655, PayloadLen=0, Seq=2351435540, Ack=2616215773, Win=259 (scale factor 0x8) = 66304 |
| 48 | {TCP:18, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=......S., SrcPort=62656, DstPort=5985, PayloadLen=0, Seq=2945142219, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 |
| 49 | {TCP:18, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=...A..S., SrcPort=5985, DstPort=62656, PayloadLen=0, Seq=935512, Ack=2945142220, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152 |
| 50 | {TCP:18, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=...A...., SrcPort=62656, DstPort=5985, PayloadLen=0, Seq=2945142220, Ack=935513, Win=259 (scale factor 0x8) = 66304 |
| 51 | {HTTP:19, TCP:18, ESP:58, IPv6:57} | Admin | Server | HTTP | HTTP:Request, POST /wsman, Using Kerberos Authorization |
| 52 | {TCP:18, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #51]Flags=...A...., SrcPort=62656, DstPort=5985, PayloadLen=1415, Seq=2945143635 - 2945145050, Ack=935513, Win=259 (scale factor 0x8) = 66304 |
| 53 | {TCP:18, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=...A...., SrcPort=5985, DstPort=62656, PayloadLen=0, Seq=935513, Ack=2945145050, Win=259 (scale factor 0x8) = 66304 |
| 54 | {TCP:18, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #51]Flags=...A...., SrcPort=62656, DstPort=5985, PayloadLen=1415, Seq=2945145050 - 2945146465, Ack=935513, Win=259 (scale factor 0x8) = 66304 |
| 55 | {TCP:18, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #51]Flags=...A...., SrcPort=62656, DstPort=5985, PayloadLen=1415, Seq=2945146465 - 2945147880, Ack=935513, Win=259 (scale factor 0x8) = 66304 |
| 56 | {TCP:18, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #51]Flags=...A...., SrcPort=62656, DstPort=5985, PayloadLen=1415, Seq=2945147880 - 2945149295, Ack=935513, Win=259 (scale factor 0x8) = 66304 |
| 57 | {TCP:18, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #51]Flags=...A...., SrcPort=62656, DstPort=5985, PayloadLen=1415, Seq=2945149295 - 2945150710, Ack=935513, Win=259 (scale factor 0x8) = 66304 |
| 58 | {TCP:18, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=...A...., SrcPort=5985, DstPort=62656, PayloadLen=0, Seq=935513, Ack=2945149295, Win=259 (scale factor 0x8) = 66304 |
| 59 | {TCP:18, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #51]Flags=...AP..., SrcPort=62656, DstPort=5985, PayloadLen=362, Seq=2945150710 - 2945151072, Ack=935513, Win=259 (scale factor 0x8) = 66304 |
| 60 | {TCP:18, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=...A...., SrcPort=5985, DstPort=62656, PayloadLen=0, Seq=935513, Ack=2945151072, Win=259 (scale factor 0x8) = 66304 |
| 61 | {HTTP:19, TCP:18, ESP:58, IPv6:57} | Server | Admin | HTTP | HTTP:Response, HTTP/1.1, Status Code = 200, URL: /wsman, Using Kerberos Authentication |
| 62 | {HTTP:19, TCP:18, ESP:58, IPv6:57} | Admin | Server | HTTP | HTTP:Request, POST /wsman |
| 63 | {HTTP:19, TCP:18, ESP:58, IPv6:57} | Admin | Server | MIME | MIME: |
| 64 | {TCP:18, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #63]Flags=...A...., SrcPort=62656, DstPort=5985, PayloadLen=1415, Seq=2945152750 - 2945154165, Ack=935854, Win=258 (scale factor 0x8) = 66048 |
| 65 | {TCP:18, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #63]Flags=...AP..., SrcPort=62656, DstPort=5985, PayloadLen=1243, Seq=2945154165 - 2945155408, Ack=935854, Win=258 (scale factor 0x8) = 66048 |
| 66 | {TCP:18, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=...A...., SrcPort=5985, DstPort=62656, PayloadLen=0, Seq=935854, Ack=2945152750, Win=259 (scale factor 0x8) = 66304 |
| 67 | {TCP:18, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=...A...., SrcPort=5985, DstPort=62656, PayloadLen=0, Seq=935854, Ack=2945155408, Win=259 (scale factor 0x8) = 66304 |
| 68 | {HTTP:19, TCP:18, ESP:58, IPv6:57} | Server | Admin | MIME | MIME:MediaType = application/HTTP-Kerberos-session-encrypted |
| 69 | {HTTP:19, TCP:18, ESP:58, IPv6:57} | Admin | Server | HTTP | HTTP:Request, POST /wsman |
| 70 | {HTTP:19, TCP:18, ESP:58, IPv6:57} | Admin | Server | MIME | MIME: |
| 71 | {TCP:18, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #70]Flags=...AP..., SrcPort=62656, DstPort=5985, PayloadLen=345, Seq=2945157086 - 2945157431, Ack=937228, Win=259 (scale factor 0x8) = 66304 |
| 72 | {TCP:18, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=...A...., SrcPort=5985, DstPort=62656, PayloadLen=0, Seq=937228, Ack=2945157431, Win=259 (scale factor 0x8) = 66304 |
| 73 | {HTTP:19, TCP:18, ESP:58, IPv6:57} | Server | Admin | MIME | MIME:MediaType = application/HTTP-Kerberos-session-encrypted |
| 74 | {TCP:18, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:[Continuation to #73]Flags=...AP..., SrcPort=5985, DstPort=62656, PayloadLen=1266, Seq=938643 - 939909, Ack=2945157431, Win=259 (scale factor 0x8) = 66304 |
| 75 | {TCP:18, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=...A...., SrcPort=62656, DstPort=5985, PayloadLen=0, Seq=2945157431, Ack=939909, Win=259 (scale factor 0x8) = 66304 |
| 76 | {HTTP:19, TCP:18, ESP:58, IPv6:57} | Admin | Server | HTTP | HTTP:Request, POST /wsman |
| 77 | {HTTP:19, TCP:18, ESP:58, IPv6:57} | Admin | Server | MIME | MIME: |
| 78 | {TCP:18, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #77]Flags=...AP..., SrcPort=62656, DstPort=5985, PayloadLen=373, Seq=2945159109 - 2945159482, Ack=939909, Win=259 (scale factor 0x8) = 66304 |
| 79 | {TCP:18, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=...A...., SrcPort=5985, DstPort=62656, PayloadLen=0, Seq=939909, Ack=2945159482, Win=259 (scale factor 0x8) = 66304 |
| 80 | {TCP:15, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=...A.R.., SrcPort=62655, DstPort=5985, PayloadLen=0, Seq=2616215773, Ack=2351435540, Win=0 (scale factor 0x8) = 0 |
| 81 | {TCP:20, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=......S., SrcPort=62657, DstPort=5985, PayloadLen=0, Seq=1691474629, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 |
| 82 | {TCP:20, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=...A..S., SrcPort=5985, DstPort=62657, PayloadLen=0, Seq=717738651, Ack=1691474630, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152 |
| 83 | {TCP:20, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=...A...., SrcPort=62657, DstPort=5985, PayloadLen=0, Seq=1691474630, Ack=717738652, Win=259 (scale factor 0x8) = 66304 |
| 84 | {HTTP:21, TCP:20, ESP:58, IPv6:57} | Admin | Server | HTTP | HTTP:Request, POST /wsman, Using Kerberos Authorization |
| 85 | {TCP:20, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #84]Flags=...A...., SrcPort=62657, DstPort=5985, PayloadLen=1415, Seq=1691476045 - 1691477460, Ack=717738652, Win=259 (scale factor 0x8) = 66304 |
| 86 | {TCP:20, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=...A...., SrcPort=5985, DstPort=62657, PayloadLen=0, Seq=717738652, Ack=1691477460, Win=259 (scale factor 0x8) = 66304 |
| 87 | {TCP:20, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #84]Flags=...A...., SrcPort=62657, DstPort=5985, PayloadLen=1415, Seq=1691477460 - 1691478875, Ack=717738652, Win=259 (scale factor 0x8) = 66304 |
| 88 | {TCP:20, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #84]Flags=...A...., SrcPort=62657, DstPort=5985, PayloadLen=1415, Seq=1691478875 - 1691480290, Ack=717738652, Win=259 (scale factor 0x8) = 66304 |
| 89 | {TCP:20, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #84]Flags=...A...., SrcPort=62657, DstPort=5985, PayloadLen=1415, Seq=1691480290 - 1691481705, Ack=717738652, Win=259 (scale factor 0x8) = 66304 |
| 90 | {TCP:20, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #84]Flags=...A...., SrcPort=62657, DstPort=5985, PayloadLen=1415, Seq=1691481705 - 1691483120, Ack=717738652, Win=259 (scale factor 0x8) = 66304 |
| 91 | {TCP:20, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=...A...., SrcPort=5985, DstPort=62657, PayloadLen=0, Seq=717738652, Ack=1691481705, Win=259 (scale factor 0x8) = 66304 |
| 92 | {TCP:20, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #84]Flags=...AP..., SrcPort=62657, DstPort=5985, PayloadLen=362, Seq=1691483120 - 1691483482, Ack=717738652, Win=259 (scale factor 0x8) = 66304 |
| 93 | {TCP:20, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=...A...., SrcPort=5985, DstPort=62657, PayloadLen=0, Seq=717738652, Ack=1691483482, Win=259 (scale factor 0x8) = 66304 |
| 94 | {HTTP:21, TCP:20, ESP:58, IPv6:57} | Server | Admin | HTTP | HTTP:Response, HTTP/1.1, Status Code = 200, URL: /wsman, Using Kerberos Authentication |
| 95 | {HTTP:21, TCP:20, ESP:58, IPv6:57} | Admin | Server | HTTP | HTTP:Request, POST /wsman |
| 96 | {HTTP:21, TCP:20, ESP:58, IPv6:57} | Admin | Server | MIME | MIME: |
| 97 | {TCP:20, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:[Continuation to #96]Flags=...AP..., SrcPort=62657, DstPort=5985, PayloadLen=129, Seq=1691485160 - 1691485289, Ack=717738993, Win=258 (scale factor 0x8) = 66048 |
| 98 | {TCP:20, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:Flags=...A...., SrcPort=5985, DstPort=62657, PayloadLen=0, Seq=717738993, Ack=1691485289, Win=259 (scale factor 0x8) = 66304 |
| 99 | {HTTP:19, TCP:18, ESP:58, IPv6:57} | Server | Admin | MIME | MIME:MediaType = application/HTTP-Kerberos-session-encrypted |
| 100 | {TCP:18, ESP:58, IPv6:57} | Server | Admin | TCP | TCP:[Continuation to #99]Flags=...AP..., SrcPort=5985, DstPort=62656, PayloadLen=409, Seq=941324 - 941733, Ack=2945159482, Win=259 (scale factor 0x8) = 66304 |
| 101 | {TCP:18, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=...A...., SrcPort=62656, DstPort=5985, PayloadLen=0, Seq=2945159482, Ack=941733, Win=259 (scale factor 0x8) = 66304 |
| 102 | {HTTP:21, TCP:20, ESP:58, IPv6:57} | Server | Admin | MIME | MIME:MediaType = application/HTTP-Kerberos-session-encrypted |
| 103 | {TCP:20, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=...A.R.., SrcPort=62657, DstPort=5985, PayloadLen=0, Seq=1691485289, Ack=717740121, Win=0 (scale factor 0x8) = 0 |
| 104 | {TCP:18, ESP:58, IPv6:57} | Admin | Server | TCP | TCP:Flags=...A.R.., SrcPort=62656, DstPort=5985, PayloadLen=0, Seq=2945159482, Ack=941733, Win=0 (scale factor 0x8) = 0 |

 

Command = Invoke-Command –Session $s {Get-Service LanManServer}

| # | Conversation ID | Source | Dest | Protocol | Description |
|---|---|---|---|---|---|
| 1 | | | | NetmonFilter | NetmonFilter:Updated Capture Filter: Source == "Server" OR Destination == "Server" |
| 2 | | | | NetworkInfoEx | NetworkInfoEx:Network info for , Network Adapter Count = 1 |
| 3 | {HTTP:43, TCP:42, ESP:7, IPv6:6} | Admin | Server | HTTP | HTTP:Request, POST /wsman |
| 4 | {HTTP:43, TCP:42, ESP:7, IPv6:6} | Admin | Server | MIME | MIME: |
| 5 | {TCP:42, ESP:7, IPv6:6} | Admin | Server | TCP | TCP:[Continuation to #4]Flags=...A...., SrcPort=49783, DstPort=5985, PayloadLen=1415, Seq=2205380353 - 2205381768, Ack=1454111481, Win=259 |
| 6 | {TCP:42, ESP:7, IPv6:6} | Admin | Server | TCP | TCP:[Continuation to #4]Flags=...AP..., SrcPort=49783, DstPort=5985, PayloadLen=1243, Seq=2205381768 - 2205383011, Ack=1454111481, Win=259 |
| 7 | {TCP:42, ESP:7, IPv6:6} | Server | Admin | TCP | TCP:[Segment Lost]Flags=...A...., SrcPort=5985, DstPort=49783, PayloadLen=0, Seq=1454111481, Ack=2205380353, Win=259 |
| 8 | {TCP:42, ESP:7, IPv6:6} | Server | Admin | TCP | TCP:Flags=...A...., SrcPort=5985, DstPort=49783, PayloadLen=0, Seq=1454111481, Ack=2205383011, Win=259 |
| 9 | {HTTP:43, TCP:42, ESP:7, IPv6:6} | Server | Admin | MIME | MIME:MediaType = application/HTTP-Kerberos-session-encrypted |
| 10 | {HTTP:43, TCP:42, ESP:7, IPv6:6} | Admin | Server | HTTP | HTTP:Request, POST /wsman |
| 11 | {HTTP:43, TCP:42, ESP:7, IPv6:6} | Admin | Server | MIME | MIME: |
| 12 | {TCP:42, ESP:7, IPv6:6} | Admin | Server | TCP | TCP:[Continuation to #11]Flags=...AP..., SrcPort=49783, DstPort=5985, PayloadLen=345, Seq=2205384689 - 2205385034, Ack=1454112855, Win=254 |
| 13 | {TCP:42, ESP:7, IPv6:6} | Server | Admin | TCP | TCP:Flags=...A...., SrcPort=5985, DstPort=49783, PayloadLen=0, Seq=1454112855, Ack=2205385034, Win=259 |
| 14 | {HTTP:43, TCP:42, ESP:7, IPv6:6} | Server | Admin | MIME | MIME:MediaType = application/HTTP-Kerberos-session-encrypted |
| 15 | {TCP:42, ESP:7, IPv6:6} | Server | Admin | TCP | TCP:[Continuation to #14]Flags=...AP..., SrcPort=5985, DstPort=49783, PayloadLen=1266, Seq=1454114270 - 1454115536, Ack=2205385034, Win=259 |
| 16 | {TCP:42, ESP:7, IPv6:6} | Admin | Server | TCP | TCP:Flags=...A...., SrcPort=49783, DstPort=5985, PayloadLen=0, Seq=2205385034, Ack=1454115536, Win=259 |
| 17 | {HTTP:43, TCP:42, ESP:7, IPv6:6} | Admin | Server | HTTP | HTTP:Request, POST /wsman |
| 18 | {HTTP:43, TCP:42, ESP:7, IPv6:6} | Admin | Server | MIME | MIME: |
| 19 | {TCP:42, ESP:7, IPv6:6} | Admin | Server | TCP | TCP:[Continuation to #18]Flags=...AP..., SrcPort=49783, DstPort=5985, PayloadLen=373, Seq=2205386712 - 2205387085, Ack=1454115536, Win=259 |
| 20 | {TCP:42, ESP:7, IPv6:6} | Server | Admin | TCP | TCP:Flags=...A...., SrcPort=5985, DstPort=49783, PayloadLen=0, Seq=1454115536, Ack=2205387085, Win=259 |
| 21 | {HTTP:43, TCP:42, ESP:7, IPv6:6} | Server | Admin | MIME | MIME:MediaType = application/HTTP-Kerberos-session-encrypted |
| 22 | {TCP:42, ESP:7, IPv6:6} | Server | Admin | TCP | TCP:[Continuation to #21]Flags=...AP..., SrcPort=5985, DstPort=49783, PayloadLen=409, Seq=1454116951 - 1454117360, Ack=2205387085, Win=259 |
| 23 | {TCP:42, ESP:7, IPv6:6} | Admin | Server | TCP | TCP:Flags=...A...., SrcPort=49783, DstPort=5985, PayloadLen=0, Seq=2205387085, Ack=1454117360, Win=259 |
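
The two Invoke-Command captures above are easier to compare once they are reduced to a few counters: how many brand-new TCP connections to port 5985 were opened, how many POSTs to /wsman carried a Kerberos authorization (a fresh authentication exchange), and how many reply bodies came back as application/HTTP-Kerberos-session-encrypted. The script below is an added example, not code from the original post or from Netmon; it parses frame summaries in the same column order as the tables (#, Conversation ID, Source, Dest, Protocol, Description) from a constructed subset of the rows above, and needs PowerShell 3.0 or later for the [ordered] and [pscustomobject] syntax.

```powershell
# Added example, not part of the original post. Summarizes Netmon-style frame
# summaries; the rows below are a constructed subset of the two captures above,
# written as "#|ConvId|Source|Dest|Protocol|Description".
$captures = [ordered]@{
    'Invoke-Command josebda-s0'  = @'
3|{TCP:15, ESP:58, IPv6:57}|Admin|Server|TCP|TCP:Flags=......S., SrcPort=62655, DstPort=5985, PayloadLen=0
6|{HTTP:16, TCP:15, ESP:58, IPv6:57}|Admin|Server|HTTP|HTTP:Request, POST /wsman, Using Kerberos Authorization
16|{HTTP:16, TCP:15, ESP:58, IPv6:57}|Server|Admin|HTTP|HTTP:Response, HTTP/1.1, Status Code = 200, URL: /wsman, Using Kerberos Authentication
17|{HTTP:16, TCP:15, ESP:58, IPv6:57}|Admin|Server|HTTP|HTTP:Request, POST /wsman
27|{HTTP:16, TCP:15, ESP:58, IPv6:57}|Server|Admin|MIME|MIME:MediaType = application/HTTP-Kerberos-session-encrypted
48|{TCP:18, ESP:58, IPv6:57}|Admin|Server|TCP|TCP:Flags=......S., SrcPort=62656, DstPort=5985, PayloadLen=0
51|{HTTP:19, TCP:18, ESP:58, IPv6:57}|Admin|Server|HTTP|HTTP:Request, POST /wsman, Using Kerberos Authorization
81|{TCP:20, ESP:58, IPv6:57}|Admin|Server|TCP|TCP:Flags=......S., SrcPort=62657, DstPort=5985, PayloadLen=0
84|{HTTP:21, TCP:20, ESP:58, IPv6:57}|Admin|Server|HTTP|HTTP:Request, POST /wsman, Using Kerberos Authorization
'@
    'Invoke-Command -Session $s' = @'
3|{HTTP:43, TCP:42, ESP:7, IPv6:6}|Admin|Server|HTTP|HTTP:Request, POST /wsman
5|{TCP:42, ESP:7, IPv6:6}|Admin|Server|TCP|TCP:[Continuation to #4]Flags=...A...., SrcPort=49783, DstPort=5985, PayloadLen=1415
9|{HTTP:43, TCP:42, ESP:7, IPv6:6}|Server|Admin|MIME|MIME:MediaType = application/HTTP-Kerberos-session-encrypted
10|{HTTP:43, TCP:42, ESP:7, IPv6:6}|Admin|Server|HTTP|HTTP:Request, POST /wsman
14|{HTTP:43, TCP:42, ESP:7, IPv6:6}|Server|Admin|MIME|MIME:MediaType = application/HTTP-Kerberos-session-encrypted
17|{HTTP:43, TCP:42, ESP:7, IPv6:6}|Admin|Server|HTTP|HTTP:Request, POST /wsman
'@
}

function ConvertFrom-FrameSummary {
    # Turns one pipe-delimited row per frame into objects with the table's columns.
    param([string]$Rows)
    foreach ($line in ($Rows -split "`r?`n")) {
        if (-not $line.Trim()) { continue }
        $f = $line -split '\|', 6          # at most 6 fields: description may contain no pipes here
        [pscustomobject]@{
            Frame       = [int]$f[0]
            ConvId      = $f[1]
            Source      = $f[2]
            Dest        = $f[3]
            Protocol    = $f[4]
            Description = $f[5]
        }
    }
}

function Get-CaptureSummary {
    param([string]$Command, [string]$Rows)
    $frames = @(ConvertFrom-FrameSummary -Rows $Rows)

    # A bare SYN from the admin box (Flags=......S.) is a new TCP connection to WinRM.
    $syns    = @($frames | Where-Object { $_.Protocol -eq 'TCP' -and $_.Description -match 'Flags=\.{6}S\.' })
    # Each "Using Kerberos Authorization" POST is a fresh authentication round trip.
    $krbAuth = @($frames | Where-Object { $_.Description -match 'Using Kerberos Authorization' })
    $posts   = @($frames | Where-Object { $_.Description -match 'POST /wsman' })
    # Reply bodies sealed by the Kerberos session key, even though the transport is plain HTTP.
    $sealed  = @($frames | Where-Object { $_.Description -match 'HTTP-Kerberos-session-encrypted' })
    # Destination ports the admin box talked to, taken from the TCP summaries.
    $ports   = @($frames | Where-Object { $_.Source -eq 'Admin' -and $_.Description -match 'DstPort=\d+' } |
                ForEach-Object { $_.Description -replace '^.*DstPort=(\d+).*$', '$1' } | Sort-Object -Unique)

    [pscustomobject]@{
        Command           = $Command
        Frames            = $frames.Count
        NewTcpConnections = $syns.Count
        KerberosAuthPosts = $krbAuth.Count
        WsmanPosts        = $posts.Count
        SealedReplyBodies = $sealed.Count
        DestPorts         = ($ports -join ',')
    }
}

$captures.GetEnumerator() |
    ForEach-Object { Get-CaptureSummary -Command $_.Key -Rows $_.Value } |
    Format-Table -AutoSize
```

Applied to the full tables, the first capture's three SYN frames (3, 48 and 81) and three "Using Kerberos Authorization" POSTs line up one-to-one: every new connection pays for a new authentication before the first SOAP body is accepted, which is the per-call cost that the –Session form avoids. In both captures the server's reply bodies are carried as application/HTTP-Kerberos-session-encrypted, so a capture on port 5985 shows SOAP envelopes only as opaque MIME parts despite the transport being HTTP rather than HTTPS.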

 

 

7. Conclusion

While the multiple ways to gather information about services on a remote computer look similar on the surface, they are radically different underneath.

This is by no means an exhaustive study of all the details of each option, but I believe there is enough here to cover the main differences.

At first, Invoke-Command seems like an ideal choice for Administrators, since you can run any PowerShell commandlet remotely and leverage Web Services over HTTP (a common choice for modern solutions).

That’s until you look at the performance issue and the lack of methods on the resulting deserialized objects.

If you are an IT Administrator executing just a few commands every once in a while, those issues might not make much of a difference.
If you intend to run a lot of commands against the same server with Invoke-Command, using the –Session option will save quite some time, but then things get a bit more complicated.

Get-WMIObject provides a lot of functionality, due to the large number of WMI providers available, and it’s always remotable.

Performance is better than Invoke-Command for a single command per server, and the resulting objects do have methods you can call.

You do have to get familiar with the WMI classes and learn how to write queries. This is not a big deal for developers, but it can turn off IT Administrators.

If the specific action you are trying to accomplish can be performed remotely with an RPC-based cmdlet like Get-Service, that’s probably your best choice.

If you are doing something in a loop inside another loop for a large set of servers, the performance issue might make the other options less attractive.

The main issue here is that not all cmdlets support the –ComputerName option, and you’re likely to need to combine this with the other options.
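To put numbers on the "one command versus many commands" trade-off discussed above, here is an added example (not from the original post) that times the four approaches against one server and then checks which of the returned objects still carry control methods. It assumes a server name in $server (josebda-s0 from the post is used as a placeholder), that WinRM is enabled on that server, an account allowed to use all three paths, and PowerShell 3.0 or later for the [pscustomobject] syntax; the Measure-RemoteCall and Test-HasControlMethods helpers are this example's own, not PowerShell cmdlets.

```powershell
# Added example, not part of the original post. $server is a placeholder.
$server     = 'josebda-s0'
$iterations = 20

function Measure-RemoteCall {
    # Runs $Call $Count times and reports total and per-call wall-clock time.
    param([string]$Label, [scriptblock]$Call, [int]$Count)
    $elapsed = Measure-Command { 1..$Count | ForEach-Object { & $Call } }
    [pscustomobject]@{
        Method    = $Label
        Calls     = $Count
        TotalMs   = [math]::Round($elapsed.TotalMilliseconds)
        PerCallMs = [math]::Round($elapsed.TotalMilliseconds / $Count, 1)
    }
}

function Test-HasControlMethods {
    # True when the object still exposes Stop (ServiceController) or
    # StopService (Win32_Service); deserialized WinRM output has neither.
    param($Object)
    $names = @($Object | Get-Member -MemberType Method | ForEach-Object { $_.Name })
    [bool](($names -contains 'Stop') -or ($names -contains 'StopService'))
}

# One persistent session for the fourth variant; the third opens a new one per call.
$session = New-PSSession -ComputerName $server

$timings = @(
    Measure-RemoteCall 'RPC   (Get-Service -ComputerName)'   { Get-Service LanManServer -ComputerName $server } $iterations
    Measure-RemoteCall 'WMI   (Get-WmiObject -ComputerName)' { Get-WmiObject Win32_Service -ComputerName $server -Filter "Name='LanManServer'" } $iterations
    Measure-RemoteCall 'WinRM (Invoke-Command, new session)' { Invoke-Command -ComputerName $server -ScriptBlock { Get-Service LanManServer } } $iterations
    Measure-RemoteCall 'WinRM (Invoke-Command -Session)'     { Invoke-Command -Session $session -ScriptBlock { Get-Service LanManServer } } $iterations
)
$timings | Format-Table -AutoSize

# What comes back: live objects for RPC and WMI, property bags for WinRM.
$samples = @(
    @{ Path = 'RPC';   Object = Get-Service LanManServer -ComputerName $server }
    @{ Path = 'WMI';   Object = Get-WmiObject Win32_Service -ComputerName $server -Filter "Name='LanManServer'" }
    @{ Path = 'WinRM'; Object = Invoke-Command -Session $session -ScriptBlock { Get-Service LanManServer } }
)
foreach ($s in $samples) {
    '{0,-6} type={1,-50} control methods={2}' -f $s.Path, $s.Object.GetType().FullName, (Test-HasControlMethods $s.Object)
}

Remove-PSSession $session
```

The per-call figure for the "new session" row is the cost the three-way handshake plus Kerberos exchange seen in the capture adds to every invocation; the -Session row reuses one authenticated connection, which is the saving the text refers to. The type line for the WinRM object shows the Deserialized prefix that explains why Stop and Start are missing from it.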

 

Here’s a summary of the main points:

| Attribute | RPC | WMI | WinRM | WinRM (w/session) |
|---|---|---|---|---|
| Ease of use by IT Administrator | ++ | -- | + | - |
| Ease of use by Developer | ++ | + | ++ | ++ |
| Returns objects with methods | + | + | - | - |
| Uses web services over HTTP protocol | - | - | + | + |
| Many available commandlets/providers | - | + | ++ | ++ |
| Performance for a single command | ++ | ++ | ++ | ++ |
| Performance for a thousand commands | ++ | - | -- | + |

 

I hope this post has helped you understand your choices so you can select the best option for your specific case.

  • Excellent post and backs up my own feeling in an objective manner. Maybe worth adding that you want to filter out as much data as possible in a WMI query rather than pull back all data and filter locally in PowerShell (specifically when querying something like the remote event log)
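
The filtering point raised in the comment above is worth seeing in code, since the WMI path's DCOM traffic in the capture scales with the number of objects returned. Below is an added example (not from the original post or the commenter) that pulls failed-logon records (Security log, event ID 4625) from a remote event log two ways: once with Get-WmiObject returning every Win32_NTLogEvent and Where-Object discarding the rest locally, and once with a WQL query whose WHERE clause runs inside the remote WMI service. It assumes a placeholder server name in $server (josebda-s0 from the post), an account permitted to read the target's Security log, and that the target's clock and time zone are sane enough for the 24-hour window to be meaningful.

```powershell
# Added example, not part of the original post or the comment. $server is a placeholder.
$server     = 'josebda-s0'
$cutoff     = (Get-Date).AddHours(-24)
# WQL compares datetime properties against DMTF-formatted strings.
$cutoffDmtf = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($cutoff)

# 1. Client-side filter: every record from every log on the target is marshalled
#    over DCOM as a full object, then most of it is thrown away here.
$sw = [System.Diagnostics.Stopwatch]::StartNew()
$clientSide = @(Get-WmiObject -Class Win32_NTLogEvent -ComputerName $server |
    Where-Object {
        $_.Logfile -eq 'Security' -and $_.EventCode -eq 4625 -and
        [System.Management.ManagementDateTimeConverter]::ToDateTime($_.TimeWritten) -ge $cutoff
    })
$clientMs = $sw.ElapsedMilliseconds

# 2. Server-side filter: the WHERE clause is evaluated by the remote WMI service and
#    SELECT names only the properties needed, so only matching rows cross the wire.
$wql = "SELECT RecordNumber, TimeWritten, EventCode, Message FROM Win32_NTLogEvent " +
       "WHERE Logfile = 'Security' AND EventCode = 4625 AND TimeWritten >= '$cutoffDmtf'"
$sw = [System.Diagnostics.Stopwatch]::StartNew()
$serverSide = @(Get-WmiObject -Query $wql -ComputerName $server)
$serverMs = $sw.ElapsedMilliseconds

'{0,-12} {1,6} records in {2,8} ms' -f 'client-side', $clientSide.Count, $clientMs
'{0,-12} {1,6} records in {2,8} ms' -f 'server-side', $serverSide.Count, $serverMs

# Both paths must agree on the record set; only the amount of data moved differs.
$clientIds = @($clientSide | ForEach-Object { $_.RecordNumber }) | Sort-Object
$serverIds = @($serverSide | ForEach-Object { $_.RecordNumber }) | Sort-Object
"Same record set: $(($clientIds -join ',') -eq ($serverIds -join ','))"
```

The first form can take minutes on a server with a large Security log, because the enumeration in the capture (IWbemWCOSmartEnum::Next and its TCP continuations) repeats for every record; the -Query form returns the same records and moves only those. The same -Filter or -Query shape applies to any class, not just the event log.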