Ken_SQLDBA
Copper Contributor
Nov 06, 2023

Get-Service fails but Invoke-Command {Get-Service} succeeds

I'm trying to run a series of PowerShell commands on my desktop computer that connect to one of the corporate servers and check on the status of the services there. I'm doing a Run As on the PowerShell ISE and signing on using an account that is in the Administrators group of the remote server. This command fails:

Get-Service -ComputerName SRV-TSTD123 -DisplayName *Dynamic*
Microsoft.PowerShell.Management\Get-Service : Cannot open Service Control Manager on computer 'SRV-TSTD123'. This operation might require other 
    privileges.
    At line:1 char:1
    + Microsoft.PowerShell.Management\Get-Service -ComputerName SRV-TSTD123 ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Get-Service], InvalidOperationException
        + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand

What's super weird is that this command works:

invoke-command -computername srv-tstd123 -scriptblock {powershell Get-Service -DisplayName *Dynamic* }

Status   Name               DisplayName                           
------   ----               -----------                           
Running  DynGP18eConnect    eConnect for Microsoft Dynamics GP ...
Running  DynGPWebService    Microsoft Dynamics GP Service Host    
Stopped  eConnect_Incomi... eConnect Incoming Service for Micro...
Stopped  econnect_outgoi... eConnect Outgoing Service for Micro...
Running  PostMasterService  Post Master Enterprise for Dynamics GP

This command is part of a script supplied by a third party so I'd prefer to solve the root cause of this inconsistent behaviour rather than make a dozen changes to the script. Any idea why the behaviour is so inconsistent?

Ken

  • Ken_SQLDBA
    Copper Contributor
    Hello everyone,
    I ended up engaging the entire Infrastructure team from my office and we managed to solve the problem by slightly loosening our firewall rules. According to my firewall admin: The firewall rule required ms service controller to be allowed.

    This issue is now resolved. Thanks.

    Ken
    • LainRobertson
      Silver Contributor

      Ken_SQLDBA

      The two commands use completely different connection protocols:

      • Get-Service uses RPC (TCP 135);
      • Invoke-Command uses WinRM (TCP 5985).

      For my environment, I only allow WinRM as without going into the "why", it's most often faster and - indirectly - more secure. I also tend to configure secure WinRM (TCP 5986 using TLS) and block the default non-TLS endpoint (TCP 5985) using the Windows Advanced Firewall (where possible).

      In any event, RPC is still commonly utilised in PowerShell and it meets your brief. Just note - purely for educational purposes - that it's also one of the most historically targeted protocols for exploits.

      Cheers,

      Lain

      • Ken_SQLDBA
        Copper Contributor
        Thanks for the explanation. Would you say that the long term solution is to replace "Get-Service ..." with "Invoke-Command {Get-Service ...}"?
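
A diagnostic for the protocol split described in this thread, added here as an example and not code from either poster or from the third-party script: it reports which of the three ports named above the firewall lets through, then runs the service query over WinRM. The function names are hypothetical, and it assumes Windows PowerShell with Test-NetConnection available on the desktop.

```powershell
# Added example. Function names are hypothetical; SRV-TSTD123 is the host from the thread.
function Test-ServiceQueryPath {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ComputerName)

    # Ports as named in the thread. TCP 135 is only the RPC endpoint mapper:
    # the service-control call itself then moves to a dynamically assigned port,
    # so "135 reachable" is necessary but not sufficient for Get-Service -ComputerName.
    $paths = [ordered]@{
        'RPC (Get-Service -ComputerName)'    = 135
        'WinRM HTTP (Invoke-Command)'        = 5985
        'WinRM TLS (Invoke-Command -UseSSL)' = 5986
    }
    foreach ($p in $paths.GetEnumerator()) {
        [pscustomobject]@{
            ComputerName = $ComputerName
            Path         = $p.Key
            Port         = $p.Value
            Reachable    = Test-NetConnection -ComputerName $ComputerName -Port $p.Value `
                               -InformationLevel Quiet -WarningAction SilentlyContinue
        }
    }
}

function Get-RemoteServiceViaWinRM {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$DisplayName,
        [switch]$UseSSL
    )
    # Get-Service runs on the server itself; only WinRM crosses the firewall.
    Invoke-Command -ComputerName $ComputerName -UseSSL:$UseSSL -ScriptBlock {
        Get-Service -DisplayName $using:DisplayName |
            Select-Object Status, Name, DisplayName
    }
}

$server = 'SRV-TSTD123'
$result = Test-ServiceQueryPath -ComputerName $server
$result | Format-Table -AutoSize

# Prefer the TLS listener, fall back to plain WinRM, otherwise report the blocked paths.
if (($result | Where-Object Port -eq 5986).Reachable) {
    Get-RemoteServiceViaWinRM -ComputerName $server -DisplayName '*Dynamic*' -UseSSL
} elseif (($result | Where-Object Port -eq 5985).Reachable) {
    Get-RemoteServiceViaWinRM -ComputerName $server -DisplayName '*Dynamic*'
} else {
    Write-Warning "No WinRM listener reachable on $server; check firewall rules for TCP 5985/5986."
}
```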
