Forum Discussion
Get-Service fails but Invoke-Command {Get-Service} succeeds
I'm trying to run a series of PowerShell commands on my desktop computer that connect to one of the corporate servers and checks on the status of the services there. I'm doing a Run As on the PowerShell ISE and sign on using an account that is in the Administrators group of the remote server. This command fails:
Get-Service -ComputerName SRV-TSTD123 -DisplayName *Dynamic* Microsoft.PowerShell.Management\Get-Service : Cannot open Service Control Manager on computer 'SRV-TSTD123'. This operation might require other privileges. At line:1 char:1 + Microsoft.PowerShell.Management\Get-Service -ComputerName SRV-TSTD123 ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Get-Service], InvalidOperationException + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand
What's super weird is that this command works:
invoke-command -computername srv-tstd123 -scriptblock {powershell Get-Service -DisplayName *Dynamic* } Status Name DisplayName ------ ---- ----------- Running DynGP18eConnect eConnect for Microsoft Dynamics GP ... Running DynGPWebService Microsoft Dynamics GP Service Host Stopped eConnect_Incomi... eConnect Incoming Service for Micro... Stopped econnect_outgoi... eConnect Outgoing Service for Micro... Running PostMasterService Post Master Enterprise for Dynamics GP
This command is part of a script supplied by a third party so I'd prefer to solve the root cause of this inconsistent behaviour rather than make a dozen changes to the script. Any idea why the behaviour is so inconsistent?
Ken
- Hello everyone,
I ended up engaging the entire Infrastructure team from my office and we managed to solve the problem by slightly loosening our firewall rules. According to my firewall admin: The firewall rule required ms service controller to be allowed.
This issue is now resolved. Thanks.
Ken
- Ken_SQLDBACopper ContributorHello everyone,
I ended up engaging the entire Infrastructure team from my office and we managed to solve the problem by slightly loosening our firewall rules. According to my firewall admin: The firewall rule required ms service controller to be allowed.
This issue is now resolved. Thanks.
Ken- LainRobertsonSilver Contributor
The two commands use completely different connection protocols:
- Get-Service uses RPC (TCP 135);
- Invoke-Command uses WinRM (TCP 5985).
For my environment, I only allow WinRM as without going into the "why", it's most often faster and - indirectly - more secure. I also tend to configure secure WinRM (TCP 5986 using TLS) and block the default non-TLS endpoint (TCP 5985) using the Windows Advanced Firewall (where possible).
In any event, RPC is still commonly utilised in PowerShell and it meets your brief. Just note - purely for educational purposes - that it's also one of the most historically targeted protocols for exploits.
Cheers,
Lain
- Ken_SQLDBACopper ContributorThanks for the explanation. Would you say that the long term solution is to replace "Get-Service ..." with "Invoke-Command {Get-Service ...}"?