PowerShell Remoting: Cheat Sheet and Guide

IT Pros, PowerShell

Windows PowerShell 2.0 made a powerful new technology available for system administrators: remoting. Remoting has increased in importance in each PowerShell iteration since then, and future Microsoft products will rely on it for network management. Unfortunately, remoting in PowerShell also relies on a set of quite complex components, and these work in a way that is counter-intuitive for beginners in PowerShell.

In this guide, we’ll give you a quick introduction to what PowerShell remoting is, and how it works. We’ll show you how to set up remoting on your system, and how to use it. We’ll also explain how remoting can be used alongside Varonis Edge to protect your systems from cyberattacks.

Quick Review: What is PowerShell Remoting?

PowerShell remoting is a way to reach other machines across a network and run PowerShell commands on them. It builds on earlier, narrower forms of remote execution: a number of cmdlets have long carried a -ComputerName parameter that lets them query or act on a remote machine over RPC/DCOM, but each of those cmdlets can only do its own job remotely.

PowerShell remoting provides the same capability for your entire system. This means that anything you can do with PowerShell on your own machine, you can execute remotely on another. Instead of relying on particular cmdlets to provide remoting functions, you can simply transfer any PowerShell commands to a remote machine, wait for these to run, and then send the results back to you.

Remote PowerShell Uses

The uses of PowerShell remoting are too numerous to list completely. Anything you can run in PowerShell, including pipelines and the objects they pass along, can be executed on a remote machine. Some tasks are still best run from your own machine, such as managing user groups in Active Directory or monitoring file usage, because the cmdlets involved already talk to the relevant server.

Other tasks are best run on the remote machines themselves: maintaining the software installed on a particular server, rolling out security or other patches across every machine in your network, monitoring a single machine's usage pattern, and, as a more advanced use covered in the cheat sheet toward the end of this guide, pentesting remote networks.

Each of these uses relies on a different way of using PowerShell, which we’ll cover below.

How to Enable PowerShell Remoting

In order to get started with PowerShell remoting, you will need a few key components:

  • Because PowerShell remoting is built on Windows Remote Management (WinRM), Microsoft's implementation of the WS-Management protocol, you need systems that support it. WinRM ships with Windows 7, Windows Server 2008 R2 and every later version of Windows; on Windows Vista SP1 and Windows Server 2008 it arrives with Windows Management Framework 2.0.
  • We’ll also assume, in the following guide, that you have a pre-existing network to work with, and a pre-existing installation of PowerShell.
  • Also, note that remoting counts as a fairly advanced technique in PowerShell, and so you should be familiar with the basics of working with PowerShell before you move to remoting.

Finally, be aware that PowerShell remoting relies on your target machines running PowerShell 2.0 or later with the WinRM service, and on the connecting account having permission to use the remote session: by default only members of the target's local Administrators group (and, on Windows 8 / Server 2012 and later, the Remote Management Users group) are allowed in. We'll go over the setup in the next section, where we'll show you how to enable remoting on your network.

Enable-PSRemoting

The first step in setting up PowerShell remoting is to allow the computers you want to control remotely to accept incoming remote connections. Client versions of Windows do not accept incoming WinRM connections by default (Windows Server 2012 and later do), so your first step will be to turn them on.

To do this, you will need access to the computer you want to access. On this computer, open PowerShell with admin privileges. You will now need to execute the following command:

Enable-PSRemoting -Force

This command starts the WinRM service, through which your remote commands will be sent, sets the service to start automatically, creates an HTTP listener on TCP port 5985, adds a firewall rule that allows incoming connections to it, and registers the default session configurations that remote users connect to. The -Force switch simply means that PowerShell performs these steps without prompting you for each one. One caveat: if any network adapter is on the Public network profile, the cmdlet refuses to add the firewall rule and fails; on a machine where that profile is correct for the network you are on, add -SkipNetworkProfileCheck and then restrict the firewall rule to the addresses you expect connections from.

For some systems, this will be all the configuration you need. If all of your computers are part of the same Active Directory domain, Kerberos handles authentication and you can now use remoting. If they are not, which will be the case for most home and small business networks, you'll also have to tell the connecting computer which targets it may authenticate to, and we'll explain how to do that now.

Do I Need To Configure TrustedHosts?

If your computers aren't all in the same domain, WinRM cannot use Kerberos and falls back to NTLM, which means the client has no way to verify the identity of the machine it is about to send credentials to. For that reason the WinRM client refuses to connect to a non-domain host unless you have listed it explicitly. Make sure, before you begin, that you've enabled remoting on the targets as described in the previous section.

The setting that controls this is TrustedHosts, and despite the name it is a client-side setting: it lives under the Client node of the WSMan: drive and is configured only on the PC you are connecting from, not on the targets. If you want the client to be willing to connect to any machine, you can tell it to do that using the following command (run in an elevated PowerShell console):

Set-Item wsman:\localhost\client\trustedhosts *

In this command, the asterisk is a wildcard and stands for any host. That is convenient for a lab, but it means the client will hand your credentials, via NTLM, to whatever name or address you type, including a machine an attacker has put in place of the real one, so do not leave it set that way. Instead, replace the asterisk with a comma-separated list of the IP addresses or computer names you actually manage, for example "10.0.0.22,10.0.0.23". Note that the name you list must match the name you later pass to -ComputerName exactly. For a workgroup, you will also need to supply -Credential with an account that is a local administrator on the target when you connect.

To make sure the new setting is picked up, restart WinRM on the client:

Restart-Service WinRM

Repeat this on every computer you want to connect from; the targets themselves only need Enable-PSRemoting.

Test The Connection

Now you have set up your network for PowerShell remoting, you should test your connection to make sure that everything is working. WSMan, the management layer that PowerShell remoting runs on, provides a dedicated cmdlet for that. On the computer you will use to run remote commands, run this:

Test-WSMan COMPUTER

This command sends a WS-Management Identify request to the remote machine over the same channel PowerShell uses to run remote commands. If you see information returned about the WinRM service on the target (its vendor, product and protocol versions), the listener is reachable. If you get an error message, something went wrong: typically the WinRM service or listener is not running on the target, or a firewall is blocking TCP 5985. Note that the Identify request does not authenticate, so a successful Test-WSMan does not prove that your account is allowed in; the next section's Invoke-Command example is the real test of that.
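The whole setup procedure above (enable remoting on the target, add an explicit TrustedHosts entry on the client, restart WinRM and test each target) as one added, runnable example. This is not code from the original article; the host names, the IP address 10.0.0.22 and the network profile situation are assumed for illustration.

```powershell
# Added example: end-to-end remoting setup for two workgroup (non-domain) machines.
# Host names/IPs below are placeholders, not systems from the original article.

# --- On the TARGET machine (elevated PowerShell console) ---
# Starts WinRM, creates the HTTP listener (TCP 5985), adds the firewall rule and
# registers the default session configurations. -SkipNetworkProfileCheck is only
# needed when an adapter is on the Public profile, which otherwise makes this fail.
Enable-PSRemoting -Force -SkipNetworkProfileCheck

# Confirm the listener exists and the service is running and set to start automatically.
Get-ChildItem WSMan:\localhost\Listener
Get-Service WinRM | Select-Object Status, StartType

# --- On the CLIENT machine (elevated PowerShell console) ---
# Trust only the targets you manage. -Concatenate appends to the existing list
# instead of overwriting it; -Force suppresses the confirmation prompt.
$targets = '10.0.0.22', 'workgroup-pc2'
Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($targets -join ',') -Concatenate -Force
Restart-Service WinRM

# Show what the client now trusts (a '*' here should be treated as a finding).
(Get-Item WSMan:\localhost\Client\TrustedHosts).Value

# Probe each target. Test-WSMan returns the target's WinRM identity on success and
# throws on failure, so a try/catch gives a per-host status line.
foreach ($t in $targets) {
    try {
        $r = Test-WSMan -ComputerName $t -ErrorAction Stop
        '{0}: listener OK (WinRM {1})' -f $t, $r.ProductVersion
    } catch {
        '{0}: FAILED - {1}' -f $t, $_.Exception.Message
    }
}

# Test-WSMan does not authenticate. Prove the account is actually allowed in with a
# trivial command; a local administrator on the target is required in a workgroup.
$cred = Get-Credential -UserName '10.0.0.22\varonis' -Message 'Local admin on the target'
Invoke-Command -ComputerName '10.0.0.22' -Credential $cred -ScriptBlock { hostname }
```

The two halves run on different machines, so paste each block into the console of the machine it is labelled for. If you later decommission a target, remove it from TrustedHosts with a fresh Set-Item -Value containing only the hosts that remain.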

Running Remote Commands

Now you have PowerShell configured for remoting on both your computer and those you want to control, it’s time to run some commands. There are a number of ways of doing this. Some cmdlets are able to run remotely even without the configuration steps above; some are best run as a single command, and sometimes you will want to start a session on a remote machine.

Remoting Without Configuration

As we mentioned above, some cmdlets can run remotely without any of the WinRM configuration described earlier. These are normally utilities used to perform basic actions on remote machines or to quickly check their status (services, processes, event logs, WMI classes). They do not use WinRM at all but their own transports, most commonly RPC/DCOM, so they need the corresponding firewall exceptions open on the target (the "Remote Service Management", "Remote Event Log Management" and "WMI" rule groups) and an account with the relevant rights there.

The most commonly used of these are:

There are many others, however. Generally, the cmdlets that can run remotely without configuration are those that have the ComputerName parameter, but don’t have a Session parameter. To return a list of all of these commands, type:

Get-Command | where { $_.parameters.keys -contains "ComputerName" -and $_.parameters.keys -notcontains "Session"}

Running Single Remote Command

The second way to run PowerShell commands remotely is to pass them to your target machines one command at a time. There is a specific cmdlet for doing this. To run a single command:

Invoke-Command -ComputerName COMPUTER -ScriptBlock { COMMAND } -Credential USERNAME

In this command, "COMPUTER" represents the target machine and should be replaced with either the computer's name or its IP address. Inside the braces goes the code to run on the target. -Credential is optional inside a domain, where the command runs as your current account over Kerberos; for a workgroup target, or to run as a different account, supply a user name and the command will prompt you for the password.

In practice, a simple command executed in this way might be to see the contents of the C:\ directory on a remote machine. Let’s say that the IP address of this target computer is 10.0.0.22, and that the username under which you want to execute the command is “varonis”. You can then run:

Invoke-Command -ComputerName 10.0.0.22 -ScriptBlock { Get-ChildItem C:\ } -Credential varonis

Invoking single commands in this way is great for simple tasks, but if you are attempting to do something more complicated, typing out this command each time will get annoying. There are two ways to get around this: either running scripts remotely or starting a persistent session with your target machine.

Running a Script

Running PowerShell scripts via remoting works in much the same way as the Invoke-Command call above. You merely replace the -ScriptBlock parameter with -FilePath pointing at your script:

Invoke-Command -ComputerName Server01, Server02 -FilePath c:\Scripts\DiskCollect.ps1

The path is read on the computer you run Invoke-Command from, not on the targets: PowerShell loads the file locally, sends its contents as a script block and executes it remotely, so the script does not have to be copied to the target machines. In this example, we are also running the script on multiple machines by giving -ComputerName a comma-delimited list; Invoke-Command fans the work out in parallel (32 machines at a time by default, adjustable with -ThrottleLimit) and tags every returned object with the PSComputerName it came from.
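An added example of a one-shot Invoke-Command run against several machines that also handles the case the text does not show: what happens to hosts that are unreachable or refuse the connection. This is not code from the original article; the computer names and the demo\serveradmin account are assumed for illustration.

```powershell
# Added example: fan one script block out to several hosts, keep what came back,
# and report the hosts that did not answer. Names/account are placeholders.

$computers = 'Server01', 'Server02', 'Server03'
$cred      = Get-Credential -UserName 'demo\serveradmin' -Message 'Remote admin account'

$results = Invoke-Command -ComputerName $computers -Credential $cred `
    -ThrottleLimit 16 `
    -ErrorAction SilentlyContinue -ErrorVariable remoteErrors `
    -ScriptBlock {
        # Everything in here runs on the remote machine. Local variables are not
        # visible; pass them in with $using:name or -ArgumentList if you need them.
        $os = Get-CimInstance Win32_OperatingSystem
        [pscustomobject]@{
            OSVersion  = $os.Version
            LastBoot   = $os.LastBootUpTime
            WinRMStart = (Get-Service WinRM).StartType
            FreeGB     = [math]::Round((Get-PSDrive C).Free / 1GB, 1)
        }
    }

# Objects that cross the wire come back deserialized and gain a PSComputerName property.
$results | Sort-Object PSComputerName |
    Format-Table PSComputerName, OSVersion, LastBoot, WinRMStart, FreeGB -AutoSize

# Hosts that could not be reached, or rejected the credential, produce an error
# record instead of a result; TargetObject carries the computer name for
# connection failures. Surface them so a silent gap in $results is not missed.
foreach ($e in $remoteErrors) {
    'NO RESULT from {0}: {1}' -f $e.TargetObject, $e.Exception.Message
}
```

Without -ErrorAction SilentlyContinue and -ErrorVariable, a single unreachable host would still let the others complete, but the failure would scroll past as red text and nothing in $results would tell you a machine was skipped; collecting the errors makes a partial run visible.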

Creating a Persistent Session

A more powerful way of running PowerShell commands remotely is to start a persistent session on your target machine: a connection that stays open, so that variables, functions and modules you set up in it are still there for the next command. There is a dedicated cmdlet for doing this. To create persistent sessions on both Server01 and Server02 and keep a handle to them, store the session objects in the $s variable.

To start a new persistent session:

$s = New-PSSession -ComputerName Server01, Server02

Establishing sessions in this way lets you run a series of commands against the remote machines with Invoke-Command -Session $s, without paying the cost of a new connection and logon each time, and with state carried over between calls. If you want to type commands interactively at a prompt on one machine, as though you were sitting in front of it, use Enter-PSSession instead (and Exit-PSSession to come back). When you are done with a session, remove it with Remove-PSSession; each open session holds a host process and a logon on the target.

An example of this is to run a Get-HotFix command in the sessions in the $s variable, and which will save the results in the $h variable. The $h variable is created in each of the sessions in $s, but it doesn’t exist in the local session:

Invoke-Command -Session $s {$h = Get-HotFix}

Because you’ve now created a new variable on your remote machine, you can use the data in the $h variable with other commands in the same session, and the results of this will be displayed on the local computer. For example:

Invoke-Command -Session $s {$h | where {$_.InstalledBy -ne "NT AUTHORITY\SYSTEM"}}
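An added example that carries the $s / $h pattern above a few steps further: passing a local value into the session with $using:, checking session health and cleaning up. This is not code from the original article; the computer names and the demo\serveradmin account are assumed for illustration.

```powershell
# Added example: reuse persistent sessions across several commands, pass local
# data in with $using:, then tear the sessions down. Names/account are placeholders.

$cred = Get-Credential -UserName 'demo\serveradmin' -Message 'Remote admin account'
$s = New-PSSession -ComputerName Server01, Server02 -Credential $cred

# Step 1: collect data remotely and keep it in a remote variable. $h exists in
# each session on the remote side; it is never created on the local machine.
Invoke-Command -Session $s -ScriptBlock { $h = Get-HotFix }

# Step 2: a local value only reaches the remote side through $using: (or
# -ArgumentList). $since is evaluated here and substituted before the script
# block is sent, so the remote filter uses the local cut-off date.
$since = (Get-Date).AddDays(-30)
$recent = Invoke-Command -Session $s -ScriptBlock {
    $h | Where-Object { $_.InstalledOn -ge $using:since } |
        Select-Object HotFixID, InstalledOn, InstalledBy
}
$recent | Format-Table PSComputerName, HotFixID, InstalledOn, InstalledBy -AutoSize

# Step 3: check session health. A session whose connection dropped shows
# State 'Broken' and will fail the next Invoke-Command.
$s | Format-Table ComputerName, State, Availability -AutoSize

# To work interactively on one of the hosts, enter the same session object:
#   Enter-PSSession -Session $s[0]
#   ...type commands at the [Server01]: prompt...
#   Exit-PSSession

# Step 4: remove sessions you no longer need; each one keeps a wsmprovhost.exe
# process and a logon token alive on the remote host until it is closed.
Remove-PSSession -Session $s
Get-PSSession   # should list nothing
```

The same credential is used for both sessions; if a command inside the session needs to reach a third machine (a file share, for instance) it will fail with an access-denied error, because the remote host does not hold your password to forward. That "second hop" limitation is a property of the default authentication and is not something TrustedHosts or -Credential on Invoke-Command can fix.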

Advanced PowerShell Remoting Techniques

If you've followed the guide above, you will now be able to use PowerShell remoting on your network. However, the power of remoting extends much further than the examples above. Using the cmdlets installed with Windows PowerShell, you can establish and configure remote sessions from either end, create customized and restricted session configurations (including Just Enough Administration endpoints that expose only a whitelisted set of commands to a given group), import commands from a remote session so that they look local but run implicitly on the remote machine (implicit remoting with Import-PSSession), and configure the security of the remoting service itself.

Much of this configuration lives in WSMan, which ships with PowerShell. The WSMan provider creates a WSMan: drive that lets you browse and change a hierarchy of settings on the local computer and on remote computers: the listeners, the authentication methods the service and client accept, whether unencrypted traffic is allowed, and the TrustedHosts list you saw earlier.
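An added example of using the WSMan: drive the way a security engineer would when reviewing a host: enumerate the listeners and authentication settings, turn off the weak options, and look at the logs that record remoting activity. This is not code from the original article; it runs in an elevated console on the machine being reviewed, and the 10.0.0.22 address used when narrowing TrustedHosts is assumed for illustration.

```powershell
# Added example: audit and harden a host's WinRM configuration through the WSMan: drive.
# Run elevated on the machine being checked. The 10.0.0.22 entry is a placeholder.

# Listeners: every address/port/transport the service accepts connections on.
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    Get-ChildItem $_.PSPath | Select-Object Name, Value
}

# Service-side authentication methods. Basic sends the password protected only by
# the transport, so it stays off unless an HTTPS listener is the only one in use.
Get-ChildItem WSMan:\localhost\Service\Auth | Select-Object Name, Value
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false

# Refuse unencrypted message bodies even on the HTTP listener (Kerberos/NTLM
# message encryption still applies, but this blocks a downgraded client).
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false

# Client side: '*' in TrustedHosts means this machine will hand its credentials
# (via NTLM) to anything it is pointed at. Narrow it to an explicit list.
$th = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if ($th -eq '*') {
    Write-Warning "TrustedHosts is '*'; replacing it with an explicit list"
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value '10.0.0.22' -Force
}

# Who may connect: each session configuration carries its own permission ACL.
# Anything beyond Administrators / Remote Management Users deserves a second look.
Get-PSSessionConfiguration | Select-Object Name, Permission

# Evidence of use. WinRM keeps its own operational log; script block logging
# (PowerShell Operational event 4104) records what was executed; network logons
# from remoting land in Security as 4624 with LogonType 3.
Get-WinEvent -LogName 'Microsoft-Windows-WinRM/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

The same Get-ChildItem and Set-Item calls work against a remote host's configuration by connecting first with Connect-WSMan and replacing localhost with that host's name in each path.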

There are also many common tasks in PowerShell that can be more easily achieved, or have their reach extended, by using remoting:

PowerShell Remoting Command Cheat Sheet

Once you master the basics of PowerShell remoting, the commands you use to execute commands and set up remote sessions will become second nature. But to help you out, we've compiled the most commonly used commands into a cheat sheet.

Remoting Commands

Command / Used for

Enable-PSRemoting -Force
  Used for: enable PowerShell remoting (run in a PowerShell console started as administrator).

# Set start mode to automatic
Set-Service WinRM -StartupType Automatic
# Verify start mode and state - it should be running
Get-WmiObject -Class win32_service | Where-Object {$_.name -like "WinRM"}
  Used for: make sure the WinRM service is set to start automatically and is running.

# Trust all hosts
Set-Item WSMan:\localhost\Client\TrustedHosts -Value *
# Verify trusted hosts configuration
Get-Item WSMan:\localhost\Client\TrustedHosts
  Used for: let the client connect to any remote host. Note: this is a client-side setting, and "*" means credentials will be sent to any host you name; replace it with an explicit list as soon as setup is done.

Invoke-Command -ComputerName MyServer1 -ScriptBlock {Hostname}
Invoke-Command -ComputerName MyServer1 -Credential demo\serveradmin -ScriptBlock {Hostname}
  Used for: execute a command on a remote machine, as the current user or as a supplied account.

Invoke-Command -ComputerName (Get-ADComputer -Filter * | Select-Object -ExpandProperty Name) -ScriptBlock {hostname}
  Used for: execute a command on every computer in the domain; requires the ActiveDirectory PowerShell module (RSAT) on the machine you run it from.

Invoke-Command -ComputerName MyServer1 -FilePath C:\pentest\Invoke-Mimikatz.ps1
Invoke-Command -ComputerName MyServer1 -FilePath C:\pentest\Invoke-Mimikatz.ps1 -Credential demo\serveradmin
  Used for: run a local script on a remote system; the example is the Invoke-Mimikatz.ps1 script from a local C:\pentest folder, which is why this appears in pentesting write-ups.

Enter-PSSession -ComputerName server1.domain.com
Enter-PSSession -ComputerName server1.domain.com -Credential domain\serveradmin
  Used for: start an interactive session on a remote machine.

Exit-PSSession
  Used for: leave the interactive session and return to the local prompt.

Additional Resources

If you want to take your PowerShell skills to the next level, or just need to brush up on the basics, take a look at these resources:

Books:

Online:

For a guided learning experience, check out this free PowerShell course, presented by Adam Bertram — you’ll learn how to automate Active Directory tasks with PowerShell.

A Final Word

As your PowerShell skills develop, you will find that remoting gives you access to a powerful new tool that will make your workflow far more efficient. It allows you to run PowerShell on remote machines as easily as you can on your own computer and can be used to automate many processes related to user management and system maintenance.

Just remember that the extra power that PowerShell remoting gives you should be used responsibly. Make sure that your network stays secure as you are setting up PowerShell remoting, and use a cyber threat intelligence system such as Varonis Edge to scan for network threats and protect your systems from cyberattack.

Jeff Petters

Jeff has been working on computers since his Dad brought home an IBM PC 8086 with dual disk drives. Researching and writing about data security is his dream job.
