2

I have this Powershell:

    Try
    {
       #Start the installer remotely
       $process = ([WMICLASS]"\\$comp\ROOT\CIMV2:Win32_Process").Create($InstallString)
       if ( $process.ReturnValue -eq 0 )
       {
          $logstr = $comp + ": spawned process " + $process.ProcessId
          Write-Host -ForegroundColor GREEN $logstr
       }
       else
       {
          Write-Host -ForegroundColor RED "${comp}: failed to create process ${InstallString}"
          Continue
       }
    }
    Catch
    {
       Write-Host -ForegroundColor RED "${comp}: error: $_.Exception.Message"
       Continue
    }

Where $comp is a valid PC name and InstallString is \\SERVERNAME\ShareFolder\setup.exe.

Within that ShareFolder is an installer and its files. I expect I can run the setup like this to remote install, but it is not working. It's falling into the else:

COMPUTERNAME: failed to create process \\SERVERNAME\ShareFolder\setup.exe

What am I missing? I can access this path outside Powershell.

This works on a local path. Do I need some special syntax in Powershell to point to this share?

This code works if the exe (well, a different installer) is located on COMPUTERNAME and the code is still executed remotely.

Zeno
  • 1,769
  • 7
  • 33
  • 61
  • What is the value of `$process.ReturnValue` ? – Paul H. Jan 29 '16 at 18:45
  • @PaulH. 2 as a return value – Zeno Jan 29 '16 at 18:49
  • OK, so that is "Access denied". Must be a permission problem somewhere. I'll have to look into this a little further. – Paul H. Jan 29 '16 at 19:00
  • Some links that might help: (http://stackoverflow.com/q/7794206/5199222) (http://www.powershellserver.com/accessing-remote-network-resources/). I think using `credSSP` may be the answer, but I haven't tested it yet. – Paul H. Jan 29 '16 at 19:37

1 Answers1

0

It could be a permission problem. According to this link: Creating Processes Remotely

A process created remotely can run under any account if the account has the Execute Method and Remote Enable permissions for root\cimv2. The Execute Method and Remote Enable permissions are set in WMI Control in the Control Panel.

Paul H.
  • 382
  • 1
  • 3
  • 16
  • I'm able to use this same `WMICLASS` line with a different installer locally The line is okay. By permission, do you mean the permission share of `ShareFolder` vs who is running the Powershell? If so, my account running this Powershell has full access to this share. – Zeno Jan 29 '16 at 18:00
  • You need to set the security for the namespace root\cimv2 for the account you are using to create the process. This link [Setting Namespace Security with the WMI Control](https://msdn.microsoft.com/en-us/library/aa393613%28v=vs.85%29.aspx) may help. You probably need to enable the Remote Enable permission if it is working locally but not remotely. – Paul H. Jan 29 '16 at 18:14
  • That's enabled. I meant that I can run the script and hit a remote machine, with the installer on the remote machine (as opposed to a network share). – Zeno Jan 29 '16 at 18:24
  • OK, I think I misunderstood the problem. – Paul H. Jan 29 '16 at 18:32
  • @Zeno it is likely the identity the process is running under. You have to have credentials to create the process, but the process is probably being created under the SYSTEM context which has no network resource access, so it has no rights to access your remote share. – Matt Gartman Jan 29 '16 at 18:33
  • @MattGartman I'm running this in a cmd window. If I type `whoami`, it gives me my network account which has full permission to this share. – Zeno Jan 29 '16 at 18:36
  • @zeno Seeing the same thing here, still seems like it is not allowing that cred to leave the box though. May be a WMI restriction. Are you able to use powershell remoting (invoke-command)? – Matt Gartman Jan 29 '16 at 18:47
  • @MattGartman While the script is running, I had it print out `$env:username` and it's still my user. – Zeno Jan 29 '16 at 18:55
  • @Zeno Feels like a double hop delegation issue. WMI can impersonate your ID but once you leave the box it needs to double hop your credentials and AD won't allow the delegation. See here for a similar question: http://stackoverflow.com/questions/2410779/network-authentication-when-running-exe-from-wmi – Matt Gartman Jan 29 '16 at 20:27