0

I'm trying to run this PowerShell command over cmd. It worked when I ran it directly from PowerShell, but when I try to run it from cmd I get errors.

Powershell Command:

```powershell
(Get-WmiObject -Class Win32_Product -Filter "Name='Symantec Endpoint Protection'" -ComputerName localhost. ).Uninstall()
```

How I run it (cmd):

```cmd
powershell.exe -Command (Get-WmiObject -Class Win32_Product -Filter Name='Symantec Endpoint Protection' -ComputerName localhost. ).Uninstall()
```

Output:

```text
Get-WmiObject : Invalid query "select * from Win32_Product where Name=Symantec 
Endpoint Protection"
At line:1 char:2
+ (Get-WmiObject -Class Win32_Product -Filter Name='Symantec Endpoint P ...
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Get-WmiObject], Management 
   Exception
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.C 
   ommands.GetWmiObjectCommand

You cannot call a method on a null-valued expression.
At line:1 char:1
+ (Get-WmiObject -Class Win32_Product -Filter Name='Symantec Endpoint P ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
```
Compo
cosa
  • Please screenshot the console output directly – frozen Aug 08 '20 at 16:26
  • It's complicated. I'm running this over metasploit admin/smb/psexec_command module under authority\system token, and I'm getting PowerShell errors. Basically what I wanna do is uninstall "Symantec Endpoint Protection" over PowerShell – cosa Aug 08 '20 at 18:04
  • If it worked when you ran it in PowerShell, it will not work again, because you've already uninstalled it! – Compo Aug 08 '20 at 20:12
  • As an aside: The CIM cmdlets (e.g., `Get-CimInstance`) superseded the WMI cmdlets (e.g., `Get-WmiObject`) in PowerShell v3 (released in September 2012). Therefore, the WMI cmdlets should be avoided, not least because PowerShell [Core] (version 6 and above), where all future effort will go, doesn't even _have_ them anymore. For more information, see [this answer](https://stackoverflow.com/a/54508009/45375). – mklement0 Aug 09 '20 at 01:17
  • @Compo yes of course.. – cosa Aug 09 '20 at 02:04

4 Answers

0

Try this:

```cmd
powershell.exe -Command "& {(Get-WmiObject -Class Win32_Product -Filter """Name='Symantec Endpoint Protection'""" -ComputerName XOS-MS182. ).Uninstall()}"
```
Wasif
  • Note that there's no reason to use `& { ... }` in order to invoke code passed to PowerShell's CLI via the `-command` (`-c`) parameter - just use `...` directly. Older versions of the [CLI documentation](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_pwsh) erroneously suggested that `& { ... }` is required, but this has since been corrected - see [this GitHub docs issue](https://github.com/MicrosoftDocs/PowerShell-Docs/issues/2750). – mklement0 Aug 09 '20 at 01:40
0

Try these. The parentheses mean something special to cmd. The filter would require two sets of quotes. Since the pipe is inside the double quotes, cmd ignores it.

```cmd
powershell "(Get-WmiObject -Class Win32_Product -ComputerName localhost | where name -eq 'symantec endpoint protection').Uninstall()"
powershell "Get-WmiObject win32_product -cn localhost | ? name -eq 'symantec endpoint protection' | remove-wmiobject"
```
js2010
  • Another option is to use `-EncodedCommand` which avoids shell quoting madness altogether – Joey Aug 08 '20 at 17:43
  • i get this new error Where-Object : A positional parameter cannot be found that accepts argument 'endpoint'. At line:1 char:63 + ... rName THUNDERDB | where name -eq symantec endpoint protection).Uninst ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidArgument: (:) [Where-Object], ParameterBi ndingException + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell .Commands.WhereObjectCommand – cosa Aug 08 '20 at 18:12
  • There's single quotes around `'symantec endpoint protection'`. – js2010 Aug 08 '20 at 18:46
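
An added example, not part of any answer above: the command lines in this thread, including the `-EncodedCommand` form mentioned in the comments, as they appear to a defender reviewing process-creation logs. The Python below decodes an encoded payload and flags uninstall attempts against a watched product; the watchlist, the technique labels and the sample command lines are constructed assumptions.

```python
import base64
import re

# Uninstall techniques taken from the commands in this thread.
UNINSTALL_PATTERNS = {
    "wmi-win32_product": re.compile(
        r"(?is)win32_product.*(\.uninstall\(\)|remove-wmiobject)"),
    "wmic-product": re.compile(
        r"(?is)\bwmic(\.exe)?\s.*\bproduct\b.*\bcall\s+uninstall\b"),
}
WATCHLIST = ["symantec endpoint"]  # assumption: products whose removal you alert on

def decode_encoded_command(cmdline):
    """Return the script passed via -EncodedCommand (or an abbreviation), else None."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        name = flag.lstrip("-/").lower()
        if flag[0] in "-/" and name and (name == "ec" or "encodedcommand".startswith(name)):
            try:  # the payload is Base64 over UTF-16LE text
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except ValueError:  # bad Base64 or bad UTF-16: treat as not encoded
                return None
    return None

def classify(cmdline):
    """Return (technique, product) for a watched-product uninstall, else None."""
    text = decode_encoded_command(cmdline) or cmdline
    for technique, pattern in UNINSTALL_PATTERNS.items():
        if pattern.search(text):
            for product in WATCHLIST:
                if product in text.lower():
                    return technique, product
    return None

def encode_sample(script):  # builds the encoded form of a constructed sample
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed process-creation command lines, modelled on the thread's commands.
PS_UNINSTALL = "(Get-WmiObject Win32_Product -Filter \"Name='Symantec Endpoint Protection'\").Uninstall()"
SAMPLES = [
    "powershell \"Get-WmiObject win32_product -cn localhost | ? name -eq "
    "'symantec endpoint protection' | remove-wmiobject\"",
    "WMIC.exe Product Where \"Name='Symantec Endpoint Protection'\" Call Uninstall",
    "powershell.exe -NoProfile -enc " + encode_sample(PS_UNINSTALL),
    "powershell.exe -Command \"Get-WmiObject Win32_Product | select Name\"",
]

for sample in SAMPLES:
    print(classify(sample), "<-", sample[:50])
```

The last sample only lists products, so it is not flagged; matching on the decoded text is what lets the encoded sample be classified the same way as the plain ones.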
0

You don't need to use for this task, from an elevated Windows Command Prompt, (), you could use instead:

```cmd
WMIC.exe Product Where "Name='Symantec Endpoint Protection'" Call Uninstall
```
Compo
  • yeah i tried that before but for some reasons that i dont know.. it didn't work – cosa Aug 08 '20 at 18:54
  • It only doesn't work if you do not run it from an elevated `cmd.exe` window 'Run as administrator', you do not have a Microsoft Installer product installed with the matching name string `Symantec Endpoint Protection`, or the installation was somehow corrupted, and the uninstall is therefore unable to continue. What exactly is the output from this command instead `WMIC.exe Product Where "Name='Symantec Endpoint Protection'" List Status`, _(preferably run within an elevated `cmd.exe` instance too)_? – Compo Aug 08 '20 at 19:11
  • i run it using psexec with nt authority\system.. and no output from both of commands – cosa Aug 08 '20 at 23:46
  • If you are sending it as a parameter to another command, @cosa, you would have told us this from the outset wouldn't you? So I'm not quite sure what you mean! Please [edit your question](https://stackoverflow.com/posts/63317666/edit), to include the code with [[tag:psexec]] in it, and add the tag. And please ensure that you do something to notify the other answerers that your question has been corrected. – Compo Aug 09 '20 at 01:06
  • Yeah, I told them that I'm trying to run it over psexec and it was a pentest lab – cosa Aug 09 '20 at 02:02
  • @cosa, which part of my previous comment did you read? because you responded to it, without doing any of the things in its content. **You must change your question, it is not currently representative of the task.** – Compo Aug 09 '20 at 09:26
  • i'm too lazy.. sorry lmao – cosa Aug 09 '20 at 10:23
0

The other answers already answer your question of running powershell over CMD. I'd like to recommend you stop using the Win32_Product wmi class. You can read any of the never ending articles explaining why. As for building commands with arguments, I recommend splatting. As a bonus specifically regarding removing SEP, here is a snippet from a production script used to remove Symantec Endpoint using MSIexec and the guid.

```powershell
$DateStamp = get-date -Format yyyyMMddTHHmmss

# $SomeList is assumed to hold the target computer names
$uninstalljobs = Foreach($PC in $SomeList){

    # Build the log name inside the loop, where $PC has a value
    $logFile = '{0}-{1}-{2}.log' -f 'SymantecUninstall',$PC,$DateStamp
    $locallog = join-path 'c:\windows\temp' -ChildPath $logFile

    start-job -name $pc -ScriptBlock {
    Param($PC,$locallog)
        # Runs on the remote computer: silent MSI uninstall with verbose logging
        $script = {
        Param($locallog)
        $MSIArguments = @(
            "/x"
            ('"{0}"' -f '{A0CFB412-0C01-4D2E-BAC9-3610AD36B4C8}')
            "/qn"
            "/norestart"
            "/L*v"
            $locallog
        )

        Start-Process "msiexec.exe" -ArgumentList $MSIArguments -Wait -NoNewWindow
        }
        Invoke-Command -ComputerName $pc -ArgumentList $locallog -ScriptBlock $script
    } -ArgumentList $PC,$locallog

}
```

Just update the guid to match your product. If you want to pull the uninstall string from the registry and use that, it would also be preferable to Win32_Product.

Here are a couple of ways you can find the uninstallstring.

```powershell
$script = {
    $ErrorActionPreference = 'stop'
    "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall" | foreach{
        try
        {
            $key = reg query $_ /f "Symantec Endpoint" /s | select -skip 1 -first 1
            $key = $key -replace 'HKEY_LOCAL_MACHINE','HKLM:'
            (Get-ItemProperty $key -Name UninstallString).UninstallString
        }
        catch{}
    }
}
powershell.exe -command $script
```

or

```powershell
$script = {
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall" | foreach{
        Get-childitem $_ |
            Where {($_ | get-itemproperty -Name displayname -ea 0).displayname -like 'Symantec Endpoint*'} |
            Get-ItemPropertyValue -name UninstallString
    }
}
powershell.exe -command $script
```
Doug Maurer
  • Thanks for your participation, but this is a pentest lab. I have only shell access; how will I get the installation key to run the script! – cosa Aug 08 '20 at 19:11
  • You can simply read the registry. If this is for a pentest... the LAST thing you want to do is trigger EVERY msi to reregister itself... – Doug Maurer Aug 08 '20 at 19:13
  • `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /f "Symantec Endpoint" /s` `reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall" /f "Symantec Endpoint" /s` – Doug Maurer Aug 08 '20 at 19:20
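
An added example, not from the answer's author: querying `Win32_Product` makes Windows Installer run a consistency check on every installed MSI package, and each check is recorded in the Application log as MsiInstaller event 1035, which is both a reason the class is discouraged and a way its use can be spotted afterwards. The Python below groups those events into bursts; the event tuples, the 30-second gap and the five-product threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

RECONFIGURED = 1035  # MsiInstaller: "Windows Installer reconfigured the product"

def find_reconfigure_sweeps(events, max_gap=timedelta(seconds=30), min_products=5):
    """Group 1035 events into bursts; return (start, end, distinct products)
    for bursts that touch at least min_products packages."""
    hits = sorted((datetime.fromisoformat(ts), product)
                  for ts, source, event_id, product in events
                  if source == "MsiInstaller" and event_id == RECONFIGURED)
    bursts = []
    for when, product in hits:
        if bursts and when - bursts[-1]["end"] <= max_gap:
            bursts[-1]["end"] = when          # still inside the current burst
            bursts[-1]["products"].add(product)
        else:
            bursts.append({"start": when, "end": when, "products": {product}})
    return [(b["start"].isoformat(), b["end"].isoformat(), len(b["products"]))
            for b in bursts if len(b["products"]) >= min_products]

# Constructed Application-log records: (time, source, event id, product name).
EVENTS = [
    ("2020-08-08T09:00:05", "MsiInstaller", 1035, "Contoso Agent"),   # lone repair
    ("2020-08-08T11:30:00", "MsiInstaller", 1033, "Contoso Viewer"),  # an install
    ("2020-08-08T16:20:00", "MsiInstaller", 1035, "Contoso Agent"),
    ("2020-08-08T16:20:02", "MsiInstaller", 1035, "Contoso Viewer"),
    ("2020-08-08T16:20:05", "MsiInstaller", 1035, "Example Runtime x64"),
    ("2020-08-08T16:20:07", "MsiInstaller", 1035, "Example Runtime x86"),
    ("2020-08-08T16:20:09", "MsiInstaller", 1035, "Sample VPN Client"),
    ("2020-08-08T16:20:12", "MsiInstaller", 1035, "Symantec Endpoint Protection"),
]

for sweep in find_reconfigure_sweeps(EVENTS):
    print("possible Win32_Product enumeration:", sweep)
```

A patch deployment or a bulk MSI repair can produce the same pattern, so correlate a hit with the process-creation log for the same minute before treating it as a `Win32_Product` query.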