MS-WSMV WINRS_SKIP_CMD_SHELL no longer working

  • Question

  • Hi

    I am trying to use WinRM to execute a process without going through the cmd.exe shell, and from the docs on the Command message [1] it seems like WINRS_SKIP_CMD_SHELL is what I want to use. The docs state for this option

    If set to TRUE, this option requests that the server runs the command without using cmd.exe; if set to FALSE, the server is requested to use cmd.exe. By default the value is FALSE. This does not have any impact on the wire protocol.

    My understanding is that if I set that option to TRUE then WinRM will run the command outside of cmd.exe, similar to just calling it directly by CreateProcess and using the Command element as the lpApplicationName parameter. Depending on the OS I am using, this either does what I expect or it just ignores the option. On Server 2008, 2008 R2, and 2012, winrshost.exe will spawn the executable specified by the Command element, bypassing cmd.exe directly. But for newer OSes (Server 2012 R2, 2016, 1709, ...) it seems to ignore this option and spawns it through cmd.exe like normal.

    As an example, here is the SOAP message sent by my client to a Windows 2016 host

    <s:Envelope xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsman="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">
    <s:Header>
        <wsa:To>https://SERVER2016.domain.local:5986/wsman</wsa:To>
        <wsa:Action s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Command</wsa:Action>
        <wsa:MessageID>uuid:29bfe377-4767-47fe-b186-7e77855dd2ec</wsa:MessageID>
        <wsman:OptionSet>
            <wsman:Option Name="WINRS_SKIP_CMD_SHELL">TRUE</wsman:Option>
        </wsman:OptionSet>
        <wsa:ReplyTo>
            <wsa:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
        </wsa:ReplyTo>
        <wsman:ResourceURI s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd</wsman:ResourceURI>
        <wsman:SelectorSet>
            <wsman:Selector Name="ShellId">DCA996C7-AD4B-44C3-8915-EDB8BE56BAC1</wsman:Selector>
        </wsman:SelectorSet>
    </s:Header>
    <s:Body>
        <rsp:CommandLine>
            <rsp:Command>powershell.exe</rsp:Command>
            <rsp:Arguments>Start-Sleep</rsp:Arguments>
            <rsp:Arguments>10</rsp:Arguments>
        </rsp:CommandLine>
    </s:Body>
    </s:Envelope>
    

    It has set the option WINRS_SKIP_CMD_SHELL to TRUE and it is telling the WinRM service to start powershell.exe with the arguments Start-Sleep and 10. When looking at Process Explorer I can see that powershell.exe is being created from cmd.exe and not winrshost.exe

    Using Process Monitor I can see winrshost.exe is calling CreateProcess with "C:\Windows\System32\cmd.exe /C powershell.exe Start-Sleep 10".

    My questions are

    • Is this the expected behaviour when setting WINRS_SKIP_CMD_SHELL on hosts running Server 2012 R2 and newer?
    • If it is, does this mean WINRS_SKIP_CMD_SHELL does nothing on these newer versions?
    • Is there another way to bypass cmd.exe and get WinRM to spawn the process using the executable I specify with the Command element directly on the newer hosts?

    Thanks

    Jordan

    [1] https://msdn.microsoft.com/en-us/library/cc251697.aspx

    Thursday, March 29, 2018 12:53 AM
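The Command message quoted in the question, built and parsed programmatically. This is an added example and not code from the original post or from any WinRM client library: it reproduces the envelope layout shown above with xml.etree, and the endpoint, ShellId and MessageID values passed to it in the usage call are placeholders copied from the post rather than live identifiers. The parser shows which fields a server would act on (ShellId selector, Command, Arguments, and the WINRS_SKIP_CMD_SHELL option); whether the server honours that option is a separate question that this code cannot answer.

```python
"""Build and parse an MS-WSMV Command request carrying WINRS_SKIP_CMD_SHELL.

Added example, not code from the forum post. Namespace URIs and action /
resource URIs are the ones that appear in the quoted message.
"""
import uuid
import xml.etree.ElementTree as ET

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wsa": "http://schemas.xmlsoap.org/ws/2004/08/addressing",
    "wsman": "http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd",
    "rsp": "http://schemas.microsoft.com/wbem/wsman/1/windows/shell",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

COMMAND_ACTION = "http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Command"
CMD_RESOURCE = "http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd"
ANONYMOUS = "http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous"


def q(prefix, local):
    """Clark-notation tag name ({uri}local) for ElementTree."""
    return "{%s}%s" % (NS[prefix], local)


def build_command_message(endpoint, shell_id, command, arguments=(),
                          skip_cmd_shell=False, message_id=None):
    """Serialize a Command request for an existing cmd shell (returns bytes)."""
    env = ET.Element(q("s", "Envelope"))
    hdr = ET.SubElement(env, q("s", "Header"))
    ET.SubElement(hdr, q("wsa", "To")).text = endpoint
    action = ET.SubElement(hdr, q("wsa", "Action"), {q("s", "mustUnderstand"): "true"})
    action.text = COMMAND_ACTION
    ET.SubElement(hdr, q("wsa", "MessageID")).text = "uuid:%s" % (message_id or uuid.uuid4())
    opts = ET.SubElement(hdr, q("wsman", "OptionSet"))
    # MS-WSMV spells the option value as TRUE / FALSE (default FALSE).
    opt = ET.SubElement(opts, q("wsman", "Option"), {"Name": "WINRS_SKIP_CMD_SHELL"})
    opt.text = "TRUE" if skip_cmd_shell else "FALSE"
    reply = ET.SubElement(hdr, q("wsa", "ReplyTo"))
    ET.SubElement(reply, q("wsa", "Address"), {q("s", "mustUnderstand"): "true"}).text = ANONYMOUS
    ET.SubElement(hdr, q("wsman", "ResourceURI"), {q("s", "mustUnderstand"): "true"}).text = CMD_RESOURCE
    sel = ET.SubElement(hdr, q("wsman", "SelectorSet"))
    ET.SubElement(sel, q("wsman", "Selector"), {"Name": "ShellId"}).text = shell_id
    body = ET.SubElement(env, q("s", "Body"))
    cmdline = ET.SubElement(body, q("rsp", "CommandLine"))
    ET.SubElement(cmdline, q("rsp", "Command")).text = command
    for arg in arguments:  # one rsp:Arguments element per argument, as in the post
        ET.SubElement(cmdline, q("rsp", "Arguments")).text = arg
    return ET.tostring(env, encoding="utf-8")


def parse_command_message(data):
    """Extract the fields a server acts on from a serialized Command request."""
    root = ET.fromstring(data)
    options = {
        o.get("Name"): (o.text or "").strip()
        for o in root.findall("s:Header/wsman:OptionSet/wsman:Option", NS)
    }
    shell_id = root.findtext(
        "s:Header/wsman:SelectorSet/wsman:Selector[@Name='ShellId']", namespaces=NS)
    command = root.findtext("s:Body/rsp:CommandLine/rsp:Command", namespaces=NS)
    args = [a.text or "" for a in root.findall("s:Body/rsp:CommandLine/rsp:Arguments", NS)]
    return {
        "shell_id": shell_id,
        "command": command,
        "arguments": args,
        "skip_cmd_shell": options.get("WINRS_SKIP_CMD_SHELL", "FALSE").upper() == "TRUE",
        "options": options,
    }


if __name__ == "__main__":
    # Values below are the placeholders from the quoted message, not live identifiers.
    request = build_command_message(
        "https://SERVER2016.domain.local:5986/wsman",
        "DCA996C7-AD4B-44C3-8915-EDB8BE56BAC1",
        "powershell.exe", ["Start-Sleep", "10"],
        skip_cmd_shell=True, message_id="29bfe377-4767-47fe-b186-7e77855dd2ec")
    print(request.decode())
    print(parse_command_message(request))
```

Sending this request requires a shell created first (the ShellId selector must refer to a live shell) and a Receive/Signal exchange afterwards; those messages are out of scope here.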

Answers

  • Forum update:

    This issue is resolved. Windows versions from Windows 8.1/WS2012R2 to the current version ignore the command options WINRS_SKIP_CMD_SHELL and WINRS_CONSOLEMODE_STDIN.

    Two bugs are filed to document this fact in MS-WSMV and against Windows. 


    Regards, Obaid Farooqi

    Thursday, April 12, 2018 4:54 PM
    Owner
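The practical consequence of this answer for anyone writing detections: on Windows 8.1/2012 R2 and later every WinRS command arrives as winrshost.exe -> cmd.exe -> target, while on the older hosts in the question the target's direct parent is winrshost.exe itself. A rule keyed on "parent image is winrshost.exe" therefore sees only cmd.exe on the newer hosts and never the real target. The following is an added example, not code from the thread or from any vendor tool: it walks the parent chain instead of checking the direct parent, and the process-creation events it runs on are constructed in the shape of Sysmon Event ID 1 fields (Image, ProcessId, ParentProcessId), modelled on the two procmon lines Jordan posted; the PIDs and field names are assumptions, not captured data.

```python
"""Flag processes launched via WinRS, and whether cmd.exe sat in between.

Added example, not part of the original thread. Events are constructed;
field names follow Sysmon Event ID 1 but nothing here was captured from a host.
"""

WINRS_HOST = r"c:\windows\system32\winrshost.exe"
CMD_EXE = r"c:\windows\system32\cmd.exe"

# Constructed, modelled on the Server 2008 line in the thread:
# winrshost.exe spawns powershell.exe directly.
EVENTS_2008 = [
    {"ProcessId": 1200, "ParentProcessId": 800,
     "Image": r"C:\Windows\System32\winrshost.exe"},
    {"ProcessId": 1300, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

# Constructed, modelled on the Server 2016 line in the thread:
# winrshost.exe spawns cmd.exe /C ..., which spawns powershell.exe.
EVENTS_2016 = [
    {"ProcessId": 2200, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\winrshost.exe"},
    {"ProcessId": 2300, "ParentProcessId": 2200,
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 2400, "ParentProcessId": 2300,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def _norm(path):
    """Case-fold the image path; Windows paths compare case-insensitively."""
    return path.strip().lower()


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def build_tree(events):
    """Map pid -> (normalized image, parent pid). A later event for the same
    pid overrides an earlier one, which is fine for one snapshot but does not
    handle PID reuse across a long log."""
    return {e["ProcessId"]: (_norm(e["Image"]), e["ParentProcessId"]) for e in events}


def ancestry(tree, pid, limit=32):
    """Images from pid upwards (self first). Stops at an unknown parent,
    a cycle, or `limit` hops."""
    chain, seen = [], set()
    while pid in tree and pid not in seen and len(chain) < limit:
        seen.add(pid)
        image, parent = tree[pid]
        chain.append(image)
        pid = parent
    return chain


def direct_children_rule(events):
    """The naive rule: processes whose direct parent is winrshost.exe.
    On 2012 R2+ this only ever matches cmd.exe."""
    tree = build_tree(events)
    hits = []
    for pid, (image, parent) in tree.items():
        if parent in tree and tree[parent][0] == WINRS_HOST:
            hits.append(_basename(image))
    return sorted(hits)


def winrs_descendants_rule(events):
    """The chain rule: every process with winrshost.exe anywhere above it.
    Returns sorted (basename, via_cmd); via_cmd is True when cmd.exe sits
    between the process and winrshost.exe."""
    tree = build_tree(events)
    hits = []
    for pid, (image, _) in tree.items():
        chain = ancestry(tree, pid)
        if image == WINRS_HOST or WINRS_HOST not in chain:
            continue
        between = chain[1:chain.index(WINRS_HOST)]
        hits.append((_basename(image), CMD_EXE in between))
    return sorted(hits)


if __name__ == "__main__":
    for label, events in (("2008", EVENTS_2008), ("2016", EVENTS_2016)):
        print(label, "direct:", direct_children_rule(events),
              "chain:", winrs_descendants_rule(events))
```

The chain rule reports powershell.exe on both hosts and additionally records whether cmd.exe was in the path, so the same rule stays valid whether or not a given host honours WINRS_SKIP_CMD_SHELL. Hunting for cmd.exe /C itself is not a substitute, since the post shows the original Command and Arguments survive verbatim in that command line.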

All replies

  • Hi Jordan,

    Thank you for your question. One of the Open Specifications support team members will reply shortly to assist you with this issue.

    Best regards,
    Tom Jebo 
    Sr Escalation Engineer
    Microsoft Open Specifications Support

    Thursday, March 29, 2018 5:36 AM
    Moderator
  • Hi Jborean93:

    I'll help you with this issue and will be in touch as soon as I have an answer.


    Regards, Obaid Farooqi

    Thursday, March 29, 2018 7:01 PM
    Owner
  • Hi Jborean93:

    Please send me an email at the address dochelp at Microsoft dot com. I need the procmon traces that you mentioned in the post.


    Regards, Obaid Farooqi

    Monday, April 2, 2018 12:30 AM
    Owner
  • Hi Obaid

    I've just sent an email with the procmon traces attached. It contains a trace for the same WinRM messages sent to a Server 2008 and a Server 2016 host that shows the different behaviour. Just for a brief snippet, here is the procmon entry that shows the difference.

    Server 2008 running C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe Write-Host  hi

    Server 2016 running C:\Windows\system32\cmd.exe /C C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe Write-Host  hi

    The test I ran was exactly the same code just with the different target servers. Please let me know if you need any more info from me.

    Thanks

    Jordan

    Monday, April 2, 2018 4:03 AM