Hello,
I have a strange Problem with the WinRM-Client and so also with Server Manager on Windows 7 x64.
When I try to access a remote machine (in my domain), either with winrm or Server Manager I got the following errors:
# winrm on 64-bit OS:
C:Windowssystem32>winrm id -r:http://server1/Powershell/
WSManFault
Message = Access is denied.
Error number: -2147024891 0x80070005
Access is denied.
# Server Manager:
Server Manager cannot connect to server2. Click Retry to try to connect again.
See details …Connecting to remote server failed with the following error message : Acces is denied. For more information, see the …
It’s not a problem with the user permissions because with the same account (domain admin) on another machine (32-bit OS) it’s working without a problem.
# winrm on 32-bit OS:
C:Windowssystem32>winrm id -r:http://server1/Powershell/
IdentifyResponse
ProtocolVersion =
http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor = Microsoft Corporation
ProductVersion = OS: 6.1.7601 SP: 1.0 Stack: 2.0
I think there’s something wrong with winrm on Windows 7 x64 Sp1.
When checking winrm functionality using ‘winrm e winrm/config/listener’
command, I got this:
# winrm on 32-bit OS:
C:Windowssystem32>winrm e winrm/config/listener
WSManFault
Message = The client cannot connect to the destination specified in the request. Verify that the service on the dest
ination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running o
n the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the
destination to analyze and configure the WinRM service: «winrm quickconfig».
Error number: -2144108526 0x80338012
The client cannot connect to the destination specified in the request. Verify that the service on the destination is run
ning and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destinat
ion, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination t
o analyze and configure the WinRM service: «winrm quickconfig».
…that’s OK, because winrm isn’t configured. But when I try the same command on 64-bit OS with the same winrm state, I got this:
# winrm on 64-bit OS:
C:Windowssystem32>winrm e winrm/config/listener
WSManFault
Message = Access is denied.
Error number: -2147024891 0x80070005
Access is denied.
ALL with elevated command prompt.
Any ideas what’s wrong?
Here are some Analytic logs, winrm on 64-bit OS:
===============================
Log Name: Microsoft-Windows-WinRM/Analytic
Source: Microsoft-Windows-WinRM
Date: 26.3.2012 19:36:24
Event ID: 1840
Task Category: Winrm Operation
Level: Error
Keywords: Error
User: DOMAINadmin
Computer: client.domain.com
Description:
An error was encountered while processing an operation.
Error Code: 5
Error String:<f:WSManFault xmlns:f=»http://schemas.microsoft.com/wbem/wsman/1/wsmanfault» Code=»5″ Machine=»client.domain.com»><f:Message>Access
is denied. </f:Message></f:WSManFault>
Log Name: Microsoft-Windows-WinRM/Analytic
Source: Microsoft-Windows-WinRM
Date: 26.3.2012 19:36:24
Event ID: 1042
Task Category: Response handling
Level: Error
Keywords: Client
User: DOMAINadmin
Computer: client.domain.com
Description:
WSMan operation Enumeration failed, error code 5
Here are some Analytic logs, Server Manager on 64-bit OS:
=====================================
Log Name: Microsoft-Windows-WinRM/Analytic
Source: Microsoft-Windows-WinRM
Date: 26.3.2012 17:33:56
Event ID: 261
Task Category: WSMan Session initialize
Level: Information
Keywords: Client
User: DOMAINadmin
Computer: client.domain.com
Description:
Creating WSMan Session. The connection string is:
http://server2:5885/WSMan?PSVersion=2.0
Log Name: Microsoft-Windows-WinRM/Analytic
Source: Microsoft-Windows-WinRM
Date: 26.3.2012 17:33:56
Event ID: 295
Task Category: WSMan Session initialize
Level: Information
Keywords: Client
User: DOMAINadmin
Computer: client.domain.com
Description:
WSMan Create Session operation completed successfuly
Log Name: Microsoft-Windows-WinRM/Analytic
Source: Microsoft-Windows-WinRM
Date: 26.3.2012 17:33:56
Event ID: 281
Task Category: WSMan API call
Level: Information
Keywords: Client
User: DOMAINadmin
Computer: client.domain.com
Description:
Getting WSMan Session Option (29)
Log Name: Microsoft-Windows-WinRM/Analytic
Source: Microsoft-Windows-WinRM
Date: 26.3.2012 17:33:56
Event ID: 266
Task Category: WSMan API call
Level: Information
Keywords: Client
User: DOMAINadmin
Computer: client.domain.com
Description:
Creating WSMan shell with the ResourceUri:
http://schemas.microsoft.com/powershell/Microsoft.ServerManager
Log Name: Microsoft-Windows-WinRM/Analytic
Source: Microsoft-Windows-WinRM
Date: 26.3.2012 17:33:56
Event ID: 1841
Task Category: Winrm Operation
Level: Error
Keywords: Error
User: DOMAINadmin
Computer: client.domain.com
Description:
An error was encountered while processing an operation.
Error Code: 11001
Log Name: Microsoft-Windows-WinRM/Analytic
Source: Microsoft-Windows-WinRM
Date: 26.3.2012 17:33:56
Event ID: 1289
Task Category: User authentication
Level: Information
Keywords: Security,Client
User: DOMAINadmin
Computer: client.domain.com
Description:
The chosen authentication mechanism is Kerberos
Log Name: Microsoft-Windows-WinRM/Analytic
Source: Microsoft-Windows-WinRM
Date: 26.3.2012 17:33:56
Event ID: 778
Task Category: Request handling
Level: Information
Keywords: Client
User: DOMAINadmin
Computer: client.domain.com
Description:
Sending the request for operation CreateShell to destination machine and port server2:5885
Log Name: Microsoft-Windows-WinRM/Analytic
Source: Microsoft-Windows-WinRM
Date: 26.3.2012 17:33:56
Event ID: 1841
Task Category: Winrm Operation
Level: Error
Keywords: Error
User: DOMAINadmin
Computer: client.domain.com
Description:
An error was encountered while processing an operation.
Error Code: 11001
Log Name: Microsoft-Windows-WinRM/Analytic
Source: Microsoft-Windows-WinRM
Date: 26.3.2012 17:33:56
Event ID: 1289
Task Category: User authentication
Level: Information
Keywords: Security,Client
User: DOMAINadmin
Computer: client.domain.com
Description:
The chosen authentication mechanism is Kerberos
Log Name: Microsoft-Windows-WinRM/Analytic
Source: Microsoft-Windows-WinRM
Date: 26.3.2012 17:33:56
Event ID: 1045
Task Category: Response handling
Level: Information
Keywords: Client
User: DOMAINadmin
Computer: client.domain.com
Description:
Received the response from Network layer; status: 200 (HTTP_STATUS_OK)
Log Name: Microsoft-Windows-WinRM/Analytic
Source: Microsoft-Windows-WinRM
Date: 26.3.2012 17:33:56
Event ID: 255
Task Category: None
Level: Information
Keywords: Activity Transfer,Server,Client
User: DOMAINadmin
Computer: client.domain.com
Description:
Activity Transfer
Log Name: Microsoft-Windows-WinRM/Analytic
Source: Microsoft-Windows-WinRM
Date: 26.3.2012 17:33:56
Event ID: 1840
Task Category: Winrm Operation
Level: Error
Keywords: Error
User: DOMAINadmin
Computer: client.domain.com
Description:
An error was encountered while processing an operation.
Error Code: 5
Error String:<f:WSManFault xmlns:f=»http://schemas.microsoft.com/wbem/wsman/1/wsmanfault» Code=»5″ Machine=»client.domain.com»><f:Message>Access
is denied. </f:Message></f:WSManFault>
Log Name: Microsoft-Windows-WinRM/Analytic
Source: Microsoft-Windows-WinRM
Date: 26.3.2012 17:33:56
Event ID: 1042
Task Category: Response handling
Level: Error
Keywords: Client
User: DOMAINadmin
Computer: client.domain.com
Description:
WSMan operation CreateShell failed, error code 5
Log Name: Microsoft-Windows-WinRM/Analytic
Source: Microsoft-Windows-WinRM
Date: 26.3.2012 17:33:56
Event ID: 1840
Task Category: Winrm Operation
Level: Error
Keywords: Error
User: DOMAINadmin
Computer: client.domain.com
Description:
An error was encountered while processing an operation.
Error Code: 122
Error String:<f:WSManFault xmlns:f=»http://schemas.microsoft.com/wbem/wsman/1/wsmanfault» Code=»122″ Machine=»client.domain.com»><f:Message>The
data area passed to a system call is too small. </f:Message></f:WSManFault>
Log Name: Microsoft-Windows-WinRM/Analytic
Source: Microsoft-Windows-WinRM
Date: 26.3.2012 17:33:56
Event ID: 280
Task Category: WSMan API call
Level: Information
Keywords: Client
User: DOMAINadmin
Computer: client.domain.com
Description:
Getting message for error code 5 completed successfully. The languageCode parameter was: en-US
Log Name: Microsoft-Windows-WinRM/Analytic
Source: Microsoft-Windows-WinRM
Date: 26.3.2012 17:33:56
Event ID: 271
Task Category: WSMan API call
Level: Information
Keywords: Client
User: DOMAINadmin
Computer: client.domain.com
Description:
Closing WSMan shell
EDIT:
Results when running ‘ls wsman:localhost‘ command:
# wsman on 32-bit OS — good:
==================
PS C:Windowssystem32> ls wsman:localhost
Start WinRM Service
WinRM service is not started currently. Running this command will start the WinRM service.
Do you want to continue?
[Y] Yes [N] No [S] Suspend [?] Help (default is «Y»):
WSManConfig: Microsoft.WSMan.ManagementWSMan::localhost
Name Value
—- ——
MaxEnvelopeSizekb 150
MaxTimeoutms 60000
MaxBatchItems 32000
MaxProviderRequests 4294967295
Client
Service
Shell
Listener
Plugin
ClientCertificate
# wsman on 32-bit OS:
==============
PS C:Windowssystem32> ls wsman:localhost
Start WinRM Service
WinRM service is not started currently. Running this command will start the WinRM service.
Do you want to continue?
[Y] Yes [N] No [S] Suspend [?] Help (default is «Y»):
Get-ChildItem : Access is denied.
At line:1 char:3
+ ls <<<< wsman:localhost
+ CategoryInfo : NotSpecified: (:) [Get-ChildItem], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetChildItemCommand
PS eventlog:
—————
Log Name: Windows PowerShell
Source: PowerShell
Date: 27.3.2012 10:00:46
Event ID: 300
Task Category: Provider Health
Level: Warning
Keywords: Classic
User: N/A
Computer: client32b.domain.com
Description:
Provider Health: Access is denied. .
Details:
ProviderName=WSMan
ExceptionClass=ProviderInvocationException
ErrorCategory=InvalidOperation
ErrorId=WsManError
ErrorMessage=Access is denied.
Severity=Warning
SequenceNumber=10
HostName=ConsoleHost
HostVersion=2.0
HostId=82df410b-02a1-43d9-9584-210a8bec4e42
EngineVersion=2.0
RunspaceId=13fb3ea9-3b79-419f-b094-e2bd453d77e1
PipelineId=2
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine=
# wsman on 64-bit OS:
==============
PS C:Windowssystem32> ls wsman:localhost
Start WinRM Service
WinRM service is not started currently. Running this command will start the WinRM service.
Do you want to continue?
[Y] Yes [N] No [S] Suspend [?] Help (default is «Y»):
Get-ChildItem : Access is denied.
At line:1 char:3
+ ls <<<< wsman:localhost
+ CategoryInfo : NotSpecified: (:) [Get-ChildItem], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetChildItemCommand
PS eventlog:
—————
Log Name: Windows PowerShell
Source: PowerShell
Date: 27.3.2012 10:03:54
Event ID: 300
Task Category: Provider Health
Level: Warning
Keywords: Classic
User: N/A
Computer: client64b.domain.com
Description:
Provider Health: Access is denied. .
Details:
ProviderName=WSMan
ExceptionClass=ProviderInvocationException
ErrorCategory=InvalidOperation
ErrorId=WsManError
ErrorMessage=Access is denied.
Severity=Warning
SequenceNumber=12
HostName=ConsoleHost
HostVersion=2.0
HostId=e35b8ed2-c254-42db-a7a6-f266f0c12950
EngineVersion=2.0
RunspaceId=ce43d14c-72f8-42ae-acaa-15fd178a8c15
PipelineId=14
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine=
‘
‘
::::::::::::: SOLUTION :::::::::::::
I tuned up my ESET NOD32 — Protocol filtering.
‘
—— Lukas ——
- Remove From My Forums
-
Question
-
Perhaps I’m way out of my league here, but what I assume should be a relatively simple process has left me searching countless documentation for answers with no solution.
I have a Windows 7 Ult. client (in a workgroup) and a Server 2008 R2 machine. I’m attempting to use remote Server Manager on the Windows 7 client. I’ve gone through the steps indicated in this article, namely adding the trusted hosts to the configuration: http://technet.microsoft.com/en-us/library/dd759202.aspx
My issue is that I am unable to perform any operation with WinRM without receiving an Access Denied error
WSManFault Message = Access is denied. Error number: -2147024891 0x80070005 Access is denied.I am running it as an elevated user with the same result.
Any advise would be much appreciated.
Answers
-
Hi David,
Thank you for the reply.
I had already changed that registry entry based on some documentation I read but that did not make any difference.
I was able to work around the issue by opening another command window with «runas /user:Administrator» and then proceeding to change the winrm settings.
— Adam
-
Marked as answer by
Monday, December 14, 2009 5:36 AM
-
Marked as answer by
Время на прочтение
2 мин
Количество просмотров 64K
Итак вышел Windows Management Framework для всех ОС, даже для XP.
Для меня там, кроме собственно, PowerShell 2.0, основное это WinRM. В приложении к PowerShell это просто способ выполнять команды на удалённом компе.
Вот как это сделать:
0. Поставить Windows Management Framework Core
1. Для конфигурирования winrm, на той машине, которая будет сервером:
1.1 зайти в cmd.exe (я пытался сделать это из-под ISE, но оно не работает с интерактивными консольными программами)
1.2 запустить winrm qc
1.3 ответить Y на вопрос об изменениях
2. Теперь можно в PowerShell ISE на клиентской машине нажать иконку с изображением терминала, набрать имя сервера и учетную запись, потом ввести пароль и работать с привычным ISE на удалённой машине.
А еще с помощью набора команд *-PSSession возможет такой сценарий. Зайти на удаленную машину, выполнить там длительную операцию, вернуться и сообщить пользователю, что всё сделано.
P.S. Boomburum переслал сообщение от анонимуса:
«Здравствуйте! Требуется помощь, т.к. сам способа решения не нашел ;)). В общем, проблема такая — не знаю как связаться с автором одного из топиков. (конкретно — habrahabr.ru/post/73613/). Данная статья подтолкнула меня на знакомство с сетевыми возможностями powershell. При настройке данной возможности на пк с Windows XP SP3 возникла проблема — выскочила ошибка следующего содержания:
**********************************************************************
PS C:Documents and SettingsAdministrator> winrm qc
WinRM is not set up to receive requests on this machine.
The following changes must be made:
Start the WinRM service.
Make these changes [y/n]? y
WinRM has been updated to receive requests.
WinRM service started.
WSManFault
Message = Access is denied.
Error number: -2147024891 0x80070005
Access is denied.
PS C:Documents and SettingsAdministrator>
**********************************************************************
Я долго-долго искал пути решения данной проблемы в Интернете, но всё никак — ничего путного найти не мог. В общем,
Для решения данной проблемы следует зайти в Пуск->Администрирование ->Локальная политика безопасности ( Local Security Settings — secpol.msc) -> Параметры безопасности (Security option) -> Ищем «Сетевой доступ: модель совместного доступа и безопасности для локальных учетных записей» (Network Access: Sharing and security model for local accounts) -> изменяем политику на «Обычная -…» (Classic -…) -> Перезагружаемся и всё — проблеме конец!
Огромная просьба, отправьте это сообщение автору данного топика, т.к. я не могу этого сделать самостоятельно. Пускай он это разместит, т.к. русскоязычной части населения сети Интернет это очень сильно упростит поиск решения данной проблемы. Проблема довольно широко распространена! Но мною была замечена только на Windows XP. (Все проверялось на виртуальной машине с чистой системой). Заранее огромно спасибо!»
How do I restore WinRM on a Windows 2008 R2 machine back to it’s ‘out-of-the-box’ state? Or alternatively, how do I get WinRM to start talking to me again?
I’m logged in as administrator via RDP. Any attempt to access or configure winrm is met with Access is Denied.
I have 3 other servers where WinRM works fine.
At some point in the last 2 months WinRM has become inaccessible on the 4th server.
I have spent about 2 days reading, researching, and trying different things to get WinRM working again. Here are a few:
- help about_Remote_Troubleshooting
- Jonathan Jordan’s WinRM Trouble Shooting post
- PowerShell remoting guide
- a bunch of these Google hits
- not a duplicate of none of these answers solved my problem, nor did they answer my question on how to reset WinRM to a default, install state.
LocalAccountTokenFilterPolicy is set to 1
Firewall rules are the same for all of the servers.
The Windows Remote Management service is up and running.
Here are some examples of what I’m seeing with various commands:
PS C:> winrm id IdentifyResponse
ProtocolVersion = http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor = Microsoft Corporation
ProductVersion = OS: 6.1.7601 SP: 1.0 Stack: 2.0
winrm quickconfig
PS C:> winrm quickconfig
WinRM already is set up to receive requests on this machine.
WSManFault
Message = Access is denied.
Error number: -2147024891 0x80070005
winrm enumerate winrm/config/listener
PS C:> winrm enumerate winrm/config/listener
WSManFault
Message = Access is denied.
Error number: -2147024891 0x80070005
Access is denied.
Set-PSSessionConfiguration Microsoft.Powershell -ShowSecurityDescriptorUI
Performing operation "Set-PSSessionConfiguration" on Target "Name: Microsoft.PowerShell".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): Y
Access is denied.
At line:15 char:26
+ if ((!$pluginName) -or <<<< !(test-path "$pluginDir"))
+ CategoryInfo : InvalidOperation: (:) [], InvalidOperationException
+ FullyQualifiedErrorId : WsManError
Join-Path : Access is denied.
At line:22 char:35
+ $pluginFileNamePath = Join-Path <<<< "$pluginDir" 'FileName'
+ CategoryInfo : NotSpecified: (:) [Join-Path], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.JoinPathCommand
Test-Path : Cannot bind argument to parameter 'Path' because it is an empty string.
At line:23 char:19
+ if (!(test-path <<<< "$pluginFileNamePath"))
+ CategoryInfo : InvalidData: (:) [Test-Path], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,Microsoft.PowerShell.Commands.Test
PathCommand
Get-Item : Cannot bind argument to parameter 'LiteralPath' because it is an empty string.
At line:29 char:43
+ $pluginFileName = get-item -literalpath <<<< "$pluginFileNamePath"
+ CategoryInfo : InvalidData: (:) [Get-Item], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,Microsoft.PowerShell.Commands.GetI
temCommand
Set-PSSessionConfiguration : Session Configuration "Microsoft.PowerShell" is not a PowerShell based shell.
At line:89 char:27
+ Set-PSSessionConfiguration <<<< $args[0] $args[1] $args[2] $args[3] $args[4] $args[5] $args[6] $args[7] $args[8]
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Set-PSSessionConfiguration
and Server Manager
I want to kill a process remotely in powershell using
invoke-command -cn computername -script { stop-process name }
I made sure the network at the destination computer wasn’t set to public, and I managed to run enable-psremoting on the destination.
Now trying to run Invoke-Command ... at the source
but i’m getting some errors
PS C:Usersusername> invoke-command -cn sag35 -script { stop-process name }
[sag35] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. You can get more information about that by running the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (:) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionStateBroken
PS C:Usersusername>
I looked up about winrm.cmd and adding a trusted host
I was then honored with this rather repetitive error message
`PS C:Usersusername> winrm set winrm/config/client ‘@{TrustedHosts=»sag35″}’
WSManFault
Message = The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: «winrm quickconfig».Error number: -2144108526 0x80338012
The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: «winrm quickconfig».
PS C:Usersusername>`
ADDED
Further to what Trondh wrote about needing winrm at the source.. I did winrm qc, mentioned in this article I now have winrm at source and dest, I can do winrm id(which I understand is a local ping).
I also managed to get the trustedhosts line to work for each comp e.g.
winrm set winrm/config/client '@{TrustedHosts="compA"}'
Though an error.. when I do win id -r:compA(from compB) or win id -r:compB(from compA). I get the same error whichever comp, and it is an administrative PowerShell prompt.
I ran: reg add HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f as mentioned here and here but no need because that value was already in the registry, and port 5985 for http is open and through the Windows 7 firewall on those computers within my LAN. Port 5986 (for HTTPS) is closed, but I probably only need 5985/http. I understand that this port was set up automatically, and I can see is accessible.
this technet article suggested some tests like winrm id to ping, and with -r for a remote ping.
PS C:Windowssystem32> winrm id -r:compB
WSManFault
Message = Access is denied.
Error number: -2147024891 0x80070005
Access is denied.