question

0 Votes
KitchLaw-8764 asked RichMatheisen-8856 commented

Add-WindowsCapability and ubuntu2004.exe (the WSL installer) fail to work under WinRM

I'm trying to write some PowerShell scripts to automate server maintenance routines through the Attune app (https://www.servertribe.com/comunity-edition/), which utilizes the WinRM protocol.
I found out that both Add-WindowsCapability and ubuntu2004.exe can be run successfully from a local or RDP session on the target Windows machine, but running them from an Attune / Enter-PSSession remote session through WinRM failed with the following errors:

Add-WindowsCapability with "Access is denied."

ubuntu2004.exe with "Program 'ubuntu2004.exe' failed to run: A specified logon session does not exist. It may already have been terminated."

Our team has discussed these issues here, but with no results. They pose an obstacle to implementing a fully unattended solution. Can anyone please help us? Thanks!


0 Votes
KitchLaw-8764 answered

Many thanks to RichMatheisen-8856 for the detailed analysis and suggestions. We've found a workaround with Windows Task Scheduler; Add-WindowsCapability and ubuntu2004.exe both worked this way. Here's what we did (all steps are run through WinRM / ServerTribe's Attune, i.e. remotely unattended management):

  1. Clear "Users must enter a user name and password to use this computer" and reboot the computer, to make sure a session is logged on at the console, which is required for scheduled tasks with the "Run only when user is logged on" option set (which is itself required to run Add-WindowsCapability successfully).

    # Enable automatic console logon for the account by writing the Winlogon values
    $RegPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $DefaultUsername = "{win10cred1.user}"
    $DefaultPassword = "{win10cred1.password}"
    Set-ItemProperty $RegPath "AutoAdminLogon" -Value "1" -Type String
    Set-ItemProperty $RegPath "DefaultUsername" -Value "$DefaultUsername" -Type String
    Set-ItemProperty $RegPath "DefaultPassword" -Value "$DefaultPassword" -Type String

  2. Create a one-time scheduled task; please see the detailed script within the blueprint here. The key to the success of this task is the "Run only when user is logged on" and "Run with highest privileges" options.

    # Run the task 15 seconds after task creation
    $ts = New-TimeSpan -Seconds 15
    $Trigger = New-ScheduledTaskTrigger -Once -At ((Get-Date) + $ts)

    # Run only when user is logged on / Run with highest privileges
    $principal = New-ScheduledTaskPrincipal -UserId "{win10cred1.user}" -RunLevel Highest
    # The command that fails under WinRM is run by powershell.exe inside the console session
    $Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0"
    $setting = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
    # -Force overwrites an existing task with the same name
    Register-ScheduledTask -TaskName "Add-WindowsCapability OpenSSH.Server" -Trigger $Trigger -Principal $principal -Action $Action -Settings $setting -Force


The result is that, when the scheduled time is up, a window appears in the console session running the specified command, avoiding the errors that occur when running the command directly from WinRM.
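A cleanup step for the workaround above, as an added example that is not part of the original answer: Winlogon keeps `DefaultPassword` in the registry as cleartext, so once the task has run, the task and the auto-logon values are removed again. The task name and registry path are taken from the answer's scripts; the 15-minute timeout and the treatment of result 0 as success are assumptions.

```powershell
# Added example: waits for the one-time task, then removes the task and the auto-logon values.
$TaskName   = "Add-WindowsCapability OpenSSH.Server"   # name used in the answer
$RegPath    = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
$TimeoutSec = 900        # assumed upper bound for the capability install
$HasNotRun  = 0x41303    # SCHED_S_TASK_HAS_NOT_RUN
$deadline   = (Get-Date).AddSeconds($TimeoutSec)

try {
    # Poll until the task has started at least once and is back in the Ready state.
    do {
        Start-Sleep -Seconds 5
        $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction Stop
        $info = $task | Get-ScheduledTaskInfo
        $done = ($task.State -eq 'Ready') -and ($info.LastTaskResult -ne $HasNotRun)
    } until ($done -or (Get-Date) -gt $deadline)

    if (-not $done) {
        Write-Warning "Task '$TaskName' did not finish within $TimeoutSec seconds."
    } elseif ($info.LastTaskResult -ne 0) {
        Write-Warning ("Task '{0}' ended with result 0x{1:X}." -f $TaskName, $info.LastTaskResult)
    } else {
        Write-Output "Task '$TaskName' completed; last run at $($info.LastRunTime)."
    }
}
finally {
    # Remove the task so the elevated action cannot be triggered again later.
    Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false -ErrorAction SilentlyContinue

    # Turn automatic logon off and delete the stored password value.
    Set-ItemProperty -Path $RegPath -Name "AutoAdminLogon" -Value "0" -Type String
    Remove-ItemProperty -Path $RegPath -Name "DefaultPassword" -ErrorAction SilentlyContinue

    # Report the final state so the unattended run log shows what is left on the host.
    $left = Get-ItemProperty -Path $RegPath
    [pscustomobject]@{
        AutoAdminLogon        = $left.AutoAdminLogon
        DefaultPasswordExists = [bool]($left.PSObject.Properties.Name -contains 'DefaultPassword')
        TaskStillRegistered   = [bool](Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue)
    }
}
```

The `finally` block runs even when the wait times out or the task lookup fails, so the password value does not stay behind after a failed run.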



0 Votes
RichMatheisen-8856 answered RichMatheisen-8856 commented

What credentials are you using in the Enter-PSSession? IIRC, using the admin credentials on the remote machine should elevate the session.


The credential I'm using is a user in the Administrators group (non-AD environment).



0 Votes 0 ·

Try it with the local administrator account/password. The SID for that account might work. The "-500" RID should get a whole bunch of permissions/privileges.

0 Votes 0 ·

We tried the local Administrator account on Windows Server 2019 with the Add-WindowsCapability cmdlet, which resulted in the same "Access is denied." error.

After all, a local or RDP session works (on Win10 using the aforementioned user in the Administrators group, and on 2019 the Administrator user), but when switching to a remote PowerShell session or the Attune app with the same account, the errors occurred. So I don't think the specific user SID has anything to do with the problem.

0 Votes 0 ·
0 Votes
RichMatheisen-8856 answered KitchLaw-8764 commented

For the "specified logon session does not exist. It may already have been terminated" problem, is the "ubuntu2004.exe" file in a directory that's in your PATH environment variable? If not, provide the full file path and not just the exe name.



Hi, Rich. Sorry for the late reply.
I've checked that "ubuntu2004.exe" is in the PATH; running "ubuntu2004.exe" either by name or with the full path specified produced the same "specified logon session does not exist" error.

I also noticed that the actual executable in the PATH that I'm calling has a file size of 0 bytes and is something named an 'app execution alias'. Other similar aliases also produce the "A specified logon session does not exist" error from a remote session (for example python3.exe).
The reparse points are under "C:\Program Files\WindowsApps\". After granting access to this folder (recursively setting the ACL on subitems) and calling python3.exe directly from there (in a remote PSSession), the Microsoft Store window appears in the local GUI session, just like running the app execution alias in a local PSSession.
So, in conclusion, WinRM currently doesn't support running 'app execution aliases'.
[Screenshot: image.png]
(left one is a local session)

0 Votes 0 ·

But another problem arises: running ubuntu2004.exe under "C:\Program Files\WindowsApps\" remotely doesn't appear to produce any output or give an interactive shell, whereas running ubuntu2004.exe locally (either with the alias or with the real exe) does. It's similar to the difference between running wsl.exe remotely and locally.
Also, the first-time invocation of "ubuntu2004.exe install --root" after installing WSL fails remotely.
So I think that there are some issues with WSL under WinRM.

0 Votes 0 ·

I think (after reading this: 513) that the problem may lie with the way Windows Store apps are packaged. The comment by "ghost" on July 13th has a lot to say and provides references to other reported problems.


1 Vote 1 ·