I am using appcmd.exe to add IP addresses to the ipSecurity module of IIS. I am using a very basic Powershell script which reads a list from a web service of no more than 10-20 IPs, and I am adding those into the ipSecurity. I then run my Powershell through Task Scheduler, every 5 minutes to keep this list updated.
The command I am using via Powershell to add the IPs is
& $appcmd set config -section:system.webServer/security/ipSecurity /+"[ipAddress='$ip_address',subnetMask='$subnet_address',allowed='False']" /commit:apphost | Out-null
Perhaps it's important to say that on every execution of my Powershell, I am clearing first this list entirely using this command.
& $appcmd clear config /delete:true /section:system.webServer/security/ipSecurity /commit:apphost | Out-null
and then I add the new, updated IP list.
When I do this, I have noticed that the IIS service may drop. It does not happen always. But sometimes it does. When I stop the scheduler my IIS service works like a charm.
Any help? I couldn't find anything related at the Microsoft pages to be honest.
thank you
Related
I am trying to understand what is the correct way to uninstall a service.
According to Microsoft here, there are two ways to uninstall a service:
// Using installutil
installutil -u <yourproject>.exe
// Or using Powershell
Remove-Service -Name "YourServiceName"
In both examples, Microsoft states the following thing:
After the executable for a service is deleted, the service might still be present in the registry. If that's the case, use the command sc delete to remove the entry for the service from the registry.
sc.exe delete "YourServiceName"
Assuming most people will run a script to uninstall a given service using one of the above methods, how can we determine (from a batch or powershell script) if the uninstall worked properly or not (so that I can only conditionally run sc.exe)? In other words, how can we check that a service is still in the registry as per the Microsoft quote.
Also, I have been so far using sc.exe without prior uninstalling and it seems to have the desired effect.
ie. My service gets removed from the list of running Windows services and I am able to start with a fresh new installation of my service.
Is this a bad approach? If so, why is it a bad approach?
I have a script hosted on Windows 2016 server. This script is used by all IT teams.
Currently, to run the script, users use the following command:
powershell \\ServerName.mydomain1\Share\MyScript.ps1
Everything is working fine.
I would like to create a DNS alias like MyScript.mydomain2.
I can access to the server correctly ussing the alias. But, if I want to run the script using
powershell \\MyScript.mydomain2\Share\MyScript.ps1
it does not work. I've got an error told me I must sign the script.
If I use the serveur name instead alias, all is working. If I create an alias in the same domain than the server, all is working. If the alias is stored in another DNS domain, I've got the error.
The problem was the SPN on the server. Because an alias is used, a new SPN "HOST/MyScript.mydomain2" have to be added.
It workss fine now.
Thank you for your help,
Olivier
The new UNC path is not among the locations your systems trust for script execution. To resolve the issue you can either:
Sign the script.
Add \\MyScript.mydomain2\Share to the list of trusted locations (more specifically to the "Local Intranet" zone, e.g. via group policy). See the Scripting Guy blog for details.
Override the execution policy when invoking the script:
powershell -ExecutionPolicy Bypass -File \\MyScript.mydomain2\Share\MyScript.ps1
Beware that overriding the execution policy will only work if it isn't defined via local or group policies.
I am working on making some scripts to make my job a little bit easier.
One of the things i need is too download some files to use. I first used powershell with the command Invoke-WebRequest.
It is working really well, however it dont run on windows 7 computeres, as they have powershell 2. As i have about as many windows 7 pc's as win 10 i need to find another way.
I found that Start-BitsTransfer is a good way that should work on most computeres. My problem now is, that when using the script via my remote support session it runs the script on the local service account, and then BitsTransfer wont run and gives me an error. (0x800704DD)
Is there a way to get around that problem, or any command that can be used on both win 7 and 10 and run from the local service account?
You should update PowerShell as gms0ulman states, but if you are not the person who is in charge of this decision, you have to take other steps.
This error code...
0x800704DD
The error message ERROR_NOT_LOGGED_ON, occurs because the System Event Notification Service (SENS) is not receiving user logon notifications. BITS (version 2.0 and up) depends on logon notifications from Service Control Manager, which in turn depends on the SENS service. Ensure that the SENS service is started and running correctly.
By default, BITS runs under the LocalSystem account. To modify, stop or restart BITS, you must be logged on as an administrator. In your situation, when you log on a regular account and start the PS in elevated privilege, the BITS doesn’t run under regular user account. To resolve it, you may need to configure the log on user for BITS. Please visit the following link to configure how a service is started.
Configure How a Service is Started
Services are often run with default settings — for example, a service
may be disabled automatically at startup. However, you can use the
Services snap-in to change the default settings for a service. This is
useful if you are troubleshooting service failures or if you need to
change the security account under which a service runs. Membership in
Account Operators or Domain Admins, Enterprise Admins, or equivalent,
is the minimum required to complete this procedure. Review the details
in "Additional considerations" in this topic.
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc755249(v=ws.10)
I also agree that you should not continue supporting PowerShell 2.0. Ideally, ditch Windows 7 (it's way too old now), if you can't do that, upgrade PowerShell, if you can't do that, find a new job, if you can't do that, then I guess bring on the workarounds!
postanote's answer covers the BITS angle.
The other thing you can do is just use the .Net framework's underlying libraries, which is exactly what Invoke-RestMethod and Invoke-WebRequest do (those cmdlets were introduced in PowerShell 3.0, but the guts of them were around much longer).
try {
$wc = New-Object -TypeName System.Net.WebClient
$wc.DownloadFile($url, $path)
finally {
$wc.Dispose()
}
Most people don't bother disposing IDisposable objects in PowerShell so you'll see a lot of shorthand around like this:
(New-Object Net.WebClient).DownloadFile($url, $path)
Which is probably fine if your script's process isn't going to be around for a while, but it's good to keep in mind in case you incorporate this into something of a larger scale.
Scenario: Windows service with Powershell host embedded into it. Single runspace is allocated at startup. Multi-dll solution.
Requirement: Need to access .NET classes inside running service. From a local Powershell instance using
Enter-PSHostProcess -Name MyService
...gives me exactly what I want since I can access the .NET classes.
[MyNameSpace.MyClass]::CallStaticFunction()
Question: How can this Powershell behavior be made available to remote endpoints using Enter-PSSession to a custom endpoint? From the Register-PSSessionConfiguration we can specify a dll but this will spawn up a process and won't connect to a running instance. Not interested in writing proxy via HTTPS, or named pipes, but using the native functionality offered in Powershell for .NET support.
Is it possible to extend this via PSSessions? Or would we just have to first do Enter-PSSession or Invoke-Command?
Reviewing the sources it appears that Enter-PSHostProcess and Enter-PSSession are very independent mechanisms. Enter-PSHostProcess communicates via named pipes, while Enter-PSSession uses WinRM (which is effectively uses http(s) over ports 5985/5986. I don't think you need either Enter-PSSession or Invoke-Command if you want interactive access to a local service process through Enter-PSHostProcess.
You may have already done this, but to try this out I started up both Powershell.exe and Powershell_ise.exe, then from the former used this command to connect to the later:
get-process Powershell_ise | Enter-PSHostProcess
and the prompt changed to include the PID of the ISE. Just to be sure static methods worked as you are expecting, I killed the ISE from the Powershell.exe command line using the command:
[System.Environment]::exit(0)
Powershell creates the named pipe this connects to using the default security descriptor for the thread, which typically allows access only to LocalSystem, Administrators, and the account the process is running under. My test worked because both processes were running under the same account (I didn't need administrator priv.)
To be clear however, Enter-PSHostProcess makes no provision for connecting to processes on another machine. It might be possible to double-hop, connecting to the machine first using Enter-PSSession, then connecting to the process using Enter-PSHostProcess.
I use a powershell script, triggered by teamcity, to spin up new Windows Server VMs. Currently, when the machine is up and running, I need to log in via the VMM console to make a couple of configuration changes (enable file sharing, network discovery, msdeploy and remoting over winrm) in order to allow other teamcity jobs to be able to deploy enterprise apps to the VM.
I haven't found any way to run my config setup scripts on the new VM other than by using the GUI console in VMM. For VMHosts, there is Invoke-SCScriptCommand, but this doesn't work for virtual machines themselves. Am I missing something or do I have to alter the template that my VM's are built from, in order to get the required config on the VMs?
One way you could achieve what you require is by putting all your config changes in a powershell script sitting inside VM template and adding it to VM's startup scripts.
The script's first step is checks whether the config changes have been applied in the past by checking some kind of a flag(ie. a file c:\deployed.flag) and last step is to create the flag.
if(Test-Path c:\deployed.flag){
## deployment script run already, do nothing
}
else{
## your config changing code block
New-Item c:\deployed.flag -Type f
}
In VMWare/PowerCLI you can run Invoke-VMScript which executes command directly on a VM via VMWare tools but alas Hyper-V Integration Services don't have such functionality.