netsh acl setting (need alternative method - registry settings?) - powershell

I am using inno-setup to install a program that needs to unblock port 4326 on Win7 (permit acl access) so that GET operations can be done over HTTP to port 4326.
I have a powershell script that an admin can run to unblock the port. But this does not work as an inno-setup [run] command (because the local machine usually disables scripts from running). (i.e powershell.exe -nowait & script.ps1)
Is there some registry keys in the target machine that I can set that will unblock the port? That I can do pretty easily in inno-setup since the setup.exe runs as an admin. I guess a self-contained EXE could do the same thing.
Here is the script that I would like to replace with just setting the registry settings in HKLM.
set-alias netsh c:\Windows\System32\netsh.exe
$PORT = 4326
$domain = $Env:userdomain
$name = $Env:username
$ErrorActionPreference = "Continue";
netsh http delete urlacl url=http://*:$PORT/
netsh http add urlacl url=http://*:$PORT/ user=$domain\$name

i think you can find firewall rules in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
suggestion :
maybe you can just export this key as .reg and import it on the other station .

Instead of using netsh, use the WinApi HttpSetServiceConfiguration instead. You can call this (and its related functions) directly from Inno's [Code] (specifically, in CurStepChanged(ssPostInstall)), given the correct prototype declaration. See the Using DLLs topic in the help file.

See running netsh.exe as a post-install in inno-setup for a continuation of this question. But I basically, jachguate's answer of running netsh.exe as a post install seems the right way to go.

Related

Required Help in RDP Automation

Below script is to Automate RDP and I am stuck with below two points:
How to map local drive as mapped drive in RDP session(tsclient) using
powershell script/command
Example like this in RDP : drivestoredirect:s:value
RDP Automation - PowerShell Script :
cmdkey /list | ForEach-Object{if($_ -like "*target=TERMSRV/*"){cmdkey /del:($_ -replace " ","" -replace "Target:","")}}
echo "Connecting to Server Name"
$Server="Server Name"
$User="Username"
$Password="Password"
cmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password
mstsc /v:$Server
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client" /v "AuthenticationLevelOverride" /t "REG_DWORD" /d 0 /f
You can't control all aspects of your connection when using mstsc.exe via command line. The information for mapping local resources in the TS session are stored in the RDP file.
If not specified, it will use the default.rdp file located in "My Documents" folder (hidden file).
If you configure the default RDP to map local resources, all subsequent connections will also have the local resources mapped... but if you change it again, it will apply to all next connections.
So a better approach will be to create one *.rdp file and use it as a template in your script:
Create Template RDP file:
Launch mstsc.exe
Configure all options as per your needs
Save the file somewhere and use it in your script (i.e C:\Temp\MyRDPtemplate.rdp)
Now, change your script in order to use this template file when connecting to a Server:
mstsc "C:\temp\MyRDPtemplate.rdp" /v:$Server
When you first connect to a Server while mapping local resources, you will receive a warning message:
If you want to avoid this message, add the following registry key before launching:
reg add "HKCU\Software\Microsoft\Terminal Server Client\LocalDevices" /v $Server /t "REG_DWORD" /d 0x4d /f
mstsc "C:\temp\MyRDPtemplate.rdp" /v:$Server
There may be a global parameter you can add to avoid this message for all Servers (like for "AuthenticationLevelOverride") but I don't know for sure.
On last word about the stored credentials... if you use cmdkey /generic:xxx, you don't need to specify the service type (TERMSRV), that's the purpose of the /generic switch. But it also works fine...
PS: Very last remark, if you want to bypass the certificate prompt (in case your server doesn't present a valid one, you should add the registry key AuthenticationLevelOverride before connecting to the Server. Also note that this key is valid for all connections.
Another choice is get a help form some 3rd-part tools for RDP.
https://github.com/VShawn/PRemoteM

Run a script after a Windows 10 (non-Domain) Reset to enable RDP

For the Reset function, I go to Settings > Updates and Security > Recovery > Reset this PC. So this is a choice that I make, and on that basis I want to choose for that system to run a script after the Reset - and we know that should be possible as we can create completely customised Windows installation ISOs that install apps and Features in a clean state, so can someone tell me how to do a quite simple things - to just get Windows to run a PowerShell script after that Reset?
Actually, I only want to run a couple of lines:
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-name "fDenyTSConnections" -Value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
i.e. This will enable RDP and allow me to connect remotely and continue the configuration without having to plug in a monitor and keyboard and mouse all just to run the above two commands. As per title, this is a non-Domain scenario so accessing the system as Domain Admin is not possible (and really a Domain should not be necessary, these are my systems on my local network).
The other reason that should make all of the above completely possible is that performing a Reset is not an absolute reset as it retains user information (my main user is still there with the password intact), so just enabling RDP would make everything possible post-Reset.
For reference, nothing in the following have helped me to achieve this goal so far:
Run a powershell script on a remote system with elevated permissions to enable remoting
https://interfacett.com/blogs/how-to-remotely-enable-and-disable-rdp-remote-desktop
The easiest way to do this is to download PStools from Microsoft and use psexec to give yourself remote access:
psexec \\machinename reg add hklm\system\currentcontrolset\control\terminal server /f /v fDenyTSConnections /t REG_DWORD /d 0
psexec \\machinename netsh firewall set service remoteadmin enable
psexec \\machinename netsh firewall set service remotedesktop enable
psexec will let you supply credentials with -u and -p

Unable to pass parameters to powershell script via SSH

I'm trying to run a basic powershell script over ssh, the script is this:
param($passedUrl)
Function Launch-Site($url) {
start chrome $url
}
Launch-Site $passedUrl
When I run this in powershell, in the correct directory, with the command
.\launchSite.ps1 google.co.uk
It runs as expected, it launches google chrome and goes to google.co.uk. However, when I use the same command from my ssh terminal (in the correct directory), it does nothing and gives me no errors as far as I can tell.
The default shell is set to powershell. I can run normal scripts that don't have any parameters passed to them, so I'm thinking this is just some security with windows that isn't letting me pass the parameter. Is there any way to get around/fix this?
For this you will need to use a PowerShell remote session. Something along the lines of:
New-PSSession -HostName HOSTNAME -UserName UserName
Hostname being an IP or FQDN. It will prompt you for a username for authentication. This can be stored also as a variable to pass into the module as well.

Using $env:username in a logon script is not working

I have this setup with a GPO to run as a logon script, obviously to map a drive for clients.
net use H: \\server1\share\$env:username
Dead simple. If I put in a specific username in place of the variable then it works. Also, if I run this script directly on a client machine it works.
Do you get an error? Does it helps if you wrap the path in double quotes?
"\\server1\share\$env:username"
That should work with or without the quotation marks. Are the clients all Windows 7? I believe that Powershell logon/startup scripts don't work on earlier versions, even if you have Powershell installed, because it's an add-on rather than a native shell. If you're using downlevel clients, you can invoke the powershell script from a cmd batch file. But if you're going to do that, might as well skip Powershell and just run net use H:\\server1\share\%username% from your batch file.
Run this in a .bat file as a login script (use a FQDN for the server name):
net use H: \\server.example.com\share\%USERNAME%
If that not works, your GPO is just not yet applied. You can force that by running on the machine gpupdate /force.
For testing make sure that the GPO is applied to the right OU to the group "Authenticated Users" (computers are in the group too). And if that is not working, you can also "Enforce" the GPO. Don't forget to do a gpupdate /force after any change to the GPO or it settings.
You can also try a .js logon script like:
var WSH = new ActiveXObject("WScript.Shell");
// Map share
WSH.Run("net use H: \\\\server.example.com\\share");

Run remote process by powershell

I have the following line of code to create object to access to a remote server before I associate it with user name, password and process:
$process = [WMIClass]"\\remoteServer\ROOT\cimv2:Win32_Process"
I tried this on two PCs, one is OK without any errors, but another one I am going to run has an exception:
Cannot convert value "\\remoteServer\ROOT\cimv2:Win32_Process" to type "System.Manage
ment.ManagementClass". Error: "Access is denied. (Exception from HRESULT: 0x800
70005 (E_ACCESSDENIED))"
The remoteServer is the same one. Not sure what I have to set on local PC or remote PC to make this work? On both client PCs, the user names are all member of Administrators.
Have you considered looking into PowerShell remoting? If your running PowerShell 2.0 I'd recommend that you take a look at it. Once you have set up remoting you'll be able to execute commands on the remote server using the Invoke-Command:
Invoke-Command -ComputerName {serverName} –ScriptBlock { commands }
The ScriptBlock can contain any powershell commands so you will be able to start processes on the remote machine with this mechanism. To enable remoting you'll need to use the Enable-PSRemoting cmdlet and you can get details of this at http://blogs.msdn.com/powershell/archive/2009/04/30/enable-psremoting.aspx and http://technet.microsoft.com/en-us/library/dd819498.aspx
Is there some reason you don't want to use psexec?
http://technet.microsoft.com/en-us/sysinternals/bb545027.aspx
I know this is an old post, but what I think you need to do is run the following command on the remote machine:
"Get-ExecutionPolicy"
it sounds like its set to "Restricted" which means it will not run any "Invoke-Commands" commands, or remote scripts.
You can change it to 1 of 7 options:
Unrestricted____(least secure but if you need to troubleshoot set this option)
RemoteSigned__(will only all scripts with a signature, this a so so option)
AllSigned______(Best option if youu need to run remote scripts, but all will beed signed)
Restricted_____(I believe this option is set by default in windows 7 nad WS2k8)
Default
Bypass
Undefined