0
votes

I'm launching an installer on a remote machine using PowerShell with a remote runspace:

Some code is hidden, but you get the gist...

I create my PSCredential in C#:

    PSCredential pwd = new PSCredential(cred.UserName, PowerShellEngine.GenerateSecurePassword(cred.Password));
    ConnectionInfo = new WSManConnectionInfo(false, cred.HostName, 5985, "/wsman", "http://schemas.microsoft.com/powershell/Microsoft.PowerShell", pwd);
    ConnectionInfo.AuthenticationMechanism = AuthenticationMechanism.Default;

Create the runspace and execute the script:

        //Load the script
        string script = System.IO.File.ReadAllText(scriptFileName);

        using (Runspace runspace = CreateRunSpace())
        {
            runspace.Open();
            Pipeline pipeline = runspace.CreatePipeline();
            pipeline.Commands.AddScript(script);

            if (parameters != null)
            {
                foreach (KeyValuePair<string, string> parm in parameters)
                {
                    pipeline.Commands[0].Parameters.Add(parm.Key, parm.Value);
                }
            }

            pipeline.Commands.Add("out-default");
            pipeline.Invoke();
        }

Script.... (the part that matters)

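    $installStatement = [System.Diagnostics.Process]::Start( $App, $Switches )
    $installStatement.WaitForExit()
    # $LastExitCode is not set by [Process]::Start; read the exit code from the process object
    "Process Exit Code: $($installStatement.ExitCode)"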

The process starts fine, but I end up with:

MSI (s) (3C:18) [21:06:18:923]: Product: xxxx -- Error 1920.Service xxxx failed to start. Verify that you have sufficient privileges to start system services.

I've verified the process runs as the local administrator which works fine from the command prompt is using PSExec. I assume this must have to do with WSMAN permissions or security wrapped around the runspace itself?

Is there a policy or something that needs to be set to allow a PowerShell runspace to be able to start services in an installer?

Thanks, Gavin

2 Answers

0
votes

Appears WinRM runs under the NETWORK SERVICE account which probably doesn't have permission to start/stop Windows services...

I can't change Windows Remote Management to run as Local System because other services (HTTP, RPCSS) are dependent on it and are apparently running under the same process.

Is there a way to grant NETWORK Service the ability to start/stop services?

0
votes

WinRM service should run under network service. It will impersonate you to whoever you set when running the script. Could you please check that you have applied the credential you created and that user (from credentials) is able to start services? Just log in as this user and try to start some.

You could also simplify stuff. Write Test.ps1 with the code to start service and run this code:

    $pass = ConvertTo-SecureString "password" -AsPlainText -Force
    $credentials = new-object -typename System.Management.Automation.PSCredential -argumentlist "domain\username", $pass

    Invoke-Command -ComputerName "remoteMachine" -FilePath "Test.ps1" -Credential $credentials -ArgumentList $parameters

If all settings are correct you should get your service started.

On a side note, it looks to me that you are doing a relatively simple task in a very complex way.
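
One possible Test.ps1 for the check suggested in the answer above, added here as an example (it is not code from either poster). It reports which identity the remote session actually runs as and whether that identity can start a service, which separates a credential or permission problem from a service that fails on its own. The `$ServiceName` parameter is a hypothetical name introduced for this example.

```powershell
# Test.ps1 - added diagnostic example, not the poster's script.
param(
    [Parameter(Mandatory = $true)]
    [string]$ServiceName   # assumption: the service the installer fails to start
)

# Identity the remote runspace is really executing as.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)

$result = [ordered]@{
    Computer           = $env:COMPUTERNAME
    User               = $identity.Name
    AuthenticationType = $identity.AuthenticationType
    ImpersonationLevel = $identity.ImpersonationLevel
    IsAdministrator    = $isAdmin
    StatusBefore       = $null
    StatusAfter        = $null
    Error              = $null
}

try {
    $svc = Get-Service -Name $ServiceName -ErrorAction Stop
    $result.StatusBefore = $svc.Status

    if ($svc.Status -ne 'Running') {
        # -ErrorAction Stop turns an access-denied or start failure into a
        # terminating error so it is captured below instead of being lost.
        Start-Service -Name $ServiceName -ErrorAction Stop
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    }

    $svc.Refresh()
    $result.StatusAfter = $svc.Status
}
catch {
    # Keep the message so the caller can tell "access denied" from
    # "service not found" or a start timeout.
    $result.Error = $_.Exception.Message
}

# Emit one object; Invoke-Command returns it to the calling machine.
[pscustomobject]$result
```

Run it with the `Invoke-Command` line from the answer, passing the service name through `-ArgumentList`. If `User` is not the account from the credential, or `IsAdministrator` is `False`, the problem is in how the credential reaches the session rather than in the installer.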