pypsrp icon indicating copy to clipboard operation
pypsrp copied to clipboard

Published 20 hours ago verified publisher icon jborean93

NoMachineProfile: Avoid creation of user profiles on remote machines?

Open ecbftw opened this issue 3 years ago • 7 comments

When logging in to remote systems to run some simple scripts, we're finding the user profile directories are being created (e.g. c:\users\MyWinRMUser). This is undesirable in many cases.

I ran across the -NoMachineProfile option here, which might avoid this: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssessionoption?view=powershell-7.1

How would we specify that session option with pypsrp? More info in: https://docs.microsoft.com/en-us/dotnet/api/system.management.automation.remoting.pssessionoption.nomachineprofile?view=powershellsdk-1.1.0 https://www.reddit.com/r/PowerShell/comments/aw57xh/newpssession_without_creating_a_profile/

Thanks!

ecbftw avatar May 24 '21 17:05 ecbftw

You need to register your PS Configuration with the NoProfile option on the remote host then connect to that configuration using the name as the value of configuration_name when initialising the RunspacePool. This is how you can connect to Exchange and JEA endpoints as well as your own registered configurations.

jborean93 avatar May 24 '21 21:05 jborean93

Thanks for pointing me in the right direction on this. I finally have time to look into it again. The problem I'm having is that I don't have the ability to log in to thousands of machines to create a new PSConfiguration first before using WinRM with them. If I did this, then it would create the undesirable user profile during that first session! The New-PSSession command seems to allow the setting of options without first registering a profile through something like:

Enter-PSSession -ComputerName Server01 -SessionOption (New-PSSessionOption -NoMachineProfile)

Is there an equivalent with your module?

ecbftw avatar Jun 19 '21 15:06 ecbftw

My apologies I thought you were talking about the -NoProfile option in PowerShell itself. I'll have to try it out on the actual PowerShell client but at a guess I believe it's part of the shell creation side and unfortunately there is no way to control this behaviour with the RunspacePool creation in this library. If my suspicions are correct you would have to pass through the no_profile=True kwarg at https://github.com/jborean93/pypsrp/blob/c70487480cbb651a89ee7d3efe5dfd21014ecc92/pypsrp/powershell.py#L93-L94 but this can't be done through any public way right now.

jborean93 avatar Jun 20 '21 09:06 jborean93

Thanks for the clarification. I did actually try setting no_profile=True yesterday via a monkey patch as a test and it didn't seem to help (testing against Windows 2019 Server and a domain account). I found this reference which seems to indicate WINRS_NOPROFILE already defaults to TRUE: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wsmv/593f3ed0-0c7a-4158-a4be-0b429b597e31

The documentation I'm finding is all very confusing, so I think when I find time again I'm going to just sniff the protocol stream from Microsoft's client and try to figure out where I could add the extra XML blob in pypsrp.

ecbftw avatar Jun 20 '21 14:06 ecbftw

When I compare the data exchanged with New-PSSessionOption -NoMachineProfile and without and the only real difference I can see is that WINRS_NOPROFILE is set to true and not present when the option is set. So the no_profile kwarg for the WinRS shell is the place this needs to be set.

I found this reference which seems to indicate WINRS_NOPROFILE already defaults to TRUE:

it could be for normal shells it is true but maybe for the PowerShell it is not. I can definitely see that PowerShell itself doesn't set the key when the default pssession options are done and it is only present when -NoMachineProfile is set. I can also verify when I change the code to set no_profile when creating the WinRS shell that it is using the default user profile.

jborean93 avatar Jun 21 '21 01:06 jborean93

Thanks for investigating further. I'm a little confused because it still creates a user profile directory even with this setting, so perhaps some of the things I've read elsewhere are false or no longer true. At the end of the day, I just want to avoid creating a user profile directory at all, but that may not be possible.

ecbftw avatar Jun 24 '21 15:06 ecbftw

I'm not sure sorry, it wouldn't be the first time that some of the WSMan settings like WINRS_NOPROFILE doesn't do anything. I've found that in recent Windows versions the WINRS_SKIP_CMD_SHELL option also does nothing anymore. Unfortunately I'm stuck with the limitations of what Windows offers me, if you can find a way that works using native PowerShell then I can look to see what it does but if that also doesn't work then I cannot do much else sorry.

jborean93 avatar Jun 24 '21 20:06 jborean93