Solved

PS Remoting returning local data instead of remote

Posted on 2014-02-28
Last Modified: 2014-03-12
Anyone ever seen this before?
I'm using PowerShell Remoting to query a remote machine for a couple of registry values (I'll just show one for this example).  What I'm currently seeing is when I run Get-Item, the values returned are actually for my local machine (I confirmed this by changing one of the registry values and re-running the command).  When I run Get-ItemProperty however, the value returned is from the remote machine.  See the code block below for examples of running the commands and look at the "Start" value.

PS C:\test\ps> Invoke-Command -computername wkstn1.domain.com -scriptblock {Get-Item HKLM:\System\CurrentControlSet\Services\msahci }


    Hive: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services


Name                           Property                                    PSComputerName                            
----                           --------                                    --------------                            
msahci                         Start           : 2                         wkstn1.domain.com               
                               Type            : 1                                                                   
                               ErrorControl    : 3                                                                   
                               ImagePath       :                                                                     
                               \SystemRoot\system32\drivers\msahci.sys                                               
                               Group           : SCSI Miniport                                                       
                               DriverPackageId :                                                                     
                               mshdc.inf_amd64_neutral_a69a58a4286f0b22                                             

PS C:\test\ps> Invoke-Command -computername wkstn1.domain.com -scriptblock {Get-ItemProperty HKLM:\System\CurrentControlSet\Services\msahci }


Start           : 0
Type            : 1
ErrorControl    : 3
ImagePath       : \SystemRoot\system32\drivers\msahci.sys
Group           : SCSI Miniport
DriverPackageId : mshdc.inf_x86_neutral_f64b9c35a3a5be81
PSPath          : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msahci
PSParentPath    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
PSChildName     : msahci
PSDrive         : HKLM
PSProvider      : Microsoft.PowerShell.Core\Registry
PSComputerName  : wkstn1.domain.com
RunspaceId      : a9ce6130-b4c5-4bca-8691-6391477b3e93
 



I have a feeling it's just a quirk of my machine, that it's entered a weird state after being up too long, and that it will go away after I reboot it, but I wanted to throw the question out there to see if anyone else had experienced it.  I'm running Win7 64-bit with PS 3.0 installed.
Question by:footech
12 Comments
 
LVL 16

Assisted Solution

by:cantoris
cantoris earned 500 total points
ID: 39896933
What does this show:
Invoke-Command -ComputerName wkstn1.domain.com -ScriptBlock { ipconfig } 


Is that your IP or the remote machine's?

And from your machine, try
ping wkstn1.domain.com
and
nslookup wkstn1.domain.com

Any surprises there?

Finally, I presume when you changed one of the registry values, you were just using regedit, not PowerShell?
0
 
LVL 39

Author Comment

by:footech
ID: 39897944
That shows the IP of the remote machine.

All the DNS info is correct.  Both ping and nslookup return the correct info.  I've also referenced the remote machine by both its FQDN and its NetBIOS name to make sure there's no difference there.

Yes, when I changed the registry value I just used regedit.

Now for some additional information.
I have rebooted my machine and the behavior is still occurring (I really thought it would go away after a reboot)!  I have performed the same query against a different remote machine than what I did yesterday and the results are the same.

I'm starting to think PS 3.0 might be involved in some way.  I've only got a couple of machines with PS 3.0 installed to test with though, and one is down for the weekend.  Here are the results when I run the same Get-Item command on a different machine with PS 2.0 installed.
PS C:\temp> Get-Item HKLM:\System\CurrentControlSet\Services\msahci


    Hive: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services


SKC  VC Name                           Property
---  -- ----                           --------
  0   6 msahci                         {Start, Type, ErrorControl, ImagePath...}

PS C:\temp> Invoke-Command -computername mywkstn.domain.com -scriptblock { Get-Item HKLM:\System\Cur
rentControlSet\Services\msahci }


    Hive: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services


SKC  VC Name                           Property                                 PSComputerName
---  -- ----                           --------                                 --------------
  0   6 msahci                         {Start, Type, ErrorControl, ImagePath... mywkstn.domain.com


You'll probably notice in the above that it doesn't return any info about the values for the properties, and unless I use Get-ItemProperty I can't see the values.  I also see the same results as above when I enter an interactive remote session.  I think the machine I had the remote session to had PS 3.0 installed, but not certain, so I'll have to confirm with another machine that I'm certain of.
I'll perform some more tests on Monday with another PS 3.0 machine.
0
 
LVL 39

Assisted Solution

by:footech
footech earned 0 total points
ID: 39901603
I was wrong in my last post.  The machine I was connecting to with a remote session had PS 2.0 installed, so the reason for the difference in output was not at all related to being in a remote session.
So there's definitely different behavior depending on whether PS 3.0 is installed or not vs. PS 2.0 (haven't tested PS 4.0).  It seems PS 3.0 likes to try to display some info about the values contained within a registry key when you use Get-Item, whereas PS 2.0 does not (it only shows the info as seen in the last post).

I have repeated my tests from another machine with PS 3.0 installed and it shows the exact same behavior as my original machine I was testing with - namely that the info about registry values that PS 3.0 tries to display may not be correct when you're trying to use PS Remoting to query another machine.  It seems like it always tries to fill in this information with data from the local machine.  It's worth noting that this does not take place when you are in an interactive remote PS session.
0
 
LVL 16

Expert Comment

by:cantoris
ID: 39901762
Just a weird thought, try passing in the registry path in your script block in single quotes.

I've also seen different output from the registry provider between PowerShell versions before, though I've not used it massively.
0
 
LVL 39

Author Comment

by:footech
ID: 39903854
Unfortunately single quotes have no effect.

I'll do a little more reading to see if I can find any other report of similar behavior, but it seems like I've stumbled on a quirk of PowerShell.
0
 
LVL 39

Accepted Solution

by:
footech earned 0 total points
ID: 39913233
Busy week and I couldn't get back to this sooner...
The explanation for this behavior appears to come from the formatting file "Registry.format.ps1xml".  In PS 3.0 it tries to be helpful by displaying info about the values contained within the key retrieved by Get-Item.  Here's the relevant section:

$result = (Get-ItemProperty -LiteralPath $_.PSPath |
    Select * -Exclude PSPath,PSParentPath,PSChildName,PSDrive,PsProvider |
    Format-List | Out-String | Sort).Trim()
$result = $result.Substring(0, [Math]::Min($result.Length, 5000) )
if($result.Length -eq 5000) { $result += "..." }
$result


The object returned from a query of a remote machine will have a PSPath property that looks like "Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msahci".  When the formatting of the object occurs back on the local machine, it uses this PSPath with Get-ItemProperty, and so is actually doing a lookup on local values.

It seems the appropriate solution would be for PS to recognize when the registry object returned is a deserialized object and adjust its formatting correctly to handle this situation.  Get-Item isn't really meant to get values from the registry, only keys (Get-ItemProperty should be used when interested in the values), so when the formatting tries to be "helpful", in this scenario it is actually providing false data about the values.

I might see if I can change the formatting to handle this better, but I've never played around with the formatting before so we'll see.  Also it's not a critical issue since I know to use Get-ItemProperty when looking for registry values and their data.
0
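An added example, not part of the original thread: one way to collect registry values over PS Remoting so that what is displayed is data read on the remote machine, never something the local formatter re-resolves from PSPath. The function names Test-IsDeserialized and Get-RemoteRegistryValue are hypothetical; the host name and key path are the ones from the question.

```powershell
# Added example. Function names are hypothetical, not part of PowerShell.

function Test-IsDeserialized {
    param([Parameter(Mandatory)] $InputObject)
    # Objects that crossed a remoting boundary carry a "Deserialized." type-name
    # prefix; any display that looks them up again by PSPath is reading local state.
    [bool]($InputObject.PSObject.TypeNames -like 'Deserialized.*')
}

function Get-RemoteRegistryValue {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string]   $Path
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Path -ScriptBlock {
        param($Path)
        # Runs on the remote machine: $key is a live Microsoft.Win32.RegistryKey here.
        $key = Get-Item -LiteralPath $Path -ErrorAction Stop
        foreach ($name in $key.GetValueNames()) {
            # Flatten each value into plain properties before it is serialized.
            # New-Object is used so the block also works on a PS 2.0 target.
            New-Object PSObject -Property @{
                Key  = $key.Name
                Name = $name
                Kind = $key.GetValueKind($name).ToString()
                # Leave REG_EXPAND_SZ data unexpanded, as stored in the registry.
                Data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            }
        }
    }
}

$path = 'HKLM:\System\CurrentControlSet\Services\msahci'

# The key object from the question: deserialized, so its Property column
# in the default table view cannot be trusted.
$item = Invoke-Command -ComputerName wkstn1.domain.com -ScriptBlock {
    param($p) Get-Item -LiteralPath $p
} -ArgumentList $path
"Get-Item result is deserialized: $(Test-IsDeserialized $item)"

# Values materialized remotely; PSComputerName shows where each row came from.
Get-RemoteRegistryValue -ComputerName wkstn1.domain.com -Path $path |
    Where-Object { $_.Name -eq 'Start' } |
    Select-Object PSComputerName, Key, Name, Kind, Data
```

When registry state from many hosts feeds an audit or an investigation, comparing rows on PSComputerName and Data from this kind of output avoids recording the collector's own values as if they were the target's.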
 
LVL 16

Expert Comment

by:cantoris
ID: 39913287
Nice find!
That's quite an astonishing oversight on MS's part.  Have you tried it in PowerShell 4 to see if it does it there too?
0
 
LVL 39

Author Comment

by:footech
ID: 39913884
Unfortunately I can confirm that it still occurs with PS 4.0.
0
 
LVL 16

Expert Comment

by:cantoris
ID: 39913893
In that case, perhaps you should report it here:
https://connect.microsoft.com/PowerShell
0
 
LVL 39

Author Comment

by:footech
ID: 39914079
Thanks for the suggestion, I have done so.
0
 
LVL 39

Author Closing Comment

by:footech
ID: 39922899
Ultimately I was able to find the answer behind the behavior myself, but I appreciate cantoris' willingness to bounce some ideas around.
0
 
LVL 16

Expert Comment

by:cantoris
ID: 39924105
Many thanks for the points - very generous given that you fixed the problem yourself!
0
