Davoud Teimouri
asked on
wmic run a batch file from UNC path on remote computer
Hi all,
Is there any solution to run a batch file from a UNC path on a remote computer by using wmic?
I want to run a command like this: wmic /node:[TargetIPaddr] /user:[admin] process call create "Start \\UNC_Path\batchfile.bat"
It works in an AD domain if you first enable the "Trust this computer for delegation" for the AD computer object, and then start wmic with the impersonation level "Delegate" and the authority:
wmic.exe /node:<target> /user:<user> /password:"<password>" /implevel:Delegate /Authority:"kerberos:<domain>\<target computer name>" process call create "\\UNC_Path\batchfile.bat"
Details are in 'WMI Security Settings', https://technet.microsoft.com/en-us/library/ee156574.aspx
All in all, it's probably easier to first copy the batch to the target machine, run wmic with the local copy, and then delete the local copy again.
net.exe use \\<target>\ipc$ "<password>" /user:<user>
copy "\\UNC_Path\batchfile.bat" "\\<target>\admin$\Temp"
wmic.exe /node:<target> /user:<user> /password:"<password>" process call create "%Systemroot%\Temp\batchfile.bat"
del "\\<target>\admin$\Temp\batchfile.bat"
net.exe use \\<target>\ipc$ /delete
If you want to use psexec, note that network access by the remote process will only work if you specify user and password in the psexec command line, and these will be sent to the target unencrypted; check "psexec.exe -?".
ASKER
@RantCan: Hi, I have used PSEXEC but it did not work because the admin share is disabled on our clients, and I do it by creating a scheduled task on the target computers. Anyway, thanks for your comment.
ASKER
@oBdA: Many thanks for your solution, I'm going to check it.
ASKER
@oBdA: Your solution needs a shared folder, and we have no shared folders on our clients because shared folders are disabled by the domain via the registry. Is there any way to create a share via wmic?
OK, maybe the solution with the delegation I suggested above isn't so complicated after all ...
You can create a share remotely using WMI (see https://support.microsoft.com/en-us/kb/295622):
wmic.exe /node:<target> share call create "", "Some Comment", "", "Temp", "", "C:\Temp", 0
Unfortunately, that doesn't allow you to set share permissions, so there will only be Read permissions for Everyone, which won't do you any good since you want to write to that share.
Second obvious thought is to simply use the "process call create" to start "net.exe share ... /grant:...". Easy - until you notice that /grant requires a comma between the account and the permissions, and no amount of escaping allows you to pass a comma as part of an argument to a call with wmic.
Long story short, I ended up extracting the comma at the end of the "dir" output into a variable and then used the variable.
The following command will share "C:\Temp" as "Te mp" (just as demonstration on how to escape double quotes) and grant Everyone Full share permissions (for simplicity's sake, I left out the /node and credentials). Don't change anything except for the "Te mp" and the "C:\Temp" to what you want to use.
wmic.exe process call create "cmd.exe /v:on /C (for /f \"tokens=3 delims=) \" %a in ('dir C:\W*') do set Comma=%a)& net.exe share \"Te mp\"=C:\Temp /grant:Everyone!Comma!Full"
What should work, too (can't test it at the moment, and is obviously somewhat insecure) is to use explicit credentials to connect to the share:
wmic.exe process call create "cmd.exe /v:ON /C net.exe use \\<Server>\<Share> \"<Password>\" /user:<User>&\\<Server>\<Share>\folder\batch.cmd&net.exe use \\<Server>\<Share> /delete"
Edit: fixed unwanted line break in code.
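Added example, not part of the original thread: the command shapes discussed above (wmic remote process creation, passwords passed via /password: or net use, delegation, and the Everyone/Full share grant, including its !Comma! form) can be flagged in process-creation logs with a few regular expressions. The rule names, hosts, accounts and sample records below are constructed for illustration.

```python
import re

# Each rule targets one command-line shape that appears in this thread.
RULES = {
    # wmic starting a process on another host
    "wmic-remote-exec": re.compile(
        r"\bwmic(\.exe)?\b(?=.*?/node:)(?=.*?\bprocess\s+call\s+create\b)", re.I),
    # /password: places the secret in the recorded command line
    "wmic-cleartext-password": re.compile(
        r"\bwmic(\.exe)?\b.*?/password:\s*\S", re.I),
    # net use [device] \\unc <password> /user:<user>; "/delete" is not a password
    "net-use-cleartext-password": re.compile(
        r"\bnet(\.exe)?\s+use\s+(?:[a-z*]:\s+)?\\\\\S+\s+(?!/)\S+.*?/user:", re.I),
    # WMI connection asking for Kerberos delegation
    "wmi-delegation": re.compile(r"/implevel:\s*delegate\b", re.I),
    # Everyone/Full share grant; the separator is either a literal comma (child
    # net.exe line) or a delayed-expansion variable (parent cmd.exe line)
    "share-everyone-full": re.compile(
        r"\bnet(\.exe)?\s+share\b.*?/grant:\s*everyone\s*(,|![^!\s]+!)\s*full", re.I),
}

def audit_command_line(cmdline):
    """Return the sorted names of all rules that match one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

def audit_events(events):
    """Map host -> sorted findings for (host, command line) pairs with any hit."""
    report = {}
    for host, cmdline in events:
        hits = audit_command_line(cmdline)
        if hits:
            report.setdefault(host, set()).update(hits)
    return {host: sorted(found) for host, found in report.items()}

# Constructed sample records (hosts, accounts and password are made up).
SAMPLE_EVENTS = [
    ("ADMIN01", r'wmic.exe /node:10.0.0.5 /user:CORP\admin /password:"Example-Pw1" '
                r'/implevel:Delegate /Authority:"kerberos:CORP\PC01" '
                r'process call create "\\fs01\deploy\batchfile.bat"'),
    ("PC01", r'''cmd.exe /v:on /C (for /f "tokens=3 delims=) " %a in ('dir C:\W*') '''
             r'''do set Comma=%a)& net.exe share "Te mp"=C:\Temp /grant:Everyone!Comma!Full'''),
    ("PC01", r'net.exe share "Te mp"=C:\Temp /grant:Everyone,Full'),
    ("PC02", r'cmd.exe /v:ON /C net.exe use \\fs01\deploy "Example-Pw1" /user:CORP\svc'
             r'&\\fs01\deploy\folder\batch.cmd&net.exe use \\fs01\deploy /delete'),
    ("PC03", r'net.exe use \\fs01\deploy /delete'),
]

if __name__ == "__main__":
    print(audit_events(SAMPLE_EVENTS))
```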
ASKER
@oBdA:
Many thanks for your solution, you are an EXPERT.
I got the below error when I was running the below line:
wmic.exe process call create "cmd.exe /v:on /C (for /f \"tokens=3 delims=) \" %a in ('dir C:\W*') do set Comma=%a)& net.exe share \"Te mp\"=C:\Temp /grant:Everyone!Comma!Full"
Is there any solution to fix it?
Also, the second command line worked perfectly, but you said that it is insecure.
ASKER
A great solution provided by an EXPERT
Thank you so much oBdA.
https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx