Hello,
I've a very strange problem while using "Invoke-VMScript" through PowerCLI 6.5 Release 1 build 4624819 to my Windows Server 2012R2. The command is only executed, if I'm logged in on the console or using rdp with the same user i specified for the "-GuestCredential" parameter.
If I'm not logged in with the same user, I can see that a cmd.exe Process is spawned by vmtoolsd.exe which in turn starts powershell.exe, but my commands are not executed.
cmd.exe and poewershell.exe are both assigned to the correct user.
Has anyone an idea, what is going on here and how to fix this?
PowerCLI vis:\*********\> Get-PowerCLIVersion
PowerCLI Version
----------------
VMware PowerCLI 6.5 Release 1 build 4624819
---------------
Component Versions
---------------
VMware Cis Core PowerCLI Component 6.5 build 4624453
VMware VimAutomation Core PowerCLI Component 6.5 build 4624450
VMWare ImageBuilder PowerCLI Component 6.5 build 4561891
VMWare AutoDeploy PowerCLI Component 6.5 build 4561891
VMware Vds PowerCLI Component 6.5 build 4624695
VMware Cloud PowerCLI Component 6.5 build 4624821
VMware HA PowerCLI Component 6.0 build 4525225
VMware HorizonView PowerCLI Component 7.0.2 build 4596620
VMware Licensing PowerCLI Component 6.5 build 4624822
VMware PCloud PowerCLI Component 6.5 build 4624825
VMware Storage PowerCLI Component 6.5 build 4624820
VMware vROps PowerCLI Component 6.5 build 4624824
VMware vSphere Update Manager PowerCLI 6.5 build 4540462
Did you already check the Windows eventlogs?
There might be an indication why starting the cmd with that account fails.
You could also add the Verbose switch, and see if that gives extra clues.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
If I use -Verbose the output is:
The Windows Eventlog on the vm doesn't show anything special.
Application Eventlog:
vmtoolsd: Username and password successfully validated for MyUserName
Security Eventlog:
Ein Konto wurde erfolgreich angemeldet.
Antragsteller:
Sicherheits-ID: SYSTEM
Kontoname: MyServerName$
Kontodomäne: MyDomain
Anmelde-ID: 0x3E7
Anmeldetyp: 2
Identitätswechselebene: Identitätswechsel
Neue Anmeldung:
Sicherheits-ID: MyDomain\MyUsername
Kontoname: MyUsername
____________________________________________________________________________________________________________________________
Einer neuen Anmeldung wurden besondere Rechte zugewiesen.
Antragsteller:
Sicherheits-ID: MyDomain\MyUser
Kontoname: MyUser
Kontodomäne: MyDomain
Anmelde-ID: 0x61907D6
Berechtigungen: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
From PowerShell Eventlog VMWare Tools run the following command:
powershell -NonInteractive -EncodedCommand cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBPAHUAdABwAHUAdABGAG8AcgBtAGEAdAAgAHQAZQB4AHQAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0AQwBvAG0AbQBhAG4AZAAgACcAJgAgAHsAJABQAFMAVgBlAHIAcwBpAG8AbgBUAGEAYgBsAGUAfQAnACAAPgAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQARQBNAFAAXABwAG8AdwBlAHIAYwBsAGkAdgBtAHcAYQByAGUAMQA0ADEAIgA7ACAAZQB4AGkAdAAgACQAbABhAHMAdABlAHgAaQB0AGMAbwBkAGUA
The Encoded Part translates to:
powershell.exe -OutputFormat text -NonInteractive -Command '& {$PSVersionTable}' > "C:\Windows\TEMP\powerclivmware141"; exit $lastexitcode
If I'm logged in with the same user, I see the following process tree:
VMtools => CMD => PowerShell => Powershell
If I'm not logged in the process tree is as following:
VMtools => CMD => PowerShell
Everything marked bold above is run by my test user, so spawning processes with that credentials works fine, but for some reasons the PowerShell process that otherwise is spawned from PowerShell isn't started. This happens even on a newly installed Windows 2012 R2 VM with VMware tools.
Edit: Now I found something useful in the logs. VMware-vmsvc loggs to C:\Windows\vmware-vmsc the following:
[Mai 04 15:55:03.192] [ warning] [vix] VixToolsPrintFileExtendedInfo: Posix_Stat(C:\Windows\TEMP\powerclivmware199) failed with 2
[Mai 04 15:55:03.192] [ message] [vix] VixToolsInitiateFileTransferFromGuest: opcode 188 returning 0
Now I also tried giving everyone full Access to C:\Windows\Temp, but that doesn't help neither. I can see how to that file gets created and deleted, but Invoke-VMscript is still not outputting anything...
Edit 2: Now I found a workaround the following works:
dir | Invoke-VMScript -ScriptType Bat -ScriptText 'call powershell.exe -Command import-module Microsoft.PowerShell.Utility; Write-Host "test"' -GuestCredential $guestCredential
But the following doesn't return anything, in fact, the commands provided in the ScriptText parameter are not even executed:
Invoke-VMScript -ScriptType Powershell -ScriptText 'import-module Microsoft.PowerShell.Utility; Write-Host "test"' -GuestCredential $guestCredential
Edit 3: I think I found the bug, the way how VMware invokes powershell seams to cause it to fail while loading some essential modules. "Microsoft.PowerShell.Management", "Microsoft.PowerShell.Utility". So the "> C:\Windows\temp\powerclivmware199" part fails with the error:
The above error is not really from the process that is spawned by VMware, but by the same way VMware Tools does to take on the identity of the user. I used Process Hacker to "Run as this user" on the process VMware spawned. But I'm very confident, that this is exaclty what happens with the Powershell process that is spawned by the VMware Tools.
After that I tried to Import the failing module using -Debug, so i was able to trace it down to the Import of the alias.
Here is a screenshot comparing the outputs of the two imports on the top in a "normal" powershell and on the bottom in an similarly invoked powershell (like VMware does)
I think, this is a bug, that only VMware can solve. Maybe it only ocures because I updated powershell to Version 5 manually using KB3134758, which is not installed on 2012R2 by Default. But I have no System to test that right now.
Sorry for the reply to an old post but I'm having the exact same issue on W2K R2 server with powershell 4.0 on the guest.
I've used 'invoke-vmscript' at least a hundred times in many environments without this problem... I'm still looking for a solution so if you have a solution in the meantime, please share.
Thakns in advance.