sachingaikwad
Enthusiast
Enthusiast

Use Invoke-VMScript to lock remote machine

Jump to solution

I have a requirement to lock Virtual machine after running a process. The user I'm logged in with is a domain admin user, If I execute the command "C:\windows\system32\rundll32.exe user32.dll, LockWorkStation" from cmd.exe inside the VM, the VM locks.

But if I pass the same command using "Invoke-VMScript", Command doesn't work i.e. system doesn't gets locked and the ScriptOutput is empty. Please suggest.

Here is my command and the output:

$TARGET_VM = Get-VM "VM_NAME"

$Command_text='cmd.exe /c  `"C:\windows\system32\rundll32.exe user32.dll, LockWorkStation`"'

Invoke-VMScript -VM $TARGET_VM -ScriptText $Command_text -GuestUser "domain\user" -GuestPassword "Password" -Verbose

Output:

VERBOSE: Performing the operation "Invoke-VMScript" on target "VM_NAME"

VERBOSE: 5/24/2020 10:42:32 PMInvoke-VMScriptFinished execution

ScriptOutput                                                                                                                         

--------------------------------------------------------------------------------------------------------------------------------------

|                                                                                                                                     

--------------------------------------------------------------------------------------------------------------------------------------

I tried -Verbose option - and the verbose output is not much helpful

In the VMware.log, there is no useful info:

2020-05-24T20:42:32.805Z| vmx| I125: VigorTransportProcessClientPayload: opID=37662f0b-2c-64d6 seq=270909: Receiving GuestOps.ListProcesses request.

2020-05-24T20:42:32.945Z| vcpu-1| I125: VigorTransport_ServerSendResponse opID=37662f0b-2c-64d6 seq=270909: Completed GuestOps request with messages.

2020-05-24T20:42:32.976Z| vmx| I125: VigorTransportProcessClientPayload: opID=159a9797-1c-64db seq=270920: Receiving GuestOps.InitiateFileTransferFromGuest request.

2020-05-24T20:42:33.033Z| vcpu-1| I125: VigorTransport_ServerSendResponse opID=159a9797-1c-64db seq=270920: Completed GuestOps request with messages.

2020-05-24T20:42:33.938Z| vmx| I125: VigorTransportProcessClientPayload: opID=1c21fd4d-2f-64e1 seq=270939: Receiving GuestOps.DeleteFile request.

2020-05-24T20:42:33.999Z| vcpu-1| I125: VigorTransport_ServerSendResponse opID=1c21fd4d-2f-64e1 seq=270939: Completed GuestOps request.

Please let me know if a system can locked using "Invoke-VMScript"?

0 Kudos
1 Solution

Accepted Solutions
LucD
Leadership
Leadership

I did refer to the Guest credentials in my previous reply.

It seems that there is an option with the tsdiscon command (introduced in Windows 2000).

That command takes a sessionId for the session you want to lock.

You have to provide the user that has the session open.

$vmName = 'MyVM'

$userName = 'lucd'


$guestUser = 'administrator'

$guestPswd = 'VMware1!'

$cred = New-Object -TypeName pscredential -ArgumentList $vicred.User,(ConvertTo-SecureString -String $viCred.Password -AsPlainText -Force)


$code = @'

`$line = Invoke-expression -Command 'query session' | where{`$_ -match '$userName'}

`$sessionId = (`$line -split '\s+')[3]

Invoke-Expression -Command "tsdiscon `$sessionId"

'@

$sInvoke = @{

    VM = $vmName

    ScriptType = 'powershell'

    ScriptText = $ExecutionContext.InvokeCommand.ExpandString($code)

    GuestCredential = $cred

}

Invoke-VMScript @sInvoke


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

View solution in original post

0 Kudos
4 Replies
LucD
Leadership
Leadership

The code you run through Invoke-VMScript runs in the background, not as an interactive session.

And that code is started from the VMware Tools process, albeit with the guest credentials you pass to Invoke-VMScript.

You are locking your session, but that is not an interactive session.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
sachingaikwad
Enthusiast
Enthusiast

@LucD Thank you for the reply. As you know Host user and Host-password parameters are deprecated. So is it possible to lock the interactive session using Guest credentials?  I would like to lock the console session-1 (output of query session).

I looked https://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.powercli.cmdletref.doc%2FInvoke-VMS...​ but looks like there is no parameter which accepts "session".

0 Kudos
LucD
Leadership
Leadership

I did refer to the Guest credentials in my previous reply.

It seems that there is an option with the tsdiscon command (introduced in Windows 2000).

That command takes a sessionId for the session you want to lock.

You have to provide the user that has the session open.

$vmName = 'MyVM'

$userName = 'lucd'


$guestUser = 'administrator'

$guestPswd = 'VMware1!'

$cred = New-Object -TypeName pscredential -ArgumentList $vicred.User,(ConvertTo-SecureString -String $viCred.Password -AsPlainText -Force)


$code = @'

`$line = Invoke-expression -Command 'query session' | where{`$_ -match '$userName'}

`$sessionId = (`$line -split '\s+')[3]

Invoke-Expression -Command "tsdiscon `$sessionId"

'@

$sInvoke = @{

    VM = $vmName

    ScriptType = 'powershell'

    ScriptText = $ExecutionContext.InvokeCommand.ExpandString($code)

    GuestCredential = $cred

}

Invoke-VMScript @sInvoke


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

View solution in original post

0 Kudos
sachingaikwad
Enthusiast
Enthusiast

Thank you so much LucD​ this worked like a charm Smiley Happy

0 Kudos