
I'm writing a script which needs to RDP to a few servers, do processes there and then come back.

mstsc /v:<computer> by itself looks great as its security/credential prompt is the same as if you manually executed it.

However, after some research it appears that's meant to be a command line utility and nothing more because trying things like:

mstsc /v:104.209.198.181 | Invoke-Command -ScriptBlock {"New-Item C:\Users\<me>\Desktop\Success.txt -ItemType file"} 

doesn't work.

So I tried Enter-PSSession <computer> -Credential $env:UserName which people use but it looks like a mess to deal with compared to mstsc because it looks primitive (an article I read yesterday tried to say this type of prompt is ALWAYS a phishing scam which obviously it's not but try telling management), it doesn't auto-populate domains, and I get a WinRM error which I'm sure will be a rabbit hole.

So is it possible to RDP with mstsc and then pipe commands to it so they're executed on that computer?

Ryan

1 Answer


The answer is no. You cannot initiate some kind of pipe using MSTSC.exe.

You can, however, use PSRemoting to send the command like you're trying to do already:

Invoke-Command -ComputerName '<FQDN>' -ScriptBlock {
    New-Item -Path "$HOME\Desktop\Success.txt" -ItemType File
}

If you don't know the FQDN, then look up the IP using DNS:

[System.Net.Dns]::GetHostEntry('104.209.198.181')

All this failing... you can fall back on WMI, but you don't get any console feedback:

$WmiArgs = @{
    'Class'        = 'Win32_Process'
    'Name'         = 'Create'
    'ArgumentList' = 'powershell -NoProfile -NonInteractive -WindowStyle Hidden -Command "New-Item -Path $HOME\Desktop\Success.txt -ItemType File"'
    'ComputerName' = '104.209.198.181'
}
Invoke-WmiMethod @WmiArgs

While I tested that the above is working, you can shorthand even this!

([wmiclass]'\\104.209.198.181\root\cimv2:win32_process').
    Create('powershell -NoP -NonI -W Hidden -C "New-Item -Path $HOME\Desktop\Success.txt -ItemType File"')

With this method, however, you cannot pass credentials.

Maximilian Burszley
  • Technically speaking, you *can* pass credentials if you use `cmd.exe /c "runas ....."`. But I'm not even about to attempt that abomination of string escaping, and you have to previously have executed `runas /savecred` with the same account for it to work. – codewario Jul 11 '18 at 21:51
  • @BendertheGreatest And if there is containerization of workstations in play, `runas.exe` may not play nice. – Maximilian Burszley Jul 11 '18 at 21:52
  • @BendertheGreatest `$HOME` resolves as an automatic variable on the endpoint when the command is executed. It will run into issues if the username has spaces in it, however. – Maximilian Burszley Jul 11 '18 at 21:53
  • There are many hoops and limitations that come with runas. I was simply stating it's technically possible if someone wanted to pursue it. – codewario Jul 11 '18 at 21:53
  • Doh - I removed the comment. Long day, you are right – codewario Jul 11 '18 at 21:54
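As an added example (not the answerer's code; it assumes hypothetical server names and Windows PowerShell 5.1), the two approaches from the answer combined into one script for several servers: a single Get-Credential prompt, PSRemoting where WinRM answers, and the WMI fallback otherwise, with the target path built with Join-Path so a user name containing spaces does not break it (the issue raised in the comments).

```powershell
# Added example, not from the original answer. Server names are placeholders.
$Servers = @('srv01.corp.example', 'srv02.corp.example')

# Get-Credential shows the standard Windows credential dialog and accepts a
# domain-qualified user name (DOMAIN\user), so the prompt is asked only once.
$Cred = Get-Credential -Message 'Account used to run the remote task'

# The task to run. $HOME is resolved on the endpoint; Join-Path builds the path
# as a value rather than an interpolated string, so spaces in the user name are safe.
$Task = { New-Item -Path (Join-Path $HOME 'Desktop\Success.txt') -ItemType File -Force }

foreach ($Server in $Servers) {
    # Test-WSMan returns an object only if the WinRM listener is reachable.
    $WinRmUp = $null -ne (Test-WSMan -ComputerName $Server -ErrorAction SilentlyContinue)

    if ($WinRmUp) {
        try {
            # PSRemoting returns the remote output, so we get real feedback.
            $Result = Invoke-Command -ComputerName $Server -Credential $Cred -ScriptBlock $Task -ErrorAction Stop
            Write-Host ("[{0}] PSRemoting OK: {1}" -f $Server, $Result.FullName)
            continue
        } catch {
            Write-Warning ("[{0}] PSRemoting failed: {1}" -f $Server, $_.Exception.Message)
        }
    } else {
        Write-Warning ("[{0}] WinRM unreachable, using WMI fallback" -f $Server)
    }

    # WMI fallback over DCOM. Win32_Process.Create gives no console output; the
    # only feedback is ReturnValue (0 = success) and the ProcessId it started.
    # The same script block text is reused; it contains no double quotes, so it
    # can be embedded in -Command without extra escaping.
    $CommandLine = 'powershell -NoProfile -NonInteractive -WindowStyle Hidden -Command "{0}"' -f $Task.ToString().Trim()
    $Wmi = Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList $CommandLine -ComputerName $Server -Credential $Cred

    if ($Wmi.ReturnValue -eq 0) {
        Write-Host ("[{0}] WMI started PID {1}; verify Success.txt separately" -f $Server, $Wmi.ProcessId)
    } else {
        Write-Warning ("[{0}] WMI Create failed, ReturnValue {1}" -f $Server, $Wmi.ReturnValue)
    }
}
```

Because the WMI path only reports that the process was started, confirm the result afterwards (for example with Test-Path over an admin share or a later PSRemoting check) rather than trusting ReturnValue 0 alone.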