WinRM service killed by remote script

Time: 2017-09-11 18:47:06

Tags: powershell

We are running into a situation where a PowerShell script occasionally kills the WinRM service on a remote server. Here is the script:

    # List the IIS worker processes on the remote host (this call goes over WinRM)
    $results = Invoke-Command -computername $hostname -ScriptBlock { Invoke-Expression "C:\Windows\System32\inetsrv\appcmd.exe list WP" }

    # WMI query for the private working set of every w3wp process
    $query = 'Select IDPROCESS,workingsetprivate,name from Win32_PerfFormattedData_PerfProc_Process WHERE name LIKE "w3wp%"'

    $Pools = Get-WmiObject -computername $hostname -query $query

    foreach ($result in $results)
    {
        $obj = New-Object -TypeName PSObject
        # The first run of digits in the appcmd line is the worker process ID
        $result -match '\d+' | Out-Null
        $AppPoolID = $Matches[0]

        # The text between ':' and ')' is the application pool name
        $result -match '(?<=:)\S*(?=\))' | Out-Null
        $AppPoolName = $Matches[0]

        # Look up the memory figure for that process ID in the WMI results
        $Memory = $Pools | where IDPROCESS -eq $AppPoolID | Select -ExpandProperty workingsetprivate

        $obj | Add-Member -MemberType NoteProperty -Name ID -Value $AppPoolID
        $obj | Add-Member -MemberType NoteProperty -Name Name -Value $AppPoolName
        $obj | Add-Member -MemberType NoteProperty -Name Memory -Value $Memory

        Write-Host "$AppPoolName=$Memory"
    }

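I have never seen WinRM killed by a remote script. The script runs every six minutes and succeeds 99.9% of the time, but occasionally it fails.

Here is the error from the event log on the target machine:

    Faulting application name: svchost.exe_WinRM, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
    Faulting module name: wsmsvc.dll, version: 6.3.9600.16406, time stamp: 0x5244e817
    Exception code: 0xc0000005
    Fault offset: 0x0000000000120da9
    Faulting process id: 0x9fb0
    Faulting application start time: 0x01d32aba968aefb7
    Faulting application path: C:\Windows\System32\svchost.exe
    Faulting module path: c:\windows\system32\wsmsvc.dll
    Report Id: 4c9bd468-96fd-11E7-bbb4-005056ba0048

Any ideas?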

0 answers:

No answers