winrm/wsman enumerate PullResponse size

Alexander Anikin 0 Reputation points
2023-07-03T08:35:51.4266667+00:00

Hi, I'm trying to get a large enumeration via WinRM (log events). But I can't make WinRm to return more than 50 entries per Pull request. WinRm config:

C:\Windows\system32>winrm get winrm/config
Config
    MaxEnvelopeSizekb = 2000
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts = *
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 2147483647
        MaxShellsPerUser = 2147483647

MaxBatchItems supposed to define how much items one could get through pull request:

"MaxBatchItems Specifies the maximum number of elements that can be used in a Pull response"

But in fact it doesnt send more than 50 entries(xmlfragments) per pull request.

I send following enumerate request via PostMan, following with pull request for returned enumeration context:

    <s:Body>
        <wsen:Enumerate>
            <wsman:OptimizeEnumeration/>
            <wsman:Filter Dialect="http://schemas.microsoft.com/wbem/wsman/1/WQL">select InsertionStrings from Win32_NTLogEvent where Logfile = 'Security'</wsman:Filter>
            <wsman:MaxElements>2000/wsman:MaxElements>
        </wsen:Enumerate>
    </s:Body>

    <s:Body>
        <wsen:Pull>
            <wsen:EnumerationContext>uuid:{{enum_uuid}}</wsen:EnumerationContext>
            <wsen:MaxElements>2000</wsen:MaxElements>
        </wsen:Pull>
    </s:Body>

Upon further investigation I discovered that limiting factor is not MaxBatchItems, but actual size of a PullRespone message. I checked EventLog (event id 1044) and found that server never send more that 51 chunks of max mtu in one Pull Response ("SOAP [listener sending index 1 of 51 total chunks (1500 bytes)] ".

So the question is if there is a way to increase the size of returned Rull Response? MaxEnvelopeSizekb and MaxBatchItems doesn't seem to affect this behavior.

Windows Server 2016
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management updated to data storage.
2,560 questions
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
13,586 questions
0 comments No comments
{count} votes

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.