This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 25%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKS%3C/text%3E%3C/svg%3E)
Hello PowerShell Community,
First time asking a question. I have been tasked to execute a .bat script written by Hyperion that issues start/stop "sc.exe" commands across 4 servers.
If I manually run the script with the hyperion account "As Admin" from the server where the .bat files exist, the command works perfectly.
When I try to run the .bat script from powershell with a {Start-Process -FilePath D:\Oracle\Scripts\Hyp_Services_stop.bat -Verb RunAs -Wait} command remotely, the command partially works on the server where the .bat resides, but gets a "[SC] OpenSCManager FAILED 5: Access is denied." error.
If the .bat script is running as Administrator why does the command only work locally?
The commands in the .bat script look like this:
echo stopping Financial Reporting services. %date% %time% >> %LOGFILE%
sc \ServerNameHere.domain.com stop "HyS9FRReports_epmsystem1"
choice /n /t 5 /d y > nul
I'm attaching the script I have written. Any suggestions would be greatly appreciated.171385-hyperionscript.txt
When Get-Service is used there are limitations on what is returned
What's the problem?
PS C:\> get-service -Name LanmanServer
Status Name DisplayName
------ ---- -----------
Running LanmanServer Server
PS C:\> get-service -DisplayName Server
Status Name DisplayName
------ ---- -----------
Running LanmanServer Server
PS C:\> get-service -DisplayName Server | Format-List -Property *
Name : LanmanServer
RequiredServices : {SamSS, Srv2}
CanPauseAndContinue : False
CanShutdown : False
CanStop : True
DisplayName : Server
DependentServices : {RAPSService, Browser}
MachineName : .
ServiceName : LanmanServer
ServicesDependedOn : {SamSS, Srv2}
ServiceHandle : SafeServiceHandle
Status : Running
ServiceType : Win32OwnProcess, Win32ShareProcess
StartType : Automatic
Site :
Container :
Thanks, the "Format-List -Property *" is the best option for me.
BTW if you try to display a Service with more than 15 characters in it, the NAME is truncated.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
When you run that script manually, do you use "Run as administrator"? If you do, are you prompted by UAC to confirm that it's okay to run it?
When you run the script on the remote machine you're probably (well, likely) encountering the same UAC challenge -- except you're never going to see it. Since nobody confirms that running the script is okay, the challenge fails.
That's not a PowerShell problem, it's a security decision you have to make -- continue using UAC, modify how UAC is configured, or stop using UAC.
This is the infamous double hop problem. From Desktop1 you are doing an Invoke-Command to Server1. That authentication works. But the bat file you execute then reaches out to other servers via "sc \servername". That is the double hop and that authentication fails.
One workaround for your situation would be to define a scheduled task that runs the D:\Oracle\Scripts\Hyp_Services_stop.bat
file. Define that task without any triggers and set it to run as your Hyperion admin account. You will need to enter that account's password when you define the task so that it can authenticate to all of the other servers. (You are effectively simulating logging on with that account and running the bat interactively.)
Then in the scriptblock that the Invoke-Command executes, you would issue a "Start-ScheduledTask -TaskName" to kick off the task.
The downside to that option is that if the password for the account changes, you will need to update that for the scheduled task.
Your other alternatives are to use the ConfigurationName parameter....
https://www.ipswitch.com/blog/the-infamous-double-hop-problem-in-powershell
..or the credSSP solution.
https://devblogs.microsoft.com/scripting/enable-powershell-second-hop-functionality-with-credssp/
If you use either of those 2 solutions, I recommend just calling cmd.exe directly and not use Start-Process. That way any stdout/stderr that is not captured in the log file will be returned in the Invoke-Command.
$PlanningCommand = {cmd.exe /c D:\Oracle\Scripts\Hyp_Services_start.bat }
Hello Friends!!
Double Hop was the issue. I ended up creating a new script that just issues an Invoke-Command to each server involved. Now I'm having an issue with the Get-Service command. When the sc.exe command is used it returns the fully qualified Name and DisplayName. When Get-Service is used there are limitations on what is returned in these fields.
Does anyone have a suggestion on how to return the fully qualified NAME and DisplayName? Of a sample of how I can execute "sc.exe query"?
Thanks.
Ken Ski
@MotoX80 Last question for this challenge I have undertaken.
How do I redirect the "VERBOSE" message to an outfile?
I have found many examples on how to pipe to an out-file, or redirect using variations of (4>&1), (*>&1), but none have worked for me.
The Invoke-Command is writing to my outfile, but the Scriptblock command is writing into the spool file of the job I execute. I would like all the messages written into my outfile.
Thank you in advance.
KenSki
Redirect stream #4 (the "Verbose" stream) to stream #1 (STDOUT). Add this to the end of the Invoke-Command:
4>&1
See "help about_redirection" for more information.
I tried that and other variations but I get an error. To me the error appears to be ignoring the redirect and doesn't know how to translate the path I'm trying to redirect to.
Here is my command:
Invoke-Command -ComputerName 'servername.domain.com' -ScriptBlock {Stop-Service -name 'HyS9CALC_epmsystem1' -verbose} 4>&1 C:\Folder\Where\Script\Is\executed\from\log.txt
I also tried adding it in the ScriptBlock:
Invoke-Command -ComputerName 'servername.domain.com' -ScriptBlock {Stop-Service -name 'HyS9CALC_epmsystem1' -verbose 4>&1 C:\Folder\Where\Script\Is\executed\from\log.txt}
Here is the Error:
Invoke-Command : A positional parameter cannot be found that accepts argument 'C:\Folder\Where\Script\Is\executed\from\log.txt'.
At C:\Folder\Where\Script\Is\executed\from\Remote_HyServicesStop_With_WriteOutput.ps1:72 char:2
BTW - I was using this site as a reference:
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_redirection?view=powershell-7.2
Your log file name is in the wrong place.
$result = Invoke-Command -ComputerName 'test10'-Credential $Credential -ScriptBlock {
Stop-Service -name 'wsearch' -verbose 4>&1
Start-Sleep 5
Start-Service -name 'wsearch' -verbose 4>&1
}
"-----------"
"Here are the results"
$result
$result | out-file C:\temp\log.txt
""
"Here is whats in the file"
Get-Content C:\temp\log.txt
Thank you!! Have a great day....