{"id":72941,"date":"2015-10-05T00:01:00","date_gmt":"2015-10-05T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2015\/10\/05\/troubleshoot-winrm-with-powershellpart-1\/"},"modified":"2019-02-18T09:35:00","modified_gmt":"2019-02-18T16:35:00","slug":"troubleshoot-winrm-with-powershellpart-1","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/troubleshoot-winrm-with-powershellpart-1\/","title":{"rendered":"Troubleshoot WinRM with PowerShell—Part 1"},"content":{"rendered":"

Summary<\/b>: Ed Wilson, Microsoft Scripting Guy, talks about using Windows PowerShell to look at WinRM logs.<\/span><\/p>\n

\"Hey, Hey, Scripting Guy! I am having problems with WinRM. When I use the Get-CimInstance<\/b> cmdlet, it fails. When I specify the –DCOM<\/b> protocol for Get-CimInstance<\/b>, it works. I suspect I have a WinRM problem. How can I go about troubleshooting it?<\/p>\n

—TB<\/p>\n

\"Hey, Hello TB,<\/p>\n

Microsoft Scripting Guy, Ed Wilson, is here. One of the great things about Windows, regardless of the version, is that there are some awesome diagnostics and operational logs. I am not talking about the traditional event logs that have been around since the earliest versions of WinNT (System, Application, and Security logs)—rather, I am talking about the hundreds of other logs that exist.<\/p>\n

Of course, I can open the Event Viewer and go to Microsoft  > Windows > Windows Remote Management, then find the Operational log:<\/p>\n

\"Image<\/a><\/p>\n

But that is a lot of mousing around. So I can use the Get-WinEvent<\/b> cmdlet, the –ListLog<\/b> parameter, and a wildcard character to see all of the logs that exist:<\/p>\n

Get-WinEvent -ListLog *<\/p>\n

When I get through that list, I can look for the log. There is a major issue here, however. First of all, Microsoft-Windows-Windows kind of looks like an error, but, it is really there. Then the Remote Management\/Operational part does not appear to exist. The good thing is that I can use wildcard characters and avoid a lot of typing. Here is the command I use:<\/p>\n

Get-WinEvent -ListLog *windows-windows*<\/p>\n

The command and its associated output are shown here:<\/p>\n

\"Image<\/a><\/p>\n

Nope. There is no Windows-Remote-Management anywhere to be found. Dude!<\/p>\n

So, I am reduced to piping my log output to More<\/b>, and paging through, one page at a time. Can you say time consuming, frustrating, and total waste of time? Try it. I bet you can.<\/p>\n

Get-WinEvent -ListLog * | more<\/p>\n

Finally, I find that (for whatever reason), they decided to rename the log name from the display name. I bet that was done to save time.<\/p>\n

PS C:\\> Get-WinEvent -ListLog *winrm*<\/p>\n

LogMode   MaximumSizeInBytes RecordCount LogName<\/p>\n

——-             ——————       ———–          ——-<\/p>\n

Circular             1052672          16 Microsoft-Windows-WinRM\/Operational<\/p>\n

Clear the operational log<\/h2>\n

Windows PowerShell has a Clear-EventLog<\/b> cmdlet, but that only works with traditional logs. To work with the hundreds of other event logs, I need to use the Wevtutil.exe program. Luckily, I can call this command-line tool inside Windows PowerShell, and even pipe stuff to it.<\/p>\n

The first thing I like to do when I am troubleshooting is dump the log, and then take steps to re-create the problem. Here is the command to dump the WinRM log:<\/p>\n

Get-WinEvent -ListLog *winrm* | % {wevtutil.exe cl $_.LogName}<\/p>\n

Now I go back and check to ensure that the log is in fact dumped. These commands and the associated output are shown here:<\/p>\n

\"Image<\/a><\/p>\n

I want to enable the WinRM log. To do this, again I use the Wevtutil.exe command. But because the command prompts, I need to feed it a Y<\/b> (for yes). I can feed a Y<\/b> to the command by using the echo command. The command to enable the log is shown here:<\/p>\n

Get-WinEvent -ListLog *winrm* | % {echo y | wevtutil.exe sl $_.LogName \/e:true}<\/p>\n

To double-check that the log is enabled, I pipe the output from Get-WinEvent<\/b> to Format-List<\/b>:<\/p>\n

PS C:\\> Get-WinEvent -ListLog *winrm*  | fl *<\/p>\n

FileSize                       : 69632<\/p>\n

IsLogFull                      : False<\/p>\n

LastAccessTime                 : 8\/6\/2015 4:23:05 PM<\/p>\n

LastWriteTime                  : 9\/30\/2015 4:46:32 PM<\/p>\n

OldestRecordNumber             : 0<\/p>\n

RecordCount                    : 0<\/p>\n

LogName                        : Microsoft-Windows-WinRM\/Operational<\/p>\n

LogType                        : Operational<\/p>\n

LogIsolation                   : Application<\/p>\n

IsEnabled                      : True<\/p>\n

IsClassicLog                   : False<\/p>\n

SecurityDescriptor             : O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;<\/p>\n

                                 ;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A<\/p>\n

                                 ;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-<\/p>\n

                                 32-573)<\/p>\n

LogFilePath                    : %SystemRoot%\\System32\\Winevt\\Logs\\Microsoft-Windows<\/p>\n

                                 -WinRM%4Operational.evtx<\/p>\n

MaximumSizeInBytes             : 1052672<\/p>\n

LogMode                        : Circular<\/p>\n

OwningProviderName             : Microsoft-Windows-WinRM<\/p>\n

ProviderNames                  : {Microsoft-Windows-WinRM}<\/p>\n

ProviderLevel                  :<\/p>\n

ProviderKeywords               :<\/p>\n

ProviderBufferSize             : 64<\/p>\n

ProviderMinimumNumberOfBuffers : 0<\/p>\n

ProviderMaximumNumberOfBuffers : 64<\/p>\n

ProviderLatency                : 1000<\/p>\n

ProviderControlGuid            :<\/p>\n

To disable the log, I set it to false. This command appears here:<\/p>\n

Get-WinEvent -ListLog *winrm* | % {echo y | wevtutil.exe sl $_.LogName \/e:false}<\/p>\n

And, I can check the output once again with this command:<\/p>\n

PS C:\\> (Get-WinEvent -ListLog *winrm*).isenabled<\/p>\n

False<\/p>\n

I obviously don’t want to do all this typing, so I can put these commands in a script easily, or I can create a function and add them to a module. The cool thing is that I can also add other logs. I can even run the commands remotely by using Windows PowerShell remoting (assuming that you get it working).<\/p>\n

TB, that is all there is to using Windows PowerShell to help troubleshoot your WinRM connection.  Join me tomorrow when I will talk about more cool stuff. <\/span><\/p>\n

I invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n

Ed Wilson, Microsoft Scripting Guy<\/b><\/p>\n","protected":false},"excerpt":{"rendered":"

Summary: Ed Wilson, Microsoft Scripting Guy, talks about using Windows PowerShell to look at WinRM logs.  Hey, Scripting Guy! I am having problems with WinRM. When I use the Get-CimInstance cmdlet, it fails. When I specify the –DCOM protocol for Get-CimInstance, it works. I suspect I have a WinRM problem. How can I go about […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[622,3,134,45,620],"class_list":["post-72941","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-events-and-logging","tag-scripting-guy","tag-troubleshooting","tag-windows-powershell","tag-winrm"],"acf":[],"blog_post_summary":"

Summary: Ed Wilson, Microsoft Scripting Guy, talks about using Windows PowerShell to look at WinRM logs.  Hey, Scripting Guy! I am having problems with WinRM. When I use the Get-CimInstance cmdlet, it fails. When I specify the –DCOM protocol for Get-CimInstance, it works. I suspect I have a WinRM problem. How can I go about […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/72941","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=72941"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/72941\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=72941"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=72941"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=72941"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}