Comprehensive guide to the three execution methods supported by Scriptographer.
| Feature | PSRemoting | Copy-First | PsExec |
|---|---|---|---|
| Speed | ⭐⭐⭐⭐⭐ Fast | ⭐⭐⭐ Medium | ⭐⭐ Slow |
| Security | ⭐⭐⭐⭐⭐ Encrypted | ⭐⭐⭐ SMB | ⭐⭐ Less secure |
| Setup | Requires WinRM | Requires admin shares | Requires PsExec.exe |
| Windows Support | Win7+ / Server 2008+ | All versions | All versions |
| Firewall Ports | 5985, 5986 | 445 | 445 |
| Recommended | ✅ Yes | ❌ Legacy only |
Do you have WinRM enabled?
├─ YES → Use PSRemoting ✅
└─ NO
├─ Can you enable WinRM?
│ ├─ YES → Enable WinRM, use PSRemoting ✅
│ └─ NO
│ ├─ Are admin shares enabled?
│ │ ├─ YES → Use Copy-First ⚠️
│ │ └─ NO → Use PsExec ❌ (last resort)
│ └─ Is this Windows XP/2003?
│ └─ YES → Use PsExec ❌
Technology: PowerShell Remoting (WinRM - Windows Remote Management)
How it works:
- Scriptographer connects to target via WinRM
- Script executes in remote PowerShell session
- Output streams back in real-time
- Session closes on completion
Protocol: HTTP (port 5985) or HTTPS (port 5986)
Enable WinRM:
# Run as Administrator
Enable-PSRemoting -Force
# Verify WinRM is running
Get-Service WinRM
# Test WinRM configuration
Test-WSManConfigure Firewall:
# Allow WinRM through firewall
Enable-NetFirewallRule -DisplayGroup "Windows Remote Management"
# Or manually add rule
New-NetFirewallRule -Name "WinRM-HTTP" -DisplayName "Windows Remote Management (HTTP-In)" `
-Enabled True -Direction Inbound -Protocol TCP -LocalPort 5985For Non-Domain Machines:
# Add to trusted hosts (use specific IPs in production)
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force
# Or specific machines
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "192.168.1.100,192.168.1.101" -ForceGroup Policy Method:
- Open Group Policy Management
- Navigate to:
Computer Configuration → Policies → Administrative Templates → Windows Components → Windows Remote Management (WinRM) → WinRM Service - Enable: "Allow remote server management through WinRM"
- Set IPv4/IPv6 filters:
*
Firewall via GPO:
- Navigate to:
Computer Configuration → Policies → Windows Settings → Security Settings → Windows Firewall with Advanced Security - Create inbound rule for ports 5985, 5986
✅ Fast - Direct PowerShell session, minimal overhead
✅ Secure - Encrypted communication (Kerberos/NTLM)
✅ Native - Built into Windows, no additional software
✅ Real-time - Streaming output as script executes
✅ Reliable - Mature, well-tested technology
❌ Requires WinRM - Must be enabled on targets
❌ Firewall - Ports must be open
❌ Configuration - Initial setup required
- Modern Windows environments (Windows 10+, Server 2016+)
- Domain-joined machines
- Environments where WinRM is standard
- High-volume deployments
- Security-conscious environments
Error: "WinRM cannot complete the operation"
# Check WinRM service
Get-Service WinRM
# Start if stopped
Start-Service WinRM
# Set to automatic startup
Set-Service WinRM -StartupType AutomaticError: "Access is denied"
# Ensure you're running as administrator
# Verify credentials have admin rights on target
# Check if user is in Remote Management Users group
Get-LocalGroupMember -Group "Remote Management Users"Error: "The WinRM client cannot process the request"
# Add to trusted hosts
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "TARGET-PC" -Force
# Restart WinRM
Restart-Service WinRMTechnology: SMB (Server Message Block) + Remote Execution
How it works:
- Script copied to target's admin share (
\\TARGET\C$\Windows\Temp\) - PowerShell invoked remotely to execute the script file
- Output captured and returned
- Temporary script file deleted
Protocol: SMB (port 445)
Ensure Admin Shares Enabled:
# Check if admin shares exist
Get-SmbShare | Where-Object { $_.Name -like '*$' }
# Should show: C$, ADMIN$, IPC$Enable File and Printer Sharing:
# Via PowerShell
Set-NetFirewallRule -DisplayGroup "File and Printer Sharing" -Enabled True
# Via GUI
# Control Panel → Network and Sharing Center → Advanced sharing settings
# → Turn on file and printer sharingConfigure Firewall:
# Allow SMB through firewall
Enable-NetFirewallRule -DisplayGroup "File and Printer Sharing"
# Or manually
New-NetFirewallRule -Name "SMB-In" -DisplayName "SMB (TCP-In)" `
-Enabled True -Direction Inbound -Protocol TCP -LocalPort 445✅ No WinRM Required - Works when remoting is disabled
✅ Standard Protocol - SMB is widely enabled
✅ Simple - Minimal configuration needed
✅ Compatible - Works on older Windows versions
❌ Slower - File copy overhead
❌ Less Secure - SMB vulnerabilities
❌ File Residue - May leave temp files if cleanup fails
❌ Admin Shares - Must be enabled (disabled in some environments)
- Environments where WinRM is disabled
- Legacy Windows systems
- Restricted remoting policies
- Mixed Windows versions
- Fallback when PSRemoting fails
# 1. Generate unique temp filename
$tempFile = "\\$target\C$\Windows\Temp\script_$(Get-Random).ps1"
# 2. Copy script to target
Copy-Item -Path $localScript -Destination $tempFile
# 3. Execute remotely
Invoke-Command -ComputerName $target -ScriptBlock {
param($file)
& powershell.exe -ExecutionPolicy Bypass -File $file
} -ArgumentList "C:\Windows\Temp\$(Split-Path $tempFile -Leaf)"
# 4. Cleanup
Remove-Item -Path $tempFile -ForceError: "Access to the path is denied"
# Verify admin shares are accessible
Test-Path "\\TARGET-PC\C$"
# Check permissions
Get-Acl "\\TARGET-PC\C$"
# Ensure you have admin rights
net use \\TARGET-PC\C$ /user:DOMAIN\AdminUserError: "The network path was not found"
# Test connectivity
Test-Connection TARGET-PC
# Check if SMB is enabled
Get-SmbConnection
# Verify firewall allows SMB
Test-NetConnection TARGET-PC -Port 445Script Doesn't Execute
# Check execution policy on target
Invoke-Command -ComputerName TARGET-PC -ScriptBlock {
Get-ExecutionPolicy
}
# Set to RemoteSigned if needed
Invoke-Command -ComputerName TARGET-PC -ScriptBlock {
Set-ExecutionPolicy RemoteSigned -Force
}Technology: Sysinternals PsExec utility
How it works:
- PsExec.exe connects to target via SMB
- Installs temporary service on target
- Executes PowerShell with script
- Returns output
- Removes service
Protocol: SMB (port 445)
Download PsExec:
# Download from Microsoft Sysinternals
# https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
# Extract PsExec.exe to:
# - Same folder as Scriptographer
# - Or add to PATHAdd to PATH (Optional):
# Add to user PATH
$env:PATH += ";C:\Tools\PsExec"
# Or system PATH (requires admin)
[Environment]::SetEnvironmentVariable("PATH",
$env:PATH + ";C:\Tools\PsExec",
[EnvironmentVariableTarget]::Machine)Enable File and Printer Sharing:
Set-NetFirewallRule -DisplayGroup "File and Printer Sharing" -Enabled TrueDisable UAC Remote Restrictions (if needed):
# Warning: Reduces security
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
-Name "LocalAccountTokenFilterPolicy" -Value 1 -PropertyType DWORD -Force✅ No WinRM - Doesn't require PowerShell Remoting
✅ Old Windows - Works on XP, Server 2003
✅ Fallback - When other methods fail
✅ Service Execution - Can run as SYSTEM
❌ Requires PsExec - External dependency
❌ Slow - Service installation overhead
❌ Antivirus - May be flagged as malware
❌ Less Secure - No encryption
❌ Deprecated - Microsoft recommends PSRemoting instead
- Very old Windows systems (XP, 2003)
- When both PSRemoting and Copy-First fail
- Legacy infrastructure
- Compatibility testing
- Last resort only
# Execute script via PsExec
psexec.exe \\$target -accepteula -nobanner `
powershell.exe -ExecutionPolicy Bypass -Command "& { $scriptContent }"Error: "PsExec is not recognized"
# Verify PsExec is in PATH
where.exe psexec
# Or specify full path
& "C:\Tools\PsExec\psexec.exe" \\TARGET-PC cmdError: "Access is denied"
# Ensure admin credentials
psexec.exe \\TARGET-PC -u DOMAIN\AdminUser -p Password cmd
# Check if admin shares are accessible
net use \\TARGET-PC\ADMIN$Antivirus Blocks PsExec
# Add PsExec to antivirus exclusions
# Or use alternative: PAExec (PsExec alternative)
# https://www.poweradmin.com/paexec/Error: "The handle is invalid"
# Accept EULA first
psexec.exe -accepteula
# Or run once manually to accept
psexec.exe \\localhost cmd| Scenario | Recommended Method |
|---|---|
| Modern domain environment | PSRemoting |
| WinRM disabled, can't enable | Copy-First |
| Windows XP/2003 targets | PsExec |
| High security requirements | PSRemoting |
| Mixed Windows versions | Copy-First |
| Firewall blocks WinRM | Copy-First or PsExec |
| Maximum performance | PSRemoting |
| Minimal configuration | Copy-First |
Test: Deploy simple script to 10 machines
| Method | Average Time | Success Rate |
|---|---|---|
| PSRemoting | 2.3 seconds | 100% |
| Copy-First | 4.7 seconds | 98% |
| PsExec | 8.1 seconds | 95% |
| Method | Encryption | Authentication | Audit Trail |
|---|---|---|---|
| PSRemoting | ✅ Yes (Kerberos/NTLM) | ✅ Strong | ✅ Event logs |
| Copy-First | |||
| PsExec | ❌ No |
Can't Connect to Any Targets
-
Check Network Connectivity:
Test-Connection TARGET-PC ping TARGET-PC
-
Verify Credentials:
# Test with explicit credentials $cred = Get-Credential Test-WSMan TARGET-PC -Credential $cred
-
Check Firewall:
Test-NetConnection TARGET-PC -Port 5985 # WinRM Test-NetConnection TARGET-PC -Port 445 # SMB
Intermittent Failures
- Network Issues - Check for packet loss
- Target Overload - Reduce concurrent executions
- Timeout - Increase timeout values
- Antivirus - May block execution
See individual method sections above for detailed troubleshooting.
✅ Test First - Always test on localhost or single machine
✅ Start Small - Deploy to small groups before mass deployment
✅ Monitor Logs - Watch output for errors
✅ Use Appropriate Method - Choose based on environment
✅ Document - Note which method works for which targets
✅ Use PSRemoting - When possible for encryption
✅ Least Privilege - Use minimal required permissions
✅ Audit - Export and review execution logs
✅ Credentials - Never hardcode passwords
✅ Firewall - Only open required ports
✅ Concurrent Limit - Don't overwhelm network (default: 5)
✅ Batch Deployments - Group similar targets
✅ Off-Peak - Deploy during low-usage times
✅ Optimize Scripts - Keep scripts efficient
Need Help? See Troubleshooting Guide or User Manual.