Different ways of gaining remote computer access

• Author
• Recent Posts

Dan Greenhaus

Dan is an IT risk & information security analyst for a global financial company, where he is responsible for infrastructure vulnerability assessments. His primary areas of interest are Active Directory administration and the automation of repetitive tasks using PowerShell.

Latest posts by Dan Greenhaus (see all)

• Different ways of gaining remote computer access - Thu, Sep 8 2022
• Get AD user group membership with Get-ADPrincipalGroupMembership - Fri, Aug 5 2022
• Snapshot management in vSphere - Tue, Nov 2 2021

Remote Desktop

RDP is probably one of the most common methods used by Windows admins. It's built into Windows, and you start it by typing "Remote Desktop" in Start > Search.

RDP connection logon screen

Enter the Fully Qualified Domain Name of the other computer (or the computer's IP address) and your username, and click Connect. You are prompted to enter your password. If you have the proper rights for remote access, you are in.

If you can't connect, make sure RDP is enabled in the system settings of the remote computer.

Check the system properties to see if remote connections are allowed

Also, is the service stopped? Run the Services app, and make sure it's running.

Make sure the remote desktop services are running

If it is running, check whether the destination computer's Windows Firewall is running.

Check whether Windows Firewall is turned on

If it's running on the destination computer, turn it off. Don't worry; we aren't going to leave it off. Attempt to reconnect, and if it works, you confirmed the firewall was the issue. On the target computer, turn the firewall back on, and navigate to Windows Defender Firewall with Advanced Security.

Find Remote Desktop – User Mode (TCP-In) in the new window that appears, choose it, and enable it from the right panel by choosing Enable Rule.

Enable Remote Desktop Firewall rule

However, using RDP has some severe drawbacks:

• Microsoft's standard licensing (ignoring CAL licenses here because they are rarely used) is restricted to only two simultaneous users. This can be two remote users, or one remote user and one local user. When dealing with a workstation, only one user can work on the computer at a time.
• When you log into a desktop, the user is unable to do anything.
• Because only two admins are able to log in, it is difficult for multiple people to examine a machine at once for potential issues.

VMware Remote Console

VMware vSphere Remote Console is another common remote access tool for environments working with VMware. It's pretty easy to use; simply find the server you want to connect to, and launch the console.

To access the console, select the virtual system and click Launch Console

While this method is great for virtual systems, it has some severe restrictions:

• The VMware console is only available for virtual systems hosted on VMware systems. This excludes all physical servers, and all physical laptops and desktops.
• VMware console actions can be a security issue, as any actions done by a consoled-in user are not documented in the Windows logs as being done by that user but rather by whoever is logged in to the system. As a result, access to vSphere is typically restricted to VMware administrators, and sometimes system administrators with restricted privileges.

Microsoft Management Console

The other option we have is Microsoft Management Console (MMC), which is built into Windows. It allows an admin to manage Windows using a variety of administrative tools via snapins or utilities. These tools are located in the folder C:\Windows\System32\ or its subfolders, or can be accessed via the control panel.

Administrative tools that are available to users, most of which can be added as snap ins

While these tools are great for managing a Windows desktop or server, a support person who is in the local administrators group of the destination machine or a sysadmin who has administrator rights on the server can view, remotely manage, and modify the administrative tools of a remote computer.

Select this option to connect to a remote computer

With Connect to another computer, a window will pop up (see screenshot below). Simply enter the FQDN, hostname, or IP address of the destination computer, and you will be able to view that system's currently running services. You can also start, stop, or view the settings of any of those services.

You can do the same thing with the Event Viewer, including connecting to the remote computer as a different user than the one with which you are logged.

Enter the FQDN or IP address of the computer whose Event Viewer you want to access.png

If you are unable to connect to a remote computer, ensure that the following services are running on the remote computer:

• Remote Procedure Call (RPC)
• RPC Endpoint Mapper
• DCOM Server Process Launcher

The connection might be blocked by the Windows Firewall. To add a rule to allow access, run the following commands from an elevated command prompt. Make sure you use the IP and subnet masks that suit your system.

netsh advfirewall firewall add rule name="RPC endpoint mapper" dir=in action=allow protocol=TCP localport=135 profile=Domain,Private remoteip=172.16.1.0/16,LocalSubnet
netsh advfirewall firewall add rule name="File and Printer Sharing (NB-Datagram-In)" dir=in action=allow protocol=TCP localport=445 profile=Domain,Private remoteip=172.16.1.0/16,LocalSubnet
netsh advfirewall firewall set rule name="File and Printer Sharing (NB-Datagram-In)" new enable=yes profile=Domain,Private remoteip=172.16.1.0/16,LocalSubnet
netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow

You can also use this method to access the registry of a remote computer.

After opening the registry editor select Connect Network Registry

From here, connect to the remote system by entering its hostname, FQDN, or IP address.

Select the hostname of the system you want to connect to

If you are in the administrators group and are getting an Access Denied message, the most likely cause is that Remote Registry is disabled, either in the registry, Windows services, or via Group Policy.

The easiest way to confirm that it's being blocked by GPO is to do a GPresult /H <insert filename here> from an elevated command prompt and see whether there are any settings under Remote Registry. The path is Computer Configuration > Policies > Windows Settings > Security Settings > System Services > Remote Registry.

If you want to look at the registry while on the remote computer, the registry keys can be found at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RemoteRegistry \DisableIdleStop. If it's set to 1, the remote registry is disabled. Setting it to 0 should enable it.

You can also check Windows Services and start the remote registry service.

If you cant connect via remote registry make sure the remote registry is running

SMB shares

Another method for remote computer access is accessing administrative shares on the remote system with SMB shares.

If you open Computer Management on a Windows desktop, you will see several options, including shared folders. If you select Shares, you will see several default shares.

The default Windows shares if you created additional shares they are also listed in Computer Management

To access these shares from your local computer, simply open File Explorer, and use the following syntax: \\<IP address or FQDN of remote machine\<share name>. In the example below, I am connected to the C drive of the computer located at 192.168.1.65, and I have full access to any and all files, all from my local desktop.

This is how is looks like when when you connect to C

Note that all MMC and SMB share accesses are logged in the Windows security log. Remote access requires administrator rights on the remote machine. Below is an example log for C$.

An example of a Windows security log when someone remotely accesses a share

PowerShell remoting

For any Windows admin, PowerShell is a key tool to help automate many of the tasks you do. Of course, you can also use PowerShell to access a remote computer.

To do so, PowerShell remoting must be enabled. To test whether PowerShell remote is enabled, run the following command on the target machine from an elevated command prompt:

Test-WsMan <RemoteCOMPUTERName>.

The error below occurs when you try to test the connection, and PSremoting isn't enabled.

Error if PSremoting isnt enabled

To enable PowerShell remoting in PowerShell 7, run this command:

Enable-PSRemoting -force

Success message when WinRM starts

If you now test again, access to the remote computer via PowerShell should work.

A successful test wsman response

With PowerShell, we can start a remote session to a single machine using this command:

Enter-PSSession <server name>

Once you are connected, any commands that you type at the prompt run on the remote computer, and the results are displayed on the local computer.

Another important cmdlet using PowerShell remoting is Invoke-Command, which has the following syntax:

Invoke-Command -computer name <computername1>,<computername2> -scriptblock {<insert all commands here>}  

Any returned output is displayed on the local computer. Any time I need to query multiple remote computers or make changes to multiple machines, this is the cmdlet I use.

For example, if I wanted to retrieve the values of the run key on RemoteComputer, I could run this command:

Invoke-Command -Computer RemoteComputer -scriptblock {
    Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\run
}

However, Enter-PSsession and Invoke-Command are not the only ways to connect to a remote computer via PowerShell, because many cmdlets have built-in remote capabilities. For example, if I wanted to view the 100 most recent PowerShell logs from a remote computer using PowerShell 7, I could run this command:

Get-WinEvent -ComputerName "192.168.1.65" -LogName PowerShellCore/Operational -MaxEvents 100

Using PowerShell to get the most recent PowerShell Core events from the event log

The screenshot below shows the corresponding event in the Event Viewer.

Using Event Viewers GUI to get the most recent PowerShell Core events from the event log

The primary advantage of using the CLI over the GUI is that you can filter and sort by using a pipe| followed by Where-Object -property <insert criteria>, such as event ID, message contents, and age. Here is how I could find the PowerShell logs from today:

Get-WinEvent -ComputerName "192.168.1.65" -LogName PowerShellCore/Operational | Where-Object { $_.TimeCreated -ge ((Get-Date) - (New-TimeSpan -Day 1)) }

If I want to filter down further to search only those logs that contain the phrase IPC, I can do this:

Get-WinEvent -ComputerName "192.168.1.65" -LogName "PowerShellCore/Operational" | Where-Object { $_.TimeCreated -ge ((Get-Date) - (New-TimeSpan -Day 1)) } |Where-Object -property Message -like "*IPC*"

Getting remote event logs with Get WinEvent

If I want to see which logs I can access on a remote computer and return the list as a table, I can run this command:

Get-WinEvent -ComputerName "192.168.1.65"  -ListLog * | Select-Object LogName, RecordCount, IsClassicLog, IsEnabled, LogMode, LogType | Format-Table -AutoSize

PsExec

The last way to access a remote is to use PsExec. PsExec has been part of Microsoft's Sysinternals tool suite for over a decade, and requires nothing to be installed on the remote machine for it to work.

There are only three requirements to use PsExec on a remote machine: the user needs to be a member of the administrator group, both the local and remote computers must have File and Print Sharing enabled, and the Admin$ share (default setting) must be defined on the remote system.

For example, if you want to open the registry editor on 192.168.1.65, you can use the following command:

psexec64 -i \\192.168.1.65 c:\windows\regedit

with the following results:

Starting regedit on a remote computer using PsExec

Opening regedit on a remote computer using PsExec

If you want to see which account was used to run this command, you can use the whomai command.

Running whomai with PsExcec

If you need to specify different credentials, run this:

psexec \\<remote computer> -u remote\administrator -p adminpass ipconfig

With this command, you can remotely start or stop a service:

psexec64 \\192.168.1.65 net start spooler

Remotely starting a service using PsExec

One thing to keep in mind: some antivirus programs falsely identify PsExec as a dangerous file. This happens because malware has been known to use PsExec to transfer viruses. Thus, you can ignore these warnings because you know for sure that the application you are using is a Microsoft tool and that you are not malware. 😉

Conclusion

This article only skims the surface of what you can do with these tools, and I only covered the most common ways to gain remote computer access. One thing to remember is that you will need to be a member of the administrators group to use all the remote tools covered in this article.