Depending on your environment, up to five steps are required to completely disable PowerShell remoting on a Windows computer: blocking remote access to the session configurations with Disable-PSRemoting, stopping and disabling the WinRM service, deleting the listener, disabling the firewall exceptions, and setting the value of LocalAccountTokenFilterPolicy to 0.
Disabling remote access with Disable-PSRemoting
With the help of the Disable-PSRemoting cmdlet, you can block remote access to all session configurations on the local computer. This prevents remote users from creating PowerShell sessions (PSSessions) on the local computer.
To view the current access rights, you can run this command:
Get-PSSessionConfiguration | Format-Table -Property Name, Permission
To disable remote access to all PowerShell session configurations, you can execute Disable-PSRemoting from an elevated PowerShell console:
Disable-PSRemoting -Force
The -Force parameter suppresses the usual confirmation prompts.
If you check the rights configuration again now, you will notice that remote users no longer have access.
See Microsoft's documentation for more details about Disable-PSRemoting.
Note that running Disable-PSRemoting does not prevent local users from creating PowerShell sessions on the local computer or remote computers.
The warning messages you see after executing Disable-PSRemoting indicate you should take a few more steps to disable PowerShell remoting. However, these steps only add extra security. After running Disable-PSRemoting, it is no longer possible to establish remote PowerShell connections.
Stop and disable the WinRM service
The Windows Remote Management (WinRM) service is Microsoft's implementation of the WS-Management (WS-Man) protocol. It was introduced in Windows before PowerShell existed and allows remote management of hardware and operating systems.
In Windows, the service is not only necessary for PowerShell remoting but also for remote server management with Server Manager (since Windows Server 2012). In addition, third-party products might rely on the service. This is why Disable-PSRemoting can't simply disable the service. Note that most of the Remote Server Administration Tools (RSAT) use the Distributed Component Object Model (DCOM) protocol and therefore don't depend on the WinRM service.
On Windows servers, the WinRM service starts automatically by default. On Windows workstations, the service is usually set to start automatically when you enable PowerShell remoting.
If you want to stop and disable the service for security reasons, you can do so in the Services snap-in (type "services" in the Start menu), or you can use PowerShell:
Stop-Service WinRM -PassThru
Set-Service WinRM -StartupType Disabled -PassThru
The -PassThru parameter lets us see the result of the command.
Delete the listener
The second recommendation that Disable-PSRemoting gives is to delete the listener that accepts requests on any IP address. For PowerShell remoting, you can have multiple listeners on different TCP ports that process the WS-Man requests. For instance, you can have a listener for HTTP (the default) or one for HTTPS.
If you disabled the WinRM service as explained above, this disables the listener as well. If you need a listener on another port for an application other than PowerShell, you have to keep the WinRM service running. You can delete just the HTTP listener to improve security (assuming you already blocked remote access to the PowerShell session configurations).
Also note that Server Manager uses the same listener for remote server management as PowerShell remoting. To display the available listeners, you can run this command:
dir wsman:\localhost\listener
Once you know the name of the listener, you can remove it with the next PowerShell command.
Remove-Item -Path WSMan:\Localhost\listener\<Listener name>
To remove all listeners, you can use this command:
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse
Another security benefit of removing the listener(s): if someone later starts the WinRM service, an existing listener would be activated along with it, whereas a deleted listener stays gone. However, if you delete the listener before you disable the service and later need remoting again, you have to add the listener back with the Enable-PSRemoting cmdlet.
Disable the firewall exceptions
The third recommendation of the Disable-PSRemoting cmdlet is to disable the firewall exceptions for WS-Management communications. The default TCP ports for the listener are 5985 (HTTP) and 5986 (HTTPS). A while back, Microsoft changed the ports from 80 and 443 to the new ports for security reasons and probably due to conflicts with web servers.
Enabling PowerShell remoting through Enable-PSRemoting automatically opens port 5985 in the Windows Firewall. To disable the firewall exceptions, you can use the Windows Firewall with Advanced Security MMC snap-in (type "firewall" in the Start menu) and search for the Windows Remote Management (HTTP-In) rules. There is one rule for the Domain and Private network profiles and one for the Public profile. Click Inbound Rules, then right-click each rule and select Disable.
Alternatively, you can use PowerShell:
Set-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)' -Enabled False -PassThru | Select -Property DisplayName, Profile, Enabled
This command disables both rules.
Note: If the language of your Windows installation is not English, you can use the Name parameter instead of DisplayName. See comment below.
LocalAccountTokenFilterPolicy token
The last point of the Disable-PSRemoting warning message is misleading:
Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to members of the Administrators group on the computer.
On computers that are not members of an Active Directory domain, Enable-PSRemoting adds the LocalAccountTokenFilterPolicy registry entry to the location below and sets the value to 1.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
The purpose of this registry setting is to ensure users can't execute remote commands with an administrator access token without triggering a User Account Control (UAC) prompt that wouldn't display on the administrator's remote console. Setting LocalAccountTokenFilterPolicy to 0 prevents remote PowerShell sessions entirely.
This registry key does not affect computers that are members of an Active Directory domain. In this case, Enable-PSRemoting does not create the key, and you don't have to set it to 0 after disabling remoting with Disable-PSRemoting. If an administrator establishes a remote PowerShell session to a domain member, this will automatically elevate the remote commands on the remote machine.
You can use the PowerShell command below to change the setting on a standalone machine:
Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system -Name LocalAccountTokenFilterPolicy -Value 0
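The following script is an added example that is not part of the article. It runs the article's five steps in one function, in the order a practitioner would use (listeners are deleted while the WinRM service still runs, because the WSMan: drive is unavailable once the service is stopped, and the LocalAccountTokenFilterPolicy value is only touched on machines that are not domain members), and adds a read-only check that reports the resulting state. It assumes English firewall rule display names (on a localized Windows installation use the Name parameter instead, as noted above), PowerShell 5.1 or later, and the NetSecurity module that ships with Windows 8/Server 2012 and newer. The function and property names are my own, not Microsoft's.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the article. Function names and the output
# object's property names are assumptions of this example.

function Disable-PSRemotingCompletely {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # 1. Block remote access to every session configuration.
    if ($PSCmdlet.ShouldProcess('session configurations', 'Disable-PSRemoting')) {
        Disable-PSRemoting -Force
    }

    # 2. Delete the WS-Man listeners first, while WinRM is still running: the
    #    WSMan: drive cannot be read once the service is stopped, and a deleted
    #    listener does not come back if someone starts the service later.
    Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Name, 'Remove WS-Man listener')) {
                Remove-Item -Path $_.PSPath -Recurse
            }
        }

    # 3. Stop the WinRM service and prevent it from starting again.
    if ($PSCmdlet.ShouldProcess('WinRM', 'Stop and disable service')) {
        Stop-Service -Name WinRM
        Set-Service -Name WinRM -StartupType Disabled
    }

    # 4. Disable both inbound rules (Domain/Private and Public) for TCP 5985.
    #    Assumes an English display name; use -Name on localized systems.
    if ($PSCmdlet.ShouldProcess('Windows Remote Management (HTTP-In)', 'Disable firewall rules')) {
        Set-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)' -Enabled False
    }

    # 5. Restore UAC token filtering for remote logons, but only on machines
    #    that are not domain members (the value has no effect on domain members).
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $partOfDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
    if (-not $partOfDomain -and
        $PSCmdlet.ShouldProcess('LocalAccountTokenFilterPolicy', 'Set to 0')) {
        Set-ItemProperty -Path $regPath -Name LocalAccountTokenFilterPolicy -Value 0 -Type DWord
    }
}

function Test-PSRemotingDisabled {
    # Read-only audit of the five points. Returns one object so the result can
    # be logged or compared across machines.
    $svc = Get-Service -Name WinRM
    $winrmRunning = $svc.Status -eq 'Running'

    # Listener and session-configuration data require WinRM; report $null when it is stopped.
    $listenerCount = $null
    $networkDenied = $null
    if ($winrmRunning) {
        $listenerCount = @(Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue).Count
        # Disable-PSRemoting adds an AccessDenied entry for NT AUTHORITY\NETWORK
        # to every configuration; any configuration without it is still reachable.
        $networkDenied = @(Get-PSSessionConfiguration |
            Where-Object { $_.Permission -notlike '*NT AUTHORITY\NETWORK AccessDenied*' }).Count -eq 0
    }

    $enabledRules = @(Get-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' }).Count

    $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = (Get-ItemProperty -Path $regPath -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy

    [pscustomobject]@{
        WinRMStatus         = $svc.Status
        WinRMStartType      = $svc.StartType
        ListenerCount       = $listenerCount      # $null while the service is stopped
        NetworkAccessDenied = $networkDenied      # $true when every configuration denies NETWORK
        EnabledHttpInRules  = $enabledRules       # 0 when both HTTP-In rules are disabled
        TokenFilterPolicy   = $policy             # $null means the value is absent, which behaves like 0
        PartOfDomain        = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
    }
}

# Usage:
# Disable-PSRemotingCompletely -WhatIf    # preview every change first
# Disable-PSRemotingCompletely
# Test-PSRemotingDisabled | Format-List
```

Run Test-PSRemotingDisabled before the changes as well as after, and keep both results: the "before" object documents which of the five points were actually open on that machine, which is the record you want if remoting is later found enabled again.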
I have had months of attempted trials and now fully hate Microsoft. This was just executed, and I sincerely hope it functions; more, it appears to be clear and exactly what I needed to get these RATs off my PCs. Thank you very much.
I am going to purchase a Mac. I have not decided whether to break all of the Windows devices I currently have, seven in all.
By no means am I a rookie, nor a professional. I am capable and perform well, with research, and am usually thorough. This is the best, clearest write-up with directed understanding I have come across; thank you again.
I have two concerns. When I disabled the listeners, the screen displayed nothing for the recursive command, and errors when prompted to list…
If there were no objects, does this give the error? And yet does the command to remove/disable all the listeners function regardless?
I used the command “disable -PSremoting -Force” at the start of this application. Does this matter? Do I need to execute this command again, or what am I missing here, if anything?
Finally, this command at the end, “Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system -Name LocalAccountTokenFilterPolicy -Value 0”:
do I need to insert the user name in the code above in place of Name for this application to work exactly? And its location, or?
This would conclude disabling the remote access, or now I enter the Disable -psremoting -force at the end…
Do these settings stay on shut down and restarting?
What would change them? An installation?
Thank you. I have program experience, but it's been a while, and I do not have experience with PowerShell above doing things like this, hence the confusion.
It seems that maybe I needed to restart the remoting due to the first command I wrote to disable it? Then execute it in the same order and then disable the remote access using the disable remote access force command?
Somewhere here I am off track or confused.
I copy my text so you have reference to look at, thanks.
PS C:\WINDOWS\system32> Disable-PSRemoting -Force
WARNING: Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting or Enable-PSSe
ssionConfiguration cmdlet. You might have to manually undo the changes by following these steps:
1. Stop and disable the WinRM service.
2. Delete the listener that accepts requests on any IP address.
3. Disable the firewall exceptions for WS-Management communications.
4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to members of the Admi
nistrators group on the computer.
PS C:\WINDOWS\system32> WARNING: Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting or Enable-PSSe
ssionConfiguration cmdlet. You might have to manually undo the changes by following these steps:
1. Stop and disable the WinRM service.
2. Delete the listener that accepts requests on any IP address.
3. Disable the firewall exceptions for WS-Management communications.
4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to members of the Admi
nistrators group on the computer.
Get-PSSessionConfiguration | Format-Table -Property Name, Permission
At line:3 char:8
+ 1. Stop and disable the WinRM service.
+ ~~~~
Unexpected token ‘Stop’ in expression or statement.
At line:4 char:8
+ 2. Delete the listener that accepts requests on any IP address.
+ ~~~~~~
Unexpected token ‘Delete’ in expression or statement.
At line:5 char:8
+ 3. Disable the firewall exceptions for WS-Management communicatio …
+ ~~~~~~~
Unexpected token ‘Disable’ in expression or statement.
At line:6 char:8
+ 4. Restore the value of the LocalAccountTokenFilterPolicy to 0, w …
+ ~~~~~~~
Unexpected token ‘Restore’ in expression or statement.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnexpectedToken
PS C:\WINDOWS\system32> Get-PSSessionConfiguration | Format-Table -Property Name, Permission
Name Permission
—- ———-
microsoft.powershell NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Adm…
microsoft.powershell.workflow NT AUTHORITY\NETWORK AccessDenied, BUILTIN\Administrators AccessAllowed, BUILTIN\Remot…
microsoft.powershell32 NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Adm…
PS C:\WINDOWS\system32> Stop-Service WinRM -PassThruSet-Service WinRM -StartupType Disabled -PassThru
Stop-Service : A parameter cannot be found that matches parameter name ‘PassThruSet-Service’.
At line:1 char:20
+ Stop-Service WinRM -PassThruSet-Service WinRM -StartupType Disabled – …
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Stop-Service], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Commands.StopServiceCommand
PS C:\WINDOWS\system32> Stop-Service WinRM -PassThru
Status Name DisplayName
—— —- ———–
Stopped WinRM Windows Remote Management (WS-Manag…
PS C:\WINDOWS\system32> Set-Service WinRM -StartupType Disabled -PassThru
Status Name DisplayName
—— —- ———–
Stopped WinRM Windows Remote Management (WS-Manag…
PS C:\WINDOWS\system32> dir wsman:\localhost\listener
dir : Cannot find path ‘localhost\Listener’ because it does not exist.
At line:1 char:1
+ dir wsman:\localhost\listener
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (localhost\Listener:String) [Get-ChildItem], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand
PS C:\WINDOWS\system32> Remove-Item -Path WSMan:\Localhost\listener\listener
Remove-Item : Cannot find path ‘WSMan:\localhost\Listener’ because it does not exist.
At line:1 char:1
+ Remove-Item -Path WSMan:\Localhost\listener\listener
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (WSMan:\localhost\Listener:String) [Remove-Item], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.RemoveItemCommand
PS C:\WINDOWS\system32> Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse
PS C:\WINDOWS\system32> Set-NetFirewallRule -DisplayName ‘Windows Remote Management (HTTP-In)’ -Enabled False -PassThru | Select -Property DisplayName, Profile, Enabled
DisplayName Profile Enabled
———– ——- ——-
Windows Remote Management (HTTP-In) Domain, Private False
Windows Remote Management (HTTP-In) Public False
PS C:\WINDOWS\system32> Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system -Name LocalAccountTokenFilterPolicy -Value 0
PS C:\WINDOWS\system32> Disable-PSRemoting -Force
WARNING: Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting or Enable-PSSe
ssionConfiguration cmdlet. You might have to manually undo the changes by following these steps:
1. Stop and disable the WinRM service.
2. Delete the listener that accepts requests on any IP address.
3. Disable the firewall exceptions for WS-Management communications.
4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to members of the Admi
nistrators group on the computer.
Restart-Service : Service ‘Windows Remote Management (WS-Management) (winrm)’ cannot be started due to the following
error: Cannot start service winrm on computer ‘.’.
At line:30 char:17
+ Restart-Service winrm -force -confirm:$false
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Restart-Service]
, ServiceCommandException
+ FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.RestartServiceCommand
Get-ChildItem : The client cannot connect to the destination specified in the request. Verify that the service on the
destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service
running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following
command on the destination to analyze and configure the WinRM service: “winrm quickconfig”.
At line:98 char:3
+ Get-ChildItem ‘WSMan:\localhost\Plugin\’ -Force:$force | ? { $_.nam …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-ChildItem], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetChildItemCommand
PS C:\WINDOWS\system32>
As to the listener, I am unsure what your problem is. Just run this command to see if you removed the listener successfully:
As to the LocalAccountTokenFilterPolicy token, this only matters if you want to disable PowerShell remoting on machines that are not AD members. You just run the command as is, without changing the Name parameter:
OK. So this is my deduction and knowledge surrounding my issue.
Remote access to my PC(s) has been vivid for four weeks minimum. Until now I made many conceptions of “knowing what's happening” and thought I had suppressed and fixed the issue many times. The time has long passed where I care about my files, data, or any relevance of it. I have installed Windows approximately 30 times, and in different ways, with new and updated files to settings to recoveries, and followed many well-written instructions. As far as I can tell, I have not been able to remove access to my registry and the use of my system or network in any effective way.
Each time I reset, install or other, my computer develops its own name and set of admins, and allocation of IP address using my “windows” maybe? Additionally, the use of operational control is beyond my belief; the functions to prevent, revert or stop this have been improving as my skill to eradicate has. The files such as execution of recover will be rewritten as the setup starts, and the allocation of my hard drive often is not on my PC. This was a shock the first time I removed a session to find I had nothing on my hard drive, and unintentionally rebooted via LAN or WAN.
I could describe some of this for hours; I have literally spent over 200 hours and gone nowhere.
One major issue: I believe I cannot install a clean setup, not easily. Somehow the detection of my adapters, and new installation of ones I make sure are disabled and uninstalled, revert back during installation of files, or system, or both, and downloads caught out of the air and set to destroy (deploy opposite sometimes).
Example: Intel assistants, they seem to get many drivers for me during the process of installation, and otherwise Intel's software appears not to notice this because its operations are normal, but I am not operating them. And I am locked out of my BIOS. Not password; it literally went around my BIOS password and strangely disabled it. I can enter into this, and all the settings are lightly highlighted, and I cannot do anything but F1 for help that doesn't explain the function correctly and the Esc button to exit.
The only thing I have not done is go back to Windows 8.1, which may be what I should have done all along. It wouldn't remove any issues, nor prevent them, and I would only have less ability to fight it. But it may somehow give me a way to install Windows again, removing the BIOS restrictions? I don't know.
Any suggestions?
Hi Michael
Great article.
We are seeing small amounts of WinRM being generated in our network. (workstation to server)
Can you think of any reason Windows OS/ an application would generate this traffic?
Mike, thanks. Server Manager uses WinRM.
Forest, I have the exact issue. Get the May Windows 10 V1 & patch it via update. Use the 1st PS command Mike listed here. No listeners are present. It's a messed up VM running of an ACL file that is stored in the NVRam called "OfflineRecEnv.etl". Nothing will remove it but deacon. Just do the 1st command & block the ports. Block the entire variable range as well. TCP 49152-65535. Yes, you still have a local machine but the VM will be blocked from the access control.
Hi Michael,
I think it would be better to change disabling the firewall exceptions from language-dependent to more universal by using -Name instead of -DisplayName.
#Disable the firewall exceptions
Set-NetFirewallRule -Name 'WINRM-HTTP-Compat-In-TCP' -Enabled False -PassThru | Select -Property DisplayName, Profile, Enabled
What do you think ?
Karol, that makes sense. I added a note to the article. Thanks for the hint!
I have been suffering from neighbors who keep hacking our Dell notebooks and network, and I start to fear they hack any online purchases or accounts; plus no privacy, they even magnify screens even when my daughter is studying and doing her assignments online.
I don't know what the issue is. No matter that I disable WPS, change all passwords continuously and use complex ones for page and connection, all did not work. I use a monitor and keep ending processes, disable remote stuff in the firewall; somehow they still could log in, and even when I disable the phone option I don't use, I find it again in the processes.
I reached this article when I was trying to know whether a certain process was a risk or not, and I am happy I reached here. Thank you a lot for sharing.
Just a small thing:
I could not execute the command below; it was denied though I am admin. I have a single account, and I notice that though I am the admin some things I try end up denied and some options are not there for me to edit. Is this related to the central net in the country or the net company, or is this because hackers managed to disable some options for me and took control?
Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system -Name LocalAccountTokenFilterPolicy -Value 0
Why is PowerShell needed in general, apart from remote execution?
Omg, I'm not the only one. I have a psychotic neighbor doing the same thing to my entire network. He's even hacked into my DVR units and IP cameras. And the local police are totally useless. No attempt to shut down access to my devices has been successful, and I've tried nearly everything. Has anyone here found a way to get rid of the pests in their network??