Disable PowerShell remoting: Disable-PSRemoting, WinRM, listener, firewall, LocalAccountTokenFilterPolicy

Depending on your environment, up to five steps are required to completely disable PowerShell remoting on a Windows computer. These include blocking remote access to session configurations with Disable-PSRemoting, disabling the WinRM service, deleting the listener, disabling firewall exceptions, and setting the value of the LocalAccountTokenFilterPolicy to 0.

Latest posts by Michael Pietroforte (see all)

Disabling remote access with Disable-PSRemoting

With the help of the Disable-PSRemoting cmdlet, you can block remote access to all session configurations on the local computer. This prevents remote users from creating PowerShell sessions (PSSessions) on the local computer.

To view the current access rights, you can run this command:

Get-PSSessionConfiguration | Format-Table -Property Name, Permission

To disable remote access to all PowerShell session configurations, you can execute Disable-PSRemoting from an elevated PowerShell console:

Disable-PSRemoting -Force

The -Force parameter suppresses the usual confirmation prompts.

If you check the rights configuration again now, you will notice that remote users no longer have access.

Disable PSRemoting blocks remote access to session configurations

See Microsoft's documentation for more details about Disable-PSRemoting.

Note that running Disable-PSRemoting does not prevent local users from creating PowerShell sessions on the local computer or remote computers.

The warning messages you see after executing Disable-PSRemoting indicate you should take a few more steps to disable PowerShell remoting. However, these steps only add extra security. After running Disable-PSRemoting, it is no longer possible to establish remote PowerShell connections.

Stop and disable the WinRM service

The Windows Remote Management (WinRM) service is Microsoft's implementation of the WS-Management (WS-Man) protocol introduced in Windows before PowerShell. It allows remote management of hardware and operating systems.

In Windows, the service is not only necessary for PowerShell remoting but also for remote server management with Server Manager (since Windows Server 2012). In addition, third-party products might rely on the service. This is why Disable-PSRemoting can't simply disable the service. Note that most of the Remote Server Administration Tools (RSAT) use the Distributed Component Object Model (DCOM) protocol and therefore don't depend on the WinRM service.

Server Manager relies on WinRM for remote management

On Windows servers, the WinRM service starts automatically by default. On Windows workstations, the service is usually set to start automatically when you enable PowerShell remoting.

If you want to stop and disable the service for security reasons, you can do so in the Services snap-in (type "services" in the Start menu), or you can use PowerShell:

Stop-Service WinRM -PassThru
Set-Service WinRM -StartupType Disabled -PassThru

The -PassThru parameter lets us see the result of the command.

Stopping and disabling the WinRM service with PowerShell

Delete the listener

The second recommendation that Disable-PSRemoting gives is to delete the listener that accepts requests on any IP address. For PowerShell remoting, you can have multiple listeners on different TCP ports that process the WS-Man requests. For instance, you can have a listener for HTTP (the default) or one for HTTPS.

If you disabled the WinRM service as explained above, this disables the listener as well. If you need a listener on another port for an application other than PowerShell, you have to keep the WinRM service running. You can delete just the HTTP listener to improve security (assuming you already blocked remote access to the PowerShell session configurations).

Also note that Server Manager uses the same listener for remote server management as PowerShell remoting. To display the available listeners you can run this command:

dir wsman:\localhost\listener

Once you know the name of the listener, you can remove it with the next PowerShell command.

Remove-Item -Path WSMan:\Localhost\listener\<Listener name>

To remove all listeners, you can use this command:

Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse

Removing the listener(s) has another security benefit: otherwise, if someone starts the WinRM service, this will also activate the listener. However, if you delete the listener before you disable the service, you have to add the listener again with the Enable-PSRemoting cmdlet.

Deleting the listener

Disable the firewall exceptions

The third recommendation of the Disable-PSRemoting cmdlet is to disable the firewall exceptions for WS-Management communications. The default TCP ports for the listener are 5985 (HTTP) and 5986 (HTTPS). A while back, Microsoft changed the ports from 80 and 443 to the new ports for security reasons and probably due to conflicts with web servers.

Enabling PowerShell remoting through Enable-PSRemoting automatically opens port 5985 in the Windows Firewall. To disable the firewall exceptions, you can use the Windows Firewall with Advanced Security MMC snap-in (type "firewall" in the Start menu) and search for Windows Remote Management (HTTP-In) rules. There is one rule for the Domain and Private network profiles and one for the Public profile. Click Inbound Rules, then right-click each rule and select Disable.

Disable Windows Firewall exceptions

Alternatively, you can use PowerShell:

Set-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)' -Enabled False -PassThru | Select -Property DisplayName, Profile, Enabled

Disable the remoting firewall exceptions with PowerShell

This command disables both rules.

Note: If the language of your Windows installation is not English, you can use the Name parameter instead of DisplayName. See comment below.

LocalAccountTokenFilterPolicy token

The last point of the Disable-PSRemoting warning message is misleading:

Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to members of the Administrators group on the computer.

On computers that are not members of an Active Directory domain, Enable-PSRemoting adds the LocalAccountTokenFilterPolicy registry entry to the location below and sets the value to 1.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

The purpose of this registry setting is to ensure users can't execute remote commands with an administrator access token without triggering a User Account Control (UAC) prompt that wouldn't display on the administrator's remote console. Setting LocalAccountTokenFilterPolicy to 0 prevents remote PowerShell sessions entirely.

LocalAccountTokenFilterPolicy in the registry

This registry key does not affect computers that are members of an Active Directory domain. In this case, Enable-PSRemoting does not create the key, and you don't have to set it to 0 after disabling remoting with Disable-PSRemoting. If an administrator establishes a remote PowerShell session to a domain member, this will automatically elevate the remote commands on the remote machine.

You can use the PowerShell command below to change the setting on a standalone machine:

Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system -Name LocalAccountTokenFilterPolicy -Value 0
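
A read-only check of the five steps above, added here as an example and not taken from the original article. It assumes an elevated Windows PowerShell session and English account names; Get-PSRemotingExposure and Add-Result are hypothetical helper names. When WinRM is stopped, the session configuration and listener checks are reported as unknown, because the WSMan: drive cannot be queried in that state.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit of the five steps; it changes nothing.
# Get-PSRemotingExposure and Add-Result are hypothetical helper names.
function Get-PSRemotingExposure {
    [CmdletBinding()]
    param()

    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Result($Check, $Hardened, $Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Hardened = $Hardened; Detail = $Detail })
    }

    # WinRM service: stopped AND disabled, otherwise it can simply be started again.
    $svc = Get-Service -Name WinRM
    $running = $svc.Status -eq 'Running'
    $svcOk = (-not $running) -and ($svc.StartType -eq 'Disabled')
    Add-Result 'WinRM service' $svcOk "Status=$($svc.Status); StartType=$($svc.StartType)"

    if ($running) {
        # Session configurations: Disable-PSRemoting adds a deny entry for NETWORK.
        # Assumption: English account names, as in the output shown on this page.
        $open = @(Get-PSSessionConfiguration |
            Where-Object { $_.Permission -notmatch 'NT AUTHORITY\\NETWORK AccessDenied' })
        $names = if ($open) { $open.Name -join ', ' } else { 'none' }
        Add-Result 'Session configurations' ($open.Count -eq 0) "Open to remote users: $names"

        # Listeners: report transport/address keys of anything still configured.
        $listeners = @(Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue)
        $keys = if ($listeners) { ($listeners | ForEach-Object { $_.Keys -join ',' }) -join ' | ' } else { 'none' }
        Add-Result 'Listeners' ($listeners.Count -eq 0) "Present: $keys"
    }
    else {
        # The WSMan: drive cannot be queried while the service is stopped, so both
        # checks are reported as unknown ($null) rather than passed.
        foreach ($check in 'Session configurations', 'Listeners') {
            Add-Result $check $null 'Not queryable while WinRM is stopped'
        }
    }

    # Firewall: match on the default ports instead of the localized display name.
    # Rules that cover 5985/5986 only through a port range are not matched here.
    $rules = @(Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -match '^(5985|5986)$' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' })
    $ruleNames = if ($rules) { $rules.Name -join ', ' } else { 'none' }
    Add-Result 'Firewall exceptions' ($rules.Count -eq 0) "Enabled inbound allow rules: $ruleNames"

    # LocalAccountTokenFilterPolicy: only the value 1 counts as a finding; a missing
    # value is what the article describes for domain members.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $prop = Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    $value = if ($prop) { $prop.LocalAccountTokenFilterPolicy } else { 'not present' }
    Add-Result 'LocalAccountTokenFilterPolicy' ($value -ne 1) "Value: $value"

    $results
}

Get-PSRemotingExposure | Format-Table -AutoSize -Wrap
```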

Discussion (11)

  1. I have had months of attempted trials and now fully hate Microsoft. This was just executed, and sincerely hope it functions, more, it appears to be clear and exactly what I needed to get these RATS off my PCs. Thank you very much

    I am going to purchase a MAC. I have not decided whether to break all of window devices I currently have, seven in all.

    In no means am I a rookie, nor a professional. I am capable and perform well, with research, and usually thorough. This is the best clearest write up with directed understanding I have come across, thank you again.

  2. I have two concerns, when I Disabled the listeners, the screen displayed nothing in the recursive command, and errors when prompted to list…

    If there were no objects, does this give the error? And yet does commanding the entire listeners removed/disabled function regardless?

    I used the command “disable -PSremoting -Force” in the start of this application. Does this matter? Do I need to execute this command again, or what am I missing here? If anything?

    Finally, this command at the end, “Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system -Name LocalAccountTokenFilterPolicy -Value 0”

    Do I need to insert the user name in the code above in place of Name for this application to work exactly? And its location, or?

    This would conclude disabling the remote access, or now I enter the Disable -psremoting -force at the end…

    Do these settings stay on shut down and restarting?

    What would change them? An installation?

    Thank you. I have program experience, but it’s been a while, and I do not have experience with PowerShell above doing things like this, hence the confusion

    It seems that maybe I needed to restart the remoting due the first command I wrote to disable it? Then execute it same order and then disable the remote access using the disable remote access force command?

    Somewhere here I am off track or confused

    I copy my text so you have reference to look thanks

    PS C:\WINDOWS\system32> Disable-PSRemoting -Force
    WARNING: Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting or Enable-PSSe
    ssionConfiguration cmdlet. You might have to manually undo the changes by following these steps:
    1. Stop and disable the WinRM service.
    2. Delete the listener that accepts requests on any IP address.
    3. Disable the firewall exceptions for WS-Management communications.
    4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to members of the Admi
    nistrators group on the computer.

    PS C:\WINDOWS\system32> WARNING: Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting or Enable-PSSe
    ssionConfiguration cmdlet. You might have to manually undo the changes by following these steps:
    1. Stop and disable the WinRM service.
    2. Delete the listener that accepts requests on any IP address.
    3. Disable the firewall exceptions for WS-Management communications.
    4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to members of the Admi
    nistrators group on the computer.
    Get-PSSessionConfiguration | Format-Table -Property Name, Permission
    At line:3 char:8
    + 1. Stop and disable the WinRM service.
    + ~~~~
    Unexpected token ‘Stop’ in expression or statement.
    At line:4 char:8
    + 2. Delete the listener that accepts requests on any IP address.
    + ~~~~~~
    Unexpected token ‘Delete’ in expression or statement.
    At line:5 char:8
    + 3. Disable the firewall exceptions for WS-Management communicatio …
    + ~~~~~~~
    Unexpected token ‘Disable’ in expression or statement.
    At line:6 char:8
    + 4. Restore the value of the LocalAccountTokenFilterPolicy to 0, w …
    + ~~~~~~~
    Unexpected token ‘Restore’ in expression or statement.
    + CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnexpectedToken

    PS C:\WINDOWS\system32> Get-PSSessionConfiguration | Format-Table -Property Name, Permission

    Name Permission
    —- ———-
    microsoft.powershell NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Adm…
    microsoft.powershell.workflow NT AUTHORITY\NETWORK AccessDenied, BUILTIN\Administrators AccessAllowed, BUILTIN\Remot…
    microsoft.powershell32 NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Adm…

    PS C:\WINDOWS\system32> Stop-Service WinRM -PassThruSet-Service WinRM -StartupType Disabled -PassThru
    Stop-Service : A parameter cannot be found that matches parameter name ‘PassThruSet-Service’.
    At line:1 char:20
    + Stop-Service WinRM -PassThruSet-Service WinRM -StartupType Disabled – …
    + ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Stop-Service], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Commands.StopServiceCommand

    PS C:\WINDOWS\system32> Stop-Service WinRM -PassThru

    Status Name DisplayName
    —— —- ———–
    Stopped WinRM Windows Remote Management (WS-Manag…

    PS C:\WINDOWS\system32> Set-Service WinRM -StartupType Disabled -PassThru

    Status Name DisplayName
    —— —- ———–
    Stopped WinRM Windows Remote Management (WS-Manag…

    PS C:\WINDOWS\system32> dir wsman:\localhost\listener
    dir : Cannot find path ‘localhost\Listener’ because it does not exist.
    At line:1 char:1
    + dir wsman:\localhost\listener
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (localhost\Listener:String) [Get-ChildItem], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand

    PS C:\WINDOWS\system32> Remove-Item -Path WSMan:\Localhost\listener\listener
    Remove-Item : Cannot find path ‘WSMan:\localhost\Listener’ because it does not exist.
    At line:1 char:1
    + Remove-Item -Path WSMan:\Localhost\listener\listener
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (WSMan:\localhost\Listener:String) [Remove-Item], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.RemoveItemCommand

    PS C:\WINDOWS\system32> Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse

    PS C:\WINDOWS\system32> Set-NetFirewallRule -DisplayName ‘Windows Remote Management (HTTP-In)’ -Enabled False -PassThru | Select -Property DisplayName, Profile, Enabled

    DisplayName Profile Enabled
    ———– ——- ——-
    Windows Remote Management (HTTP-In) Domain, Private False
    Windows Remote Management (HTTP-In) Public False

    PS C:\WINDOWS\system32> Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system -Name LocalAccountTokenFilterPolicy -Value 0

    PS C:\WINDOWS\system32> Disable-PSRemoting -Force
    WARNING: Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting or Enable-PSSe
    ssionConfiguration cmdlet. You might have to manually undo the changes by following these steps:
    1. Stop and disable the WinRM service.
    2. Delete the listener that accepts requests on any IP address.
    3. Disable the firewall exceptions for WS-Management communications.
    4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to members of the Admi
    nistrators group on the computer.
    Restart-Service : Service ‘Windows Remote Management (WS-Management) (winrm)’ cannot be started due to the following
    error: Cannot start service winrm on computer ‘.’.
    At line:30 char:17
    + Restart-Service winrm -force -confirm:$false
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Restart-Service]
    , ServiceCommandException
    + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.RestartServiceCommand

    Get-ChildItem : The client cannot connect to the destination specified in the request. Verify that the service on the
    destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service
    running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following
    command on the destination to analyze and configure the WinRM service: “winrm quickconfig”.
    At line:98 char:3
    + Get-ChildItem ‘WSMan:\localhost\Plugin\’ -Force:$force | ? { $_.nam …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-ChildItem], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetChildItemCommand

    PS C:\WINDOWS\system32>

    • As to the listener, I am unsure what your problem is. Just run this command to see if you removed the listener successfully:

      dir wsman:\localhost\listener

      As to the LocalAccountTokenFilterPolicy token, this only matters if you want to disable PowerShell remoting on machines that are not AD members. You just run the command as is, without changing the Name parameter:

      Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system -Name LocalAccountTokenFilterPolicy -Value 0

  3. OK. So this is my deduction and knowledge surrounding my issue.

    Remote access to my PC(S) has been vivid for four weeks minimum. Until now I made many conceptions of “knowing what’s happening” and thought I have suppressed and fixed the issue many times. The time has long passed where I care about my files, data, or any relevance of it. I have installed Windows approximately 30 times, and in different ways, with new and updated files to settings to recoveries and followed many well written instructions. As far as I can tell, I have not been able to remove access to my registry and the use of my system or network in any way effective.

    Each time I reset, install or other, my computer develops its own name and set of admins, and allocation of IP address using my “windows” maybe? Additionally, the use of operational control is beyond my belief, the functions to prevent, revert or stop this is been improving as my skill to eradicate has. The files such as execution of recover will be rewritten as the set up starts and the allocation of my hard drive often is not on my PC. This was a shock at first time I removed a session to find I had nothing on my hard drive, and unintentionally rebooted via LAN or WAN.

    I could describe some this for hours, I have literally spent over 200 hours and gone nowhere.

    One major issue, I believe I cannot install a clean set up. Not easily. Somehow the detection of my adapters, and new installation of ones I make sure are disabled and uninstalled, revert back and during installation or files, or system, both, and downloads caught out of the air and set to destroy (deploy opposite sometimes)

    Example, Intel assistants, they seem to get many drivers for me during the process of installation. And otherwise Intel’s software appears not to notice this due its operation are normal, but I am not operation them. And I am locked out of my BIOS. Not password, it literally went around my BIOS password and strangely disabled it. I can enter into this, and all the settings are lightly highlighted, and I cannot do anything but F1 for help that doesn’t explain the function correctly and the esc button to exit.

    The only thing I have not done is go back to Windows 8.1 which may be what I should have done all along. I wouldn’t remove any issues, nor prevent them and only would have less ability to fight it. But, it may give me some how a way to install Windows again removing the BIOS restrictions? I don’t know

    Any suggestions?

  4. Hi Michael
    Great article.
    We are seeing small amounts of WinRM being generated in our network. (workstation to server)
    Can you think of any reason Windows OS/ an application would generate this traffic?

  5. Forest, I have the exact issue. Get the May Windows 10 V1 & patch it via update. Use the 1st PS command Mike listed here. No listeners are present. It's a messed up VM running of an ACL file that is stored in the NVRam called "OfflineRecEnv.etl". Nothing will remove it but deacon. Just do the 1st command & block the ports. Block the entire variable range as well. TCP 49152-65535. Yes, you still have a local machine but the VM will be blocked from the access control.

     

  6. Hi Michael,

    I think it would be better to change disabling the firewall exceptions from language-dependent to more universal by using -Name instead of -DisplayName.

    #Disable the firewall exceptions
    Set-NetFirewallRule -Name 'WINRM-HTTP-Compat-In-TCP' -Enabled False -PassThru | Select -Property DisplayName, Profile, Enabled

    What do you think?

  7. I have been suffering from neighbors keep hacking our Dell notebooks and network and I start fear they hack any online purchases or accounts plus no privacy they even magnify screens even when my daughter’s studying doing her assignments online
    I don’t know what is the issue no matter disable WPS change all password continues and use complex ones for page and connection all did not work use monitor and keep ending process disable remote stuff in firewall somehow they still could log in and even when I disable phone option I don’t use I find it again in process
    I reach to article when I was trying to know was certain process risk or not and I am happy I reach here thank you a lot for sharing
    just small thing
    I could not execute below denied though I am admin I have single account and I notice though I am the admin some things I try to ends denied and some options not there for me to edit on is this related to central net in country or net company or this because hackers managed to disable some options for me and took control?

    Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system -Name LocalAccountTokenFilterPolicy -Value 0

    why PowerShell needed in general away from remote execution

  8. Omg I’m not the only one. I have a psychotic neighbor doing the same thing to my entire network. He’s even hacked into my DVR units n IP cameras. And the local police is totally useless. No attempt to shut down access to my devices has been successful and I’ve tried nearly everything. Has anyone here found a way to get rid of the pests in their network ??

© 4sysops 2006 - 2023
