WinRS: Microsoft’s Disappointing Answer to SSH for Remote Administration

Update June 2 2015: FINALLY, Y’ALL! Looking Forward: Microsoft: Support for Secure Shell (SSH)


I’m currently playing with Windows Server 2008 Core and I’m really at a loss trying to figure out why Microsoft seems to go out of its way not to adopt SSH. SSH seems like such an easy and straightforward answer to remote administration. Unix administrators have long used SSH but Windows administrators are given WinRS, a command line tool that requires that you run it each time you need to execute a command on a remote system. So instead of arriving at a remote prompt as you would with SSH and simply typing “ipconfig”, you must type “winrs -r:myserver ipconfig”

winrs -r:myserver every time!

I’m hoping things have changed in Windows 2008, but so far, I can’t find any way for WinRS to be interactive. A blog post on TechNet back in 2006 suggests that interactivity is going to be a feature at some point:

Currently any commands you execute can’t be interactive or prompt for input. WinRS just executes what you specify and returns the results.

Unfortunately, it’s nearly a year and a half later and no progress seems obvious. I hope I’m wrong and someone can show me the light or, even better, perhaps we’ll see PowerShell+SSH hit the final version of Windows 2008. Many admins already have an SSH client as part of their toolkit and sure, WinRS runs over HTTP(S) and opening just one port is nice but the same goes for SSH. Port 22 or 80, I don’t really care. WinRS seems to have its value, but not as a replacement for SSH. Give me SSH or give me both.

Chrissy is a PowerShell MVP who has worked in IT for nearly 20 years, and currently serves as a Sr. Database Engineer in Belgium. Always an avid scripter, she attended the Monad session at Microsoft’s Professional Developers Conference in Los Angeles back in 2005 and has worked and played with PowerShell ever since. Chrissy is currently pursuing an MS in Systems Engineering at Regis University and helps maintain RealCajunRecipes.com in her spare time. She holds a number of certifications, including those relating to SQL Server, SuSE Linux, SharePoint and network security. She recently became co-lead of the SQL PASS PowerShell Virtual Chapter. You can follow her on Twitter at @cl.

Posted in Security
12 comments on “WinRS: Microsoft’s Disappointing Answer to SSH for Remote Administration
  1. Aaron K says:

    Try this:
    winrs -r:myserver cmd

    then you will have an interactive shell….

  2. Craig says:

    Also try psexec, although I am sure you are well aware of this tool

  3. RobD. says:

    Aaron K’s comment is true, you can open an interactive prompt with his instructions.

    WinRS (remote shell) and WinRM (remote management) are Microsoft’s implementation of WS-Management, which in the future may be used to manage not only operating systems, but bare hardware and mobile devices. Yes, there is overlap with SSH, but eventually it should do everything SSH does and more.

    Check out http://en.wikipedia.org/wiki/WS-Management

    …and also this blog post for more on WinRM:

    http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2008/02/23/remotely-managing-your-server-core-using-winrm-and-winrs.aspx

  4. ecard guy says:

    So are there any other limitations to remote shell compared to SSH now that this inactive question is answered?

    I’m asking about functionality but another big thing I hate is having to know multiple ways of doing things for linux/windows. I know they are different OS but it sure is nice when everybody is on one standard.

  5. jmi says:

    ECARD GUY: I’ve looked (very briefly) at the links provided and I’m not seeing anything about tunelling connections or file transfer, two of the really useful things SSH does alongside providing a remote shell.

  6. Jason says:

    Are there other limitations… well, I’m just beginning to discover server 2008 and am having a bit of a rough time with remote admin without launching my local vmware install and using remote desktop over windows. As best I can tell winrs works okay over a slow connection–but it’s all SOAP based. Now I’ve got to have a webserver running on the host with all of the normal associated risks.

    Here’s what I’m used to doing with ssh that I can’t tell how to do with winrs:
    * Running a VPN through it
    * Tunneling a socks5 proxy through it if I don’t have remote root access to run a VPN (ssh -D 1080)
    * passwordless authentication via keys or ssh-agent
    * fixed commands
    * restricting where a user with a given key can login
    * restrict the commands a given key can use
    * All the other handy crap I can do with bash. Oh yeah…it’s linked against the marvelous readline library, which actually lets me effectively admin over a slow link.

    Looks like this will be yet another windows server I’ll end up tossing cygwin onto…

  7. Jake says:

    I haven’t been able to get winrs to work with mklink. For example, if I have a machine (foo) where I create a symbolic link from one local folder to a network mapped drive (e.g. mklink /d c:usersmemyfolder x:temp), then from a different machine (bar), I winrs into “foo” and try to navigate “myfolder”, but it fails with “The system cannot find the path specified.”

    * winrs -r:foo “dir c:usersme” //works fine, even “sees” myfolder
    * winrs -r:foo “dir c:usersmemyfolder” //fails with said error

    Any ideas on how to work around this? Or am I missing something simple?
    Thanks.

    • Jake says:

      Actually, I’ve narrowed it down to winrs not working with mapped network shares. Simply trying a “dir x:” fails (assuming x: is mapped to a network share). Is there some security checkbox I need to click to allow full access to the share from a remote shell session?

  8. zuyq5def says:

    Several points:
    1. Doesn't matter if a comment is "late" – at least to people who are searching the web for an answer and find this blog…

    2. You can use netsh.exe to tunnel, a la SSH, in windows: netsh interface portproxy add v4tov4 listenport=1234 connectaddress=hostnameOfOtherMachine connectport=http

    3. Use the winrs -allowDelegate parameter to access shares on the remote. You may need to do some additional WINRM configuration if you use this.

    4. If you have access to a machine with WINRS, then you should also be able map drives to that machine – giving you file transfer.

    5. winrs is designed to execute CMD.EXE subcommands, such as DIR, etc. CMD /C is not necessary

    6. If you are looking for a highly functional way to do remote command line management I suggest Powershell and ps remoting. It very seamlessly supports 1 to 1 remote management alongside 1 to many remote management. And powershell gives you a huge arsenal of interoperability: .NET, COM, Win32 APIs, WMI, existing command line utilities, and more.

  9. Stan says:

    You can use powershell remoting:

    Enter-PSSession -ComputerName web1

    Or Execute commands against multiple computers:

    $s = New-PSSession (gc computers.txt)
    Invoke-Command $s { Get-Host }

1 Pings/Trackbacks for "WinRS: Microsoft’s Disappointing Answer to SSH for Remote Administration"
  1. […] Update According to Microsoft, there will be “a technology like this included in Windows Server 2008 called WinRS; or Windows Remote Shell. This command line tool allows administrators to remotely execute most cmd.exe commands using the WS_Management protocol.” Too bad it sucks! […]

Leave a Reply

Your email address will not be published. Required fields are marked *

*