NoMachineProfile: Avoid creation of user profiles on remote machines? #107

ecbftw opened this issue May 24, 2021 · 7 comments

@ecbftw

ecbftw commented May 24, 2021

When logging in to remote systems to run some simple scripts, we're finding the user profile directories are being created (e.g. c:\users\MyWinRMUser). This is undesirable in many cases.

I ran across the -NoMachineProfile option here, which might avoid this:
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssessionoption?view=powershell-7.1

How would we specify that session option with pypsrp? More info in:
https://docs.microsoft.com/en-us/dotnet/api/system.management.automation.remoting.pssessionoption.nomachineprofile?view=powershellsdk-1.1.0
https://www.reddit.com/r/PowerShell/comments/aw57xh/newpssession_without_creating_a_profile/

Thanks!

@jborean93
Owner

You need to register your PS Configuration with the NoProfile option on the remote host then connect to that configuration using the name as the value of configuration_name when initialising the RunspacePool. This is how you can connect to Exchange and JEA endpoints as well as your own registered configurations.

@ecbftw
Author

ecbftw commented Jun 19, 2021

Thanks for pointing me in the right direction on this. I finally have time to look into it again. The problem I'm having is that I don't have the ability to log in to thousands of machines to create a new PSConfiguration first before using WinRM with them. If I did this, then it would create the undesirable user profile during that first session! The New-PSSession command seems to allow the setting of options without first registering a profile through something like:

Enter-PSSession -ComputerName Server01 -SessionOption (New-PSSessionOption -NoMachineProfile)

Is there an equivalent with your module?

@jborean93 jborean93 reopened this Jun 20, 2021
@jborean93
Owner

jborean93 commented Jun 20, 2021

My apologies, I thought you were talking about the -NoProfile option in PowerShell itself. I'll have to try it out on the actual PowerShell client, but at a guess I believe it's part of the shell creation side and unfortunately there is no way to control this behaviour with the RunspacePool creation in this library. If my suspicions are correct you would have to pass through the no_profile=True kwarg at

self.shell = WinRS(connection, resource_uri=resource_uri, id=self.id,
                   input_streams='stdin pr', output_streams='stdout')

but this can't be done through any public way right now.

@ecbftw
Author

ecbftw commented Jun 20, 2021

Thanks for the clarification. I did actually try setting no_profile=True yesterday via a monkey patch as a test and it didn't seem to help (testing against Windows 2019 Server and a domain account). I found this reference which seems to indicate WINRS_NOPROFILE already defaults to TRUE:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wsmv/593f3ed0-0c7a-4158-a4be-0b429b597e31

The documentation I'm finding is all very confusing, so I think when I find time again I'm going to just sniff the protocol stream from Microsoft's client and try to figure out where I could add the extra XML blob in pypsrp.

@jborean93
Owner

When I compare the data exchanged with New-PSSessionOption -NoMachineProfile and without, the only real difference I can see is that WINRS_NOPROFILE is set to true and not present when the option is set. So the no_profile kwarg for the WinRS shell is the place this needs to be set.

> I found this reference which seems to indicate WINRS_NOPROFILE already defaults to TRUE:

It could be for normal shells it is true, but maybe for the PowerShell it is not. I can definitely see that PowerShell itself doesn't set the key when the default pssession options are done and it is only present when -NoMachineProfile is set. I can also verify when I change the code to set no_profile when creating the WinRS shell that it is using the default user profile.
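
The comparison described in the comment above, as an added example that is not part of the thread or of pypsrp: it lists the WS-Man options in the header of a shell-creation envelope and diffs two envelopes. The two envelopes are constructed, trimmed samples that mirror the difference the comment reports (the `protocolversion` option and the `TRUE` value are assumptions); real input would be the decrypted SOAP from your own capture.

```python
import xml.etree.ElementTree as ET

# Standard SOAP 1.2 and WS-Management namespaces.
NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "w": "http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd",
}

def _create_envelope(options):
    """Build a constructed, heavily trimmed shell-creation envelope for the demo."""
    opts = "".join(f'<w:Option Name="{k}">{v}</w:Option>' for k, v in options.items())
    return (
        f'<s:Envelope xmlns:s="{NS["s"]}" xmlns:w="{NS["w"]}"><s:Header>'
        "<w:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.PowerShell</w:ResourceURI>"
        f"<w:OptionSet>{opts}</w:OptionSet></s:Header><s:Body/></s:Envelope>"
    )

# Constructed samples, not real captures (option values are assumptions).
DEFAULT_SESSION = _create_envelope({"protocolversion": "2.3"})
NO_PROFILE_SESSION = _create_envelope(
    {"protocolversion": "2.3", "WINRS_NOPROFILE": "TRUE"}
)

def shell_options(envelope_xml):
    """Return {option name: value} from the header's w:OptionSet ({} if none)."""
    root = ET.fromstring(envelope_xml)
    found = {}
    for opt in root.iterfind("s:Header/w:OptionSet/w:Option", NS):
        found[opt.get("Name")] = (opt.text or "").strip()
    return found

def diff_options(baseline_xml, candidate_xml):
    """Report options added, removed or changed between two envelopes."""
    base, cand = shell_options(baseline_xml), shell_options(candidate_xml)
    return {
        "added": {k: cand[k] for k in cand.keys() - base.keys()},
        "removed": {k: base[k] for k in base.keys() - cand.keys()},
        "changed": {k: (base[k], cand[k])
                    for k in base.keys() & cand.keys() if base[k] != cand[k]},
    }

if __name__ == "__main__":
    print(diff_options(DEFAULT_SESSION, NO_PROFILE_SESSION))
```
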

@ecbftw
Author

ecbftw commented Jun 24, 2021

Thanks for investigating further. I'm a little confused because it still creates a user profile directory even with this setting, so perhaps some of the things I've read elsewhere are false or no longer true. At the end of the day, I just want to avoid creating a user profile directory at all, but that may not be possible.

@jborean93
Owner

I'm not sure, sorry, it wouldn't be the first time that some of the WSMan settings like WINRS_NOPROFILE don't do anything. I've found that in recent Windows versions the WINRS_SKIP_CMD_SHELL option also does nothing anymore. Unfortunately I'm stuck with the limitations of what Windows offers me; if you can find a way that works using native PowerShell then I can look to see what it does, but if that also doesn't work then I cannot do much else, sorry.
