Welcome to PowerShell Hell

I finally figured out why the error messages in PowerShell are in bright red. It’s because it’s the color of flames and/or red hot coals and it means you may be in PowerShell Hell. That’s what recently happened when I updated the Antivirus on my PC from Eset NOD32 version 4 to version 5. A few days after updating, I was in PowerShell Hell as shown below:

When trying to run Get-ChildItem against WSMan:localhost, I received the following:

Get-ChildItem : WS-Management cannot process the request. The operation failed because of an HTTP error. The HTTP error (12152) is: The server returned an invalid or unrecognized response .
At line:1 char:1
+ dir WSMan:localhost
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-ChildItem], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetChildItemCommand

When trying to use Invoke-Command (PowerShell Remoting), I received the following error which made me think the issue was on the destination end and not the source. I tried the same command from another machine and it worked without issue so that eliminated the computer I was trying to run PowerShell remoting commands against as the problem.

[remote-pc] Connecting to remote server remote-pc failed with the following error message : The WinRM client cannot process the request. The encrypted message body has an invalid format and cannot be decrypted. Ensure that the service is encrypting the message body according to the specifications. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (:) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionStateBroken

When trying to use Enter-PSSession (1 to 1 Remoting), I received the following error:

Enter-PSSession : Connecting to remote server localhost failed with the following error message : The WinRM client cannot process the request. The encrypted message body has an invalid format and cannot be decrypted. Ensure that the service is encrypting the message body according to the specifications. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession localhost
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (localhost:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed

When trying to run Enable-PSRemoting, I received another error. I was able to use cmdlets that had a computer name parameter such as Get-Process without issue though.

<f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="995" Machine="localhost"><f:Message>WS-Management cannot process the request. The operation failed because of an HTTP error. The HTTP error (12152) is: The server returned an invalid or unrecognized response . </f:Message></f:WSManFault>
At line:59 char:13
+ Set-WSManQuickConfig -force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException
+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

This took a fair amount of time to track down since I’d made several changes to my machine between the time the antivirus was updated and the time I discovered the problems. By default, NOD32 version 5 does protocol filtering on HTTP connections, which is evidently needed by all of the PowerShell commands that were generating errors. You could disable this protocol filtering altogether (not recommended). This will require a reboot if you choose to use this method to resolve the problems:

My recommended way of resolving this issue is to add exceptions for PowerShell and the PowerShell ISE under Protocol filtering > Excluded Applications:

All of the issues went away once these exceptions were added:
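The triage below is an added example, not part of the original post: it repeats the Invoke-Command call against several targets and matches the two error texts quoted above, so a failure on every target points at the machine issuing the commands rather than the destination. The function names are hypothetical, `remote-pc` is the placeholder host from the error output, and it assumes an elevated Windows PowerShell session.

```powershell
# Added example (not from the original post). Function names are hypothetical.
function Get-WinRMFailureHint {
    param([Parameter(Mandatory)][string]$Message)

    # Error texts quoted in this post, mapped to the command that produced them.
    $signatures = [ordered]@{
        'HTTP error \(12152\)'                         = 'Get-ChildItem WSMan: / Set-WSManQuickConfig error'
        'encrypted message body has an invalid format' = 'Invoke-Command / Enter-PSSession error'
    }
    foreach ($pattern in $signatures.Keys) {
        if ($Message -match $pattern) { return $signatures[$pattern] }
    }
    return $null   # no signature from this post matched
}

function Test-RemotingFromHere {
    param([string[]]$ComputerName = @('localhost'))

    foreach ($computer in $ComputerName) {
        try {
            # Same transport (WinRM over HTTP) as the failing commands in the post.
            $null = Invoke-Command -ComputerName $computer -ScriptBlock { 1 } -ErrorAction Stop
            [pscustomobject]@{ Computer = $computer; Remoting = 'OK'; Matched = $null }
        }
        catch {
            $hint = Get-WinRMFailureHint -Message $_.Exception.Message
            [pscustomobject]@{ Computer = $computer; Remoting = 'Failed'; Matched = $hint }
        }
    }
}

# 'remote-pc' is the placeholder host name used in the post's error output.
$results = @(Test-RemotingFromHere -ComputerName 'localhost', 'remote-pc')
$results | Format-Table -AutoSize

$matched = @($results | Where-Object { $_.Matched })
if ($matched.Count -eq $results.Count) {
    # Every target failed with a known signature: suspect this machine, as in the post.
    'All targets failed with a signature from this post. Check local HTTP protocol filtering.'
}
elseif ($matched.Count -gt 0) {
    'Only some targets failed. Compare from a second machine before blaming the source.'
}
else {
    'No signature from this post matched.'
}
```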


5 Comments

  1. Don Jones

    Bad, bad antivirus! This must’ve been hell to track down indeed.

    FYI – for other folks who may run across this – any cmdlet (except Invoke-Command, Enter-PSSession, and other Remoting-specific cmdlets) that has a -ComputerName parameter doesn’t necessarily use Remoting and WinRM/WS-MAN. Get-Process and Get-Service, for example, rely (I think) on the Remote Registry Service. They use RPCs, not HTTP, so they wouldn’t run into the issue you did.

    I’m going to update the Remoting guide to include this – I didn’t realize antivirus programs were being so intrusive these days!

  2. Bonnie Runimas

    This is very useful! Thanks Mike, glad we met at TechEd. 🙂

  3. Satish

    Hi, I am using McAfee antivirus. How can I fix this issue?

  4. Rob Wiley

    This totally saved me today. Thank you so much, Mike.

