Principle

Using the "Local Group Policy Editor", a PowerShell script can be configured to run at Windows shutdown. Because this script runs under the "system" account, some preparation is required if the chosen mode is "rsh" or "ssh".

opa0 mode preparation

If the combination of username/password is used, there is no need for configuration.

If an encrypted file is used to store the password using the "cryptedpsys" parameter, it must be created in a session running as the "system" account, since the shutdown script reads it under that account.

To do so, open a cmd.exe window as Administrator and run the following command:

C:\WINDOWS\system32>C:\Charon\psexec.exe -i -s cmd.exe

A new window will pop up. To check you're connected as "system", run:

C:\WINDOWS\system32>whoami

nt authority\system

Run the following command to create the encrypted file:

C:\WINDOWS\system32>powershell -command "ConvertTo-SecureString -String '<password>' -AsPlainText -Force | ConvertFrom-SecureString | Out-File '<full path to the file>'"

Run the PowerShell script in check mode:

C:\WINDOWS\system32>powershell -file c:\charon\charon_cleanshutdown.ps1 -config c:\charon\myds20vms.ini -check

Then check that the "OPA0 was successful" message is displayed, followed by "Command successfully completed."

It is recommended to move the psexec.exe program file to a secured folder, or to remove it when it is no longer needed (once the check is completed).
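
The check below is an added example, not part of the Charon kit. Run in the same "system" session, it confirms that the encrypted password file can be decrypted by the current account (without a key, ConvertFrom-SecureString protects the data with Windows DPAPI, so only the creating account on the same machine can read it back) and restricts the file's ACL. The path C:\Charon\opa0.pwd and the function names are placeholders.

```powershell
# Added example: verify and lock down the encrypted password file.
# Run from the "system" session opened with psexec. The path is a placeholder.
$PwdFile = 'C:\Charon\opa0.pwd'   # hypothetical value of "cryptedpsys"

function Test-EncryptedPasswordFile {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "File not found: $Path"
        return $false
    }
    try {
        # Without -Key, ConvertTo-SecureString decrypts with DPAPI, which only
        # succeeds for the account (and machine) that created the file.
        $blob = (Get-Content -LiteralPath $Path -Raw).Trim()
        $null = ConvertTo-SecureString -String $blob -ErrorAction Stop
        return $true
    }
    catch {
        Write-Warning "Cannot decrypt '$Path' as $(whoami): $($_.Exception.Message)"
        return $false
    }
}

function Protect-EncryptedPasswordFile {
    param([Parameter(Mandatory)][string]$Path)

    # Well-known SIDs are used instead of names because account names are
    # localized: S-1-5-18 = Local System, S-1-5-32-544 = Administrators.
    & icacls.exe $Path /inheritance:r /grant:r '*S-1-5-18:(R)' '*S-1-5-32-544:(F)' | Out-Null
    return ($LASTEXITCODE -eq 0)
}

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsSystem) {
    Write-Warning "Running as $($me.Name), not as the system account."
}
if (Test-EncryptedPasswordFile -Path $PwdFile) {
    if (Protect-EncryptedPasswordFile -Path $PwdFile) {
        Write-Output "OK: '$PwdFile' decrypts as $($me.Name); ACL restricted."
    }
}
```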

rsh mode preparation

A proxy has to be defined at OpenVMS level, hence the local "system" user must be specified. This user name is translated depending on the language of the Windows distribution.

It is therefore highly recommended to install an English version of Windows, to avoid issues with accents and non-standard characters when creating this proxy.

Execute the same operations as described in chapter "Using rsh" for Tru64 or VMS to enable remote connection for the "SYSTEM" user.

Warning: this is case sensitive, so for Tru64 specify "SYSTEM" and not "system" in the .rhosts file.

It is highly recommended to test the execution of the script in check mode while connected as the "system" account. To do so, use the psexec.exe program file provided in the kit or download it from the Microsoft Sysinternals page.

Open a cmd.exe window as Administrator and run the following command:

C:\WINDOWS\system32>C:\Charon\psexec.exe -i -s cmd.exe

A new window will pop up. To check you're connected as "system", run:

C:\WINDOWS\system32>whoami

nt authority\system

Run the PowerShell script in check mode:

C:\WINDOWS\system32>powershell -file c:\charon\charon_cleanshutdown.ps1 -config c:\charon\myds20vms.ini -check

Then check that the "RSH was successful" message is displayed, followed by "Command successfully completed."

It is recommended to move the psexec.exe program file to a secured folder, or to remove it when it is no longer needed (once the check is completed).

ssh mode preparation

Execute the same operations as described in chapter "Using ssh" for Tru64 or VMS to create a key pair for the "SYSTEM" user with a different identity file.

To do so, use the psexec.exe program file provided in the kit or download it from the Microsoft Sysinternals page.

Open a cmd.exe window as Administrator and run the following command:

C:\WINDOWS\system32>C:\Charon\psexec.exe -i -s cmd.exe

A new window will pop up. To check you're connected as "system", run:

C:\WINDOWS\system32>whoami

nt authority\system

Remember to specify a different identity file in the .ini file, using the "identityfsys" parameter (see: Using ssh).


Run the PowerShell script in check mode:

C:\WINDOWS\system32>powershell -file c:\charon\charon_cleanshutdown.ps1 -config c:\charon\myds20vms.ini -check

Then check that the "SSH was successful" message is displayed, followed by "Command successfully completed."

It is recommended to move the psexec.exe program file to a secured folder, or to remove it when it is no longer needed (once the check is completed).

Windows settings - Local group policy

Adding the script to the shutdown PowerShell scripts

Open the "Local Group Policy Editor" (run gpedit.msc) and go to the Shutdown script setup:

Select the "PowerShell Scripts" tab, click on the "Add..." button, then specify the path to the charon_cleanshutdown.ps1 script and its parameters:

Display instructions in shutdown scripts as they run

It is recommended to enable the display of instructions during shutdown, to check that the Charon legacy OS shutdown is performed correctly.

Open the "Local Group Policy Editor" (run gpedit.msc) and go to the "Computer Configuration" → "Administrative Templates" → "System" → "Scripts" setup:

Enable this functionality and optionally leave a comment:

Specify maximum wait time for Group Policy scripts

By default, scripts executed at Windows shutdown have a timeout of 10 minutes (600 seconds). This value can be changed in case the shutdown takes more time.

Open the "Local Group Policy Editor" (run gpedit.msc) and go to the "Computer Configuration" → "Administrative Templates" → "System" → "Scripts" setup:

Enable this functionality, define the new timeout and optionally leave a comment:

Windows shutdown example

This example was produced on Windows 10 Professional running Charon-AXP V4.10 B202-03. The emulated AlphaServer is a DS20 running OpenVMS 8.4:

Note: the PowerShell window is displayed during Windows shutdown because the "Display instructions in shutdown scripts as they run" feature is enabled, and the putty / OPA0 window is opened by the "openconsolecmd" and "openconsolearg" parameters in the .ini file.

Full log as defined in the .ini file:

20200326:154759:INFO :0: Using 'C:\Charon\myds20vms_shutdown.log' as log file / append
=
Parameters taken from configuration file:
commandparams=-o Ciphers=+3des-cbc -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-dss
guestsystem=192.168.152.149
identityfile=C:\Charon\win10bmrsa
identityfsys=C:\Charon\win10bmrsa_system
logfile=C:\Charon\myds20vms_shutdown.log
mode=ssh
openconsolearg=-load OPA0 -P 10007
openconsolecmd=C:\Program Files\CHARON\Build_20203\x64\putty
os=VMS
servicename=ds20vms
sshbin=C:\Program Files (x86)\OpenSSH\ssh.exe
username=system
waitbeforestop=10
=
20200326:154759:INFO :0: 'ssh' will be used
20200326:154759:INFO :0: Using 'C:\Charon\win10bmrsa_system' as identity file.
20200326:154759:INFO :0: Service 'ds20vms' is Running (Display name: ds20vms)
20200326:154759:INFO :0: Testing guest system '192.168.152.149' response
20200326:154802:INFO :0: Opening console.
20200326:154802:INFO :0: Invoking 'ssh' command and executing shutdown as WIN10-MAIN$ ...
20200326:154802:INFO :0: C:\Program Files (x86)\OpenSSH\ssh.exe -i C:\Charon\win10bmrsa_system -q -l system -o BatchMode=yes -o Ciphers=+3des-cbc -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-dss 192.168.152.149 '@SYS$MANAGER:CHARON_SHUTDOWN.COM'
20200326:154804:INFO :0: Output results:
20200326:154804:INFO :0: 
20200326:154804:INFO :0: $     PURGE /KEEP=20 SYS$MANAGER:CHARON_SHUTDOWN.LOG
20200326:154804:INFO :0: $     RUN /DETACH SYS$SYSTEM:LOGINOUT.EXE /INPUT=SYS$MANAGER:CHARON_SHUTDOWN -
20200326:154804:INFO :0:           /OUTPUT=SYS$MANAGER:CHARON_SHUTDOWN.LOG /UIC=[1,4]
20200326:154804:INFO :0: %RUN-S-PROC_ID, identification of created process is 00000129
20200326:154804:INFO :0: $   ENDIF
20200326:154804:INFO :0: $ ENDIF
20200326:154804:INFO :0: $ EXIT
20200326:154804:INFO :0: $
20200326:154804:INFO :0: $ !
20200326:154804:INFO :0: $ ! Force any output to the standard output device.
20200326:154804:INFO :0: $ ! Most useful when client is Un*x.
20200326:154804:INFO :0: $ !
20200326:154804:INFO :0: $ ! V5.4-03
20200326:154804:INFO :0: $ !    WRITE SYS$OUTPUT -
20200326:154804:INFO :0: $ !     "ssh-rcmd  'f$getjpi("","USERNAME")' logged out at 'f$time()'" ! V5.4-02
20200326:154804:INFO :0:  
20200326:154804:INFO :0: $    WRITE SYS$OUTPUT "" 
20200326:154804:INFO :0: 
20200326:154804:INFO :0: $ 
20200326:154804:INFO :0: $    IF (SSHD$ERROR .NES. SSHD$INPUT_OUTPUT) 
20200326:154804:INFO :0: $    ENDIF
20200326:154804:INFO :0: $
20200326:154804:INFO :0: $ ! SS_NORMAL, SSH was succcessful, command should send its error over net.
20200326:154804:INFO :0: $    EXIT 1 
20200326:154804:INFO :0: Checking command results...
20200326:154804:INFO :0: Command successfully completed.
20200326:154806:INFO :0: Testing connection to '192.168.152.149' = True
20200326:154829:INFO :0: Testing connection to '192.168.152.149' = False
20200326:154839:INFO :0: Sleeping for 10 seconds...
20200326:154849:INFO :0: Stopping service ds20vms
20200326:154850:INFO :0: Service is Stopped
20200326:154850:INFO :0: Done.
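
As an added example (not part of the Charon kit), the PowerShell function below parses one run of a shutdown log in the format shown above, reports whether the remote command completed and the service stopped, and compares the elapsed time with the Group Policy script wait time (600 seconds by default). The function name is illustrative and the sample lines are copied from the log above.

```powershell
# Added example: summarize one run of a charon_cleanshutdown log.
# The log file is opened in append mode, so pass only the lines of a single run.
function Get-ShutdownLogSummary {
    param(
        [Parameter(Mandatory)][string[]]$Line,
        [int]$MaxWaitSeconds = 600   # Group Policy default script wait time
    )
    # Line format seen in the log: yyyyMMdd:HHmmss:LEVEL:code: message
    $rx = '^(?<ts>\d{8}:\d{6}):(?<level>\w+)\s*:(?<code>\d+): ?(?<msg>.*)$'
    $entries = foreach ($l in $Line) {
        if ($l -match $rx) {
            [pscustomobject]@{
                Time    = [datetime]::ParseExact($Matches.ts, 'yyyyMMdd:HHmmss',
                              [cultureinfo]::InvariantCulture)
                Level   = $Matches.level
                Message = $Matches.msg.Trim()
            }
        }
    }
    if (-not $entries) { throw 'No log entries recognized.' }
    $entries = @($entries)
    $span    = $entries[-1].Time - $entries[0].Time
    $elapsed = [int]$span.TotalSeconds
    [pscustomobject]@{
        CommandCompleted = [bool]($entries.Message -contains 'Command successfully completed.')
        ServiceStopped   = [bool]($entries.Message -contains 'Service is Stopped')
        NonInfoEntries   = @($entries | Where-Object Level -ne 'INFO').Count
        ElapsedSeconds   = $elapsed
        WithinWaitTime   = $elapsed -lt $MaxWaitSeconds
    }
}

# Sample lines copied from the log above (shortened to the relevant entries).
$sample = @(
    "20200326:154759:INFO :0: 'ssh' will be used"
    "20200326:154804:INFO :0: Command successfully completed."
    "20200326:154849:INFO :0: Stopping service ds20vms"
    "20200326:154850:INFO :0: Service is Stopped"
    "20200326:154850:INFO :0: Done."
)
Get-ShutdownLogSummary -Line $sample
```

If the elapsed time approaches the configured wait time, raise the "Specify maximum wait time for Group Policy scripts" value before relying on the shutdown script.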

OPA0 console log (needs to be defined in the Charon configuration file):

 Welcome to OpenVMS (TM) Alpha Operating System, Version V8.4    


Username: 
Error reading command input
Timeout period expired
%%%%%%%%%%%  OPCOM  26-MAR-2020 15:47:53.75  %%%%%%%%%%%
Message from user AUDIT$SERVER on VMS084
Security alarm (SECURITY) and security audit (SECURITY) on VMS084, system id: 11
08
Auditable event:          Local interactive login failure
Event time:               26-MAR-2020 15:47:53.75
PID:                      00000126        
Process name:             _OPA0:          
Username:                 <login>         
Process owner:            [SYSTEM]
Terminal name:            _OPA0:
Image name:               $1$DKA0:[SYS0.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
Posix UID:                -2              
Posix GID:                -2 (%XFFFFFFFE) 
Status:                   %LOGIN-F-CMDINPUT, error reading command input

%%%%%%%%%%%  OPCOM  26-MAR-2020 15:48:32.18  %%%%%%%%%%%
Message from user INTERnet on VMS084
INTERnet ACP SSH Accept Request from Host: 192.168.152.132 Port: 55627



        SHUTDOWN -- Perform an Orderly System Shutdown
                    on node VMS084


%SHUTDOWN-I-OPERATOR, this terminal is now an operator's console
%SHUTDOWN-I-DISLOGINS, interactive logins will now be disabled
%SET-I-INTSET, login interactive limit = 0, current interactive value = 0
%SHUTDOWN-I-STOPQUEUES, the queues on this node will now be stopped

SHUTDOWN message on VMS084 from user SYSTEM at VMS084 Batch   15:48:33
VMS084 will shut down in 0 minutes; back up LATER.  Please log off node VMS084.
SHUTDOWN


%SHUTDOWN-I-SITESHUT, the site-specific shutdown procedure will now be invoked
%SHUTDOWN-I-STOPUSER, all user processes will now be stopped
%%%%%%%%%%%  OPCOM  26-MAR-2020 15:48:33.44  %%%%%%%%%%%
Message from user INTERnet on VMS084
INTERnet ACP NOLISTEN Process creation success: Service - FTP

%%%%%%%%%%%  OPCOM  26-MAR-2020 15:48:33.60  %%%%%%%%%%%
Message from user INTERnet on VMS084
INTERnet ACP Error during process startup, Nolisten Service Disabled - FTP Serve
r 

%SHUTDOWN-I-STOPACMESRV, the ACME server will now be shut down
%%%%%%%%%%%  OPCOM  26-MAR-2020 15:48:33.60  %%%%%%%%%%%
Message from user INTERnet on VMS084
INTERnet ACP Deactivate FTP Server 

%%%%%%%%%%%  OPCOM  26-MAR-2020 15:48:33.69  %%%%%%%%%%%
Message from user SYSTEM on VMS084
%ACME-I-SERVEREXIT, ACME_SERVER exiting

%SHUTDOWN-I-STOPAUDIT, the security auditing subsystem will now be shut down
%%%%%%%%%%%  OPCOM  26-MAR-2020 15:48:35.68  %%%%%%%%%%%
Message from user AUDIT$SERVER on VMS084
Security alarm (SECURITY) and security audit (SECURITY) on VMS084, system id: 11
08
Auditable event:          Audit server shutting down
Event time:               26-MAR-2020 15:48:35.68
PID:                      00000129        
Username:                 SYSTEM          

%SHUTDOWN-I-STOPSECSRV, the security server will now be shut down
%SHUTDOWN-I-REMOVE, all installed images will now be removed
%SHUTDOWN-I-DISMOUNT, all volumes will now be dismounted
%%%%%%%%%%%  OPCOM  26-MAR-2020 15:48:35.97  %%%%%%%%%%%
Message from user SYSTEM on VMS084
, VMS084 shutdown was requested by the operator.

%%%%%%%%%%%  OPCOM  26-MAR-2020 15:48:36.24  %%%%%%%%%%%
Message from user SYSTEM on VMS084
%SECSRV-I-CIASHUTDOWN, breakin detection and evasion processing is shutting down

%%%%%%%%%%%  OPCOM  26-MAR-2020 15:48:36.24  %%%%%%%%%%%
Message from user SYSTEM on VMS084
%SECSRV-I-PROXYSHUTDOWN, proxy processing is shutting down

%%%%%%%%%%%  OPCOM  26-MAR-2020 15:48:36.66  %%%%%%%%%%%
Message from user SYSTEM on VMS084
%SECSRV-I-SERVERSHUTDOWN, security server shutting down

 
	SYSTEM SHUTDOWN COMPLETE


halted CPU 0

halt code = 5
HALT instruction executed
PC = ffffffff8008fa84
P00>>>