Occasionally, you will run into issues where Windows remote administration protocols reject connections. WMI is a primary means of transport and execution for Infocyte. (Infocyte will fall back to other remote admin protocols such as SMB, Remote Scheduled Tasks, or PowerShell Remoting if those ports are open and available.)
If enumeration or scanning fails, check the target group's "Issues" section, or the enumeration task itself, for the reason.
The two most common errors will be "Permission Denied" and "RPC Service Unavailable".
You can test remote access and authentication permissions outside of Infocyte by running a few queries in PowerShell.
Open a PowerShell console as an Administrator and follow the steps below:
To test WMI access to target machines, execute the following commands in PowerShell:
First:
PS C:\> $creds = Get-Credential
A credentials window will pop up; enter the credentials you are attempting to use to access the remote machine.
Next:
PS C:\> Get-WMIObject -Class win32_process -Credential $creds -ComputerName <REMOTEIP>
Replace <REMOTEIP> with the DNS name or IP address of the remote system you are testing against.
- If the command executes successfully, the running processes on the machine will be printed to the console.
- If there is a red error thrown stating that “Access is denied”, then your credentials do not have access to the system.
- Any other error may indicate the WMI service is not running or the connection is blocked.
REFERENCE: https://www.microsoft.com/en-us/download/details.aspx?id=7684
Additional Troubleshooting:
If you encounter an error other than "Access is denied", there are many dependencies that could be involved. The most common problem is a host firewall or Windows Firewall blocking the needed WMI ports (135 or the upper dynamic ranges 49152+). If this is the issue, the Windows Management Instrumentation firewall rules can be set easily using local or global GPOs.
The next step is to ensure WMI services and RPC services are running on the remote system.
Go to Start/Run, type services.msc, and press Enter. In the Services window, scroll down to Remote Procedure Call (RPC) and double-click it. Make sure the Startup type is set to Automatic and that the service is Started. You may need to start the DCOM Server Process and the RPC Endpoint Mapper as well.
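The checks above combined into one script, as an added example that is not part of the original article or Infocyte's own tooling. It assumes Windows PowerShell 5.1; the function names Test-WmiAccess and Get-WmiServiceState are hypothetical, and RpcSs, RpcEptMapper, DcomLaunch and Winmgmt are the standard Windows short names for the services mentioned above.

```powershell
# Added example: classify a WMI connectivity failure against one remote host.
# Test-WmiAccess is a hypothetical helper name, not an Infocyte command.
function Test-WmiAccess {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    # Step 1: is the RPC endpoint mapper (TCP 135) reachable at all?
    $port135 = Test-NetConnection -ComputerName $ComputerName -Port 135 -WarningAction SilentlyContinue
    if (-not $port135.TcpTestSucceeded) {
        return 'Blocked: TCP 135 unreachable (check host/Windows Firewall WMI rules)'
    }

    # Step 2: the same query used in the manual test, with errors made catchable.
    try {
        $procs = Get-WmiObject -Class Win32_Process -Credential $Credential -ComputerName $ComputerName -ErrorAction Stop
        return "OK: WMI returned $(@($procs).Count) processes"
    }
    catch [System.UnauthorizedAccessException] {
        return 'Access is denied: credentials do not have access to the system'
    }
    catch [System.Runtime.InteropServices.COMException] {
        # 0x800706BA = "The RPC server is unavailable". Port 135 answered, so
        # suspect the dynamic port range (49152+) or stopped services.
        if ($_.Exception.HResult -eq 0x800706BA) {
            return 'RPC unavailable: check dynamic ports 49152+ and RPC/WMI services'
        }
        return "Other COM error: $($_.Exception.Message)"
    }
    catch {
        return "Other error: $($_.Exception.Message)"
    }
}

# Run locally on the target: the services the article says must be running.
function Get-WmiServiceState {
    Get-Service -Name RpcSs, RpcEptMapper, DcomLaunch, Winmgmt |
        Select-Object Name, DisplayName, Status, StartType
}

# Usage (placeholder host, replace with your target):
# Test-WmiAccess -ComputerName '<REMOTEIP>' -Credential (Get-Credential)
```

Run Test-WmiAccess from the scanning machine and Get-WmiServiceState on the target itself, since a remote service query depends on the same RPC path that may be failing.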
Dell has a good article about the issues here: http://www.dell.com/support/article/us/en/4/SLN283117
If all of these steps fail, download and run the WMI Diagnostic Tool from Microsoft on one of the local systems that is having issues: https://www.microsoft.com/en-us/download/details.aspx?id=7684
Grab the output logs from this test and send them to support@infocyte.com and we can help troubleshoot WMI issues.