Test WMI connection
The easiest way to check if WMI is running on your machine is to use the built-in WMI tester. To test your WMI connection:
- Open the Run window on OC Scanner machine.
- Enter wbemtest and select OK.
- In the Windows Manager Instrumentation Tester window, select Connect in the top-right corner.
- In the Connect window, enter the connection parameters towards the target machine and select Connect.
- If no error message is displayed, the WMI connection is configured properly towards the target machine.
Access is denied
- Check the correct WMI related network ports are open on the scanned Windows servers (as well as on any firewalls in front of the given servers): TCP 135, TCP 445, TCP 49152-65535 (RPC Dynamic TCP port range)
- Ensure that DNS records are correct for the given server – including both A, and PTR (reverse DNS) records. Bad DNS records can cause WMI failure. For AD environments, check that only a single IP address is connected to the A / PTR records for the given server, depending on what is the primary DNS name of the given server in the AD Domain.
- Ensure the WMI service is running correctly. Restart the WMI service to ensure the service is starting correctly.
- Check that the user account running the scan has the right to access WMI on the given servers. By default AD Domain Administrators have WMI access (by AD Domain Admins being a part of the Local Administrators group on the Windows servers), and Local Administrators group has access to WMI. Additional users/groups can be added on Windows server WMI security, by modifying the WMI security permissions. WMI security can be checked in the following manner:
- Open the Computer Management Console.
- Navigate to Services and Applications > WMI Control.
- Right-click WMI Control > Properties.
- Navigate to Security > Click on 'Root' > Security.
- Check that the appropriate users/groups on the local server have WMI access permissions.
- Check that the username/password is valid for the given server environment. The username should be entered in the short AD Domain name format (also known as Legacy/Netbios format) – if scanning AD environments (EXAMPLE\administrator), or in the COMPUTERNAME\username format if scanning standalone servers (non AD Domain joined). Check for username/password typos.
- If scanning Standalone (Workgroup) servers, we can use the Local Administrator account to access WMI (such as the built-in account named Administrator, or a separate Local Administrator account that is part of the Local Administrators group).
If you are using a non-built-in Local Administrator account, an additional UAC policy change needs to be made so Windows will allow us to access WMI, using a non-built-in Local Administrator account:
- Open Regedit.
- Navigate to: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System].
- Change the LocalAccountTokenFilterPolicy DWORD value to 1.
If scanning AD Domain environments, make sure that the time on the AD Domain members is in sync with the AD Domain controllers, so Kerberos authentication can work.
No such interface supported / Class is not valid
- Restart the WMI service.
- For AD environments, check that only a single IP address is connected to the A / PTR records for the given server, depending on what is the primary DNS name of the given server in the AD Domain.
- Verify the WMI repository state:
- Execute cmd.exe (Run as Administrator)
- Execute winmgmt.exe /verifyrepository
- Recompile WMI MOF File for required WMI classes (if the above steps do not fix the issue):
- mofcomp c:\windows\system32\wbem\cimwin32.mof
- Restart the WMI service after running the above command.