Q: I have a problem connecting to the WMI service on a host, to use WMI monitors. Are there any preliminary steps I should follow to use WMI monitors?
A: Before you begin using network monitoring tools to gather information from a remote host via WMI, make sure that:
- WMI services are enabled on the host to monitor
- remote access to WMI services is enabled on the host
Please follow the below steps to ensure both prerequisites are met.
Steps to enable remote WMI monitoring
Prior to allowing access to WMI services, make sure the service is enabled. Starting from Windows XP, there’s a “Windows Management Instrumentation” service available from Control Panel -> Administrative tasks -> Services. Find the service and make sure it is running and configured to auto-start at startup (startup type: Automatic).
Allow access to corresponding ports
Access to the DCOM port (TCP port 135) should be granted for remote access, to allow calling remote WMI services. Use the corresponding Windows firewall settings for incoming connections to TCP:135.
To allow connecting to the ports used to access WMI objects on Windows XP/Windows Server 2003, run the following commands (from a cmd.exe window, run as administrator):
netsh firewall set service remoteadmin enable
netsh firewall set service remoteadmin enable subnet
netsh firewall set service remoteadmin enable custom <IP>,LocalSubnet
Note: try these commands in order, moving to the next one only if the current one didn’t work. Use the actual computer’s primary IP address instead of <IP>.
Use the below command to perform the same action for Windows Vista and later Windows versions:
netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
Authorize WMI users and set permissions
Important note: to perform WMI queries on a remote computer, the account with which you are logged on must be a member of the Administrators group of that computer. If the computer is a member of a domain, the user must be a member of the Domain Admins group. Make sure to use the proper credentials in IPHost Network Monitor’s Windows credentials for the corresponding WMI monitor.
If you need to configure remote WMI access to Windows XP (SP2 or later) and/or Windows Server 2003, please follow these instructions.
If you are performing WMI access management for Vista or a later Windows version (i.e., Windows 7, Windows 8/8.1, Windows 10 or Windows Server 2008 or newer versions), follow the steps below.
- Make sure the “Remote Registry” service is running.
- Open the WMI Control console: click Start, click Run, type wmimgmt.msc and then click OK.
- In the console tree, right-click WMI Control, and then click Properties.
- Click the Security tab.
- Select the namespace for which you want to give a user or group access (usually, Root), and then click Security.
- In the Security dialog box, click Add.
- In the Select Users, Computers, or Groups dialog box, enter the name of the object (user or group) that you want to add. Click Check Names to verify your entry and then click OK. You might have to change the location or click the Advanced button to query for objects. See the dialog box Help for more details.
- Add the host that sends remote WMI requests to the list of trusted hosts: run PowerShell as Administrator and issue these commands:
cd wsman:\localhost\client
set-item trustedhosts <hostname>
where <hostname> is the host that sends remote WMI requests. Note: if that host is known by more than a single hostname, add all of its known DNS names via these commands.
Test remote WMI access
After the above steps are done, before actually starting the corresponding WMI monitor, try executing a simple WMI query on the remote computer. Open PowerShell as Administrator and issue a command like this:
Get-WmiObject -Namespace "root\cimv2" -Class Win32_LogicalDisk -ComputerName <REMOTE_IP> -Credential <DOMAIN\User>
replacing <REMOTE_IP> with the actual IP or full computer name of the remote host (for which the WMI monitor should be set up) and <DOMAIN\User> with the actual domain and user name to authenticate (use the computer network name as the domain name if logging in as a local user).
If everything is set up and credentials are valid, the command will list some information on local disk drives of the remote host.
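The prerequisites above can also be verified on the monitored host itself before a WMI monitor is pointed at it. The following read-only PowerShell check is an added example, not part of the original FAQ or of IPHost Network Monitor; the function name Test-WmiMonitoringPrereqs is hypothetical, and it assumes Windows 8 / Server 2012 or later with the English name of the WMI firewall rule group.

```powershell
# Added example: read-only check of the prerequisites listed above. Run it in an
# elevated PowerShell session on the host to be monitored; it changes nothing.
# Assumptions: Windows 8 / Server 2012 or later, English firewall group name.
function Test-WmiMonitoringPrereqs {
    $out = @()

    # WMI service must be running with startup type Automatic;
    # Remote Registry only needs to be running.
    foreach ($svc in @(@{ Name = 'Winmgmt'; NeedAuto = $true },
                       @{ Name = 'RemoteRegistry'; NeedAuto = $false })) {
        $s = Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'"
        $ok = $s.State -eq 'Running' -and (-not $svc.NeedAuto -or $s.StartMode -eq 'Auto')
        $out += [pscustomobject]@{
            Check  = "Service $($svc.Name)"
            Pass   = [bool]$ok
            Detail = "State=$($s.State); StartMode=$($s.StartMode)"
        }
    }

    # Every inbound rule of the WMI firewall group should be enabled
    # (this is what the netsh advfirewall command above switches on).
    $group = 'Windows Management Instrumentation (WMI)'
    $rules = @(Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue |
               Where-Object { $_.Direction -eq 'Inbound' })
    $disabled = @($rules | Where-Object { $_.Enabled -ne 'True' })
    $out += [pscustomobject]@{
        Check  = 'Firewall group: WMI (inbound)'
        Pass   = ($rules.Count -gt 0 -and $disabled.Count -eq 0)
        Detail = "$($rules.Count) rule(s), $($disabled.Count) disabled"
    }

    # TrustedHosts: Set-Item replaces the whole list unless -Concatenate is
    # given, so read it back. A bare '*' trusts every host and is flagged.
    try   { $th = (Get-Item WSMan:\localhost\Client\TrustedHosts -ErrorAction Stop).Value }
    catch { $th = $null }   # WinRM service not running, or session not elevated
    $out += [pscustomobject]@{
        Check  = 'WSMan TrustedHosts'
        Pass   = ([bool]$th -and $th -ne '*')
        Detail = if ($th) { $th } else { '<empty or unreadable>' }
    }
    return $out
}

Test-WmiMonitoringPrereqs | Format-Table -AutoSize
```

A row with Pass = False points to the step above that still needs attention on that host.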