Q: I have a problem connecting to the WMI service on a host, to use WMI monitors. Are there any preliminary steps I should follow to use WMI monitors?
A: Before you begin using network monitoring tools to gather information from a remote host via WMI, make sure that:
- WMI services are enabled on the host to monitor
- remote access to WMI services is enabled on the host
Please follow the steps below to ensure both prerequisites are met.
1. Steps to enable remote WMI monitoring
Before allowing access to the WMI service, make sure the service is enabled. Starting from Windows XP, the “Windows Management Instrumentation” service is available from Control Panel -> Administrative tasks -> Services. Find the service and make sure it is running and configured to start automatically at startup (startup type: Automatic).
1.1. Allow access to corresponding ports
Access to the DCOM port (TCP port 135) must be granted so that remote WMI services can be called. Use the corresponding Windows Firewall settings to allow incoming connections to TCP:135.
1.1.1. Windows XP/Windows Server 2003
To allow connections to the ports used to access WMI objects on Windows XP/Windows Server 2003, run the following commands (from a cmd.exe window, run as administrator):
netsh firewall set service remoteadmin enable
netsh firewall set service remoteadmin enable subnet
netsh firewall set service remoteadmin enable custom <IP>,LocalSubnet
Note: run each subsequent command only if the previous one didn’t work. Use the computer’s actual primary IP address instead of <IP>.
1.1.2. Windows Vista and later Windows versions
Use the below command to perform the same action for Windows Vista and later Windows versions:
netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
1.2. Authorize WMI users and set permissions
Important note: to perform WMI queries on a remote computer, the account with which you are logged on must be a member of
- local “Administrators” group or “Domain Admins” group (if computer is a member of domain)
- local “Distributed COM Users” group
If you need to configure remote WMI access to Windows XP (SP2 or later) and/or Windows Server 2003, please follow these instructions.
If you are performing WMI access management for Vista or a later Windows version (i.e., Windows 7, Windows 8/8.1, Windows 10 or Windows Server 2008 or newer versions), follow the steps below (note that they should be performed on the remote system – the one you need to monitor via WMI).
- Make sure “Remote Registry” service is running.
- Open the WMI Control console: Click Start, click Run, type wmimgmt.msc and then click OK.
- In the console tree, right-click WMI Control, and then click Properties.
- Click the Security tab.
- Select the namespace for which you want to give a user or group access (usually, Root), and then click Security.
- In the Security dialog box, click Add.
- In the Select Users, Computers, or Groups dialog box, enter the name of the object (user or group) that you want to add. Click Check Names to verify your entry and then click OK. You might have to change the location or click the Advanced button to query for objects. See the dialog box Help for more details. Click the “Advanced” button to make sure the permissions are applied correctly:
You need at least “Remote Enable” and read access assigned; you can start with granting all access types and revoking unnecessary ones later (use the command-line check mentioned in section 2 below).
- Ensure the “Applies to” option is set to “This namespace and subnamespaces”:
Use the “Edit” control to change that if necessary.
- Allow incoming traffic to the RPC ports (TCP range 6001-6032); the corresponding incoming rule in Windows Firewall should allow these ports.
- Add the host that sends remote WMI requests to the list of trusted hosts: run PowerShell as Administrator and issue this command:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value <hostname>
where <hostname> is the host that sends remote WMI requests. Note: if that host has more than a single hostname, add all of its known DNS names using this command.
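The prerequisites from section 1 can be reviewed in one pass before moving on to the test. The script below is an added example, not part of the original instructions; it only reads settings, and it assumes an elevated Windows PowerShell 5.1 session on the monitored host with an English-language firewall group name.

```powershell
# Added example: read-only audit of the section 1 prerequisites.
# Assumptions: Windows PowerShell 5.1, elevated session, English group names.

# Services named on this page: WMI itself (Winmgmt) and Remote Registry.
$services = Get-Service -Name 'Winmgmt', 'RemoteRegistry' |
    Select-Object Name, Status, StartType

# Inbound rules of the firewall group enabled in section 1.1.2, with the
# remote addresses each rule accepts ("Any" means every host can reach it).
$rules = Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' |
    Where-Object Direction -eq 'Inbound' |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            Profile       = $_.Profile
            RemoteAddress = $addr.RemoteAddress -join ','
        }
    }

# Accounts that hold the group memberships listed in section 1.2.
$members = foreach ($group in 'Administrators', 'Distributed COM Users') {
    Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Group'; e = { $group } }, Name, ObjectClass
}

# Current WinRM client trust list. Set-Item -Value replaces this list;
# adding -Concatenate appends a host to it instead.
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts -ErrorAction SilentlyContinue).Value

$services | Format-Table -AutoSize
$rules    | Format-Table -AutoSize
$members  | Format-Table -AutoSize
"TrustedHosts: $trusted"
```

Rules that report a RemoteAddress of Any accept WMI traffic from every host, and every account listed under Administrators can run remote WMI queries, so both lists are worth keeping as short as the monitoring setup allows.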
2. Test remote WMI access
After the above steps are done, and before actually starting the corresponding WMI monitor, try executing a simple WMI query against the remote computer. On the local system (where IPHost is installed), open PowerShell as Administrator and issue a command like this:
Get-WmiObject -Namespace "root\cimv2" -Class Win32_LogicalDisk -ComputerName REMOTE_HOST -Credential DOMAIN\User
replacing REMOTE_HOST with the actual DNS name or IP address of the remote host (for which the WMI monitor should be set up) and DOMAIN\User with the actual domain and user names to authenticate with (use the computer’s network name as the domain name if logging in as a local user).
If everything is set up and the credentials are valid, the command will list some information on the local disk drives of the remote host.
If an error is reported instead, please check the above-mentioned steps to make sure all the actions have been performed.
Important: you can only use a single set of credentials to access a given remote Windows system. If you attempt to connect to the same remote system with different set of credentials, the connection will fail (that’s a Windows restriction).
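When the test query fails, the error type usually indicates which step to revisit. The script below is an added example, not part of the original instructions; it wraps the same query with a port check and error triage, and assumes Windows PowerShell 5.1 on the monitoring host with Test-NetConnection available (Windows 8/Server 2012 or later).

```powershell
# Added example: triage for the test query in section 2.
# REMOTE_HOST and DOMAIN\User are the page's placeholders; replace both.
$target = 'REMOTE_HOST'
$cred   = Get-Credential -UserName 'DOMAIN\User' -Message "WMI account for $target"

# The DCOM port (TCP 135, section 1.1) must answer before WMI can work.
$port135 = Test-NetConnection -ComputerName $target -Port 135 -WarningAction SilentlyContinue
if (-not $port135.TcpTestSucceeded) {
    Write-Warning "TCP 135 on $target is unreachable: recheck the firewall steps in section 1.1."
    return
}

try {
    Get-WmiObject -Namespace 'root\cimv2' -Class Win32_LogicalDisk `
        -ComputerName $target -Credential $cred -ErrorAction Stop |
        Select-Object DeviceID, DriveType, Size, FreeSpace
}
catch [System.UnauthorizedAccessException] {
    # 0x80070005: the logon or the DCOM access check was refused.
    Write-Warning 'Access denied: recheck the account and group membership in section 1.2.'
}
catch [System.Runtime.InteropServices.COMException] {
    # Typically 0x800706BA (RPC server unavailable): port 135 answered but
    # the follow-up RPC connection was blocked.
    Write-Warning ('RPC failure 0x{0:X8}: recheck the RPC port rule in section 1.2.' -f $_.Exception.HResult)
}
catch [System.Management.ManagementException] {
    # WMI-level refusal, for example "Remote Enable" missing on the namespace.
    Write-Warning "WMI error '$($_.Exception.ErrorCode)': recheck namespace security in section 1.2."
}
catch {
    Write-Warning "Unexpected error: $($_.Exception.Message)"
}
```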