Download - WMI Troubleshooting Guide

7/30/2019 WMI Troubleshooting Guide

1/8

WMI Troubleshooting Guide

When trying creating a WMI monitor, timeout error occurred.

The error "The RPC server is unavailable" occurred when I tried to create WMI monitors.

Is there a way of using a NON administrator account for WMI remote monitoring?

Q. When trying creating a WMI monitor, timeout error occurred.A.

It may be because one of the following:

The remote computer is not online. The service "Windows Management Instrumentation Driver Extensions"

(or other WMI-related service, like RPC) has been disabled on theremote computer.

Windows NT, Windows 95, and Windows 98 does not support WMI.Please download (about 3 Mb) and install WMI Core on such

computers:Download WMI Core for Windows 95, 98

Download WMI Core for Windows NT

You do not have local Administrator rights on the remote computer.By default Windows will only allow members of the Administrators or

Domain Admins group to read information from the WMI class. A firewall is blocking access to the remote computer.

The remote computer's firewall should allow DCOM protocol (RPC -

Remote Procedure Call) and remote computer management. Sharing and security model is set to "Guest only" (Windows XP, 2003).

On a Windows XP Pro or Windows 2003 Server computer, make surethat remote logons are not being coerced to the GUEST account (aka

"ForceGuest", which is enabled by default on computers that are notattached to a domain). To do this, open the Local Security Policy editor(e.g. by typing 'secpol.msc' into the Run box, without quotes). Expand

the "Local Policies" node and select "Security Options". Now scrolldown to the setting titled "Network access: Sharing and security modelfor local accounts". If this is set to "Guest only", change it to "Classic"

and restart the computer.

You are using blank password (Windows XP).On XP Professional, accounts with blank passwords can no longer beused to log on to the computer remotely over the network.

Some connections between operating system versions are notsupported:

o You cannot connect to a computer that is running Windows XPHome Edition.

o A computer running Windows NT cannot connect to an operatingsystem later than Windows 2000, such as Windows XP or

Windows Server 2003.

o Accessing a Windows Server 2003 computer from Windows 98 or

Windows 95 is not supported.
http://www.ireasoning.com/wmi_troubleshooting.php#q1http://www.ireasoning.com/wmi_troubleshooting.php#q1http://www.ireasoning.com/wmi_troubleshooting.php#q5http://www.ireasoning.com/wmi_troubleshooting.php#q5http://www.ireasoning.com/wmi_troubleshooting.php#q10http://www.microsoft.com/downloads/details.aspx?FamilyId=98A4C5BA-337B-4E92-8C18-A63847760EA5&displaylang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyId=98A4C5BA-337B-4E92-8C18-A63847760EA5&displaylang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyID=c174cfb1-ef67-471d-9277-4c2b1014a31e&DisplayLang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyID=c174cfb1-ef67-471d-9277-4c2b1014a31e&DisplayLang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyID=c174cfb1-ef67-471d-9277-4c2b1014a31e&DisplayLang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyId=98A4C5BA-337B-4E92-8C18-A63847760EA5&displaylang=enhttp://www.ireasoning.com/wmi_troubleshooting.php#q10http://www.ireasoning.com/wmi_troubleshooting.php#q5http://www.ireasoning.com/wmi_troubleshooting.php#q1


2/8

o Windows 2000 computers must have Service Pack 2 installed tobe able to connect to Windows XP and later operation systems.

Q. The error "The RPC server is unavailable" occurred when I tried tocreate WMI monitors.

A. first ensure that the File and Printer Sharing is enabled on the WindowsFirewall Exceptions list for the following ports:

135 (RPC) 445 (TCP)

103x (mostly 1037) 441 (RPC)

For more information about the Windows Firewall Exceptions list, refer toMicrosoft Windows XP documentation. If the issue remains unresolved even

after enabling the File and Printer Sharing on the Windows FirewallExceptions list, enable the "Allow remote administration exception" group

policy entry.

1. Click Start, click Run, type gpedit.msc, and then click OK

2. Under Console Root, expand Computer Configuration, expandAdministrative Templates, expand Network, expand Network Connections,

expand Windows Firewall, and then click Domain Profile.

3. Right-click Windows Firewall: Allow remote administration exception, and

then click Properties.

4. Click Enabled, and then click OK.

Q. Is there a way of using a NON administrator account for WMIremote monitoring?

A. By default Windows will only allow members of the Administrators orDomain Admins group to read information from the WMI class.

For Windows 2000

1. Click Start, click Run, type wmimgmt.msc in the Open box, andthen click OK.

2. Right-click WMI Control, and then click Properties.3. Click the Security tab.

4. Expand the Root folder, select the CIMV2 folder, and then clickSecurity.

5. Click Add. Type the user name you wish to use, click Check Namesto verify your entry or entries, and then click OK.

6. In the Permissions for User list, click the Allow check box next tothe following permissions:

Execute Methods

Enable Account


3/8

Remote EnableRead Security

7. Click Advanced. In the Permission entries list, select the useryou added in step 5, and then click Edit.

8. In the Apply onto box, click This namespace and

subnamespaces.9. Click OK three times.

10. Quit the WMI Control snap-in.

For Windows XP / Windows 2003

1. Click Start, click Run, type wmimgmt.msc in the Open box, andthen click OK.

2. Right-click WMI Control, and then click Properties.

3. Click the Security tab.4. Expand the Root folder, select the CIMV2 folder, and then click

Security.5. Click Add. Type the user name you wish to use in the Enter the

object names to select box, click Check Names to verify your entryor entries, and then click OK.

6. In the Permissions for User list, click the Allow check box next tothe following permissions:

Execute MethodsEnable Account

Remote EnableRead Security

7. Click Advanced. In the Permission entries list, select the useryou added in step 5, and then click Edit.

8. In the Apply onto box, click This namespace andsubnamespaces.

9. Click OK three times.

10. Quit the WMI Control snap-in.11. Click Start, click Run, type dcomcnfg.exe in the Open box, and

then click OK.12. Select Component Services and then expand it. Then expand

Computers. Right-click My Computer and select Properties.13. Select the COM Security tab.

14. In the Access Permissions section, click Edit Limits....15. Click Add. Type the user name you wish to use in the Enter the


16. In the Permissions for User list, click the Allow check box nextto the following permissions:

Local AccessRemote Access

Click OK.17. In the Launch and Activation Permissions section, click Edit

Limits....18. Click Add. Type the user name you wish to use in the Enter the


4/8


19. In the Permissions for User list, click the Allow check box nextto the following permissions:

Local Launch

Remote LaunchLocal Activation

Remote ActivationClick OK twice.

20. Expand My Computer and expand DCOM Config.

21. Right-click Windows Management and Instrumentation andclick Properties.

22. Click the Security tab.23. In the Access Permissions section, click Edit....

24. Click Add. Type the user name you wish to use in the Enter theobject names to select box, click Check Names to verify your entry

or entries, and then click OK.25. In the Permissions for User list, click the Allow check box next

to the following permissions:

Local AccessRemote Access

Click OK twice.26. Quit the Component Services snap-in.

27. Restart the target computer.

Note: Windows 2003 SP1 systems will not allow a user who is

not a member of the Administrators or Domain Admins group toview the Win32_Service class. Consequently, you must use anaccount in one of these groups to perform polling of NT Service

monitors. The above information will not work.

RPC Server Not Available solutionPosts 2 | Created 9/17/2008 2:49 PM bydscudder|

dscudder

Hello all,

Just thought I'd throw this out there. I had been having trouble performing WMI scans on a relatively

new installation for quite some time. One message I got with about 80 computers' last_scan_status

was "the rpc server not available". I had checked WMI security and opened port 135 TCP on my

clients. I resolved that error by also opening port 445 TCP. gpedit can accomplish this by doing the

following that I found on TechNet (allow Remote Administration Exception, plus include the ITSM

server's subnet):
http://frsconnect.frontrange.com/profile_view.aspx?customerid=dscudderhttp://frsconnect.frontrange.com/profile_view.aspx?customerid=dscudderhttp://frsconnect.frontrange.com/profile_view.aspx?customerid=dscudderhttp://frsconnect.frontrange.com/profile_view.aspx?customerid=dscudderhttp://frsconnect.frontrange.com/profile_view.aspx?customerid=dscudderhttp://frsconnect.frontrange.com/profile_view.aspx?customerid=dscudderhttp://frsconnect.frontrange.com/profile_view.aspx?customerid=dscudderhttp://frsconnect.frontrange.com/profile_view.aspx?customerid=dscudder


5/8

1. On the Windows desktop, click Start, and then click Run.

2. In the Run dialog box, type gpedit.msc and then click OK.

3. In Local Group Policy Editor, under Console Root, expand Computer Configuration, expand

Administrative Templates, expand Network, expand Network Connections, expand Windows

Firewall, and then click Domain Profile.

4. In the Domain Profile pane, right-click Windows Firewall: Allow remote administration exception,

and then click Properties.


Posted 9/17/2008 2:49 PM |

disco2008

Here is a checklist that we published a while back, should help you out.

Remote WMI Scan Configuration Checklist

Client Side Testing/Configuration

-----------------------------------------------------

I. Test local WMI

1. Run wbemtest.exe

2. Click Connect

3. Type in root\cimv2 as the namespace and click Connect

If the IWbemServices appear and you can click on them, then we have successfully connected to

the local WMI namespace. If Wbemtest returns an error, click More Information and check the

Description property for information about this error.

II. Remote Registry Service

1. Make sure that the Remote Registry Service is set to automatic and started

2. If it isnt, start this service
http://frsconnect.frontrange.com/profile_view.aspx?customerid=disco2008http://frsconnect.frontrange.com/profile_view.aspx?customerid=disco2008http://frsconnect.frontrange.com/profile_view.aspx?customerid=disco2008http://frsconnect.frontrange.com/profile_view.aspx?customerid=disco2008


6/8

III. Disable the Windows Firewall, or grant Port 135

Allow for remote administration

1. Click Start, click Run, type gpedit.msc, and then click OK.

2. Under Console Root, expand Computer Configuration, expand Administrative Templates, expand

Network, expand Network Connections, expand Windows Firewall, and then click Domain Profile.

3. Right-click Windows Firewall: Allow remote administration exception, and then click Properties.

4. Click Enabled, and then click OK

Grant DCOM Remote Launch permissions

1. Click Start, click Run, type DCOMCNFG, and then click OK.

2. In the Component Services dialog box, expand Component Services, expand Computers, and

then expand My Computer.

3. On the toolbar, click the Configure My Computer button.

The My Computer dialog box appears.

4. In the My Computer dialog box, click the COM Security tab.

5. Under Launch and Activate Permissions, click Edit Limits.

6. In the Launch Permission dialog box, follow these steps if your name or your group does not

appear in the Groups or user names list:

a. In the Launch Permission dialog box, click Add.

b. In the Select Users, Computers, or Groups dialog box, add your name and the group in the Enter

the object names to select box, and then click OK.

7. In the Launch Permission dialog box, select your user and group in the Group or user names box.In the Allow column under Permissions for User, select Remote Launch, and then click OK.

Open the DCOM port

Before you enable ports in Windows Firewall, make sure that the Windows Firewall: Allow local port

exceptions setting in Group Policy is enabled. To do this, follow these steps:




3. Right-click Windows Firewall: Allow local port exceptions, and then click Properties.


Note You can also use the Windows Firewall: Define port exceptions setting to configure local port

exceptions.

The DCOM port is TCP 135. To open the DCOM port, follow these steps:

1. Click Start, and then click Control Panel.

2. Double-click Windows Firewall, and then click the Exceptions tab.

3. Click Add Port.


7/8

4. In the Name box, type DCOM_TCP135, and then type 135 in the Port number box.

5. Click TCP, and then click OK.

6. Click OK.

Note You can also type the following command at a command prompt to open a port:

netsh firewall add portopening [TCP/UDP][Port][Name]

Add a client application to the Windows Firewall Exceptions list

Before you define program exceptions in Windows Firewall, make sure that the Windows Firewall:

Allow local program exceptions setting in Group Policy is enabled:




3. Right-click Windows Firewall: Allow local program exceptions, and then click Properties.


Note You can also use the Windows Firewall: Define program exceptions setting to configure local

program exceptions.

To add a client application to the Windows Firewall Exceptions list, follow these steps:

1. Click Start, and then click Control Panel.

2. Double-click Windows Firewall, and then click the Exceptions tab.

3. Click Add Program.4. Locate the application that you want to add, and then click OK.

5. Click OK.

Note You can also type the following command at a command prompt to add a program to the

Windows Firewall Exception list:

netsh firewall add allowedprogram [\ProgramName] [ENABLE/DISABLE]

IV. Verifying Namespace Security

1. Click Start, and then click Run.

2. In Open, type wmimgmt.msc, and then click OK.

3. Right Click on "WMI Control (Local)"

4. Select Properties

5. Select the "Security" tab

6. Select "Root" namespace

7. Click "Security"

By default, Administrators should be granted all rights. Also click on "Advanced" and make sure that

the rights are applied to "This namespace and subnamespaces".


8/8

Server Side Testing

--------------------------------

I. Test Remote WMI

1. Run wbemtest.exe

2. Click Connect

3. Type in \\clientname\cimv2 as the namespace and click Connect

If you get a The RPC server is unavailable error, then something is blocking the connection i.e.

firewall or remote registry service

II. Check Privileges

1. Make sure that the user you are using to connect to the client has the correct Privileges