Windows proxy permissions

This document describes the user permissions required by the Windows proxy to obtain information from target Windows hosts for each discovery method available to the Windows proxy. The discovery methods are:

  • RemQuery
  • WMI

RemQuery access and discovery behavior

The RemQuery utility cannot be run as a non-administrator user. You can only create a service as an administrator, which RemQuery needs to do after copying its service to the ADMIN$ share on the remote machine.

If you cannot provide administrator level credentials then you cannot use RemQuery and cannot:

  • Get network connection information from basic discovery
  • Get files from patterns
  • Run commands from patterns

WMI Access and discovery behavior



Admin user











Not available



Not available



No manufacturer






No arguments
No command path
No user name









Not available after Windows 2003 SP1


WMI access permission definitions

Permission Set



DCOM: Remote access enabled
WMI: Root\CIMV2 namespace: Remote Enable, Account Enable
WMI: Root\Default namespace: Remote Enable, Account Enable, Execute
WMI: Root\WMI namespace: Remote Enable, Account Enable

Admin user

Access as a member of the Administrators group, for example, to scan a Domain Controller, use Domain Controller credentials.


  • getNetworkConnectionList is not available using WMI.
  • The NIC manufacturer cannot be retrieved by a non-administrator because the Plug and Play Manager is queried and there is no way to grant a non-administrator access to this.
  • An error is written in the Windows proxy's log when discovering a Windows 2003 machine as non-administrator. For example:

    ERROR: Query [performanceData] failed: Invalid query [SELECT SystemUpTime FROM
    Win32_PerfFormattedData_PerfOS_System] on []: [-2147217405:Access denied ]

    This does not lead to any missing information because a different method is then used to retrieve the system's uptime. If the error is a problem, the user can be assigned to the "Performance Monitor Users" group, which allows this WMI query to succeed.

Granting permissions

The following sections list possible ways to grant the various permissions required to a non-administrator user. This should be seen as a guide only.

Setting DCOM permissions

This section describes three methods to grant remote DCOM permission to a user. This is only required for discovery targets running XP SP2 or later or 2003 SP1 or later.

Method 1

Add the user to the Distributed COM Users group. This group was made available in Windows 2003 SP1.

Method 2

Use Group Policy Objects in an Active Directory environment to grant the permission. Using Group Policy Objects is described in this Microsoft article.

Method 3

Use the following steps to configure DCOM permissions on a machine:

  1. Select Start => Run, enter dcomcnfg and click OK - this launches the Component Services configuration GUI.
  2. Expand Console Root => Component Services => Computers => My Computer.
  3. Right-click My Computer and select Properties.
  4. Go to the COM Security tab.
  5. In the Launch and Activation Permissions section, click Edit Limits....
  6. Click Add.
  7. Enter your domain user name or group name in the text entry field and click Check Names.
  8. Click OK.
  9. Set the permissions for the user to Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  10. Click OK to close the permissions dialog, then OK again on My Computer Properties. The user should now be able to remotely access DCOM applications including WMI.

Setting WMI permissions

This method enables you to manually configure WMI permissions on a machine. You cannot configure WMI security with Group Policy Objects.

Use the following steps to configure WMI permissions on a machine:

  1. Select Start => Run, enter wmimgmt.msc and click OK - this launches the WMI management tool.
  2. Right-Click WMI Control (Local) and select Properties.
  3. Select the Security tab in the WMI Control Properties dialog.
  4. Expand the Root object.
  5. Select the namespace (Root\CIMV2, Root\Default, and Root\WMI in turn) and click Security.
  6. Click Advanced.
  7. Click Add...
  8. Enter your domain user name or group name in the text entry field and click Check Names.
  9. Click OK.
  10. Set Apply onto to This namespace only.
  11. Select Allow for the desired permissions (for example, Remote Enable, Account Enable, and Execute Methods).
  12. Click OK three times to get back to the WMI Control Properties Security page.

Setting remote registry permissions

The following article from Microsoft describes how to set remote registry permissions:

The user or group must be given read access to the registry key described in this article.
Alternatively, the user could be added to the Backup Operators group. However this group has a high level of access to the whole system.

Granting user rights

User rights can be granted either from gpedit.msc for local configuration, or using the Group Policy Management Console.

Was this page helpful? Yes No Submitting... Thank you