User privileges and information access for Windows operating systems

Windows discovery notes

This section provides some information about discovering Windows hosts.

Local administrator discovery missing command line information using WMI

If you do not get full command line information when you discover a Windows host using WMI as a local administrator, you should check that local administrators are part of the Debug Programs policy. See the Microsoft website for more information on the Debug Programs policy.

Potential user lock out

By default, AD accounts have a limited number of login attempts (for example, three attempts in fifteen minutes). Access Denied errors from WMI, DCOM, and RemQuery are counted as unsuccessful login attempts. Where target hosts are incorrectly configured, this limit can be exceeded and the account locked out.

To avoid this, configure the BMC Atrium Discovery account to accept unlimited login attempts.

Firewalls

Some versions of Windows have a default firewall configuration that does not permit discovery. You should configure the firewall to permit access; otherwise you will be unable to discover your Windows hosts. See Discovery communications for information on the ports that should be open.

Windows Domain Controllers

In order to get a full set of data from a Windows system, the credential used has to be in the Local Administrator group on the target. Domain Controllers have the equivalent of a local administrator; however, a local administrator on a Domain Controller has sufficient permissions to become a domain administrator. The implication is that having full local administration rights on a Domain Controller effectively means you have a Domain Admin account.

Windows Server 2008 and later and Windows Vista and later

The account being used to discover the target host must be one of the following:

  • A domain user with Administrator privileges on the target host.
  • A non-domain user with Administrator privileges and with remote UAC disabled on the target host.

Windows 2000 and Windows NT

RemQuery discovery uses AES encryption. This is not supported in Windows 2000 so RemQuery discovery falls back to DES encryption. Windows NT does not support AES or DES so RemQuery discovery is unencrypted. WMI discovery is unaffected.

getServices method requires WMI

In Windows 2000 and Windows NT the sc.exe executable is not provided. The getServices method requires WMI to run successfully.

Windows discovery using IPv6

Windows discovery using IPv6 is not supported for the following versions of Windows for the proxy host or the target host:

  • Windows Server 2003
  • Windows XP
  • Windows 2000

To discover these versions of Windows, you must use IPv4.

Proxy pools can only contain proxies from one of the following groups:

  • proxies running on the "IPv6 unsupported" versions of Windows noted above
  • later versions where IPv6 is supported, such as Windows Server 2008 and Windows 7.

Windows discovery commands

The following tables show the commands that are run on Windows platforms. The following methods are used:

  • WMI: Windows proxies use Windows Management Instrumentation (WMI) as the primary means of discovery. Discovery uses both WMI queries and WMI registry access.
  • RemQuery: If WMI does not succeed, the proxies use various command line tools via the RemQuery utility. When RemQuery is used, its executable is copied onto the admin$ share of the scanned host, then installed and started as a service. The service is then used to execute the discovery scripts. At the end of the scan, the service is stopped and uninstalled, but the executable is left in the admin$ share. If a copy already exists and is the same version, it is not copied again; if the existing copy is an older version, it is updated.
  • SNMP: SNMP discovery is supported for all devices with an accessible SNMP agent. Discovery supports SNMP v1, v2c and v3. For some older platforms (for example, Netware) the use of SNMP v1 might be required. This is defined on a per-credential basis. Only read (GET, GETNEXT, GETBULK) access is required.

WMI

| Method | Notes | WMI Namespace | WMI Query |
|---|---|---|---|
| getDeviceInfo* | Handled by getHostInfo call | | |
| getDirectoryListing | | root\CIMV2 | ASSOCIATORS OF {Win32_Directory='%path%'} WHERE ResultClass = CIM_LogicalFile |
| getFileSystems | | root\CIMV2 | SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3 or DriveType = 4 |
| | | root\CIMV2 | SELECT * FROM Win32_LogicalDiskToPartition |
| | | root\CIMV2 | SELECT * FROM Win32_Share |
| getHBAInfo | | root\WMI | SELECT * FROM MSFC_FCAdapterHBAAttributes |
| | | root\WMI | SELECT * FROM MSFC_FibrePortHBAAttributes |
| getHostInfo* | This query must succeed. | root\CIMV2 | SELECT Name, Manufacturer, Model, Domain, SystemType FROM Win32_ComputerSystem |
| | Optional, this query can fail. | root\CIMV2 | SELECT Workgroup FROM Win32_ComputerSystem |
| | | root\CIMV2 | SELECT DNSDomain FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = 1 |
| | | root\CIMV2 | SELECT * FROM Win32_OperatingSystem |
| | | root\CIMV2 | SELECT SystemUpTime FROM Win32_PerfFormattedData_PerfOS_System |
| | | root\CIMV2 | SELECT Capacity FROM Win32_PhysicalMemory |
| | | root\CIMV2 | SELECT SerialNumber FROM Win32_BIOS |
| | | root\CIMV2 | SELECT Vendor, IdentifyingNumber, Name, UUID FROM Win32_ComputerSystemProduct |
| | | root\CIMV2 | SELECT * FROM Win32_Processor |
| | | root\CIMV2 | SELECT HotFixID, ServicePackInEffect FROM Win32_QuickFixEngineering |
| | | root\default: StdRegProv | HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0~MHz |
| getIPAddresses | | root\CIMV2 | SELECT * FROM Win32_NetworkAdapterConfiguration |
| | | root\CIMV2 | SELECT * FROM Win32_NetworkAdapter |
| getMACAddresses* | This query must succeed. | root\CIMV2 | SELECT * FROM Win32_NetworkAdapterConfiguration |
| | | root\CIMV2 | SELECT * FROM Win32_NetworkAdapter |
| getNetworkInterfaces | | root\CIMV2 | SELECT * FROM Win32_NetworkAdapterConfiguration |
| | | root\CIMV2 | SELECT * FROM Win32_NetworkAdapter |
| | Optional, this query can fail. | root\WMI | SELECT * FROM MSNdis_EnumerateAdapter |
| | Optional, this query can fail. | root\WMI | SELECT * FROM MSNdis_LinkSpeed |
| getPackageList | See notes below. | root\default: StdRegProv | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall*\DisplayName |
| | | root\default: StdRegProv | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall*\QuietDisplayName |
| | | root\default: StdRegProv | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall*\HiddenDisplayName |
| | | root\default: StdRegProv | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall*\DisplayVersion |
| | | root\default: StdRegProv | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall*\Publisher |
| getPatchList | Handled by getHostInfo call, specifically: SELECT HotFixID, ServicePackInEffect FROM Win32_QuickFixEngineering | | |
| getProcessList | Calls getOwner() on each WMI object returned. | root\CIMV2 | SELECT * FROM Win32_Process |
| getRegistryListing | Registry keys are passed directly to the standard registry provider. | root\default: StdRegProv | %key% |
| getRegistryValue | Registry values are passed directly to the standard registry provider. | root\default: StdRegProv | %key% |
| getServices | | root\CIMV2 | SELECT * FROM Win32_Service |

* indicates methods that must succeed for a Host to be created

getPackageList

Package information is obtained by walking the registry keys described in the previous table rather than by using Win32_Product, because the registry provides more reliable data.

To speed up this process, a temporary WMI class is created on the remote computer to query the registry locally. This temporary class is given a unique name and is removed once the registry data has been retrieved.

On 64-bit Windows systems, the Wow6432Node (32-bit application data) is also examined.
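The following is an added example (not BMC's code) of how the registry values listed in the WMI table for getPackageList can be turned into package records: the three name values are tried in the order DisplayName, QuietDisplayName, HiddenDisplayName, entries without any usable name are dropped, and the Wow6432Node copy is walked alongside the native key. The input is constructed REG QUERY-style output (one REG QUERY per Uninstall subkey, concatenated), and the function names and the key names are assumptions for the example.

```python
"""Build the package list from the Uninstall registry keys named above,
applying the DisplayName / QuietDisplayName / HiddenDisplayName order and
covering the Wow6432Node copy on 64-bit Windows.  Added example, not BMC's
code: the REG QUERY output is constructed (one REG QUERY per Uninstall
subkey, concatenated) and the function names are assumptions."""
import re

# Name values in order of preference; the first one present is used
NAME_VALUES = ("DisplayName", "QuietDisplayName", "HiddenDisplayName")

# A value line of REG QUERY output: "    Name    REG_TYPE    data"
VALUE_LINE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*?)\s*$")

# Constructed output (not a real registry dump); the GUID-style key names are placeholders
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00000000-0000-0000-0000-000000000001}
    DisplayName    REG_SZ    Example Backup Agent
    DisplayVersion    REG_SZ    7.2.1
    Publisher    REG_SZ    Example Corp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleHotfix
    QuietDisplayName    REG_SZ    Example Hotfix (quiet)
    Publisher    REG_SZ    Example Corp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
    NoRemove    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00000000-0000-0000-0000-000000000002}
    DisplayName    REG_SZ    Example Reporting Tool
    DisplayVersion    REG_SZ    3.0
    Publisher    REG_SZ    Example Corp
"""


def parse_reg_query(text):
    """Group REG QUERY output into {key_path: {value_name: data}}."""
    keys = {}
    current = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(3)
    return keys


def packages_from_registry(keys):
    """One package record per Uninstall subkey that carries a usable name."""
    packages = []
    for path, values in keys.items():
        name = next((values[v] for v in NAME_VALUES if values.get(v)), None)
        if name is None:
            continue  # no DisplayName/QuietDisplayName/HiddenDisplayName: not a package entry
        packages.append({
            "name": name,
            "version": values.get("DisplayVersion"),
            "publisher": values.get("Publisher"),
            "wow6432node": "\\Wow6432Node\\" in path,  # 32-bit data on 64-bit Windows
            "key": path.rsplit("\\", 1)[-1],
        })
    return sorted(packages, key=lambda p: (p["name"].lower(), p["wow6432node"]))


if __name__ == "__main__":
    for pkg in packages_from_registry(parse_reg_query(SAMPLE_REG_OUTPUT)):
        print(pkg)
```

The AddressBook key in the sample has no name value and is skipped, which mirrors why the three name values are all requested: many Uninstall subkeys are not installed packages at all.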

getHBAInfo

WMI support for gathering HBA information uses the following queries to populate the HBA information if it is safe to do so:

SELECT * FROM MSFC_FCAdapterHBAAttributes
SELECT * FROM MSFC_FibrePortHBAAttributes

The OS version and patch list are checked to see whether HBA queries are safe. On Microsoft Windows Server 2003, Vista, and Server 2008 the HBAAPI.DLL module used by WMI leaks handles unless patched with KB957052. If this patch is not installed, no WMI requests are made.

By inspection, no current version of Windows 2003 (5.2.x) or Windows 2008 (6.0.x) has this patch included (current versions including service packs) but Windows 2008 R2 (6.1.x) has. It is not clear whether the problem exists on Windows 2000, though there is no patch available.

We make the following assumptions:

  • Windows 2000 HBA queries are safe via WMI.
  • Newer versions of Windows do not have the bug.
  • This check is unnecessary when running FCINFO.EXE. It also uses HBAAPI.DLL and could experience the same handle leak, but it is a short-lived process and the leaked handles are released when it exits.

The Microsoft FCINFO.EXE command line tool is also used by RemQuery, where WMI is deemed unsafe (or has failed for some reason). It provides equivalent information about HBAs because it uses the same API as the WMI provider.
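The version and patch check described above, written out as an added example (not BMC's code): 5.2.x (Server 2003) and 6.0.x (Vista, Server 2008) require KB957052 in the Win32_QuickFixEngineering HotFixID list before the WMI HBA queries are used, Windows 2000 (5.0.x) and 6.1.x or later are treated as safe per the stated assumptions, and an unsafe result selects the FCINFO fallback. The version strings, the hotfix lists and the function names are assumptions for the example.

```python
"""Decide whether the WMI HBA queries (MSFC_FCAdapterHBAAttributes /
MSFC_FibrePortHBAAttributes) are safe to run against a Windows target.

Added illustration of the version/patch check described above; it is not
BMC's code.  The version strings, the hotfix lists and the helper names are
assumptions for the example."""
import re

# KB that fixes the HBAAPI.DLL handle leak on Server 2003 / Vista / Server 2008
HBA_FIX_KB = "KB957052"

# (major, minor) kernel versions affected by the leak:
# Windows Server 2003 = 5.2.x, Vista and Server 2008 = 6.0.x
LEAKY_VERSIONS = {(5, 2), (6, 0)}


def parse_version(version):
    """(major, minor) from a Win32_OperatingSystem.Version-style string such as '6.0.6002'."""
    m = re.match(r"^\s*(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised Windows version string: %r" % version)
    return int(m.group(1)), int(m.group(2))


def hotfix_present(hotfix_ids, kb):
    """True if *kb* appears in the HotFixID column of Win32_QuickFixEngineering (case-insensitive)."""
    wanted = kb.upper()
    return any(h.strip().upper() == wanted for h in hotfix_ids)


def wmi_hba_queries_safe(version, hotfix_ids):
    """Apply the assumptions stated in the text:
    - 5.2.x and 6.0.x: safe only if KB957052 is installed
    - Windows 2000 (5.0.x): assumed safe
    - anything newer (6.1.x and later): assumed not to have the bug
    Versions the text does not mention (e.g. 4.x) fall through as safe here."""
    if parse_version(version) in LEAKY_VERSIONS:
        return hotfix_present(hotfix_ids, HBA_FIX_KB)
    return True


def hba_query_plan(version, hotfix_ids):
    """'wmi' when the WMI provider is safe, otherwise 'fcinfo' for the
    short-lived RemQuery FCINFO /DETAILS fallback."""
    return "wmi" if wmi_hba_queries_safe(version, hotfix_ids) else "fcinfo"


if __name__ == "__main__":
    # Constructed hotfix lists (not real scan results)
    patched = ["KB956572", "KB957052", "KB958644"]
    unpatched = ["KB956572", "KB958644"]
    print(hba_query_plan("5.2.3790", unpatched))   # fcinfo
    print(hba_query_plan("5.2.3790", patched))     # wmi
    print(hba_query_plan("6.1.7601", unpatched))   # wmi
```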

RemQuery

| Method | Script | Notes |
|---|---|---|
| getDeviceInfo | | Handled by getHostInfo call. |
| getDirectoryListing | REMQUERY DIR /-C /TW /4 %path% | |
| getFileContent | | Handled by getFileInfo call. |
| getFileInfo | REMQUERY CMD /C DIR /-C /TW /4 %path% | |
| | REMQUERY CMD /C TYPE %path% | |
| getFileMetadata | REMQUERY CMD /C DIR /-C /TW /4 %path% | |
| getHBAInfo | REMQUERY FCINFO /DETAILS | Requires Microsoft FCINFO.EXE to be installed on the target system. |
| | REMQUERY HBACMD LISTHBAS | Requires Emulex HBAnywhere to be installed on the target system. |
| | REMQUERY HBACMD HBAATTRIB %wwpn% | Requires Emulex HBAnywhere to be installed on the target system. |
| | REMQUERY LPUTIL LISTHBAS | Requires Emulex LPUTIL.EXE to be installed on the target system. |
| | REMQUERY LPUTIL COUNT | Requires Emulex LPUTIL.EXE to be installed on the target system. |
| | REMQUERY LPUTIL FWLIST %board_id% | Requires Emulex LPUTIL.EXE to be installed on the target system. |
| getHostInfo* | REMQUERY WMIC BIOS GET SERIALNUMBER | |
| | REMQUERY WMIC CSPRODUCT GET UUID | |
| | REMQUERY SYSTEMINFO /fo csv /nh | |
| | REMQUERY "HOSTNAME && VER" | |
| getIPAddresses | REMQUERY | Uses Windows API to query IP addresses. |
| | REMQUERY IPCONFIG /ALL | |
| getMACAddresses* | REMQUERY | Uses Windows API to query MAC addresses. |
| | REMQUERY IPCONFIG /ALL | |
| getNetworkConnectionList | REMQUERY NETSTAT -ano | |
| | REMQUERY NETSTAT -an | |
| getNetworkInterfaces | REMQUERY | Uses Windows API to query interface details. |
| | REMQUERY IPCONFIG /ALL | |
| getPackageList | REMQUERY | Uses Windows API to request the same registry keys as the WMI queries. |
| getPatchList | | Handled by getHostInfo call. |
| getProcessList | REMQUERY | Uses Windows API to query process information. |
| | REMQUERY TASKLIST /fo csv /nh /v | |
| getProcessToConnectionMapping | REMQUERY TCPVCON -ano | Requires TCPVCON.EXE to be installed on the target system. |
| | REMQUERY OPENPORTS -netstat | Optional, must be enabled in the Proxy configuration. Requires OPENPORTS.EXE to be installed on the target system. |
| getRegistryListing | REMQUERY REG QUERY %hive%%key% | |
| getRegistryValue | REMQUERY REG QUERY %hive%%key% /v %value% | |
| getServices | REMQUERY | Uses Windows API to query service information. |
| | REMQUERY SC QUERYEX state= all | |

* Indicates methods that must succeed for a Host to be created.
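The RemQuery path collects process and connection data with separate commands (TASKLIST /fo csv /nh /v and NETSTAT -ano), so the process-to-connection mapping has to be joined on PID afterwards. The following added example (not BMC's code) parses constructed output of both commands, handles the UDP rows that carry no State column and the bracketed IPv6 endpoints, and keeps a PID that netstat reports but tasklist does not (a process that exited between the two commands) visible rather than dropping it. The command output and the function names are assumptions for the example.

```python
"""Join RemQuery NETSTAT -ano and TASKLIST /fo csv /nh /v output into a
process-to-connection mapping.  Added example, not BMC's code: the command
output is constructed and the function names are assumptions."""
import csv
import io

# Constructed NETSTAT -ano output (not a real capture)
NETSTAT_ANO = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       816
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:3389          10.0.0.20:51234        ESTABLISHED     1120
  TCP    [::]:135               [::]:0                 LISTENING       816
  UDP    0.0.0.0:161            *:*                                    1356
"""

# Constructed TASKLIST /fo csv /nh /v output. Columns: Image Name, PID,
# Session Name, Session#, Mem Usage, Status, User Name, CPU Time, Window Title
TASKLIST_CSV = (
    '"System","4","Services","0","300 K","Unknown","NT AUTHORITY\\SYSTEM","0:01:02","N/A"\n'
    '"svchost.exe","816","Services","0","5,100 K","Unknown","NT AUTHORITY\\NETWORK SERVICE","0:00:03","N/A"\n'
    '"svchost.exe","1120","Services","0","8,200 K","Unknown","NT AUTHORITY\\NETWORK SERVICE","0:00:10","N/A"\n'
    '"snmp.exe","1356","Services","0","4,000 K","Unknown","NT AUTHORITY\\SYSTEM","0:00:00","N/A"\n'
)


def split_endpoint(endpoint):
    """'10.0.0.5:3389' -> ('10.0.0.5', 3389); '[::]:135' -> ('::', 135); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host, (int(port) if port.isdigit() else None)


def parse_netstat_ano(text):
    """Connection records from NETSTAT -ano; UDP rows carry no State column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        proto = parts[0]
        if proto == "TCP":
            state, pid = parts[3], parts[4]
        else:
            state, pid = None, parts[3]
        laddr, lport = split_endpoint(parts[1])
        faddr, fport = split_endpoint(parts[2])
        conns.append({"proto": proto, "local_addr": laddr, "local_port": lport,
                      "foreign_addr": faddr, "foreign_port": fport,
                      "state": state, "pid": int(pid)})
    return conns


def parse_tasklist_csv(text):
    """{pid: {'image': name, 'user': account}} from TASKLIST /fo csv /nh /v."""
    procs = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 7:
            continue  # blank line or truncated row
        procs[int(row[1])] = {"image": row[0], "user": row[6]}
    return procs


def process_to_connections(netstat_text, tasklist_text):
    """Join the two outputs on PID. A PID present in netstat but absent from
    tasklist is kept with image None so the gap is visible, not silently lost."""
    procs = parse_tasklist_csv(tasklist_text)
    mapping = {}
    for conn in parse_netstat_ano(netstat_text):
        proc = procs.get(conn["pid"], {"image": None, "user": None})
        entry = mapping.setdefault(conn["pid"], {"image": proc["image"],
                                                 "user": proc["user"],
                                                 "connections": []})
        entry["connections"].append(conn)
    return mapping


if __name__ == "__main__":
    for pid, entry in sorted(process_to_connections(NETSTAT_ANO, TASKLIST_CSV).items()):
        print(pid, entry["image"], entry["user"])
        for c in entry["connections"]:
            print("   ", c["proto"], c["local_addr"], c["local_port"], c["state"])
```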

SNMP

| Method | MIB Values | OID |
|---|---|---|
| getDeviceInfo* | SNMPv2-MIB::sysDescr.0 | 1.3.6.1.2.1.1.1.0 |
| | SNMPv2-MIB::sysName.0 | 1.3.6.1.2.1.1.5.0 |
| | LanMgr-Mib-II-MIB::domPrimaryDomain.0 | 1.3.6.1.4.1.77.1.4.1.0 |
| getHostInfo* | HOST-RESOURCES-MIB::hrSystemUptime.0 | 1.3.6.1.2.1.25.1.1.0 |
| | HOST-RESOURCES-MIB::hrMemorySize.0 | 1.3.6.1.2.1.25.2.2.0 |
| getIPAddresses | IF-MIB::ifEntry [ ifDescr, ifType, ifOperStatus ]; IP-MIB::ipAddressEntry [ ipAddressAddr, ipAddressIfIndex, ipAddressType, ipAddressPrefix ] | 1.3.6.1.2.1.2.2.1 [ .2, .3, .8 ]; 1.3.6.1.2.1.4.34.1 [ .2, .3, .4, .5 ] |
| | IP-MIB::ipAddrEntry [ ipAdEntAddr, ipAdEntIfIndex, ipAdEntNetMask ]; IPV6-MIB::ipv6AddrEntry [ ipv6AddrAddress, ipv6AddrPfxLength ] | 1.3.6.1.2.1.4.20.1 [ .1, .2, .3 ]; 1.3.6.1.2.1.55.1.8.1 [ .1, .2 ] |
| getMACAddresses* | IF-MIB::ifEntry [ ifDescr, ifType, ifPhysAddress, ifOperStatus ] | 1.3.6.1.2.1.4.20.1 [ .2, .3, .6, .8 ] |
| | IP-MIB::ipNetToPhysicalEntry [ ipNetToPhysicalPhysAddress, ipNetToPhysicalType ] | 1.3.6.1.2.1.4.35.1 [ .4, .6 ] |
| | IP-MIB::ipNetToMediaEntry [ ipNetToMediaPhysAddress, ipNetToMediaType ] | 1.3.6.1.2.1.4.22.1 [ .2, .4 ] |
| getNetworkConnectionList | TCP-MIB::tcpConnectionEntry [ tcpConnectionLocalAddress, tcpConnectionLocalPort, tcpConnectionRemAddress, tcpConnectionRemPort, tcpConnectionState, tcpConnectionProcess ]; TCP-MIB::tcpListenerEntry [ tcpListenerLocalAddress, tcpListenerLocalPort, tcpListenerProcess ]; UDP-MIB::udpEndpointEntry [ udpEndpointLocalAddress, udpEndpointLocalPort, udpEndpointProcess ] | 1.3.6.1.2.1.6.19.1 [ .2, .3, .5, .6, .7, .8 ]; 1.3.6.1.2.1.6.20.1 [ .2, .3, .4 ]; 1.3.6.1.2.1.7.7.1 [ .2, .3, .8 ] |
| | TCP-MIB::tcpConnEntry [ tcpConnState, tcpConnLocalAddress, tcpConnLocalPort, tcpConnRemAddress, tcpConnRemPort ]; IPV6-TCP-MIB::ipv6TcpConnEntry [ ipv6TcpConnLocalAddress, ipv6TcpConnLocalPort, ipv6TcpConnRemAddress, ipv6TcpConnRemPort, ipv6TcpConnState ]; UDP-MIB::udpConnEntry [ udpLocalAddress, udpLocalPort ]; IPV6-UDP-MIB::ipv6UdpEntry [ ipv6UdpLocalAddress, ipv6UdpLocalPort ] | 1.3.6.1.2.1.6.13.1 [ .1, .2, .3, .4, .5 ]; 1.3.6.1.2.1.6.16.1 [ .1, .2, .3, .4, .6 ]; 1.3.6.1.2.1.7.5.1 [ .1, .2 ]; 1.3.6.1.2.1.7.6.1 [ .1, .2 ] |
| getNetworkInterfaces | IF-MIB::ifEntry [ ifIndex, ifDescr, ifType, ifSpeed, ifPhysAddress, ifOperStatus ]; IF-MIB::ifXEntry [ ifAlias, ifName, ifHighSpeed ]; MAU-MIB::ifMauEntry [ ifMauIfIndex, ifMauType, ifMauAutoNegSupported ]; EtherLike-MIB::dot3StatsEntry [ dot3StatsDuplexStatus ]; IP-MIB::ipNetToPhysicalEntry [ ipNetToPhysicalIfIndex, ipNetToPhysicalPhysAddress, ipNetToPhysicalType ]; IP-MIB::ipNetToMediaEntry [ ipNetToMediaIfIndex, ipNetToMediaPhysAddress, ipNetToMediaType ] | 1.3.6.1.2.1.2.2.1 [ .1, .2, .3, .5, .6, .8 ]; 1.3.6.1.2.1.31.1.1.1 [ .1, .15, .18 ]; 1.3.6.1.2.1.26.2.1.1 [ .1, .3, .12 ]; 1.3.6.1.2.1.10.7.2.1 [ .19 ]; 1.3.6.1.2.1.4.35.1 [ .1, .4, .6 ]; 1.3.6.1.2.1.4.22.1 [ .1, .2, .4 ] |
| getPackageList | HOST-RESOURCES-MIB::hrSWInstalledTable [ hrSWInstalledName ] | 1.3.6.1.2.1.25.6.3.1 [ .2 ] |
| getProcessList | HOST-RESOURCES-MIB::hrSWRunTable [ hrSWRunIndex, hrSWRunName, hrSWRunPath, hrSWRunParameters ] | 1.3.6.1.2.1.25.4.2.1 [ .1, .2, .4, .5 ] |

* indicates methods that must succeed for a Host to be created.
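The SNMP table lists each MIB table as a base OID plus column suffixes; a walk of such a table returns one varbind per (column, row index), and the row index is whatever follows the column OID (an integer for ifEntry, a dotted IPv4 address for ipAddrEntry). The following added example (not BMC's code) composes the column OIDs for the getIPAddresses entries above, folds constructed walk results into rows, ignores columns that were not requested, decodes ifOperStatus, and joins the ipAddrEntry rows to their interface by ipAdEntIfIndex. The walk data and the function names are assumptions for the example; the base OIDs and suffixes are those in the table.

```python
"""Compose per-column OIDs from the SNMP table above and fold walk results
into rows.  Added example (not BMC's code): the walk data is constructed and
the helper names are assumptions."""

# Table base OIDs and column suffixes as listed for getIPAddresses above
IF_ENTRY = "1.3.6.1.2.1.2.2.1"
IF_COLUMNS = {"ifDescr": 2, "ifType": 3, "ifOperStatus": 8}
IP_ADDR_ENTRY = "1.3.6.1.2.1.4.20.1"
IP_ADDR_COLUMNS = {"ipAdEntAddr": 1, "ipAdEntIfIndex": 2, "ipAdEntNetMask": 3}

# ifOperStatus enumeration from IF-MIB
IF_OPER_STATUS = {1: "up", 2: "down", 3: "testing", 4: "unknown",
                  5: "dormant", 6: "notPresent", 7: "lowerLayerDown"}


def column_oids(base, columns):
    """Map column name -> column OID, e.g. ifOperStatus -> 1.3.6.1.2.1.2.2.1.8."""
    return {name: "%s.%d" % (base, suffix) for name, suffix in columns.items()}


def table_rows(base, columns, varbinds):
    """Fold (oid, value) pairs from a walk into {row_index: {column: value}}.

    A walk returns every column under the table; only OIDs under one of the
    requested column OIDs are kept, and the remainder of the OID is the row
    index (an integer for ifEntry, a dotted IP address for ipAddrEntry)."""
    prefixes = column_oids(base, columns)
    rows = {}
    for oid, value in varbinds:
        for name, prefix in prefixes.items():
            if oid.startswith(prefix + "."):
                rows.setdefault(oid[len(prefix) + 1:], {})[name] = value
                break
    return rows


def addresses_by_ifindex(varbinds):
    """{ifIndex: [(address, netmask), ...]} from the ipAddrEntry rows."""
    result = {}
    for address, row in table_rows(IP_ADDR_ENTRY, IP_ADDR_COLUMNS, varbinds).items():
        if "ipAdEntIfIndex" not in row:
            continue  # incomplete row: the agent returned the address but not its interface
        result.setdefault(int(row["ipAdEntIfIndex"]), []).append(
            (row.get("ipAdEntAddr", address), row.get("ipAdEntNetMask")))
    return result


def interfaces(varbinds):
    """Interface list sorted by ifIndex, with ifOperStatus decoded and
    IPv4 addresses attached."""
    addrs = addresses_by_ifindex(varbinds)
    rows = table_rows(IF_ENTRY, IF_COLUMNS, varbinds)
    result = []
    for index in sorted(rows, key=int):
        row = rows[index]
        result.append({
            "ifIndex": int(index),
            "ifDescr": row.get("ifDescr"),
            "ifType": row.get("ifType"),
            "ifOperStatus": IF_OPER_STATUS.get(row.get("ifOperStatus"), "unknown"),
            "addresses": addrs.get(int(index), []),
        })
    return result


# Constructed walk output (not captured from a real host): two interfaces,
# one IPv4 address, plus an ifLastChange (.9) varbind that must be ignored.
SAMPLE_WALK = [
    ("1.3.6.1.2.1.2.2.1.2.1", "MS TCP Loopback interface"),
    ("1.3.6.1.2.1.2.2.1.2.2", "Intel(R) PRO/1000 MT Network Connection"),
    ("1.3.6.1.2.1.2.2.1.3.1", 24),
    ("1.3.6.1.2.1.2.2.1.3.2", 6),
    ("1.3.6.1.2.1.2.2.1.8.1", 1),
    ("1.3.6.1.2.1.2.2.1.8.2", 2),
    ("1.3.6.1.2.1.2.2.1.9.1", 0),
    ("1.3.6.1.2.1.4.20.1.1.10.0.0.5", "10.0.0.5"),
    ("1.3.6.1.2.1.4.20.1.2.10.0.0.5", 2),
    ("1.3.6.1.2.1.4.20.1.3.10.0.0.5", "255.255.255.0"),
]

if __name__ == "__main__":
    for iface in interfaces(SAMPLE_WALK):
        print(iface)
```

The same table_rows() helper applies unchanged to the other tables on the page (ipNetToMediaEntry, hrSWRunTable and so on); only the base OID and the column map change, and the row index grows to a multi-component string for tables such as ipAddressEntry.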
