User privileges and information access for Windows operating systems

This topic provides details on discovering Microsoft Windows hosts, the potential issues that may arise during the process, and a list of discovery commands that are run on Windows platforms. 

User privileges and information access

This section provides information about discovering Microsoft Windows hosts.

PowerShell

PowerShell remoting is WinRM-based and does not use DCOM. By default, PowerShell remoting requires administrator privileges. However, it is possible to enable PowerShell remoting for non-administrator users on the Windows targets. See this article from 4sysops for further information: https://4sysops.com/archives/powershell-remoting-without-administrator-rights/

Once you have established a remote session, the user still needs permission to execute the PowerShell cmdlets. The default PowerShell scripts work in much the same way as the existing Windows discovery code and continue to use cmdlets such as Get-CimInstance, which in turn use WMI. Because the session runs as a local user on the target, these calls should be allowed, provided that local user can access WMI.

WMI privileges 

The following privileges are required to discover Windows hosts, including network connection information:

  • DCOM: Remote access enabled
  • WMI: Root\CIMV2 namespace: Remote Enable, Account Enable
  • WMI: Root\Default namespace: Remote Enable, Account Enable, Execute
  • WMI: Root\WMI namespace: Remote Enable, Account Enable
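The following PowerShell script is an added example, not part of the BMC documentation or product. It audits which of the namespace rights listed above a discovery account actually holds, by reading each namespace's security descriptor through the __SystemSecurity class, and reports both whether the rights are sufficient and whether the account holds surplus rights it does not need. It assumes it is run with administrator rights on the target host; the account name CONTOSO\svc-discovery is a placeholder, and only ACEs granted directly to that SID are considered (rights inherited through group membership are not followed).

```powershell
# Added example (not BMC's code): audit WMI namespace rights for a discovery account.
# Assumptions: run as an administrator on the target host; 'CONTOSO\svc-discovery'
# is a placeholder principal name.
param(
    [string]$Account = 'CONTOSO\svc-discovery'
)

# Access-mask bits in a WMI namespace security descriptor
$WBEM_ENABLE         = 0x01   # shown as "Enable Account" in wmimgmt.msc
$WBEM_METHOD_EXECUTE = 0x02   # "Execute Methods"
$WBEM_REMOTE_ACCESS  = 0x20   # "Remote Enable"

# Minimum rights per namespace, as listed in this section
$required = [ordered]@{
    'root\CIMV2'   = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS
    'root\Default' = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS -bor $WBEM_METHOD_EXECUTE
    'root\WMI'     = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS
}

# Resolve the account to a SID so ACEs match regardless of how the name is written
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

foreach ($ns in $required.Keys) {
    # __SystemSecurity exposes the namespace DACL through GetSecurityDescriptor
    $sec = Get-CimInstance -Namespace $ns -ClassName __SystemSecurity
    $sd  = (Invoke-CimMethod -InputObject $sec -MethodName GetSecurityDescriptor).Descriptor

    $allowed = 0
    $denied  = 0
    foreach ($ace in $sd.DACL) {
        # Only ACEs granted directly to this SID are considered here
        if ($ace.Trustee.SIDString -ne $sid) { continue }
        switch ($ace.AceType) {
            0 { $allowed = $allowed -bor $ace.AccessMask }   # ACCESS_ALLOWED_ACE
            1 { $denied  = $denied  -bor $ace.AccessMask }   # ACCESS_DENIED_ACE
        }
    }
    $effective = $allowed -band (-bnot $denied)
    $need      = $required[$ns]
    $surplus   = $effective -band (-bnot $need)   # rights beyond what discovery needs

    [pscustomobject]@{
        Namespace      = $ns
        RemoteEnable   = [bool]($effective -band $WBEM_REMOTE_ACCESS)
        AccountEnable  = [bool]($effective -band $WBEM_ENABLE)
        ExecuteMethods = [bool]($effective -band $WBEM_METHOD_EXECUTE)
        Sufficient     = (($effective -band $need) -eq $need)
        # Non-zero means the account holds write or other rights the list above does not require
        SurplusMask    = ('0x{0:X}' -f $surplus)
    }
}
```

A non-zero SurplusMask (for example the Full Write or Edit Security bits) is the least-privilege finding to act on: the rights in the list above are read-only apart from method execution in root\Default, so a discovery account should not need more. DCOM remote access is controlled separately through the machine-wide DCOM access restrictions and is not covered by this check.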

Local administrator discovery missing command line information using WMI

If you do not get full command line information when you discover a Windows host using WMI as a local administrator, you should check that local administrators are part of the Debug Programs policy. See the Microsoft website for more information on the Debug Programs policy.

Potential user lock out

By default, AD accounts permit a limited number of login attempts (for example, 3 attempts in 15 minutes). Access Denied errors from WMI, DCOM, and RemQuery are counted as unsuccessful login attempts. Where target hosts are incorrectly configured, this limit can be exceeded and the account locked out.

To avoid this issue, configure the BMC Discovery account to accept unlimited login attempts.

Firewalls

Some versions of Windows have a default firewall configuration that does not permit discovery. You should configure the firewall to permit access; otherwise, you will be unable to discover your Windows hosts. For information about the ports that should be open, see Network ports used for discovery communications.

Windows Domain Controllers

To get a full set of data from a Windows system, the credential used must be in the Local Administrator group for the target. Domain Controllers have the equivalent of a local administrator; however, the local administrator on a Domain Controller has sufficient permissions to become a domain administrator. The implication is that having full local administration rights on the Domain Controller essentially means you have a Domain Admin account.

Windows Server 2008 and later and Windows Vista and later

The account being used to discover the target host must be one of the following types:

  • A domain user with Administrator privileges on the target host.
  • A non-domain user with Administrator privileges and with remote User Account Control (UAC) disabled on the target host. See the Microsoft website for more information on disabling UAC.

Windows 2003 

WMI discovery of Windows 2003 hosts may fail after installing Windows Updates released on November 8, 2022 on Windows domain controllers. This is due to changes in Kerberos authentication. RemQuery discovery of Windows 2003 hosts is unaffected.

Windows 2000 and Windows NT

RemQuery discovery uses AES encryption, which is not supported in Windows 2000, so RemQuery discovery falls back to DES encryption. Windows NT does not support AES or DES, so RemQuery discovery is unencrypted. WMI discovery is unaffected.

Note

In Windows 2000 and Windows NT, the sc.exe executable is not provided. The getServices method requires WMI to run successfully.

Windows discovery using IPv6

Windows discovery using IPv6 is not supported for the following versions of Windows:

  • Windows Server 2003
  • Windows XP
  • Windows 2000

To discover these versions of Windows, you must use IPv4.

Proxy pools can contain only proxies from one of the following groups:

  • Proxies running on the IPv6-unsupported versions of Windows noted in the previous section.
  • Later versions in which IPv6 is supported, such as Windows Server 2008 and Windows 7.

Windows discovery commands

The following tables list the commands that are run on Windows platforms. The following methods are used:

  • PowerShell—BMC Discovery appliances and BMC Discovery Outpost use PowerShell as the primary means of discovery.
  • WMI—BMC Discovery uses Windows Management Instrumentation (WMI) as the primary means of discovery. Discovery uses both WMI queries and WMI registry access.
  • RemQuery—If WMI does not succeed, BMC Discovery uses various command line tools via the RemQuery utility. When RemQuery is used, it is copied onto the admin$ share of the scanned host, installed, and started as a service. The service is then used to execute the discovery scripts. At the end of the scan, the service is stopped and uninstalled, but the executable is left in the admin$ share. If a copy already exists, it is not copied again.
  • SNMP—SNMP discovery is supported for all devices with an accessible SNMP agent. Discovery supports SNMP v1, v2c, and v3. For some older platforms (for example, Netware), the use of SNMP v1 might be required. This requirement is defined on a per-credential basis. Only read (GET, GETNEXT, GETBULK) access is required.
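The RemQuery behaviour described above (a service installed from the admin$ share, removed at the end of the scan, with the executable left behind) has a recognisable footprint on the target. The following PowerShell script is an added example, not BMC's code: it lists recent service installations from the System event log (event ID 7045) whose binary lives under the Windows directory, which is the local path behind the admin$ share, and flags those whose service has since been removed but whose executable is still present. It assumes administrator rights on the host being checked; the RemQuery service and file names are not given on this page, so the script does not filter on them, and the $Days window is an arbitrary choice.

```powershell
# Added example (not BMC's code): find services installed from the Windows
# directory, and note whether the service is gone but its executable remains.
# Assumptions: run as an administrator on the host; $Days is an arbitrary window.
param([int]$Days = 30)

$since  = (Get-Date).AddDays(-$Days)
$winDir = $env:SystemRoot          # local path behind the admin$ share

# Event 7045 is written by the Service Control Manager for every newly installed service.
# Property order in the event: ServiceName, ImagePath, ServiceType, StartType, Account
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } `
                       -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $serviceName = $e.Properties[0].Value
    $imagePath   = $e.Properties[1].Value

    # Reduce the image path to the executable: a quoted path may contain spaces,
    # an unquoted one ends at the first space (arguments follow it)
    if ($imagePath -match '^"([^"]+)"') { $exe = $Matches[1] }
    else                                { $exe = ($imagePath -split ' ')[0] }

    if ($exe -notlike "$winDir\*") { continue }   # only binaries under the admin$ share

    $stillInstalled = $null -ne (Get-Service -Name $serviceName -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Installed      = $e.TimeCreated
        ServiceName    = $serviceName
        ImagePath      = $imagePath
        ServiceRemoved = -not $stillInstalled
        FileLeftBehind = (-not $stillInstalled) -and (Test-Path -LiteralPath $exe)
    }
}
```

Rows with ServiceRemoved and FileLeftBehind both true match the pattern this section describes. Because the page notes that a copy already present is not copied again, the executable's timestamp on the share tells you when RemQuery discovery first ran against the host, not when it last ran; the 7045 events give the per-scan history.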

PowerShell

Method | Script | Enabled
-------|--------|--------
initialise | init | Always
getDeviceInfo * | getDeviceInfo | Yes
getDirectoryListing | getDirectoryListing | Yes
getFileContent | getFileContent | Yes
getFileInfo | Handled by the getFileMetadata and getFileContent scripts |
getFileMetadata | getFileMetadata | Yes
getFileSystems | getFileSystems | Yes
getHBAInfo | getHBAList | Yes
getHostInfo * | getHostInfo | Yes
getIPAddresses | getIPAddresses | Yes
getMACAddresses * | getMACAddresses | Yes
getNetworkConnectionList | getNetworkConnections | Yes
getNetworkInterfaces | getNetworkInterfaces | Yes
getPackageList | getPackageList | Yes
getPatchList | getPatchList | Yes
getProcessList | getProcessList | Yes
getRegistryListing | getRegistryListing | Yes
getRegistryValue | getRegistryValue | Yes
getServices | getServices | Yes
runWMIQuery | runWMIQuery | Yes


WMI

Method (notes) | WMI namespace | WMI query
---------------|---------------|----------
getDeviceInfo* (handled by getHostInfo call) | |
getDirectoryListing | root\CIMV2 | ASSOCIATORS OF {Win32_Directory='%path%'} WHERE ResultClass = CIM_LogicalFile
getFileSystems | root\CIMV2 | SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3 or DriveType = 4
 | root\CIMV2 | SELECT * FROM Win32_LogicalDiskToPartition
 | root\CIMV2 | SELECT * FROM Win32_Share
getHBAInfo (see the notes in the following section for more information) | root\WMI | SELECT * FROM MSFC_FCAdapterHBAAttributes
 | root\WMI | SELECT * FROM MSFC_FibrePortHBAAttributes
getHostInfo* (this query must succeed) | root\CIMV2 | SELECT Name, Manufacturer, Model, Domain, SystemType FROM Win32_ComputerSystem
 (optional; this query can fail) | root\CIMV2 | SELECT Workgroup FROM Win32_ComputerSystem
 | root\CIMV2 | SELECT DNSDomain FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = 1
 | root\CIMV2 | SELECT * FROM Win32_OperatingSystem
 | root\CIMV2 | SELECT SystemUpTime FROM Win32_PerfFormattedData_PerfOS_System
 | root\CIMV2 | SELECT Capacity FROM Win32_PhysicalMemory
 | root\CIMV2 | SELECT SerialNumber FROM Win32_BIOS
 | root\CIMV2 | SELECT Vendor, IdentifyingNumber, Name, UUID FROM Win32_ComputerSystemProduct
 | root\CIMV2 | SELECT * FROM Win32_Processor
 | root\CIMV2 | SELECT HotFixID, ServicePackInEffect FROM Win32_QuickFixEngineering
 | root\default: StdRegProv | HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0~MHz
getIPAddresses | root\CIMV2 | SELECT * FROM Win32_NetworkAdapterConfiguration
 | root\CIMV2 | SELECT * FROM Win32_NetworkAdapter
getMACAddresses* (this query must succeed) | root\CIMV2 | SELECT * FROM Win32_NetworkAdapterConfiguration
 | root\CIMV2 | SELECT * FROM Win32_NetworkAdapter
getNetworkInterfaces | root\CIMV2 | SELECT * FROM Win32_NetworkAdapterConfiguration
 | root\CIMV2 | SELECT * FROM Win32_NetworkAdapter
 (optional; this query can fail) | root\WMI | SELECT * FROM MSNdis_EnumerateAdapter
 (optional; this query can fail) | root\WMI | SELECT * FROM MSNdis_LinkSpeed
getPackageList (see the notes in the following section for specific methods) | root\default: StdRegProv | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall*\DisplayName
 | root\default: StdRegProv | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall*\QuietDisplayName
 | root\default: StdRegProv | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall*\HiddenDisplayName
 | root\default: StdRegProv | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall*\DisplayVersion
 | root\default: StdRegProv | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall*\Publisher
getPatchList | | Handled by getHostInfo call; specifically: SELECT HotFixID, ServicePackInEffect FROM Win32_QuickFixEngineering
getProcessList (calls getOwner() on each WMI object returned) | root\CIMV2 | SELECT * FROM Win32_Process
getRegistryListing (registry keys are passed directly to the standard registry provider) | root\default: StdRegProv | %key%
getRegistryValue (registry values are passed directly to the standard registry provider) | root\default: StdRegProv | %key%
getServices | root\CIMV2 | SELECT * FROM Win32_Service


Notes

An asterisk (*) after a method name indicates that the method must succeed for a host to be created.
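The following PowerShell script is an added example, not BMC's code. It runs the getHostInfo query set from the WMI table against one host over DCOM, treating the first query as mandatory (the host is abandoned if it fails) and the remaining ones as optional (a failure is recorded but does not abort the host), and then reads the CPU ~MHz value through StdRegProv in root\default, the namespace that needs the extra Execute right. It assumes the calling account has the namespace rights listed earlier on this page; host1.example.test is a placeholder host name.

```powershell
# Added example (not BMC's code): the getHostInfo query set with mandatory/optional handling.
# Assumptions: the running account holds the WMI namespace rights listed on this page;
# 'host1.example.test' is a placeholder.
param([string]$ComputerName = 'host1.example.test')

# WMI discovery uses DCOM, so select it explicitly: New-CimSession defaults to
# WS-Management, the WinRM transport that PowerShell remoting uses instead.
$opt     = New-CimSessionOption -Protocol Dcom
$session = New-CimSession -ComputerName $ComputerName -SessionOption $opt

# Query text copied from the table. Only the first must succeed.
$mustSucceed = 'SELECT Name, Manufacturer, Model, Domain, SystemType FROM Win32_ComputerSystem'
$optional = @(
    'SELECT Workgroup FROM Win32_ComputerSystem'
    'SELECT DNSDomain FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = 1'
    'SELECT * FROM Win32_OperatingSystem'
    'SELECT SystemUpTime FROM Win32_PerfFormattedData_PerfOS_System'
    'SELECT Capacity FROM Win32_PhysicalMemory'
    'SELECT SerialNumber FROM Win32_BIOS'
    'SELECT Vendor, IdentifyingNumber, Name, UUID FROM Win32_ComputerSystemProduct'
    'SELECT * FROM Win32_Processor'
    'SELECT HotFixID, ServicePackInEffect FROM Win32_QuickFixEngineering'
)

$hostInfo = [ordered]@{ Host = $ComputerName; Failed = @() }
try {
    $hostInfo['ComputerSystem'] = Get-CimInstance -CimSession $session `
        -Namespace 'root\CIMV2' -Query $mustSucceed -ErrorAction Stop
} catch {
    # Without this result no host would be created, so give up on this target
    Remove-CimSession $session
    throw "getHostInfo: mandatory query failed on ${ComputerName}: $($_.Exception.Message)"
}

foreach ($q in $optional) {
    try {
        $hostInfo[$q] = Get-CimInstance -CimSession $session `
            -Namespace 'root\CIMV2' -Query $q -ErrorAction Stop
    } catch {
        # An optional query failing is recorded but does not abort the host
        $hostInfo['Failed'] += $q
    }
}

# The last getHostInfo row is a registry read via StdRegProv rather than a WQL query.
# 2147483650 (0x80000002) is HKEY_LOCAL_MACHINE in the StdRegProv API.
$reg = Invoke-CimMethod -CimSession $session -Namespace 'root\default' `
    -ClassName StdRegProv -MethodName GetDWORDValue -Arguments @{
        hDefKey     = [uint32]2147483650
        sSubKeyName = 'HARDWARE\DESCRIPTION\System\CentralProcessor\0'
        sValueName  = '~MHz'
    }
if ($reg.ReturnValue -eq 0) { $hostInfo['CpuMHz'] = $reg.uValue }
else                        { $hostInfo['Failed'] += 'StdRegProv ~MHz' }

Remove-CimSession $session
[pscustomobject]$hostInfo
```

If the mandatory query throws an access-denied error, check the root\CIMV2 rights and DCOM remote access listed under WMI privileges before retrying: as the lockout section notes, each denied attempt counts against the account's login-attempt limit.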

getPackageList

Package information is obtained by walking the registry keys described in the preceding table rather than by using Win32_Product, because the registry provides more reliable data.

To speed this process, a temporary WMI class is created on the remote computer to query the registry locally. This temporary class is given a unique name and is removed after the registry data has been retrieved.

On 64-bit Windows systems, the Wow6432Node (32-bit application data) is also examined.
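The following PowerShell function is an added example, not BMC's code. It builds a package list in the way this section describes: it walks the Uninstall keys through StdRegProv in root\default rather than querying Win32_Product, reads the same five value names as the WMI table (falling back from DisplayName to QuietDisplayName to HiddenDisplayName), and also examines Wow6432Node for 32-bit packages on 64-bit Windows. It assumes an open CIM session to the target (opened over DCOM to match WMI discovery) whose account has the root\default rights listed earlier; the function name and the host name in the usage line are this example's own.

```powershell
# Added example (not BMC's code): package list from the Uninstall keys via StdRegProv.
# Assumptions: $Session is an open CIM session whose account has Remote Enable,
# Account Enable and Execute on root\default; the function name is this example's own.
function Get-DiscoveredPackageList {
    param([Parameter(Mandatory)][Microsoft.Management.Infrastructure.CimSession]$Session)

    $HKLM  = [uint32]2147483650   # HKEY_LOCAL_MACHINE in the StdRegProv API
    $roots = @(
        'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
        'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'   # 32-bit application data on 64-bit Windows
    )

    # One StdRegProv round trip per value (nested function reads $Session/$HKLM from this scope)
    function Read-RegString($SubKey, $Value) {
        $r = Invoke-CimMethod -CimSession $Session -Namespace 'root\default' `
            -ClassName StdRegProv -MethodName GetStringValue `
            -Arguments @{ hDefKey = $HKLM; sSubKeyName = $SubKey; sValueName = $Value }
        if ($r.ReturnValue -eq 0) { $r.sValue } else { $null }
    }

    foreach ($root in $roots) {
        $enum = Invoke-CimMethod -CimSession $Session -Namespace 'root\default' `
            -ClassName StdRegProv -MethodName EnumKey `
            -Arguments @{ hDefKey = $HKLM; sSubKeyName = $root }
        # Non-zero return: key absent (Wow6432Node on 32-bit Windows) or access denied
        if ($enum.ReturnValue -ne 0 -or -not $enum.sNames) { continue }

        foreach ($sub in $enum.sNames) {
            $key = "$root\$sub"
            # The table lists three name values; take the first one that is present
            $name = Read-RegString $key 'DisplayName'
            if (-not $name) { $name = Read-RegString $key 'QuietDisplayName' }
            if (-not $name) { $name = Read-RegString $key 'HiddenDisplayName' }
            if (-not $name) { continue }   # a key with no name is not a package entry

            [pscustomobject]@{
                Name      = $name
                Version   = Read-RegString $key 'DisplayVersion'
                Publisher = Read-RegString $key 'Publisher'
                Key       = $sub
                Wow6432   = $root.StartsWith('SOFTWARE\Wow6432Node')
            }
        }
    }
}

# Usage ('host1.example.test' is a placeholder host name):
# $s = New-CimSession -ComputerName host1.example.test -SessionOption (New-CimSessionOption -Protocol Dcom)
# Get-DiscoveredPackageList -Session $s | Sort-Object Name | Format-Table -AutoSize
```

This version makes one DCOM round trip per value per key, which is slow on a host with hundreds of packages; that cost is exactly why the section above says the product creates a temporary WMI class on the remote computer to query the registry locally and returns the data in one pass.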

getHBAInfo

WMI support for gathering HBA information uses the following queries to populate the HBA information if it is safe to do so:

SELECT * FROM MSFC_FCAdapterHBAAttributes
SELECT * FROM MSFC_FibrePortHBAAttributes

The OS version and patch list are checked to determine whether HBA queries are safe. On Microsoft Windows Server 2003, Vista, and Server 2008, the HBAAPI.DLL module used by WMI leaks handles unless patched with KB957052. If this patch is not installed, no WMI requests are made.

By inspection, no current version of Windows 2003 (5.2.x) or Windows 2008 (6.0.x) includes this patch (current versions including service packs), but Windows 2008 R2 (6.1.x) does include it. It is unclear whether the problem exists on Windows 2000, but there is no patch available.

We make the following assumptions:

  • Windows 2000 HBA queries are safe via WMI.
  • Newer versions of Windows do not have the bug.
  • This check is unnecessary when running FCINFO.EXE. FCINFO.EXE does use HBAAPI.DLL and could experience the same handle leak, but it is a short-lived process, and its handles are released when it exits.

The Microsoft FCINFO.EXE command line tool is also used by RemQuery. This is used where WMI is deemed unsafe or has failed for some reason. This provides equivalent information about HBAs, because it uses the same API as the WMI provider.

RemQuery

Method | Script | Notes
-------|--------|------
getDeviceInfo | | Handled by getHostInfo call.
getDirectoryListing | REMQUERY DIR /-C /TW /4 %path% |
getFileContent | | Handled by getFileInfo call.
getFileInfo | REMQUERY CMD /C DIR /-C /TW /4 %path% |
 | REMQUERY CMD /C TYPE %path% |
getFileMetadata | REMQUERY CMD /C DIR /-C /TW /4 %path% |
getHBAInfo | REMQUERY FCINFO /DETAILS | Requires Microsoft FCINFO.EXE to be installed on the target system.
 | REMQUERY HBACMD LISTHBAS | Requires Emulex HBAnywhere to be installed on the target system.
 | REMQUERY HBACMD HBAATTRIB %wwpn% | Requires Emulex HBAnywhere to be installed on the target system.
 | REMQUERY LPUTIL LISTHBAS | Requires Emulex LPUTIL.EXE to be installed on the target system.
 | REMQUERY LPUTIL COUNT | Requires Emulex LPUTIL.EXE to be installed on the target system.
 | REMQUERY LPUTIL FWLIST %board_id% | Requires Emulex LPUTIL.EXE to be installed on the target system.
getHostInfo* | REMQUERY WMIC BIOS GET SERIALNUMBER |
 | REMQUERY WMIC CSPRODUCT GET UUID |
 | REMQUERY SYSTEMINFO /fo csv /nh |
 | REMQUERY "HOSTNAME && VER" |
getIPAddresses | REMQUERY | Uses Windows API to query IP addresses.
 | REMQUERY IPCONFIG /ALL |
getMACAddresses* | REMQUERY | Uses Windows API to query MAC addresses.
 | REMQUERY IPCONFIG /ALL |
getNetworkConnectionList | REMQUERY NETSTAT -ano |
 | REMQUERY NETSTAT -an |
getNetworkInterfaces | REMQUERY | Uses Windows API to query interface details.
 | REMQUERY IPCONFIG /ALL |
getPackageList | REMQUERY | Uses Windows API to request the same registry keys as the WMI queries.
getPatchList | | Handled by getHostInfo call.
getProcessList | REMQUERY | Uses Windows API to query process information.
 | REMQUERY TASKLIST /fo csv /nh /v |
getProcessToConnectionMapping | REMQUERY TCPVCON -ano | Requires TCPVCON.EXE to be installed on the target system.
 | REMQUERY OPENPORTS -netstat | Requires OPENPORTS.EXE to be installed on the target system.
getRegistryListing | REMQUERY REG QUERY %hive%%key% |
getRegistryValue | REMQUERY REG QUERY %hive%%key% /v %value% |
getServices | REMQUERY | Uses Windows API to query process information.
 | REMQUERY SC QUERYEX state= all |

An asterisk (*) after a method name indicates that the method must succeed for a host to be created.


SNMP

Method | MIB values | OID
-------|------------|----
getDeviceInfo * | SNMPv2-MIB::sysDescr.0 | 1.3.6.1.2.1.1.1.0
 | SNMPv2-MIB::sysName.0 | 1.3.6.1.2.1.1.5.0
 | LanMgr-Mib-II-MIB::domPrimaryDomain.0 | 1.3.6.1.4.1.77.1.4.1.0
getHostInfo * | HOST-RESOURCES-MIB::hrSystemUptime.0 | 1.3.6.1.2.1.25.1.1.0
 | HOST-RESOURCES-MIB::hrMemorySize.0 | 1.3.6.1.2.1.25.2.2.0
getIPAddresses | IF-MIB::ifEntry [ ifDescr, ifType, ifOperStatus ] | 1.3.6.1.2.1.2.2.1 [ .2, .3, .8 ]
 | IP-MIB::ipAddressEntry [ ipAddressAddr, ipAddressIfIndex, ipAddressType, ipAddressPrefix ] | 1.3.6.1.2.1.4.34.1 [ .2, .3, .4, .5 ]
 | IP-MIB::ipAddrEntry [ ipAdEntAddr, ipAdEntIfIndex, ipAdEntNetMask ] | 1.3.6.1.2.1.4.20.1 [ .1, .2, .3 ]
 | IPV6-MIB::ipv6AddrEntry [ ipv6AddrAddress, ipv6AddrPfxLength ] | 1.3.6.1.2.1.55.1.8.1 [ .1, .2 ]
getMACAddresses* | IF-MIB::ifEntry [ ifDescr, ifType, ifPhysAddress, ifOperStatus ] | 1.3.6.1.2.1.4.20.1 [ .2, .3, .6, .8 ]
 | IP-MIB::ipNetToPhysicalEntry [ ipNetToPhysicalPhysAddress, ipNetToPhysicalType ] | 1.3.6.1.2.1.4.35.1 [ .4, .6 ]
 | IP-MIB::ipNetToMediaEntry [ ipNetToMediaPhysAddress, ipNetToMediaType ] | 1.3.6.1.2.1.4.22.1 [ .2, .4 ]
getNetworkConnectionList | TCP-MIB::tcpConnectionEntry [ tcpConnectionLocalAddress, tcpConnectionLocalPort, tcpConnectionRemAddress, tcpConnectionRemPort, tcpConnectionState, tcpConnectionProcess ] | 1.3.6.1.2.1.6.19.1 [ .2, .3, .5, .6, .7, .8 ]
 | TCP-MIB::tcpListenerEntry [ tcpListenerLocalAddress, tcpListenerLocalPort, tcpListenerProcess ] | 1.3.6.1.2.1.6.20.1 [ .2, .3, .4 ]
 | UDP-MIB::udpEndpointEntry [ udpEndpointLocalAddress, udpEndpointLocalPort, udpEndpointProcess ] | 1.3.6.1.2.1.7.7.1 [ .2, .3, .8 ]
 | TCP-MIB::tcpConnEntry [ tcpConnState, tcpConnLocalAddress, tcpConnLocalPort, tcpConnRemAddress, tcpConnRemPort ] | 1.3.6.1.2.1.6.13.1 [ .1, .2, .3, .4, .5 ]
 | IPV6-TCP-MIB::ipv6TcpConnEntry [ ipv6TcpConnLocalAddress, ipv6TcpConnLocalPort, ipv6TcpConnRemAddress, ipv6TcpConnRemPort, ipv6TcpConnState ] | 1.3.6.1.2.1.6.16.1 [ .1, .2, .3, .4, .6 ]
 | UDP-MIB::udpConnEntry [ udpLocalAddress, udpLocalPort ] | 1.3.6.1.2.1.7.5.1 [ .1, .2 ]
 | IPV6-UDP-MIB::ipv6UdpEntry [ ipv6UdpLocalAddress, ipv6UdpLocalPort ] | 1.3.6.1.2.1.7.6.1 [ .1, .2 ]
getNetworkInterfaces | IF-MIB::ifEntry [ ifIndex, ifDescr, ifType, ifSpeed, ifPhysAddress, ifOperStatus ] | 1.3.6.1.2.1.2.2.1 [ .1, .2, .3, .5, .6, .8 ]
 | IF-MIB::ifXEntry [ ifAlias, ifName, ifHighSpeed ] | 1.3.6.1.2.1.31.1.1.1 [ .1, .15, .18 ]
 | MAU-MIB::ifMauEntry [ ifMauIfIndex, ifMauType, ifMauAutoNegSupported ] | 1.3.6.1.2.1.26.2.1.1 [ .1, .3, .12 ]
 | EtherLike-MIB::dot3StatsEntry [ dot3StatsDuplexStatus ] | 1.3.6.1.2.1.10.7.2.1 [ .19 ]
 | IP-MIB::ipNetToPhysicalEntry [ ipNetToPhysicalIfIndex, ipNetToPhysicalPhysAddress, ipNetToPhysicalType ] | 1.3.6.1.2.1.4.35.1 [ .1, .4, .6 ]
 | IP-MIB::ipNetToMediaEntry [ ipNetToMediaIfIndex, ipNetToMediaPhysAddress, ipNetToMediaType ] | 1.3.6.1.2.1.4.22.1 [ .1, .2, .4 ]
getPackageList | HOST-RESOURCES-MIB::hrSWInstalledTable [ hrSWInstalledName ] | 1.3.6.1.2.1.25.6.3.1 [ .2 ]
getProcessList | HOST-RESOURCES-MIB::hrSWRunTable [ hrSWRunIndex, hrSWRunName, hrSWRunPath, hrSWRunParameters ] | 1.3.6.1.2.1.25.4.2.1 [ .1, .2, .4, .5 ]

An asterisk (*) after a method name indicates that the method must succeed for a host to be created.


