This documentation refers to a previously released version of BMC Discovery.
See the information on this topic for the latest version (11.1) or version 10.2.

User privileges and information access for Windows operating systems

This section provides information about discovering Microsoft Windows hosts.

Local administrator discovery missing command line information using WMI

If you do not get full command line information when you discover a Windows host using WMI as a local administrator, you should check that local administrators are part of the Debug Programs policy. See the Microsoft website for more information on the Debug Programs policy.

Potential user lock out

By default, AD accounts permit a limited number of login attempts (for example, 3 attempts in 15 minutes). Access Denied errors from WMI, DCOM, and RemQuery are counted as unsuccessful login attempts. Where target hosts are incorrectly configured, this limit can be exceeded and the account locked out.

To avoid this issue, configure the BMC Discovery account to accept unlimited login attempts.

Firewalls

Some versions of Windows have a default firewall configuration that does not permit discovery. You should configure the firewall to permit access; otherwise, you will be unable to discover your Windows hosts. For information about the ports that should be open, see Discovery communications.

Windows Domain Controllers

To get a full set of data from a Windows system, the credential used must be in the Local Administrator group for the target. Domain Controllers have the equivalent of a local administrator; however, the local administrator on a Domain Controller has sufficient permissions to become a domain administrator. The implication is that having full local administration rights on the Domain Controller essentially means you have a Domain Admin account.

Windows Server 2008 and later and Windows Vista and later

The account being used to discover the target host must be one of the following types:

  • A domain user with Administrator privileges on the target host.
  • A nondomain user with Administrator privileges and with remote UAC disabled on the target host.

Windows 2000 and Windows NT

RemQuery discovery uses AES encryption, which is not supported in Windows 2000, so RemQuery discovery falls back to DES encryption. Windows NT does not support AES or DES, so RemQuery discovery is unencrypted. WMI discovery is unaffected.

getServices method requires WMI

In Windows 2000 and Windows NT, the sc.exe executable is not provided. The getServices method requires WMI to run successfully.

Windows discovery using IPv6

Windows discovery using IPv6 is not supported for the following versions of Windows, for the proxy host or the target host:

  • Windows Server 2003
  • Windows XP
  • Windows 2000

To discover these versions of Windows, you must use IPv4.

Proxy pools can contain only proxies from one of the following groups:

  • Proxies running on the IPv6-unsupported versions of Windows noted in the previous section.
  • Later versions in which IPv6 is supported, such as Windows Server 2008 and Windows 7.

Windows discovery commands

The following tables list the commands that are run on Windows platforms. The following methods are used:

  • WMI—Windows proxies use Windows Management Instrumentation (WMI) as the primary means of discovery. Discovery uses both WMI queries and WMI registry access.
  • RemQuery—If WMI does not succeed, the proxies use various command line tools via the RemQuery utility. When RemQuery is used, it is copied onto the admin$ share of the scanned host, installed, and started as a service. The service is then used to execute the discovery scripts. At the end of the scan, the service is stopped and uninstalled, but the executable is left in the admin$ share. If a copy already exists, it is not copied again.
  • SNMP—SNMP discovery is supported for all devices with an accessible SNMP agent. Discovery supports SNMP v1, v2c, and v3. For some older platforms (for example, Netware), the use of SNMP v1 might be required. This requirement is defined on a per-credential basis. Only read (GET, GETNEXT, GETBULK) access is required.

WMI

| Method | Notes | WMI namespace | WMI query |
| --- | --- | --- | --- |
| getDeviceInfo* | Handled by getHostInfo call | | |
| getDirectoryListing | | root\CIMV2 | ASSOCIATORS OF {Win32_Directory='%path%'} WHERE ResultClass = CIM_LogicalFile |
| getFileSystems | | root\CIMV2 | SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3 or DriveType = 4 |
| | | root\CIMV2 | SELECT * FROM Win32_LogicalDiskToPartition |
| | | root\CIMV2 | SELECT * FROM Win32_Share |
| getHBAInfo | See notes mentioned in the following section for more information. | root\WMI | SELECT * FROM MSFC_FCAdapterHBAAttributes |
| | | root\WMI | SELECT * FROM MSFC_FibrePortHBAAttributes |
| getHostInfo* | This query must succeed. | root\CIMV2 | SELECT Name, Manufacturer, Model, Domain, SystemType FROM Win32_ComputerSystem |
| | Optional; this query can fail. | root\CIMV2 | SELECT Workgroup FROM Win32_ComputerSystem |
| | | root\CIMV2 | SELECT DNSDomain FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = 1 |
| | | root\CIMV2 | SELECT * FROM Win32_OperatingSystem |
| | | root\CIMV2 | SELECT SystemUpTime FROM Win32_PerfFormattedData_PerfOS_System |
| | | root\CIMV2 | SELECT Capacity FROM Win32_PhysicalMemory |
| | | root\CIMV2 | SELECT SerialNumber FROM Win32_BIOS |
| | | root\CIMV2 | SELECT Vendor, IdentifyingNumber, Name, UUID FROM Win32_ComputerSystemProduct |
| | | root\CIMV2 | SELECT * FROM Win32_Processor |
| | | root\CIMV2 | SELECT HotFixID, ServicePackInEffect FROM Win32_QuickFixEngineering |
| | | root\default:StdRegProv | HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0~MHz |
| getIPAddresses | | root\CIMV2 | SELECT * FROM Win32_NetworkAdapterConfiguration |
| | | root\CIMV2 | SELECT * FROM Win32_NetworkAdapter |
| getMACAddresses* | This query must succeed. | root\CIMV2 | SELECT * FROM Win32_NetworkAdapterConfiguration |
| | | root\CIMV2 | SELECT * FROM Win32_NetworkAdapter |
| getNetworkInterfaces | | root\CIMV2 | SELECT * FROM Win32_NetworkAdapterConfiguration |
| | | root\CIMV2 | SELECT * FROM Win32_NetworkAdapter |
| | Optional; this query can fail. | root\WMI | SELECT * FROM MSNdis_EnumerateAdapter |
| | Optional; this query can fail. | root\WMI | SELECT * FROM MSNdis_LinkSpeed |
| getPackageList | See notes mentioned in the following section for specific methods. | root\default:StdRegProv | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall*\DisplayName |
| | | root\default:StdRegProv | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall*\QuietDisplayName |
| | | root\default:StdRegProv | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall*\HiddenDisplayName |
| | | root\default:StdRegProv | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall*\DisplayVersion |
| | | root\default:StdRegProv | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall*\Publisher |
| getPatchList | Handled by getHostInfo call; specifically: | | SELECT HotFixID, ServicePackInEffect FROM Win32_QuickFixEngineering |
| getProcessList | Calls getOwner() on each WMI object returned. | root\CIMV2 | SELECT * FROM Win32_Process |
| getRegistryListing | Registry keys are passed directly to the standard registry provider. | root\default:StdRegProv | %key% |
| getRegistryValue | Registry values are passed directly to the standard registry provider. | root\default:StdRegProv | %key% |
| getServices | | root\CIMV2 | SELECT * FROM Win32_Service |

Notes

An asterisk (*) after a method name indicates that the method must succeed for a host to be created.

getPackageList

Package information is obtained by walking the registry keys described in the preceding table rather than using Win32_Product, as it provides more reliable data.

To speed this process, a temporary WMI class is created on the remote computer to query the registry locally. This temporary class is given a unique name and is removed after the registry data has been retrieved.

On 64-bit Windows systems, the Wow6432Node (32-bit application data) is also examined.

getHBAInfo

WMI support for gathering HBA information uses the following queries to populate the HBA information if it is safe to do so:

SELECT * FROM MSFC_FCAdapterHBAAttributes
SELECT * FROM MSFC_FibrePortHBAAttributes

The OS version and patch list are checked to see whether HBA queries are safe. On Microsoft Windows Server 2003, Vista, and Server 2008, the HBAAPI.DLL module used by WMI leaks handles unless patched with KB957052. If this patch is not installed, no WMI requests are made.

By inspection, no current version of Windows 2003 (5.2.x) or Windows 2008 (6.0.x) includes this patch (current versions including service packs), but Windows 2008 R2 (6.1.x) does include it. It is unclear whether the problem exists on Windows 2000, but there is no patch available.

We make the following assumptions:

  • Windows 2000 HBA queries are safe via WMI.
  • Newer versions of Windows do not have the bug.
  • This check is unnecessary when running FCINFO.EXE. FCINFO.EXE does use HBAAPI.DLL and could experience the same handle leak, but it is a short-lived process, and the handles are cleared on exit.

The Microsoft FCINFO.EXE command line tool is also used by RemQuery. This is used where WMI is deemed unsafe or has failed for some reason. This provides equivalent information about HBAs, because it uses the same API as the WMI provider.
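
A pre-flight check for the WMI method, as an added example that is not BMC's code: it runs four of the root\CIMV2 queries from the table above over DCOM, flags failures of the methods marked with an asterisk, and counts Win32_Process rows that come back without a command line, which is the symptom described under the Debug Programs policy. The parameter names and the localhost default are assumptions.

```powershell
# Added example, not BMC code. Parameter names and defaults are assumptions.
param(
    [string]       $ComputerName = 'localhost',
    [pscredential] $Credential               # omit to run as the current user
)

# Queries copied from the WMI table. Required = method marked with an asterisk.
# The root\WMI HBA queries are left out (see the getHBAInfo notes above).
$checks = @(
    @{ Method = 'getHostInfo';     Required = $true
       Query  = 'SELECT Name, Manufacturer, Model, Domain, SystemType FROM Win32_ComputerSystem' }
    @{ Method = 'getMACAddresses'; Required = $true
       Query  = 'SELECT * FROM Win32_NetworkAdapterConfiguration' }
    @{ Method = 'getServices';     Required = $false
       Query  = 'SELECT * FROM Win32_Service' }
    @{ Method = 'getProcessList';  Required = $false
       Query  = 'SELECT * FROM Win32_Process' }
)

$sessionArgs = @{
    ComputerName  = $ComputerName
    SessionOption = (New-CimSessionOption -Protocol Dcom)
}
if ($Credential) { $sessionArgs.Credential = $Credential }
$session = New-CimSession @sessionArgs -ErrorAction Stop
try {
    $results = foreach ($c in $checks) {
        $row = [ordered]@{ Method = $c.Method; Required = $c.Required; Status = 'OK'; Rows = 0; Note = '' }
        try {
            $rows = @(Get-CimInstance -CimSession $session -Namespace 'root\CIMV2' -Query $c.Query -ErrorAction Stop)
            $row.Rows = $rows.Count
            if ($c.Method -eq 'getProcessList') {
                # Missing command lines are the symptom of the Debug Programs issue.
                $blank    = @($rows | Where-Object { -not $_.CommandLine }).Count
                $row.Note = "$blank of $($rows.Count) processes have no CommandLine"
            }
        } catch {
            $row.Status = 'FAILED'
            $row.Note   = $_.Exception.Message
        }
        [pscustomobject]$row
    }
} finally {
    Remove-CimSession -CimSession $session
}

$results | Format-Table -AutoSize -Wrap
if ($results | Where-Object { $_.Required -and $_.Status -ne 'OK' }) { exit 1 }
```

Access Denied results count as unsuccessful login attempts, so run this against one target at a time rather than looping an untested credential across many hosts.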

RemQuery

| Method | Script | Notes |
| --- | --- | --- |
| getDeviceInfo | | Handled by getHostInfo call. |
| getDirectoryListing | REMQUERY DIR /-C /TW /4 %path% | |
| getFileContent | | Handled by getFileInfo call. |
| getFileInfo | REMQUERY CMD /C DIR /-C /TW /4 %path% | |
| | REMQUERY CMD /C TYPE %path% | |
| getFileMetadata | REMQUERY CMD /C DIR /-C /TW /4 %path% | |
| getHBAInfo | REMQUERY FCINFO /DETAILS | Requires Microsoft FCINFO.EXE to be installed on the target system. |
| | REMQUERY HBACMD LISTHBAS | Requires Emulex HBAnywhere to be installed on the target system. |
| | REMQUERY HBACMD HBAATTRIB %wwpn% | Requires Emulex HBAnywhere to be installed on the target system. |
| | REMQUERY LPUTIL LISTHBAS | Requires Emulex LPUTIL.EXE to be installed on the target system. |
| | REMQUERY LPUTIL COUNT | Requires Emulex LPUTIL.EXE to be installed on the target system. |
| | REMQUERY LPUTIL FWLIST %board_id% | Requires Emulex LPUTIL.EXE to be installed on the target system. |
| getHostInfo* | REMQUERY WMIC BIOS GET SERIALNUMBER | |
| | REMQUERY WMIC CSPRODUCT GET UUID | |
| | REMQUERY SYSTEMINFO /fo csv /nh | |
| | REMQUERY "HOSTNAME && VER" | |
| getIPAddresses | REMQUERY | Uses Windows API to query IP addresses. |
| | REMQUERY IPCONFIG /ALL | |
| getMACAddresses* | REMQUERY | Uses Windows API to query MAC addresses. |
| | REMQUERY IPCONFIG /ALL | |
| getNetworkConnectionList | REMQUERY NETSTAT -ano | |
| | REMQUERY NETSTAT -an | |
| getNetworkInterfaces | REMQUERY | Uses Windows API to query interface details. |
| | REMQUERY IPCONFIG /ALL | |
| getPackageList | REMQUERY | Uses Windows API to request same registry keys as WMI queries. |
| getPatchList | | Handled by getHostInfo call. |
| getProcessList | REMQUERY | Uses Windows API to query process information. |
| | REMQUERY TASKLIST /fo csv /nh /v | |
| getProcessToConnectionMapping | REMQUERY TCPVCON -ano | Requires TCPVCON.EXE to be installed on the target system. |
| | REMQUERY OPENPORTS -netstat | Optional; must be enabled in the Proxy configuration. Requires OPENPORTS.EXE to be installed on the target system. |
| getRegistryListing | REMQUERY REG QUERY %hive%%key% | |
| getRegistryValue | REMQUERY REG QUERY %hive%%key% /v %value% | |
| getServices | REMQUERY | Uses Windows API to query process information. |
| | REMQUERY SC QUERYEX state= all | |

An asterisk (*) after a method name indicates that the method must succeed for a host to be created.
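
An audit of what RemQuery leaves behind on scanned hosts, as an added example that is not BMC's code: for each host it checks whether the executable is present in the admin$ share, compares its SHA-256 with a known-good value, and counts recent service-installation events (System log, event ID 7045) that reference it. The executable name and the hash are placeholders because the page gives neither; the other parameter names are assumptions.

```powershell
# Added example, not BMC code. $ExeName and $ExpectedSha256 are placeholders:
# the page gives neither, so take both from your own Windows proxy installation.
param(
    [string[]] $ComputerName   = @($env:COMPUTERNAME),
    [string]   $ExeName        = 'REMQUERY-EXE-NAME.exe',
    [string]   $ExpectedSha256 = '<sha256-of-your-vendor-binary>',
    [int]      $Days           = 7
)

$report = foreach ($computer in $ComputerName) {
    # The executable stays in admin$ after the scan and is not re-copied if present.
    $path    = "\\$computer\admin`$\$ExeName"
    $state   = 'absent'
    $written = $null
    if (Test-Path -LiteralPath $path) {
        $hash    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $written = (Get-Item -LiteralPath $path).LastWriteTime
        $state   = if ($hash -eq $ExpectedSha256) { 'present, hash matches' } else { 'present, HASH MISMATCH' }
    }

    # Event 7045 (System log) records each service installation:
    # Properties[0] is the service name, Properties[1] the image path.
    $filter   = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    $installs = @(Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[1].Value -like "*$ExeName*" })

    [pscustomobject]@{
        Computer        = $computer
        Executable      = $state
        LastWritten     = $written
        ServiceInstalls = $installs.Count
        LastInstall     = ($installs | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
    }
}

$report | Format-Table -AutoSize
```

Service installations that fall outside scheduled discovery windows, or a hash mismatch, are the rows to investigate.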

SNMP

| Method | MIB values | OID |
| --- | --- | --- |
| getDeviceInfo* | SNMPv2-MIB::sysDescr.0 | 1.3.6.1.2.1.1.1.0 |
| | SNMPv2-MIB::sysName.0 | 1.3.6.1.2.1.1.5.0 |
| | LanMgr-Mib-II-MIB::domPrimaryDomain.0 | 1.3.6.1.4.1.77.1.4.1.0 |
| getHostInfo* | HOST-RESOURCES-MIB::hrSystemUptime.0 | 1.3.6.1.2.1.25.1.1.0 |
| | HOST-RESOURCES-MIB::hrMemorySize.0 | 1.3.6.1.2.1.25.2.2.0 |
| getIPAddresses | IF-MIB::ifEntry [ ifDescr, ifType, ifOperStatus ]; IP-MIB::ipAddressEntry [ ipAddressAddr, ipAddressIfIndex, ipAddressType, ipAddressPrefix ] | 1.3.6.1.2.1.2.2.1 [ .2, .3, .8 ]; 1.3.6.1.2.1.4.34.1 [ .2, .3, .4, .5 ] |
| | IP-MIB::ipAddrEntry [ ipAdEntAddr, ipAdEntIfIndex, ipAdEntNetMask ]; IPV6-MIB::ipv6AddrEntry [ ipv6AddrAddress, ipv6AddrPfxLength ] | 1.3.6.1.2.1.4.20.1 [ .1, .2, .3 ]; 1.3.6.1.2.1.55.1.8.1 [ .1, .2 ] |
| getMACAddresses* | IF-MIB::ifEntry [ ifDescr, ifType, ifPhysAddress, ifOperStatus ] | 1.3.6.1.2.1.4.20.1 [ .2, .3, .6, .8 ] |
| | IP-MIB::ipNetToPhysicalEntry [ ipNetToPhysicalPhysAddress, ipNetToPhysicalType ] | 1.3.6.1.2.1.4.35.1 [ .4, .6 ] |
| | IP-MIB::ipNetToMediaEntry [ ipNetToMediaPhysAddress, ipNetToMediaType ] | 1.3.6.1.2.1.4.22.1 [ .2, .4 ] |
| getNetworkConnectionList | TCP-MIB::tcpConnectionEntry [ tcpConnectionLocalAddress, tcpConnectionLocalPort, tcpConnectionRemAddress, tcpConnectionRemPort, tcpConnectionState, tcpConnectionProcess ]; TCP-MIB::tcpListenerEntry [ tcpListenerLocalAddress, tcpListenerLocalPort, tcpListenerProcess ]; UDP-MIB::udpEndpointEntry [ udpEndpointLocalAddress, udpEndpointLocalPort, udpEndpointProcess ] | 1.3.6.1.2.1.6.19.1 [ .2, .3, .5, .6, .7, .8 ]; 1.3.6.1.2.1.6.20.1 [ .2, .3, .4 ]; 1.3.6.1.2.1.7.7.1 [ .2, .3, .8 ] |
| | TCP-MIB::tcpConnEntry [ tcpConnState, tcpConnLocalAddress, tcpConnLocalPort, tcpConnRemAddress, tcpConnRemPort ]; IPV6-TCP-MIB::ipv6TcpConnEntry [ ipv6TcpConnLocalAddress, ipv6TcpConnLocalPort, ipv6TcpConnRemAddress, ipv6TcpConnRemPort, ipv6TcpConnState ]; UDP-MIB::udpConnEntry [ udpLocalAddress, udpLocalPort ]; IPV6-UDP-MIB::ipv6UdpEntry [ ipv6UdpLocalAddress, ipv6UdpLocalPort ] | 1.3.6.1.2.1.6.13.1 [ .1, .2, .3, .4, .5 ]; 1.3.6.1.2.1.6.16.1 [ .1, .2, .3, .4, .6 ]; 1.3.6.1.2.1.7.5.1 [ .1, .2 ]; 1.3.6.1.2.1.7.6.1 [ .1, .2 ] |
| getNetworkInterfaces | IF-MIB::ifEntry [ ifIndex, ifDescr, ifType, ifSpeed, ifPhysAddress, ifOperStatus ]; IF-MIB::ifXEntry [ ifAlias, ifName, ifHighSpeed ]; MAU-MIB::ifMauEntry [ ifMauIfIndex, ifMauType, ifMauAutoNegSupported ]; EtherLike-MIB::dot3StatsEntry [ dot3StatsDuplexStatus ]; IP-MIB::ipNetToPhysicalEntry [ ipNetToPhysicalIfIndex, ipNetToPhysicalPhysAddress, ipNetToPhysicalType ]; IP-MIB::ipNetToMediaEntry [ ipNetToMediaIfIndex, ipNetToMediaPhysAddress, ipNetToMediaType ] | 1.3.6.1.2.1.2.2.1 [ .1, .2, .3, .5, .6, .8 ]; 1.3.6.1.2.1.31.1.1.1 [ .1, .15, .18 ]; 1.3.6.1.2.1.26.2.1.1 [ .1, .3, .12 ]; 1.3.6.1.2.1.10.7.2.1 [ .19 ]; 1.3.6.1.2.1.4.35.1 [ .1, .4, .6 ]; 1.3.6.1.2.1.4.22.1 [ .1, .2, .4 ] |
| getPackageList | HOST-RESOURCES-MIB::hrSWInstalledTable [ hrSWInstalledName ] | 1.3.6.1.2.1.25.6.3.1 [ .2 ] |
| getProcessList | HOST-RESOURCES-MIB::hrSWRunTable [ hrSWRunIndex, hrSWRunName, hrSWRunPath, hrSWRunParameters ] | 1.3.6.1.2.1.25.4.2.1 [ .1, .2, .4, .5 ] |

An asterisk (*) after a method name indicates that the method must succeed for a host to be created.

© Copyright 2003-2017 BMC Software, Inc.