Skip to main content

Windows WMI Scanner Reference

This document provides a comprehensive technical reference for the Windows WMI scanner used in NopeSight v3 network discovery. The WMI scanner performs deep system analysis of Windows computers using Windows Management Instrumentation (WMI) and includes PAExec fallback for firewall-restricted environments.

Overview

The Windows WMI scanner (wmi_scanner.py) is the primary method for collecting comprehensive system information from Windows computers. It uses WMI queries to gather hardware specifications, software inventory, network configurations, and system details for IT infrastructure management and security analysis.

Network Ports and Protocols

Primary WMI Communication

  • Port 135 (TCP) - RPC Endpoint Mapper (required)
  • Dynamic RPC Ports - Windows Vista+: 49152-65535, Earlier versions: 1024-65535
  • Protocol - Distributed COM (DCOM) over RPC

PAExec Fallback Communication

  • Port 445 (TCP) - SMB/CIFS (required for PAExec)
  • Port 139 (TCP) - NetBIOS Session Service (legacy, optional)

Optional Protocols

  • Port 5985 (TCP) - WinRM HTTP (future enhancement)
  • Port 5986 (TCP) - WinRM HTTPS (future enhancement)

Authentication Methods

Credential Formats

The scanner automatically tries multiple authentication formats:

# Format 1: Domain\Username (most common)
DOMAIN\username

# Format 2: Username@Domain (modern format)
username@DOMAIN.COM

# Format 3: Local account (no domain)
username

Authentication Flow

  1. Credential Retrieval - Gets stored credentials from secure Windows DPAPI storage
  2. Format Testing - Tries each credential format until successful
  3. Connection Establishment - Creates WMI connection with successful credentials
  4. Fallback Handling - Switches to PAExec if WMI fails due to firewall/RPC issues

WMI Classes and Data Collection

System Information Classes

Win32_ComputerSystem

Purpose: Basic system identification and configuration

SELECT * FROM Win32_ComputerSystem

Data Collected:

  • System name (hostname)
  • Manufacturer (Dell, HP, Lenovo, etc.)
  • Model (PowerEdge R740, ThinkPad T14, etc.)
  • Domain membership
  • Total physical memory
  • Number of processors

Win32_ComputerSystemProduct

Purpose: Enhanced system model information

SELECT * FROM Win32_ComputerSystemProduct

Data Collected:

  • Product version (friendly model names)
  • UUID/GUID
  • Part numbers
  • Vendor-specific identifiers

Win32_BIOS

Purpose: BIOS/UEFI firmware information

SELECT * FROM Win32_BIOS

Data Collected:

  • BIOS manufacturer
  • BIOS version
  • System serial number
  • SMBIOS version
  • Release date

Win32_OperatingSystem

Purpose: Operating system details and configuration

SELECT * FROM Win32_OperatingSystem

Data Collected:

  • OS name and version (Windows 10, Windows Server 2019, etc.)
  • Build number
  • Architecture (x64, x86)
  • Service pack level
  • Product ID
  • Installation date
  • Last boot time

Hardware Information Classes

Win32_Processor

Purpose: CPU specifications and capabilities

SELECT * FROM Win32_Processor

Data Collected:

  • Processor name (Intel Core i7-10700K, AMD EPYC 7742, etc.)
  • Manufacturer
  • Number of cores
  • Number of logical processors (threads)
  • Maximum clock speed
  • Socket designation
  • L2/L3 cache sizes

Win32_PhysicalMemory

Purpose: Physical RAM module details

SELECT * FROM Win32_PhysicalMemory

Data Collected:

  • Memory capacity (GB)
  • Manufacturer (Samsung, Crucial, etc.)
  • Speed (MHz)
  • Part number
  • Device locator (DIMM slot)
  • Bank label
  • Memory type (DDR4, DDR3, etc.)

Win32_DiskDrive

Purpose: Physical disk drive information

SELECT * FROM Win32_DiskDrive

Data Collected:

  • Drive model
  • Manufacturer
  • Size (bytes)
  • Interface type (SATA, NVMe, SCSI)
  • Serial number
  • Firmware revision

Win32_LogicalDisk

Purpose: Logical drive/partition information

SELECT * FROM Win32_LogicalDisk

Data Collected:

  • Drive letter (C:, D:, etc.)
  • File system (NTFS, FAT32)
  • Total size
  • Free space
  • Volume label

Network Information Classes

Win32_NetworkAdapter

Purpose: Network interface hardware information

SELECT * FROM Win32_NetworkAdapter WHERE NetConnectionID IS NOT NULL

Data Collected:

  • Adapter name
  • Connection name
  • MAC address
  • Speed
  • Adapter type (physical/virtual)
  • Manufacturer

Win32_NetworkAdapterConfiguration

Purpose: Network interface IP configuration

SELECT * FROM Win32_NetworkAdapterConfiguration WHERE Index=[AdapterIndex]

Data Collected:

  • IP addresses (IPv4/IPv6)
  • Subnet masks
  • Default gateways
  • DNS servers
  • DHCP configuration
  • DHCP server address

MSFT_NetTCPConnection (Windows 8+)

Purpose: Active TCP network connections

SELECT * FROM MSFT_NetTCPConnection

Data Collected:

  • Local IP address and port
  • Remote IP address and port
  • Connection state
  • Process ID
  • Creation time

Win32_Process

Purpose: Process information for connection mapping

SELECT ProcessId, Name, ExecutablePath FROM Win32_Process

Used For:

  • Mapping network connections to processes
  • Software discovery
  • Service identification

User Account Classes

Win32_UserAccount

Purpose: Local user account information

SELECT * FROM Win32_UserAccount WHERE LocalAccount=True

Data Collected:

  • Username
  • Full name
  • Account description
  • Account status (enabled/disabled)
  • Password required
  • Last logon

Note: Limited to 50 users on domain controllers to prevent performance issues.

Display Hardware Classes

Win32_DisplayConfiguration

Purpose: Display adapter information

SELECT * FROM Win32_DisplayConfiguration

Data Collected:

  • Display adapter details
  • Resolution settings
  • Color depth
  • Refresh rate

Software Inventory Methods

Registry-Based Software Discovery

The scanner uses registry queries instead of Win32_Product for performance reasons:

Registry Path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*

Registry Values Retrieved

  • DisplayName - Software name
  • Publisher - Software vendor
  • DisplayVersion - Version number
  • InstallDate - Installation date
  • InstallLocation - Installation path
  • UninstallString - Uninstall command
  • EstimatedSize - Disk space usage

Why Registry Over WMI?

  • Performance - Registry queries are 100x faster than Win32_Product
  • Completeness - Registry contains more software entries
  • Resource Usage - Win32_Product causes high CPU usage and system slowdown
  • Reliability - Registry method is more stable

PAExec Fallback Mechanism

When PAExec is Triggered

PAExec fallback activates when WMI fails with specific error indicators:

Error Codes That Trigger Fallback

  • 0x800706ba - RPC server unavailable
  • 0x800706be - Remote procedure call failed
  • 0x800706d9 - Windows Firewall is blocking
  • 0x80070721 - Credential conflict
  • 0x80070005 - Access denied
  • -2147023174 - RPC_S_SERVER_UNAVAILABLE
  • -2147023447 - EPT_S_NOT_REGISTERED

Error Keywords That Trigger Fallback

  • "rpc server is unavailable"
  • "endpoint"
  • "firewall"
  • "access is denied"

PAExec Implementation Details

Service Creation

PAExec creates a temporary Windows service on the target system:

Service Name: PAExec-[Random-ID]
Binary Path: %SYSTEM32%\cmd.exe

Command Execution

PAExec executes WMIC commands remotely via the service:

# System Information
wmic computersystem get Name,Manufacturer,Model,Domain,TotalPhysicalMemory /format:csv

# BIOS Information  
wmic bios get Manufacturer,Version,SerialNumber /format:csv

# Operating System
wmic os get Caption,Version,BuildNumber,OSArchitecture /format:csv

# Processor Information
wmic cpu get Name,Manufacturer,NumberOfCores,MaxClockSpeed /format:csv

# Memory Information
wmic memorychip get Capacity,Manufacturer,Speed,PartNumber /format:csv

# Network Adapters
wmic nic where "NetConnectionID is not null" get Name,MACAddress,Speed /format:csv

# Installed Software (Registry)
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s /v DisplayName

Data Processing

  1. CSV Parsing - Processes WMIC CSV output
  2. Data Standardization - Converts to same format as WMI data
  3. Error Handling - Handles partial data collection gracefully
  4. Service Cleanup - Removes temporary service after completion

PAExec Advantages

  • Firewall Friendly - Only requires SMB port 445
  • Authentication - Uses same credentials as WMI
  • Comprehensive - Collects same data as WMI method
  • Reliable - Works when RPC ports are blocked

Network Connection Analysis

Connection State Mapping

The scanner maps network connection states to numeric values:

State NameNumeric ValueDescription
CLOSED1Connection closed
LISTENING2Listening for connections
SYN_SENT3Connection request sent
SYN_RECEIVED4Connection request received
ESTABLISHED5Connection established
FIN_WAIT_16Connection terminating
FIN_WAIT_27Connection terminating
CLOSE_WAIT8Waiting for close
CLOSING9Connection closing
LAST_ACK10Last acknowledgment
TIME_WAIT11Waiting for timeout
DELETE_TCB12Deleting connection

Connection Filtering Logic

Server Systems

# Collect all connections for servers
all_connections = query_all_network_connections()

Workstation Systems

# Filter out local connections for workstations
filtered_connections = [conn for conn in all_connections 
                       if conn.local_address != conn.remote_address]

Process-to-Connection Mapping

  1. Process Query - Get all running processes with Win32_Process
  2. Connection Query - Get all TCP connections with MSFT_NetTCPConnection
  3. PID Matching - Match connections to processes by ProcessId
  4. Path Resolution - Resolve process executable paths
  5. Service Detection - Identify Windows services

Security Considerations

Required Permissions

WMI Access

  • Local Security Policy - "Log on as a service"
  • WMI Permissions - Read access to WMI namespaces
  • Registry Access - Read access to software registry keys
  • Process Access - Query process information

Domain Authentication

  • Domain Account - Account must exist in target domain
  • Local Rights - "Log on as a service" on target systems
  • Group Membership - Consider adding to "Performance Monitor Users"

Credential Security

  • Storage - Credentials encrypted with Windows DPAPI
  • Transmission - Credentials sent over encrypted RPC
  • Logging - Passwords never logged in plain text
  • Cleanup - Credentials cleared from memory after use

Firewall Configuration

Windows Firewall Rules Required

# Enable WMI through Windows Firewall
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

# Enable specific ports
netsh advfirewall firewall add rule name="WMI-In" dir=in action=allow protocol=TCP localport=135
netsh advfirewall firewall add rule name="RPC-Dynamic" dir=in action=allow protocol=TCP localport=49152-65535

# For PAExec fallback
netsh advfirewall firewall add rule name="SMB-In" dir=in action=allow protocol=TCP localport=445

Corporate Firewall Considerations

  • Port 135 - Must be open between scanner and targets
  • Dynamic RPC - Must allow dynamic port range or configure static ports
  • Port 445 - Required for PAExec fallback functionality

Error Handling and Troubleshooting

Common Error Codes

RPC Errors

  • 0x800706ba - RPC server unavailable

    • Cause - WMI service not running or RPC blocked
    • Solution - Start WMI service, open port 135

  • 0x800706be - Remote procedure call failed

    • Cause - Dynamic RPC ports blocked
    • Solution - Configure static RPC ports or open dynamic range

Authentication Errors

  • 0x80070005 - Access denied

    • Cause - Insufficient permissions or wrong credentials
    • Solution - Verify credentials and WMI permissions

  • 0x80070721 - Credential conflict

    • Cause - Conflicting cached credentials
    • Solution - Clear cached credentials with cmdkey /delete

Firewall Errors

  • 0x800706d9 - Windows Firewall is blocking
    • Cause - WMI blocked by Windows Firewall
    • Solution - Enable WMI firewall rules

Diagnostic Commands

Test WMI Connectivity

# Test basic WMI access
wmic /node:"target-ip" /user:"domain\username" /password:"password" computersystem get name

# Test WMI service
sc \\target-ip query winmgmt

# Test RPC connectivity  
rpcping -a connect -t ncacn_ip_tcp -s target-ip -e 135

Test SMB Access (for PAExec)

# Test SMB connectivity
net use \\target-ip\ipc$ /user:domain\username password

# Test administrative share access
dir \\target-ip\admin$

Performance Optimization

Scan Performance Metrics

  • Typical Scan Time - 30-90 seconds per system
  • Network Bandwidth - 1-5 MB per scan
  • Memory Usage - 50-100 MB per concurrent scan
  • CPU Usage - 5-15% during active scanning

Optimization Techniques

  • Connection Pooling - Reuse WMI connections when possible
  • Registry Method - Use registry instead of Win32_Product for software
  • Selective Queries - Query only required WMI classes
  • Timeout Management - Set appropriate timeouts for network operations
  • Concurrent Limits - Limit simultaneous scans to prevent overload

Best Practices

  • Scan Scheduling - Schedule during off-peak hours
  • Batch Processing - Group scans by network segment
  • Error Recovery - Implement retry logic with exponential backoff
  • Resource Monitoring - Monitor scanner system resources
  • Network Impact - Consider bandwidth impact on production networks

Integration with NopeSight Platform

Data Upload Format

All collected data is standardized and uploaded to the NopeSight platform via:

POST /api/discovery/scan-data
Authorization: Bearer [discovery-token]
Content-Type: application/json

Data Processing Pipeline

  1. WMI Scan - Collect raw system data
  2. Data Formatting - Convert to standardized JSON format
  3. Upload - Send to NopeSight platform
  4. Backend Processing - Process through scan processors
  5. CI Creation - Create Configuration Items in CMDB
  6. Relationship Mapping - Establish relationships between CIs

This comprehensive reference provides the technical details needed to understand, implement, and troubleshoot Windows WMI scanning in enterprise environments.