Windows WMI Scanning Reference
This guide provides a reference for the Windows Management Instrumentation (WMI) scanner, which discovers and collects detailed information from Windows-based systems.
Overview
The WMI scanner is the primary method for performing deep discovery on Windows computers. It uses WMI, a standard Windows management technology, to query for a vast amount of system information.
For environments with restrictive firewalls, the scanner includes a PAExec fallback mechanism, which allows it to gather the same information using a different communication channel.
Network Requirements
The required network ports depend on the method used:
Primary Method (WMI over RPC)
- Port: TCP 135 (RPC Endpoint Mapper)
- Ports: TCP 49152-65535 (Dynamic RPC Range for Windows Vista and newer)
- This range must be open from the Tripl-i Scanner Agent to the target Windows systems.
Fallback Method (PAExec over SMB)
If the RPC ports are blocked, the scanner will automatically attempt to use the PAExec fallback method.
- Port: TCP 445 (SMB/CIFS)
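The ports above only need to be reachable from the scanner agent, so the inbound rules on a target can be scoped to that single source address. The following is an added example, not part of the Tripl-i documentation. It assumes Windows Defender Firewall is the host firewall on the target; the agent address `192.0.2.10`, the rule names and the group name are constructed placeholders.

```powershell
# Added example: allow the scanner's ports on a target only from the agent's address.
# Assumptions: Windows Defender Firewall is in use; run in an elevated session.
param(
    [string]$ScannerAgentIp = '192.0.2.10',              # constructed placeholder
    [string]$RuleGroup      = 'Inventory Scanner (example)'
)

# Ports taken from the Network Requirements section of this page.
$rules = @(
    @{ Name = 'Scanner - RPC Endpoint Mapper';   Ports = '135' },
    @{ Name = 'Scanner - Dynamic RPC';           Ports = '49152-65535' },
    @{ Name = 'Scanner - SMB (PAExec fallback)'; Ports = '445' }
)

foreach ($r in $rules) {
    # Remove an earlier copy so the script can be re-run safely.
    Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $r.Name -Group $RuleGroup `
        -Direction Inbound -Action Allow -Protocol TCP `
        -LocalPort $r.Ports -RemoteAddress $ScannerAgentIp | Out-Null
}

# Audit: list enabled inbound allow rules that expose the same ports to any source.
# LocalPort is compared as an exact string; other overlapping ranges are not expanded.
$watched = '135', '445', '49152-65535', 'RPC', 'RPCEPMap', 'Any'
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    $hit  = @($port.LocalPort) | Where-Object { $watched -contains $_ }
    if ($port.Protocol -eq 'TCP' -and $hit -and ($addr.RemoteAddress -contains 'Any')) {
        [pscustomobject]@{
            Rule      = $_.DisplayName
            LocalPort = $port.LocalPort -join ','
            Remote    = $addr.RemoteAddress -join ','
        }
    }
}
```

Any rule the audit prints still admits RPC or SMB traffic from every source and is a candidate for the same source-address scoping.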
Authentication and Privilege Requirements
- Required Privileges: The scanner requires an account with local administrator privileges on the target Windows machine to perform a successful scan.
- Recommended Account: For scanning multiple machines in a domain, using a Domain Administrator account or a dedicated service account that is a member of the local administrators group on all targets is recommended.
- Supported Credential Formats:
  - DOMAIN\username (Recommended for domain accounts)
  - username@DOMAIN.COM
  - username (For local accounts on non-domain machines)
Data Collected Summary
The WMI scanner gathers a comprehensive inventory of the target system. The same data is collected whether using the primary WMI method or the PAExec fallback.
| Category | Examples |
|---|---|
| System | Hostname, Domain, Manufacturer, Model, Serial Number |
| Operating System | OS Name (e.g., Windows Server 2019), Version, Build Number, Service Pack, Install Date, Last Boot Time |
| Hardware | BIOS Version & Manufacturer, Processor Model & Cores, Physical Memory Modules (RAM), Physical Disk Drives |
| Storage | Logical Disks (e.g., C:), File System, Total Size, Free Space |
| Network | Network Adapters, IP Addresses, MAC Addresses, Default Gateways, DNS Servers, DHCP Status |
| Active Connections | All active TCP connections, including local/remote addresses and ports, state, and the associated Process ID. |
| Software | A full list of installed applications, queried directly from the Windows Registry for performance and accuracy. |
| User Accounts | Local user accounts, including their status (enabled/disabled) and description. |
| Display | Display adapters, resolution, and other monitor configuration details. |