Windows WMI Scanning Reference
This guide provides a reference for the Windows Management Instrumentation (WMI) scanner, which discovers and collects detailed information from Windows-based systems.
Overview
The WMI scanner is the primary method for performing deep discovery on Windows computers. It uses WMI, a standard Windows management technology, to query a wide range of system information.
For environments with restrictive firewalls, the scanner includes a PAExec fallback mechanism, which allows it to gather the same information using a different communication channel.
Network Requirements
The required network ports depend on the method used:
Primary Method (WMI over RPC)
- Port: TCP 135 (RPC Endpoint Mapper)
- Ports: TCP 49152-65535 (Dynamic RPC Range for Windows Vista and newer)
- Both TCP 135 and the dynamic range must be open from the NopeSight Scanner Agent to the target Windows systems.
Fallback Method (PAExec over SMB)
If the RPC ports are blocked, the scanner will automatically attempt to use the PAExec fallback method.
- Port: TCP 445 (SMB/CIFS)
Authentication and Privilege Requirements
- Required Privileges: The scanner requires an account with local administrator privileges on the target Windows machine to perform a successful scan.
- Recommended Account: For scanning multiple machines in a domain, using a Domain Administrator account or a dedicated service account that is a member of the local administrators group on all targets is recommended.
- Supported Credential Formats:
  - DOMAIN\username (recommended for domain accounts)
  - username@DOMAIN.COM
  - username (for local accounts on non-domain machines)
Data Collected Summary
The WMI scanner gathers a comprehensive inventory of the target system. The same data is collected whether using the primary WMI method or the PAExec fallback.
| Category | Examples |
|---|---|
| System | Hostname, Domain, Manufacturer, Model, Serial Number |
| Operating System | OS Name (e.g., Windows Server 2019), Version, Build Number, Service Pack, Install Date, Last Boot Time |
| Hardware | BIOS Version & Manufacturer, Processor Model & Cores, Physical Memory Modules (RAM), Physical Disk Drives |
| Storage | Logical Disks (e.g., C:), File System, Total Size, Free Space |
| Network | Network Adapters, IP Addresses, MAC Addresses, Default Gateways, DNS Servers, DHCP Status |
| Active Connections | All active TCP connections, including local/remote addresses and ports, state, and the associated Process ID. |
| Software | A full list of installed applications, queried directly from the Windows Registry for performance and accuracy. |
| User Accounts | Local user accounts, including their status (enabled/disabled) and description. |
| Display | Display adapters, resolution, and other monitor configuration details. |
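The following PowerShell script is an added example, not part of the NopeSight scanner itself. It checks the two ports listed under Network Requirements from the scanner host, then uses the primary method (WMI over DCOM/RPC) with the supplied account to pull a few of the fields from the Data Collected table, including installed software read from the registry. The target hostname is a constructed placeholder; the credential is prompted for in DOMAIN\username form.

```powershell
# Added pre-flight check for the WMI scanner (example code, not the scanner's own).
$Target     = 'win-target.example.local'            # placeholder, replace with a real host
$Credential = Get-Credential -Message 'Scanner account (DOMAIN\username)'

# 1. Port reachability, in the order the scanner tries them: RPC first, SMB fallback.
$ports = [ordered]@{ 'RPC endpoint mapper (primary)' = 135; 'SMB for PAExec fallback' = 445 }
foreach ($p in $ports.GetEnumerator()) {
    $open = (Test-NetConnection -ComputerName $Target -Port $p.Value -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,-30} TCP {1,-4} {2}' -f $p.Key, $p.Value, $(if ($open) { 'open' } else { 'blocked' })
}

# 2. Authenticated WMI query over DCOM (the primary method). If this fails while 135 is
#    open, the dynamic RPC range 49152-65535 is usually filtered, or the account is not
#    a local administrator on the target.
$opt = New-CimSessionOption -Protocol Dcom
try {
    $s    = New-CimSession -ComputerName $Target -Credential $Credential -SessionOption $opt -ErrorAction Stop
    $os   = Get-CimInstance -CimSession $s -ClassName Win32_OperatingSystem
    $cs   = Get-CimInstance -CimSession $s -ClassName Win32_ComputerSystem
    $bios = Get-CimInstance -CimSession $s -ClassName Win32_BIOS
    [pscustomobject]@{
        Hostname     = $cs.Name
        Domain       = $cs.Domain
        OS           = $os.Caption
        Build        = $os.BuildNumber
        LastBoot     = $os.LastBootUpTime
        SerialNumber = $bios.SerialNumber
    }

    # 3. Installed software from the registry, the source the page describes, read through
    #    the StdRegProv WMI class so no Remote Registry service is needed. HKLM = 0x80000002.
    #    Only the native Uninstall key is enumerated here; 32-bit apps on 64-bit Windows
    #    live under SOFTWARE\WOW6432Node\... and would need a second pass.
    $hklm = [uint32]2147483650
    $key  = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    $reg  = Invoke-CimMethod -CimSession $s -Namespace root/default -ClassName StdRegProv `
                -MethodName EnumKey -Arguments @{ hDefKey = $hklm; sSubKeyName = $key }
    foreach ($sub in $reg.sNames) {
        $v = Invoke-CimMethod -CimSession $s -Namespace root/default -ClassName StdRegProv `
                -MethodName GetStringValue -Arguments @{ hDefKey = $hklm; sSubKeyName = "$key\$sub"; sValueName = 'DisplayName' }
        if ($v.sValue) { $v.sValue }
    }
    Remove-CimSession $s
} catch {
    Write-Warning "WMI over RPC failed for ${Target}: $($_.Exception.Message)"
}
```

Run it from the host where the NopeSight Scanner Agent is installed, since the port checks are only meaningful from the scanner's own network position.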