5

I am new to wmic and have been trying for a long time with the default agent query approach.

wmic is a Linux-based WMI tool to talk to the Windows WMI agent. While trying to fetch data with wmic from NT (Win7 with the WMI service running), it shows access denied in all cases.

The question is what could be the possible reason: is it firewall ports, the WMI group, file or user permissions, or something else? Any kind of hints will be very helpful.

```
[root@rhel6 wmic]# wmic -U nt-login-name% //nt-primary-ip "select caption, name, parentprocessid, processid from win32_process"

[librpc/rpc/dcerpc_util.c:1290:dcerpc_pipe_auth_recv()] Failed to bind to uuid 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 - NT_STATUS_NET_WRITE_FAULT
[librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c0000022) in dcerpc_pipe_connect_b_recv
[wmi/wmic.c:196:main()] ERROR: Login to remote object.

NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
```
HBruijn
mav_2k

3 Answers

1

Did you use your full credentials with the -U switch, appending the password with a %?

```
wmic -U [domain/]adminuser%password //host "select caption, name, parentprocessid, processid from win32_process"
```

A query that works for me is this one:

```
wmic -U NTDOMAIN/administrator%password //192.168.0.73 "select username from Win32_Computersystem"
```
HBruijn
user236693
  • Thank you for posting, but including the full usage instructions is a bit too much and not quite relevant. I have edited your question accordingly, but please revise if you don't agree. – HBruijn Aug 08 '14 at 09:27
1

I just spent hours debugging the same problem and found the security setting `Network security: LAN Manager authentication level` to be the crux of the problem, which, on the problematic server, was set to `Send NTLMv2 response only\refuse LM & NTLM`. Changing this to `Send LM & NTLM - use NTLMv2 session security if negotiated` fixes the problem and allows wmic to connect.

  • Where did you set this parameter? – Troublemaker-DV Jan 16 '17 at 02:05
  • It's a group policy setting somewhere under "Security Settings" @Troublemaker-DV – Adrian Frühwirth Jan 16 '17 at 08:26
  • It hasn't fixed the issue for me yet but the setting is located in `GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options` Source - https://technet.microsoft.com/en-us/library/jj852207(v=ws.11).aspx – red_shift Apr 18 '17 at 20:48
  • FWIW I just tried changing this setting and I still get "NT_STATUS_ACCESS_DENIED" when trying wmic with a username and password I know is valid. What makes this even more annoying is that another user with identical group permissions works fine, even when I use his credentials. – pzkpfw Sep 19 '18 at 07:31
0

I didn't have the reputation to comment yet, but after running into this myself, I found the problem was indeed that the Linux WMIC agent was sending LM authentication requests instead of the GPO-required NTLMv2, as Adrian Frühwirth mentions. Instead of making the security policy less restrictive, I took the approach of adding the following to the WMIC command line:

```
--option="client ntlmv2 auth"=Yes
```

This resolved the issue for me and didn't force the server to accept the less-secure auth exchanges supported by LM.

Potentially Helpful Reference: https://support.nagios.com/forum/viewtopic.php?t=5029&p=22405
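
To confirm from a packet capture which response type the client actually sent, as diagnosed in the answer above, the following added example (not part of the original posts) parses an NTLMSSP AUTHENTICATE message and classifies it by the lengths of its LM and NT response fields. The function names are hypothetical and the sample messages are constructed byte strings, not captured traffic.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"

def _field(msg, pos):
    """Return the payload named by a (Len, MaxLen, Offset) field descriptor."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]

def classify_authenticate(msg):
    """Classify the response type carried in an NTLMSSP AUTHENTICATE_MESSAGE."""
    if len(msg) < 28 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE_MESSAGE (type 3)")
    lm, nt = _field(msg, 12), _field(msg, 20)
    if len(nt) > 24:                       # NTProofStr (16 bytes) + client blob
        return "NTLMv2"
    if len(nt) == 24:
        # Extended session security: LM field = 8-byte client nonce + 16 zero bytes
        if len(lm) == 24 and lm[8:] == bytes(16):
            return "NTLMv1-ESS"
        return "NTLMv1"
    if not nt and len(lm) == 24:
        return "LM-only"
    return "unknown"

def refused_when_only_ntlmv2_allowed(kind):
    """True if a server set to refuse LM & NTLM would reject this response type."""
    return kind != "NTLMv2"

def build_sample(lm, nt):
    """Constructed type 3 message with only the LM/NT response fields filled in."""
    base = 64                              # header size without Version/MIC
    hdr = SIGNATURE + struct.pack("<I", 3)
    hdr += struct.pack("<HHI", len(lm), len(lm), base)
    hdr += struct.pack("<HHI", len(nt), len(nt), base + len(lm))
    hdr += struct.pack("<HHI", 0, 0, base) * 4   # domain, user, workstation, key
    return hdr + struct.pack("<I", 0) + lm + nt  # NegotiateFlags = 0

if __name__ == "__main__":
    samples = {  # constructed byte strings, not captured traffic
        "old client": build_sample(b"\x11" * 24, b"\x22" * 24),
        "ntlmv2 client": build_sample(b"\x55" * 24, b"\x66" * 16 + bytes(44)),
    }
    for name, msg in samples.items():
        kind = classify_authenticate(msg)
        print(name, kind, "refused" if refused_when_only_ntlmv2_allowed(kind) else "accepted")
```

A 24-byte NT response is NTLMv1 in either form, so a server configured to accept only NTLMv2 rejects it; only a longer NT response (proof string plus client blob) passes.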
