How to Test the WMI Service Using WMIC

WMIC is a command-line tool and must therefore be run from Command Prompt.

 

1.    Open Command Prompt, or enter “cmd” in the search bar of the Windows Start menu, on the target machine.

2.    In Command Prompt, type the following command and press the Enter key (see figure below):

          wmic /NODE:"HOST IP" /USER:"USERNAME" /PASSWORD:"PASSWORD" SHARE

 

Note: The text within quotes should be replaced with the corresponding information for the target machine on which the WMI service is being tested.

 

 

If this command returns the list of shares available on the host, a connection to the WMI service is possible. Otherwise, the administrator should start the service so that the collection can run.

If the command returns an error message, the connection failed and the collection will not run on the machine. Below are solutions to the most common errors.

 

    “Access is denied.”

Possible Reason: User does not exist.

Possible Reason: User is not part of the Administrators group.

Possible Reason: Network security: LAN Manager authentication level
Solutions:
    Group Policy: Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level
    Group Policy Configuration: Send LM & NTLM - use NTLMv2 session security if negotiated
    Registry: HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
    Registry Value: dword:1

Possible Reason: Network access: Sharing and security model for local accounts
Solutions:
    Group Policy: Windows Settings\Security Settings\Local Policies\Security Options\Network access: Sharing and security model for local accounts
    Group Policy Configuration: Classic - local users authenticate as themselves
    Registry: HKLM\System\CurrentControlSet\Control\Lsa\ForceGuest
    Registry Value: dword:0

Possible Reason: LocalAccountTokenFilterPolicy (only when UAC is enabled)
Solutions:
    Registry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
    Registry Value: dword:1

Possible Reason: Restrictions for Unauthenticated RPC clients
Solutions:
    Group Policy: Administrative Templates\System\Remote Procedure Call
    Group Policy Configuration: Disabled or Not Configured
    Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc\RestrictRemoteClients
    Registry Value: Delete this value or dword:0

 

    “The RPC server is unavailable.”

Possible Reason: The Remote Procedure Call service is disabled.
Solution: Enable the RPC service.

Possible Reason: A firewall is blocking the WMI connections.
Solution: Open ports 135/TCP and 445/TCP in the firewall.

 

    The service cannot be started.

Possible Reason: The Windows Management Instrumentation (WMI) service is disabled.
Solution: Enable the Windows Management Instrumentation (WMI) service.
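
The checks from the three tables above as a read-only PowerShell script; this is an added example, not part of the original article. The function names and the address 192.0.2.10 are placeholders chosen for the example; run the registry and service checks on the target machine and the port check from the machine that will connect to it.

```powershell
# Added example, not from the original article. Read-only: it changes nothing.
# Registry values from the "Access is denied." table, with the data the article gives.
$checks = @(
    @{ Path = 'HKLM:\System\CurrentControlSet\Control\Lsa'; Name = 'LmCompatibilityLevel'; Article = 1 },
    @{ Path = 'HKLM:\System\CurrentControlSet\Control\Lsa'; Name = 'ForceGuest'; Article = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'LocalAccountTokenFilterPolicy'; Article = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'; Name = 'RestrictRemoteClients'; Article = 0 }
)

function Get-WmiPrereqRegistry {
    foreach ($c in $checks) {
        # A missing key or value yields $null instead of an error.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $current = if ($item) { $item.($c.Name) } else { $null }
        # The article accepts a deleted RestrictRemoteClients value as well as 0.
        $same = ($current -eq $c.Article) -or
                ($c.Name -eq 'RestrictRemoteClients' -and $null -eq $current)
        [pscustomobject]@{ Setting = $c.Name; Current = $current; Article = $c.Article; SameAsArticle = $same }
    }
}

function Get-WmiPrereqService {
    # RpcSs = Remote Procedure Call, Winmgmt = Windows Management Instrumentation.
    Get-Service -Name RpcSs, Winmgmt | Select-Object Name, Status, StartType
}

function Test-WmiPort {
    param([Parameter(Mandatory)][string]$ComputerName)
    # The two TCP ports named in the "The RPC server is unavailable." table.
    foreach ($port in 135, 445) {
        $r = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $port; Reachable = $r.TcpTestSucceeded }
    }
}

Get-WmiPrereqRegistry | Format-Table -AutoSize
Get-WmiPrereqService  | Format-Table -AutoSize
# 192.0.2.10 is a constructed placeholder; use the HOST IP passed to wmic /NODE.
Test-WmiPort -ComputerName '192.0.2.10' | Format-Table -AutoSize
```

SameAsArticle only compares against the data the article lists. LocalAccountTokenFilterPolicy = 1 switches off UAC remote token filtering for local administrator accounts, so the Current column is worth recording before any value is changed.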