sstoyanovich
asked on
Cannot connect to WMI on remote machines
I've written a VB utility that allows me to check registry entries on remote machines. My code uses WMI to access the remote registry. On 95% of the machines (Windows XP Pro) this works.
However, on a few machines, remote WMI access seems to be disabled. Here are the symptoms:
- My WMI call {Set oReg = GetObject("winmgmts:{imper
- the machine can be ping-ed by name
- I can run up Computer Management console, and remotely connect to the machine. Within Computer Management, I can:
- view the event log
- view shared folders and everything under it
- manage users and groups
- start and stop services
I cannot right-click on WMI Controls and Properties. It comes back with "failed to connect to \\name because 'Win32: The RPC server is unavailable'"
- the Remote Procedure Call (RPC) service is automatic and started, as is the Remote Registry service
- All attempts to connect to WMI on the remote fail, whether it's the registry provider, or \root\cimv2 or default. Anything. I've checked the permissions on the WMI hierarchy and Administrators have all rights. Domain Admins are a member of local Administrators, and I am a member of Domain Admins.
- I am able to explore to \\name\c$
- Internet Connection Firewall is not enabled on the Lan Connection
- IP filtering is not enabled
So I give up. What do I have to enable on these machines to be able to connect to WMI!?
Thank you,
Sandra
However, on a few machines, remote WMI access seems to be disabled. Here are the symptoms:
- My WMI call {Set oReg = GetObject("winmgmts:{imper
- the machine can be ping-ed by name
- I can run up Computer Management console, and remotely connect to the machine. Within Computer Management, I can:
- view the event log
- view shared folders and everything under it
- manage users and groups
- start and stop services
I cannot right-click on WMI Controls and Properties. It comes back with "failed to connect to \\name because 'Win32: The RPC server is unavailable'"
- the Remote Procedure Call (RPC) service is automatic and started, as is the Remote Registry service
- All attempts to connect to WMI on the remote fail, whether it's the registry provider, or \root\cimv2 or default. Anything. I've checked the permissions on the WMI hierarchy and Administrators have all rights. Domain Admins are a member of local Administrators, and I am a member of Domain Admins.
- I am able to explore to \\name\c$
- Internet Connection Firewall is not enabled on the Lan Connection
- IP filtering is not enabled
So I give up. What do I have to enable on these machines to be able to connect to WMI!?
Thank you,
Sandra
Sorry didn't read your post close enough
You should check for the blaster worm on those 5%
removal tool:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
patch
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
There is plenty of other documentation regarding this vulnerability if you would like more let me know
You should check for the blaster worm on those 5%
removal tool:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
patch
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
There is plenty of other documentation regarding this vulnerability if you would like more let me know
Here is a link to another post where EE member CrazyOne
gives all the information needed:
https://www.experts-exchange.com/questions/20707807/RPC-problem.html
http://www3.ca.com/virusinfo/virus.aspx?ID=36265
gives all the information needed:
https://www.experts-exchange.com/questions/20707807/RPC-problem.html
http://www3.ca.com/virusinfo/virus.aspx?ID=36265
ASKER
Ok. Thank you for all your suggestions.
Windows Management Instrumentation service is running. Its partner Windows Management Instrumentation Driver Extensions is Manual and not started, but that's the case on every computer I've looked at, so that seems to be normal.
The names of the machines are quite short, actually. ESI-586 and ESI-630 are two of them.
These are domain machines. They all run Norton Anti-Virus Corporate Edition. Virusdefs are up to date. I'm doing a full scan for this virus now, and will report back if something is found.
I have also scanned the machine with the removal tool you mentioned, and it did not show as vulnerable.
We deploy patches to all machines regularly. MS03-026 has been applied to this machine. I don't see msblast.exe in the Run key in the registry, and I don't see a process called msblast.exe.
So, I don't think it's the virus. Plus, this problem has been plaquing me for months now. I just haven't had an opportunity to have one of the offending machines on my desk to play with until now. :) I've tried everything I can think of on it, and still can't make WMI work.
This machine is a laptop. So is ESI-630. Actually, it's possible that the ones in New York are laptops too. Does this help? The one here is an IBM Thinkpad. Not ghosted - straight as it came plus we installed our apps on it. They're all Windows XP Professional with SP1.
Please help. Thanks!
Windows Management Instrumentation service is running. Its partner Windows Management Instrumentation Driver Extensions is Manual and not started, but that's the case on every computer I've looked at, so that seems to be normal.
The names of the machines are quite short, actually. ESI-586 and ESI-630 are two of them.
These are domain machines. They all run Norton Anti-Virus Corporate Edition. Virusdefs are up to date. I'm doing a full scan for this virus now, and will report back if something is found.
I have also scanned the machine with the removal tool you mentioned, and it did not show as vulnerable.
We deploy patches to all machines regularly. MS03-026 has been applied to this machine. I don't see msblast.exe in the Run key in the registry, and I don't see a process called msblast.exe.
So, I don't think it's the virus. Plus, this problem has been plaquing me for months now. I just haven't had an opportunity to have one of the offending machines on my desk to play with until now. :) I've tried everything I can think of on it, and still can't make WMI work.
This machine is a laptop. So is ESI-630. Actually, it's possible that the ones in New York are laptops too. Does this help? The one here is an IBM Thinkpad. Not ghosted - straight as it came plus we installed our apps on it. They're all Windows XP Professional with SP1.
Please help. Thanks!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Sandra,
Have a look at this article in the MSKB, I think it will sort it out for you.
http://support.microsoft.com/default.aspx?kbid=269330
Dennis
Have a look at this article in the MSKB, I think it will sort it out for you.
http://support.microsoft.com/default.aspx?kbid=269330
Dennis
ASKER
Reply to mdiglio:
1) access this computer from the network is not defined as per RSoP
2) I am able to access WMI on other machines in the same OU as the offending machines. I have also tried moving the offending machine into a different OU - where other good machines reside - but still the same problem.
3) When I run my app locally on the machine, it all works fine.
4) No additional eventlog messages appeared
I've also tried it by ip address, but still same problem.
I also just ran windows update and applied everything.
Hey! I solved it! It was CheckPoint SecuRemote VPN client. Grrrrr. I was disabling it, but that wasn't enough. It had to be *uninstalled*!! For Pete's sake. A lot of laptop users use it to VPN into the office from home.
Thanks!
Sandra
1) access this computer from the network is not defined as per RSoP
2) I am able to access WMI on other machines in the same OU as the offending machines. I have also tried moving the offending machine into a different OU - where other good machines reside - but still the same problem.
3) When I run my app locally on the machine, it all works fine.
4) No additional eventlog messages appeared
I've also tried it by ip address, but still same problem.
I also just ran windows update and applied everything.
Hey! I solved it! It was CheckPoint SecuRemote VPN client. Grrrrr. I was disabling it, but that wasn't enough. It had to be *uninstalled*!! For Pete's sake. A lot of laptop users use it to VPN into the office from home.
Thanks!
Sandra
ASKER
I gave the points to mdiglio although in the end I solved the problem myself. Along the way, you gave me a lot of good things to check, and these will likely help me troubleshoot similar problems in the future.
2 things to try
1) on the 5% that do not work
right click my computer >> manage >> expand services and applications >> services >> verify
that the Windows Management Instrumentation is running
2) do these 5% have longer names than the rest?
different naming convention?
Dim strComp as string
strComp = txtMachine.Text
{Set oReg = GetObject("winmgmts:{imper