Cannot connect to WMI on remote machines

sstoyanovich
I've written a VB utility that allows me to check registry entries on remote machines.  My code uses WMI to access the remote registry.  On 95% of the machines (Windows XP Pro) this works.

However, on a few machines, remote WMI access seems to be disabled.  Here are the symptoms:

- My WMI call {Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & txtMachine.Text & "\root\default:StdRegProv")} returns error 462 = The remote server machine does not exist or is unavailable.

- the machine can be pinged by name

- I can run up Computer Management console, and remotely connect to the machine.  Within Computer Management, I can:
    - view the event log
    - view shared folders and everything under it
    - manage users and groups
    - start and stop services
I cannot right-click on WMI Controls and Properties.  It comes back with "failed to connect to \\name because 'Win32: The RPC server is unavailable'"

- the Remote Procedure Call (RPC) service is automatic and started, as is the Remote Registry service

- All attempts to connect to WMI on the remote fail, whether it's the registry provider, or \root\cimv2 or default.  Anything.  I've checked the permissions on the WMI hierarchy and Administrators have all rights.  Domain Admins are a member of local Administrators, and I am a member of Domain Admins.

- I am able to explore to \\name\c$

- Internet Connection Firewall is not enabled on the LAN Connection

- IP filtering is not enabled


So I give up.  What do I have to enable on these machines to be able to connect to WMI!?

Thank you,
Sandra

Commented:
Hello,

2 things to try

1) on the 5% that do not work
right click my computer >> manage >> expand services and applications >>  services >> verify
that the Windows Management Instrumentation is running

2) do these 5% have longer names than the rest?
different naming convention?

' Copy the machine name into a variable before building the WMI moniker
Dim strComp As String
strComp = txtMachine.Text

Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComp & "\root\default:StdRegProv")

Commented:
Sorry, didn't read your post closely enough

You should check for the blaster worm on those 5%

removal tool:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

patch
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

There is plenty of other documentation regarding this vulnerability; if you would like more, let me know

Commented:
Here is a link to another post where EE member CrazyOne
gives all the information needed:

http://www.experts-exchange.com/Miscellaneous/Q_20707807.html

http://www3.ca.com/virusinfo/virus.aspx?ID=36265

Author

Commented:
Ok.  Thank you for all your suggestions.

Windows Management Instrumentation service is running.  Its partner Windows Management Instrumentation Driver Extensions is Manual and not started, but that's the case on every computer I've looked at, so that seems to be normal.

The names of the machines are quite short, actually.  ESI-586 and ESI-630 are two of them.

These are domain machines.  They all run Norton Anti-Virus Corporate Edition.  Virusdefs are up to date.  I'm doing a full scan for this virus now, and will report back if something is found.

I have also scanned the machine with the removal tool you mentioned, and it did not show as vulnerable.

We deploy patches to all machines regularly.  MS03-026 has been applied to this machine.  I don't see msblast.exe in the Run key in the registry, and I don't see a process called msblast.exe.

So, I don't think it's the virus.  Plus, this problem has been plaguing me for months now.  I just haven't had an opportunity to have one of the offending machines on my desk to play with until now.  :)  I've tried everything I can think of on it, and still can't make WMI work.

This machine is a laptop.  So is ESI-630.  Actually, it's possible that the ones in New York are laptops too.  Does this help?  The one here is an IBM Thinkpad.  Not ghosted - straight as it came plus we installed our apps on it.  They're all Windows XP Professional with SP1.

Please help.  Thanks!

Commented:
Hello,

Some other things to check (or to guess):
1) on xp machines run the resultant set of policy mmc snap-in,
perhaps "access this computer from network" is set under user rights assignments

2) one sure way to test if it is somehow a group policy issue would be to
put a computer that doesn't error out into the OU of one that does
then run gpupdate /force from the command line.

3) on the machines that don't work, run the program on the machine itself using
the "." instead of txtMachine.text.

4) audit logon events and check the logs to see if anything is getting denied access.
This might also give us a better idea of how it is supposed to connect

Sandra,

Have a look at this article in the MSKB, I think it will sort it out for you.

http://support.microsoft.com/default.aspx?kbid=269330

Dennis

Author

Commented:
Reply to mdiglio:

1) access this computer from the network is not defined as per RSoP

2) I am able to access WMI on other machines in the same OU as the offending machines.  I have also tried moving the offending machine into a different OU - where other good machines reside - but still the same problem.

3) When I run my app locally on the machine, it all works fine.

4) No additional eventlog messages appeared

I've also tried it by IP address, but still same problem.

I also just ran Windows Update and applied everything.

Hey!  I solved it!  It was CheckPoint SecuRemote VPN client.  Grrrrr.  I was disabling it, but that wasn't enough.  It had to be *uninstalled*!!  For Pete's sake.  A lot of laptop users use it to VPN into the office from home.

Thanks!
Sandra

Author

Commented:
I gave the points to mdiglio although in the end I solved the problem myself.  Along the way, you gave me a lot of good things to check, and these will likely help me troubleshoot similar problems in the future.
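
The symptom split reported in this thread (admin shares and the event log, services and user views work remotely, while every WMI connection fails with "RPC server is unavailable") can be checked directly, because those Computer Management views travel as named-pipe RPC over SMB while remote WMI uses DCOM, which starts at the RPC endpoint mapper. The script below is an added example, not code from the original posts; the function names and the script filename are hypothetical, it assumes the standard ports (TCP 445 and TCP 135), and the thread does not say which traffic the VPN client actually filtered.

```python
import socket
import sys

SMB_PORT = 445      # admin shares and named-pipe RPC (event log, services, users)
RPC_EPM_PORT = 135  # RPC endpoint mapper: first hop of the DCOM call WMI makes

VERDICTS = {
    (True, True): "epm-reachable: check dynamic RPC ports, DCOM and WMI namespace rights",
    (True, False): "dcom-filtered: SMB answers but TCP 135 does not; look for a "
                   "host packet filter (personal firewall, VPN client driver)",
    (False, True): "smb-filtered: endpoint mapper answers but SMB does not",
    (False, False): "unreachable: neither port answers; check routing and name resolution",
}


def tcp_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name not resolved
        return False


def diagnose(host, probe=tcp_open):
    """Probe SMB and the RPC endpoint mapper and classify the combination.

    `probe` is injectable so the classification can be exercised offline.
    """
    smb = probe(host, SMB_PORT)
    rpc = probe(host, RPC_EPM_PORT)
    return {"smb": smb, "rpc_epm": rpc, "verdict": VERDICTS[(smb, rpc)]}


if __name__ == "__main__":
    # Usage (hypothetical filename): python wmi_reach.py ESI-586 ESI-630
    for name in sys.argv[1:]:
        result = diagnose(name)
        print(f"{name}: smb={result['smb']} rpc_epm={result['rpc_epm']}")
        print(f"  {result['verdict']}")
```

A "dcom-filtered" result on a machine where the same check succeeds locally points at something on the host inspecting inbound packets, which is worth comparing against the installed network software before changing WMI permissions.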
