Solved

WMIC process call create ReturnValue = 3 problem

Posted on 2014-09-17
Last Modified: 2014-10-07
When using WMIC to remotely query two Windows 2003 domain controllers, I cannot use process call create "name.exe". I can list processes and terminate them without issue.

The results of using process call create shown below:

C:\Windows>wmic /node:"dc1"  /user:Administrator /password:password123 process call create "calc.exe"
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 3;
};

My Google searches have not turned up anything useful so far.

Anyone have any suggestions as to how I might troubleshoot this problem?
Question by:spencerturbine
16 Comments
 

Expert Comment

by:Gerwin Jansen
ID: 40329242
Any chance that "name.exe" is not on the path? "Calc.exe" is so that will start.

Can you try adding the full path to "name.exe"?

Author Comment

by:spencerturbine
ID: 40329249
I have tried calc.exe and c:\windows\system32\calc.exe and I get the same results.

Expert Comment

by:Gerwin Jansen
ID: 40329291
calc is working, but you want name.exe to work, right?

Author Comment

by:spencerturbine
ID: 40329297
No, calc returns error 3

Expert Comment

by:Gerwin Jansen
ID: 40329299
Then I misunderstood this part:

"Method execution successful."

Author Comment

by:spencerturbine
ID: 40329302
Well, the call was successful, but the command executed as a result of the call reported an error.

Expert Comment

by:Gerwin Jansen
ID: 40329306
C:\Users\me>wmic /node:mypc process call create calc.exe
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 1744;
        ReturnValue = 0;
};


I got a calc.exe that opened just fine.

Author Comment

by:spencerturbine
ID: 40329312
Yes, I can do this on my own machine as well as many domain workstations. But I cannot successfully run the command on the two domain controllers.

Which is the intended purpose. (Not to run calc.exe, but to execute another command I have ready. Calc.exe is being used to simplify troubleshooting.)

Expert Comment

by:Gerwin Jansen
ID: 40329822
I don't have a domain server to test with so my contribution ends here...

Author Comment

by:spencerturbine
ID: 40330103
OK Thanks!

Accepted Solution

by:spencerturbine
ID: 40331109
I may have discovered the reason I cannot complete this command.

The Default Domain Controller Policy does not have the LOCAL or SYSTEM accounts listed in the "Replace a process level token" user right.

I will have to determine if this setting in the "default domain controller policy" is a "default" setting, or if it was changed for a reason.

Author Comment

by:spencerturbine
ID: 40331247
I really thought I had it there but no joy. I still get the error code 3 for insufficient privileges!

Expert Comment

by:Gerwin Jansen
ID: 40332275
Did you try with domain admin credentials, like this:

/user:your_domain\your_domain_admin /password:your_domain_admin_password

Author Comment

by:spencerturbine
ID: 40343897
Yes I did try the /user:DOMAIN\Administrator

The only way I got this to work was to add the Administrators group to the "Replace a process level token" user right.

I am hoping someone could shed some light on this so I don't have to set up a test 2003 domain just to see what the default user rights are because I have never seen anyone explain the potential for this command to fail because the "Replace a process level token" user right did not contain the Administrators group.

Expert Comment

by:Gerwin Jansen
ID: 40346594
>> so I don't have to set up a test 2003 domain
Can help you there I'm afraid.

Author Closing Comment

by:spencerturbine
ID: 40365504
Ultimately this was the reason why I was not able to complete the command.
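
An added example, not part of the thread and not the poster's code: a PowerShell script that decodes the Win32_Process.Create return value and lists which accounts hold the "Replace a process level token" right (SeAssignPrimaryTokenPrivilege) in a secedit user-rights export, so the assignment can be reviewed before and after a policy change. The function names, the C:\Temp path and the sample export lines are assumptions constructed for illustration.

```powershell
# Added example: documented Win32_Process.Create return codes.
$CreateReturn = @{ 0 = 'Successful completion'; 2 = 'Access denied'; 3 = 'Insufficient privilege'
                   8 = 'Unknown failure'; 9 = 'Path not found'; 21 = 'Invalid parameter' }

# Return the raw entries assigned to one user right in a secedit INF export.
function Get-UserRightHolder {    # hypothetical helper name
    param([string[]]$InfLines, [string]$Right = 'SeAssignPrimaryTokenPrivilege')
    foreach ($line in $InfLines) {
        if ($line -match ('^\s*' + [regex]::Escape($Right) + '\s*=\s*(.*)$')) {
            return @($Matches[1].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return @()   # right absent from the export: no account is assigned it
}

# Entries starting with '*' are SIDs; translate them to account names where possible.
function Resolve-Holder {         # hypothetical helper name
    param([string]$Entry)
    if (-not $Entry.StartsWith('*')) { return $Entry }   # already an account name
    $sid = $Entry.TrimStart('*')
    try {
        $obj = New-Object System.Security.Principal.SecurityIdentifier($sid)
        return "$($obj.Translate([System.Security.Principal.NTAccount]).Value) ($sid)"
    } catch {
        return "unresolved ($sid)"
    }
}

# Constructed sample input. On the domain controller, produce the real file with
#   secedit /export /areas USER_RIGHTS /cfg C:\Temp\rights.inf   (placeholder path)
# and pass (Get-Content C:\Temp\rights.inf) instead of $sample.
$sample = @(
    '[Privilege Rights]',
    'SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20',
    'SeDebugPrivilege = *S-1-5-32-544'
)

$returnValue = 3   # the value wmic reported in the question
"ReturnValue $returnValue = $($CreateReturn[$returnValue])"

$holders = Get-UserRightHolder -InfLines $sample
'Holders of SeAssignPrimaryTokenPrivilege:'
$holders | ForEach-Object { '  ' + (Resolve-Holder $_) }

# S-1-5-32-544 is BUILTIN\Administrators, the group the thread ends up adding.
# This check assumes the export lists it by SID rather than by name.
if ($holders -contains '*S-1-5-32-544') { 'Administrators hold this right.' }
else { 'Administrators do not hold this right.' }
```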