WMI Settings on Windows Client

By Leave a Comment

1 Common Settings for all versions of Windows:

1.1 Services:

Following Services must be set to Startup Type Automatic and Status Started:

  • COM+ Event System
  • Remote Procedure Call (RPC)
  • Windows Management Instrumentation
  • DCOM Server Process launcher

1.2 Windows Firewall Exceptions:

Windows Management Instrumentation must be allowed through the Windows Firewall.

1.3 Ports:

Following ports are required to be opened:

  • 135/tcp open msrpc
  • any port > 1024

These ports will automatically be opened once the above two settings are set.

2 Additional Settings for different versions of Windows:

2.1 Windows XP Service Pack 3:

A little tweak in registry is required for Windows XP SP3 in a WORKGROUP setting because all the connections coming from the networks will be authenticated as Guest User. The registry value (ForceGuest) associated with this behavior is set to 1 by default and is needed to be changed to 0. The ForceGuest registry can be found at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.

2.2 Windows Vista and Windows 7:

Starting with Windows Vista, under User Account Control (UAC) access-token filtering can affect which operations are allowed in WMI namespaces or what data is returned. In a workgroup, the account connecting to the remote computer is a local user on that computer. Even if the account is in the Administrators group, UAC filtering means that a script runs as a standard user. So, UAC needs to be disabled for scanning Windows Vista and Windows 7 in a WORKGROUP setting or

(i) Optionally UAC can be disabled for remote administrator only:
Start “regedit.exe”
Go to key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
Create new Dword value: LocalAccountTokenFilterPolicy
Set LocalAccountTokenFilterPolicy to “1”

(ii) Set Classic security model:
Start/run “secpol.msc”
Navigate to Local Policies\Security Options
Network Access: Sharing security model for local accounts – Set to Classic
Restart the computer.

3 Settings for Non-admin user:

3.1 WMI Settings:

  • Go to Control Panel-> Adminstrative Tools -> Computer Management -> (In Left Side Bar)
  • Services and Applications -> WMI Control
  • Right Click on WMI Control for properties and Select Security Tab
  • Select Root and the Namespace (in our case CIMV2) and then click on Security
  • Here, Add the non admin user and Allow all the permissions to it
  • Save/OK

3.2 DCOM Settings:

  • Run dcomcnfg.exe
  • From Left Side Bar, choose Component Service -> Computers -> My Computer
  • Right click on My Computer, go to COM Security Tab
  • In both Access Permission and Launch and Activation Permissions Edit Limits and add the non-admin user and Allow all the access to it
  • Apply/OK/Save

B.1 Common Settings for all versions of Windows:
B.1.1 Services:
Following Services must be set to Startup Type Automatic and Status Started:
• COM+ Event System
• Remote Procedure Call (RPC)
• Windows Management Instrumentation
• DCOM Server Process launcher
B.1.2 Windows Firewall Exceptions:
Windows Management Instrumentation must be allowed through the Windows Firewall.
B.1.3 Ports:
Following ports are required to be opened:
• 135/tcp open msrpc
• any port > 1024
These ports will automatically be opened once the above two settings are set.
B.2 Additional Settings for different versions of Windows:
B.2.1 Windows XP Service Pack 3:
A little tweak in registry is required for Windows XP SP3 in a WORKGROUP setting because all the
connections coming from the networks will be authenticated as Guest User. The registry value
(ForceGuest) associated with this behavior is set to 1 by default and is needed to be changed to 0. The
ForceGuest registry can be found at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Lsa.
B.2.2 Windows Vista and Windows 7:
Starting with Windows Vista, under User Account Control (UAC) access-token filtering can affect
which operations are allowed in WMI namespaces or what data is returned. In a workgroup, the
account connecting to the remote computer is a local user on that computer. Even if the account is in
the Administrators group, UAC filtering means that a script runs as a standard user.
So, UAC needs to be disabled for scanning Windows Vista and Windows 7 in a WORKGROUP
setting or

Optionally UAC can be disabled for remote administrator only:
Start “regedit.exe”
Go to key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
Create new Dword value: LocalAccountTokenFilterPolicy
Set LocalAccountTokenFilterPolicy to “1”
• Set Classic security model:
Start/run “secpol.msc”
Navigate to Local Policies\Security Options
Network Access: Sharing security model for local accounts – Set to Classic
Restart the computer.
B.3 Settings for Non-admin user:
B.3.1 WMI Settings:

Go to Control Panel-> Adminstrative Tools -> Computer Management -> (In Left Side Bar)
Services and Applications -> WMI Control
• Right Click on WMI Control for properties and Select Security Tab
• Select Root and the Namespace (in our case CIMV2) and then click on Security
• Here, Add the non admin user and Allow all the permissions to it
• Save/OK
B.3.2 DCOM Settings:
• Run dcomcnfg.exe
• From Left Side Bar, choose Component Service -> Computers -> My Computer
• Right click on My Computer, go to COM Security Tab
• In both Access Permission and Launch and Activation Permissions Edit Limits and add the non-
admin user and Allow all the access to it

Apply/OK/Save