WMI Basics & Troubleshooting with WMI…

I have seen the pain involved in troubleshooting WMI issues and thought I would share some important aspects which I hope will be helpful.

Let me start with the basic concept of WMI and then we will take one step at a time.

WMI is an implementation of the Web-Based Enterprise Management (WBEM) standard.

So what is WBEM?

WBEM is a set of management and Internet standard technologies developed to unify the management of distributed computing environments, facilitating the exchange of data across otherwise disparate technologies and platforms.

 

WMI provides a uniform access mechanism to a vast collection of Windows management data and methods. WMI offers access to this information via script, C++ programming interfaces, .NET classes (System.Management), and a command-line tool (WMIC). Other WMI capabilities include eventing, remoting, query, views etc.

 

COMPONENTS OF WMI:

a) Management Application.

b) WMI Infrastructure.

c) Providers.

d) Managed Objects.

 


 

  • Management Application: A management application can run queries, enumerate data, run provider methods or subscribe to events. WMI management applications include tools such as Exchange and System Center Manager.
  • WMI Infrastructure: This comprises:
    • WMI Service (winmgmt), including the WMI Core: This acts as an intermediary between the providers, management applications, and the WMI repository.
    • WMI Repository: This uses namespaces and sub-namespaces to organize objects. A management application must connect to a namespace to access object information. The namespaces root\default, root\cimv2 and root\subscription are created at system start-up.
  • Providers: These are COM objects that monitor managed objects (a logical or physical component such as an HDD, NIC, OS or service) for WMI. A provider supplies WMI with data from a managed object and handles messages from WMI to the object. A WMI provider consists of a DLL and a Managed Object Format (MOF) file that defines the classes for the provider.

Features provided by a provider:

  • Class: Can supply, modify, delete, and enumerate a provider-specific class. Can also support query processing. Active Directory is a rare example of a service that is a class provider.
  • Instance: Can supply, modify, delete, and enumerate instances of system and provider-specific classes. An instance represents a managed object. Can also support query processing.
  • Property: Can supply and modify individual object property values.
  • Method: Supplies methods for a provider-specific class.
  • Event: Generates event notifications.
  • Event Consumer: Maps a physical consumer to a logical consumer to support event notification.

 

Examples:

A) Script that returns the computer name and RAM

' "." targets the local computer
strComputer = "."
' Connect to the root\cimv2 namespace, impersonating the caller
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Win32_ComputerSystem carries the system name and the installed physical memory
Set colSettings = objWMIService.ExecQuery ("Select * from Win32_ComputerSystem")
For Each objComputer in colSettings
    Wscript.Echo "System Name: " & objComputer.Name
    Wscript.Echo "Total Physical Memory: " & objComputer.TotalPhysicalMemory
Next

B) Script to test WMI Core Settings, including a listing of all the MOF Files, the Build Version, the location of the WMI Repository and other settings:

set WMI = GetObject("WinMgmts:/root/cimv2")
set obj = WMI.Get("Win32_WMISetting=@")
WScript.Echo obj.GetObjectText_(0)

Different Types of WMI Issues:

  • Configuration Issues
    • DCOM Security
    • Firewall Configuration
    • WMI Namespace security
  • Infrastructure Issues
    • WMI Service Startup
    • DCOM Configuration Issues
    • Missing WMI Classes
    • WMI Repository
    • Improper Provider Registration
    • Missing System Files
    • Deleted WMI Repository
    • Security Requirements
    • Services or applications that are not running, or applications that have been uninstalled
    • External Dependencies

 

Troubleshooting WMI :-

When accessing WMI local or remote data in an application or script, you may encounter errors ranging from missing classes to access denied.  The first step in most WMI-related cases is to test the ability to connect to the service on the local computer.

  1. WMI Diagnosis Utility: The utility can do everything from verifying the validity of all your WMI namespaces to checking for possible corruption of the WMI repository. This tool produces a report that can usually isolate the source of the problem and provide instructions on how to fix it.

https://www.microsoft.com/technet/scriptcenter/topics/help/wmidiag.mspx

Steps:-

  1. Download the Utility
  2. Extract the files to C:\WMIDiag
  3. Run WMIDiag.vbs. By default it writes the log file to the user's temp directory; we can use the following command to change the location:

cscript c:\wmidiag\wmidiag.vbs LOGFILEPATH=c:\wmidiag

Some command-line parameters we can use while working with WMIDiag:

  • To create an entry in the Windows NT Event Log containing the WMI state (Success, Warning, or Error)

C:\>WMIDiag LogWMIState

  • To Deploy WMI Diag across several computers and preventing any popup from interfering

C:\>WMIDiag Silent

  • To Deploy with SMS (or Microsoft Operations Manager via a Management Pack)

C:\>WMIDiag SMS (note that the Silent and NoEcho parameters are on)

  • To delete logs and CSV files older than 10 days

C:\>WMIDiag OldestLogHistory=10

  • To Send WMI Diag report to a SMTP Server

C:\>WMIDiag SMTPServer=MyIntranetSMTP.MyDOmain.COM

[Source and Target SMTP address is preset to WMIDiag@microsoft.com]

  • MOF Issues

C:\> WMIDiag ShowMOFErrors

  • CIM Repository consistency

C:\>WMIDiag CheckConsistency

  2. We can perform some very simple troubleshooting steps to determine if the WMI Service is functioning.

Testing the Local WMI services

  1. Click Start, click Run, type wmimgmt.msc, and then click OK.
  2. Right-click WMI Control (Local), and then click Properties.

If the WMI service is configured correctly, the WMI Control will connect to WMI and display the Properties dialog box.  On the General tab, you should see information about the operating system and the version of WMI.

NB:- Starting with Microsoft Windows XP, the version of WMI should match the build version of the operating system. For example, in Windows XP, the WMI version is "2600.0000," and in Microsoft Windows Server 2003, the WMI version is "3790.000." The version of WMI in Microsoft Windows 2000 is "1085.0005." In versions of Windows earlier than Windows 2000, WMI was an installable component. The two most common distributions were v1.1 (build 698) and v1.5 (build 1085).

 

Testing the WMI Service on a Remote Machine

  1. Click Start, click Run, type wmimgmt.msc, and then click OK. 
  2. Right-click WMI Control (Local), and then click Connect to another computer. 
  3. Click Another computer, and then enter the name of the remote computer. 
  4. If you have to provide user credentials, click Change. 
  5. Click OK. 
  6. Right-click WMI Control (remote system name), and then click Properties.

 

What if I cannot connect to WMI on a remote computer?

If you cannot connect to WMI on a remote computer, the first thing to do is test the WMI service locally on both of the computers (local and remote). If the WMI service looks good locally on both machines, the issue could be to do with COM permissions.
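The local-then-remote test described above can be scripted so that a failure is sorted into one of the issue types listed earlier. This is an added example, not part of the original post; it assumes Windows PowerShell (Get-WmiObject), and the function names and the REMOTE-PC-PLACEHOLDER computer name are hypothetical.

```powershell
# Added example: classify WMI connection failures by error code (Windows PowerShell).
# The "likely area" labels follow the issue list in this post; treat them as a first guess.
$WmiErrorAreas = @{
    '0x80070005' = 'DCOM security (E_ACCESSDENIED returned by COM)'
    '0x800706BA' = 'Firewall configuration, or RPC / WMI service not reachable'
    '0x80041003' = 'WMI namespace security (WBEM_E_ACCESS_DENIED)'
    '0x8004100E' = 'Missing namespace: WMI repository or provider registration'
    '0x80041010' = 'Missing WMI class: provider registration or MOF'
}

function Get-WmiErrorCode {
    param([System.Exception]$Exception)
    # Unwrap to the innermost exception, then pull out the numeric code.
    while ($Exception.InnerException) { $Exception = $Exception.InnerException }
    if ($Exception -is [System.Management.ManagementException]) { return [int]$Exception.ErrorCode }
    if ($Exception -is [System.Runtime.InteropServices.COMException]) { return $Exception.ErrorCode }
    if ($Exception -is [System.UnauthorizedAccessException]) { return 0x80070005 }
    return 0
}

function Test-WmiConnection {
    param([string[]]$ComputerName = @('.'))
    foreach ($computer in $ComputerName) {
        $row = New-Object psobject -Property @{
            Computer = $computer; Status = 'OK'; Code = $null; LikelyArea = $null; WmiBuild = $null
        }
        try {
            # Same namespace and class as script B in this post.
            $setting = Get-WmiObject -Namespace 'root\cimv2' -Class Win32_WMISetting `
                -ComputerName $computer -ErrorAction Stop
            $row.WmiBuild = $setting.BuildVersion
        }
        catch {
            $row.Status = 'FAILED'
            $row.Code = '0x{0:X8}' -f (Get-WmiErrorCode $_.Exception)
            $row.LikelyArea = $WmiErrorAreas[$row.Code]
            # Unknown code: fall back to the raw message rather than guessing.
            if (-not $row.LikelyArea) { $row.LikelyArea = $_.Exception.Message }
        }
        $row
    }
}

# Local machine first, then the remote one (placeholder name).
Test-WmiConnection -ComputerName '.', 'REMOTE-PC-PLACEHOLDER' |
    Format-List Computer, Status, Code, LikelyArea, WmiBuild
```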

Check COM Security

The first thing we're going to look at is ensuring that the COM Security settings are configured correctly. Oftentimes the default COM permissions may have been modified by application installations or GPO settings.

 

Windows 2000:

  1. Click Start, click Run, type dcomcnfg then click OK.
  2. Click the Default Security tab.

Windows XP, Windows 2003:

  1. Click Start, click Run, type dcomcnfg then click OK.
  2. Expand the Component Services node
  3. Expand the Computers node
  4. Right-click the My Computer node and then click Properties
  5. Click the COM Security tab.

Under the Default Launch Permissions you need to make sure that the following users / groups have the Allow Launch permission:  INTERACTIVE, SYSTEM and Administrators.  Under the Default Access Permissions ensure only the following accounts are listed:

  • Windows 2000: None
  • Windows XP RTM & SP1: SYSTEM
  • Windows XP SP2 & Windows Server 2003: SELF, SYSTEM

 

If these Access Permissions settings have been modified, then you need to ensure that the following users / groups have been explicitly granted Access Permission: INTERACTIVE, SYSTEM and Administrators. You can then export the following registry key (so that you have a backup), delete it and reboot, so that you restore the original default values: HKLM\SOFTWARE\Microsoft\Ole\DefaultAccessPermission. On Windows XP and Windows Server 2003, you can also export the following keys (again, so you have backups) and then delete them and reboot so that the original default limits are restored: HKLM\SOFTWARE\Microsoft\Ole\MachineAccessRestriction and HKLM\SOFTWARE\Microsoft\Ole\MachineLaunchRestriction.
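Before deleting anything, it helps to back up the Ole key and see which accounts the current DCOM defaults and limits actually grant. This is an added example, not part of the original post; it only reads the registry and writes a .reg backup, and it assumes Windows PowerShell, that the three names above are stored as REG_BINARY values under HKLM\SOFTWARE\Microsoft\Ole, and hypothetical function names and backup folder.

```powershell
# Added example: back up the Ole key, then list who the DCOM ACLs grant rights to.
$OleKey     = 'HKLM:\SOFTWARE\Microsoft\Ole'
$ValueNames = 'DefaultAccessPermission', 'MachineAccessRestriction', 'MachineLaunchRestriction'
# Default Access Permissions this post lists for XP SP2 / Server 2003: SELF and SYSTEM.
$ExpectedDefaultAccess = 'S-1-5-10', 'S-1-5-18'
# COM access-mask bits (COM_RIGHTS_* constants in the Windows SDK).
$ComRights = @{ 1 = 'Execute'; 2 = 'ExecuteLocal'; 4 = 'ExecuteRemote'
                8 = 'ActivateLocal'; 16 = 'ActivateRemote' }

function Backup-OleKey {
    param([string]$Folder = $env:TEMP)   # hypothetical default location
    # Timestamped name, so an earlier backup is never overwritten.
    $file = Join-Path $Folder ('Ole-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\Ole' $file | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
    $file
}

function Get-DcomAclReport {
    foreach ($name in $ValueNames) {
        $bytes = (Get-ItemProperty -Path $OleKey -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $bytes) {
            # Value absent: the built-in default applies (the state the post restores).
            New-Object psobject -Property @{ Value = $name; Trustee = '(not set, default in effect)'
                                             Type = $null; Rights = $null; Flag = $null }
            continue
        }
        # The value holds a binary security descriptor; decode its DACL.
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
        if ($null -eq $sd.DiscretionaryAcl) { continue }
        foreach ($ace in $sd.DiscretionaryAcl) {
            $sid = $ace.SecurityIdentifier
            try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $who = $sid.Value }   # unresolvable SID: report it raw
            $rights = $ComRights.Keys | Sort-Object |
                Where-Object { $ace.AccessMask -band $_ } | ForEach-Object { $ComRights[$_] }
            $flag = if ($name -eq 'DefaultAccessPermission' -and
                        $ExpectedDefaultAccess -notcontains $sid.Value) { 'not in the listed defaults' }
            New-Object psobject -Property @{ Value = $name; Trustee = $who; Type = $ace.AceType
                                             Rights = ($rights -join ','); Flag = $flag }
        }
    }
}

"Backup written to $(Backup-OleKey)"
Get-DcomAclReport | Format-Table Value, Trustee, Type, Rights, Flag -AutoSize
```

A trustee holding ExecuteRemote or ActivateRemote in the restriction values is what permits remote DCOM (and therefore remote WMI) use, so review those rows first.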

 

In addition, the WMI DCOM settings should also be checked - again, using the DCOMCNFG utility as before:

 

Windows 2000:

  1. Within DCOMCNFG, click the Applications tab.
  2. Double-click the Windows Management Instrumentation tab.

Windows XP, Windows 2003:

  1. Within DCOMCNFG, expand the Computers node
  2. Expand the My Computer node
  3. Expand the DCOM Config node
  4. Right-click the Windows Management and Instrumentation object, and select Properties.

 

Verify the settings below against what is configured on the system:

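  • Authentication Level: Default (Windows 2000); Default (Windows XP / Windows Server 2003)
  • Launch Permissions: Use Default (Windows 2000); Everyone (Windows XP / Windows Server 2003)
  • Access Permissions: Use Default (Windows 2000); Use Default (Windows XP / Windows Server 2003)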

 

  3. Additionally, you can use the following link to perform the WBEM Test:

https://msdn.microsoft.com/en-us/library/ms179546.aspx 

 

I hope this post helps when troubleshooting WMI; we encounter these issues especially when we try to install various applications.
