WMI

Overview

The WMI infrastructure is a Microsoft Windows operating system component known as the WMI service (winmgmt). The ability to obtain management data from remote computers is what makes WMI useful. Remote WMI connections are made through DCOM.
  • In this mode, the PowerShell script is first copied from the Windows agent server to the configured device machine. The script is then executed on the configured device using a WMI command.
  • User Account Control (UAC) affects the WMI data that is returned from a command-line tool, remote access, and how scripts must run. For more details refer to User Account Control and WMI - Win32 apps | Microsoft Learn.
  • In WMI mode, AppViewX generates PowerShell scripts that are executed on the target machine. This process necessitates special access to the drive of the end machine in order to execute the scripts effectively.
  • The WMI command used to execute the script itself necessitates admin privileges.
* The "Allow log on locally" right is required if different accounts are used on the Windows agent and the target machine. The account used on the target machine must be assigned the "Allow log on locally" right.

Recommended Usage

  • This mode is older and slower than PowerShell mode.
  • This mode is generally chosen only when the user account on the target machine has not been given remote execution privileges (that is, PowerShell remoting permissions are disabled).
  • WMI is enabled by default on many Windows servers.
  • DCOM remains integrated into the Windows OS and is used by Windows services, such as the Microsoft Management Console certificate store, to communicate.
  • Organizations that prefer not to use PowerShell remoting or WinRM can use DCOM (WMI) as a communication method.
  • It is commonly used on older Windows servers, such as Windows Server 2012 or 2008 R2.

Standard remote WMI queries connect over RPC, which in turn uses a range of ports. The Collector first connects to the remote system on TCP port 135. The remote system then selects a high port and instructs the Collector to use that port for subsequent communication. The high-port range depends on the OS; current Windows versions use ports 49152 to 65535.

PORTS USED: 445, 135 + dynamic port: 49152-65534

To use a static DCOM port for WMI in Windows, instead of numerous high ports, please follow the instructions on the Microsoft site for allocating a static port for WMI communication. Refer to Setting Up a Fixed Port for WMI | Microsoft Learn.

Permissions and Port Requirements

The table below summarizes the different permissions and port requirements in WMI:
| Requirement | AppViewX Windows Gateway | Target Server |
|---|---|---|
| User account type | Service account with local admin | Service account with local admin |
| Services | WMI Service; certutil.exe command availability | WMI Service; certutil.exe command availability |
| Ports | 8999 (Customisable); 445 - SMB; 135 RPC Port; 49152-65535 - Dynamic Ports | 445 - SMB; 135 RPC Port; 49152-65535 - Dynamic Ports |
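
The script below is an added example, not AppViewX code: a preflight check run from the Windows gateway that probes the fixed ports listed above and opens a WMI session over DCOM to confirm the service and certutil.exe requirements on the target. The parameter names and result labels are assumptions made for illustration.

```powershell
# Added example (not AppViewX code). Run on the Windows gateway.
# -Target and -Credential are illustrative parameter names (assumptions).
param(
    [Parameter(Mandatory)] [string] $Target,
    [pscredential] $Credential
)

$results = [ordered]@{}

# Fixed ports from the requirements table: RPC endpoint mapper (135) and SMB (445).
foreach ($port in 135, 445) {
    $probe = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
    $results["Target TCP $port reachable"] = $probe.TcpTestSucceeded
}

# Gateway-side service and tool requirements.
$results['Gateway WMI service running'] = (Get-Service -Name Winmgmt).Status -eq 'Running'
$results['Gateway certutil.exe found'] = [bool](Get-Command certutil.exe -ErrorAction SilentlyContinue)

# Force DCOM rather than WinRM, since WMI mode depends on DCOM.
$sessionArgs = @{
    ComputerName  = $Target
    SessionOption = (New-CimSessionOption -Protocol Dcom)
    ErrorAction   = 'Stop'
}
if ($Credential) { $sessionArgs.Credential = $Credential }

$session = $null
try {
    # Success here means port 135 and the dynamic port chosen by the target were
    # both reachable, and the account was accepted for remote WMI.
    $session = New-CimSession @sessionArgs

    $svc = Get-CimInstance -CimSession $session -ClassName Win32_Service -Filter "Name='Winmgmt'"
    $results['Target WMI service running'] = $svc.State -eq 'Running'

    # Locate certutil.exe in the target's system directory (WQL needs doubled backslashes).
    $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem
    $path = (Join-Path $os.SystemDirectory 'certutil.exe').Replace('\', '\\')
    $file = Get-CimInstance -CimSession $session -ClassName CIM_DataFile -Filter "Name='$path'"
    $results['Target certutil.exe found'] = [bool]$file
}
catch {
    $results['Error'] = $_.Exception.Message
}
finally {
    $results['DCOM WMI session opened'] = [bool]$session
    if ($session) { Remove-CimSession -CimSession $session }
}

[pscustomobject]$results | Format-List
```

If the fixed ports are reachable but the DCOM session fails, check the dynamic port range on intermediate firewalls and the account's rights on the target.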