...

Note - All commands below should be entered into an elevated command prompt. To do this click Start -> All Programs -> Accessories -> Command Prompt, right click then "Run as administrator".


User Credentials Requirements

To audit a machine, you must have credentials and administrator level access.

  • To audit a remote machine that is not on a domain, you must use the Administrator account (not "an" admin account, "the" Administrator account) on the target PC. **
  • To audit a remote machine on an Active Directory domain, the supplied user (or, if none is provided, the user running the script) must be a member of the target machine's Administrators group (or a group nested within it).
  • To audit localhost, any supplied credentials are disregarded and connection is made using the details of the user running the script.
  • The account must have a password; WMI does not allow blank passwords.

** NOTE - To audit a remote machine (Vista or above) that is not on a domain using an account that is in the Administrators group but is not the built-in Administrator account, see the section on UAC below.

DCOM

Run the DCOM utility and verify (or set) the below attributes. Start -> Run, Enter DCOMCNFG and press OK. This will open the DCOMCNFG window.

...

Note that Windows 8 and Server 2012 do not have a way to completely disable UAC (adjusting the slider in the GUI just disables notifications). You'll need to use the registry key method.

...

    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

Reference - https://support.microsoft.com/kb/942817

The above change will require a reboot to take effect.


Local Security Policies

Run one of the following three Microsoft Management Console (MMC) snap-ins:

...

The above changes will require a reboot to take effect.


WMI

Windows WMI (Windows Management Instrumentation) is used by the audit script for most of its information retrieval. WMI can at times become corrupted. Microsoft have released a tool to enable you to check for this corruption.

...

Using the tool is detailed here - http://blogs.technet.com/b/askperf/archive/2012/02/03/wmidiag-2-1-is-here.aspx


AntiVirus

Some antivirus programs have been known to disable DCOM and remote WMI. You might check the settings of your antivirus program and disable them for testing.


Windows Firewall

To enable remote PCs to be audited, the firewall on each target machine (most likely the Windows Firewall) must either be disabled or configured to allow access to the WMI service.
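As an added example (not part of this page or the audit project), the following PowerShell checks the prerequisites above without changing anything: run Test-WmiAuditPrereq on the target machine to check DCOM, the UAC registry value, the WMI service and the firewall WMI rule group, and run Test-WmiAuditConnection from the auditing machine to confirm a DCOM-based WMI connection works with the account you intend to use. Function names and parameters are assumptions made for this example.

```powershell
function Test-WmiAuditPrereq {
    # Run this on the machine that will be audited. All checks are read-only.
    $r = [ordered]@{}

    # DCOM must be enabled (DCOMCNFG -> "Enable Distributed COM on this computer").
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    $r['DcomEnabled'] = ($ole.EnableDCOM -eq 'Y')

    # UAC remote restriction: only needed for a non-domain target audited with a
    # local Administrators-group account other than the built-in Administrator.
    $sys = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    $r['LocalAccountTokenFilterPolicy'] = ($sys.LocalAccountTokenFilterPolicy -eq 1)

    # The WMI service itself must be running.
    $svc = Get-Service -Name winmgmt -ErrorAction SilentlyContinue
    $r['WmiServiceRunning'] = ($null -ne $svc -and $svc.Status -eq 'Running')

    # Prefer enabling the built-in inbound WMI rule group to disabling the whole firewall.
    $rules = Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound -ErrorAction SilentlyContinue
    $enabled = @($rules | Where-Object { $_.Enabled -eq 'True' })
    $r['FirewallWmiRulesEnabled'] = ($enabled.Count -gt 0)

    [pscustomobject]$r
}

function Test-WmiAuditConnection {
    # Run this from the auditing machine against one target.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [pscredential]$Credential   # omit for a domain-joined target audited as the current user
    )
    # Force DCOM so the test exercises the same path as a WMI audit, not WinRM,
    # which New-CimSession would otherwise prefer.
    $opt = New-CimSessionOption -Protocol Dcom
    $params = @{ ComputerName = $ComputerName; SessionOption = $opt; ErrorAction = 'Stop' }
    if ($Credential) { $params['Credential'] = $Credential }
    $session = $null
    try {
        $session = New-CimSession @params
        $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem
        [pscustomobject]@{ ComputerName = $ComputerName; Reachable = $true; OS = $os.Caption; Error = $null }
    } catch {
        # "Access is denied" typically points at the account/UAC requirements above;
        # "RPC server is unavailable" typically points at the firewall or antivirus.
        [pscustomobject]@{ ComputerName = $ComputerName; Reachable = $false; OS = $null; Error = $_.Exception.Message }
    } finally {
        if ($session) { Remove-CimSession $session }
    }
}
```

A false value from Test-WmiAuditPrereq maps directly to one of the sections above (DCOM, UAC, WMI, Windows Firewall), so each can be fixed before retrying the connection test.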

...