www.softinventive.com

Scanning Microsoft Windows assets

Technology

Windows Management Instrumentation (WMI) is Microsoft's implementation of the Web-Based Enterprise Management (WBEM) standard for Windows operating systems. TNI 2 gathers hardware and software data, as well as computer registry data, through the WMI interfaces.

The WMI service is pre-installed on Windows 2000 and higher. For Windows NT, Windows 95 and Windows 98 it is available for download from the Microsoft website.

There are three methods for scanning Windows-based computers.

Manual scanning is the only way to gather information from computers running Windows XP Home Edition. This OS cannot be accessed remotely due to its limitations. Any connection attempt will result in an Access denied error.

Remote scanning via SMB protocol

How it works

  1. The executable tniwinagent.exe (the agent) is uploaded to the administrator share admin$ on the remote computer.
  2. The TNI main unit connects to the Service manager on the target PC, installs the agent as a service and starts it.
  3. The agent gathers data and saves it into a compressed file. Then it stops.
  4. The main unit imports the resulting file into the storage.
  5. The agent service is uninstalled and the executable is deleted.

No trace of scanning is found on the target PC after the scan is finished.
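
An added example, not part of the original page or of TNI: step 2 installs a service, which the Windows Service Control Manager records as System event 7045, so a monitoring team can use that event to tell an expected inventory scan from another binary installed the same way. The flattened key=value export format, the scanning account CORP\svc-inventory, the host names and the agent's image path directly under the Windows directory are assumptions constructed for this example.

```python
import re
from ntpath import basename, dirname  # Windows path rules on any OS

AGENT = "tniwinagent.exe"                         # agent file name from the page
ADMIN_DIRS = {"%systemroot%", r"c:\windows"}      # admin$ exposes the Windows directory
SCAN_ACCOUNTS = {r"corp\svc-inventory"}           # hypothetical scanning account

# Constructed sample: System-log events flattened to key=value by a
# hypothetical export; 7045 = "a service was installed in the system".
SAMPLE = r'''
time=08:27:01 host=WS-014 id=7045 image="%SystemRoot%\tniwinagent.exe" installed_by="CORP\svc-inventory"
time=08:27:40 host=WS-015 id=7045 image="C:\Windows\tniwinagent.exe" installed_by="CORP\svc-inventory"
time=09:02:13 host=WS-015 id=7045 image="C:\Users\Public\tniwinagent.exe" installed_by="CORP\svc-inventory"
time=09:40:55 host=SRV-02 id=7045 image="%SystemRoot%\tniwinagent.exe" installed_by="CORP\jdoe"
time=10:05:09 host=SRV-02 id=7036 image="" installed_by=""
time=10:11:30 host=WS-020 id=7045 image="%SystemRoot%\updsvc.exe" installed_by="CORP\svc-inventory"
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Split one key=value line; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}

def classify(ev):
    """Label one event; anything but 'expected-scan'/'ignored' needs a look."""
    if ev.get("id") != "7045":
        return "ignored"
    image, installer = ev["image"].lower(), ev["installed_by"].lower()
    is_agent = basename(image) == AGENT
    known_account = installer in SCAN_ACCOUNTS
    if is_agent and dirname(image) in ADMIN_DIRS and known_account:
        return "expected-scan"
    if is_agent:
        return "review: agent name, wrong path or account"
    if known_account:
        return "review: scan account installed another binary"
    return "other-install"

def triage(text):
    """Return (host, verdict) for every event line in the export."""
    events = [parse(line) for line in text.strip().splitlines()]
    return [(ev["host"], classify(ev)) for ev in events]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE):
        print(f"{host:8} {verdict}")
```
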

Requirements for the target machine:

  • CPU: 500 MHz
  • RAM: 64 MB
  • HDD space: 0.5 MB
  • TCP ports: 139, 445
  • Services: Server, Windows Management Instrumentation (WMI), Remote Procedure Call (RPC), Remote Registry
  • Resources: ipc$, admin$
  • Protocols: SMB, NetBIOS (for Windows NT4), TCP/IP
  • Windows version: NT4 / 2000 / XP Pro / Vista / 2000 Server / 2003 Server / 2008 Server / 7

Remote scanning via RPC protocol

How it works

The TNI main unit connects directly to the WMI service on the target PC via the RPC protocol and gathers data remotely.

Disadvantages

  1. Significant traffic is generated.
  2. Scanning speed depends on connection quality.
  3. All the data processing is performed by the main unit. This considerably increases the consumption of system resources when scanning large networks.

This method has no advantage over scanning via SMB. It is recommended only when, for some reason, the SMB protocol can't be used.

Requirements for the target machine:

  • CPU: 500 MHz
  • RAM: 64 MB
  • HDD space: 0.5 MB
  • TCP ports: 139 and random ports above 1024
  • Services: Windows Management Instrumentation (WMI), Remote Procedure Call (RPC)
  • Protocols: RPC, TCP/IP
  • Windows version: 95 / 98 / NT4 / 2000 / XP Pro / Vista / 2000 Server / 2003 Server / 2008 Server / 7

Manual scanning

How it works

  1. The executable tniwinagent.exe (the agent) is copied to the target PC manually and run. When it finishes, the agent creates a file with the gathered data.
  2. The resulting data file is manually moved to TNI 2 storage.

Additionally

The agent can be run from a domain logon script, by the task scheduler or at startup.

Agent tniwinagent.exe command line parameters:

  • /path:"\\server\share" — sets the path to the folder where the data file will be placed;
  • /delay:XX — specifies the number of seconds to wait before starting the actual scan;
  • /overwrite — overwrites the data file if the target folder already contains an older version of it.

Requirements for the target machine:

  • CPU: 500 MHz
  • RAM: 64 MB
  • HDD space: 0.5 MB
  • Services: Windows Management Instrumentation (WMI)
  • Windows version: NT4 / 2000 / XP / Vista / 2000 Server / 2003 Server / 2008 Server / 7

Scanning overhead

All scanning methods consume CPU time and perform a variety of disk operations, so a slight loss of performance may occur while a computer is being scanned. Scanning usually takes 1-2 minutes.

Online scanning methods (on demand) generate network traffic:

Method   To remote computer (upload)   From remote computer (download)
SMB      0.31 MB                       0.06 MB
RPC      10 MB                         18 MB

The figures in the table are overall averages and include service data (packet headers, etc.).

The high traffic during RPC scanning results from WMI gathering data from the registry, and it depends on the number of applications and services installed on the remote computer.

Page last modified 08:27, 11 Aug 2011 by Zak
