www.softinventive.com

Technology

Windows Management Instrumentation (WMI) is Microsoft's implementation of the Web-Based Enterprise Management (WBEM) standard for Windows operating systems.

Using WMI technology, TNI 3 obtains software and hardware information, as well as computer registry data.

The WMI service is pre-installed on Windows 2000 and higher. For Windows NT, Windows 95 and Windows 98 it is available for download from the Microsoft website.

There are three methods for scanning Windows-based computers.

Manual scanning is the only way to collect information from computers running Windows XP Home Edition. This OS cannot be accessed remotely due to its limitations. Any connection attempt will result in the Access denied error.

Remote scanning via the SMB protocol

How it works

  1. Executable tniwinagent.exe (an agent) is uploaded to the administrator's shared folder admin$ on a remote computer.
  2. TNI's main unit connects to the Service manager on the target PC, installs the agent as a service and starts it.
  3. The agent collects information and saves it into a compressed file. Then it stops.
  4. The main unit imports the resulting file into the storage.
  5. The agent service is uninstalled, and the executable is deleted.

No traces of scanning will remain on the target PC after the scan is complete.
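Steps 1 and 2 above (a file written to admin$, then a service installed from it) are what Windows records as Security event 5145, when detailed file share auditing is enabled, and System event 7045. The following added example, which is not part of TNI or of the original page, pairs the two in constructed records and marks agent installs that did not come from the inventory server; the scanner address, the time window and the record layout are assumptions.

```python
import ntpath
from datetime import datetime, timedelta

AGENT = "tniwinagent.exe"        # agent file name given on the page
SCANNERS = {"10.0.0.5"}          # assumption: address of the TNI main unit
WINDOW = timedelta(minutes=2)    # assumption: longest upload-to-install gap
FILE_WRITE_DATA = 0x2            # access-mask bit for writing file data
DAY = "2024-01-01T"              # constructed date for the sample records

def image_name(image_path):
    """File name in a service ImagePath (unquoted paths are cut at a space)."""
    p = image_path.strip()
    p = p.split('"')[1] if p.startswith('"') else p.split(" ")[0]
    return ntpath.basename(p).lower()

def classify(events):
    """Verdict per service install (7045) that follows an ADMIN$ write (5145)."""
    uploads = [e for e in events if e["id"] == 5145
               and e["ShareName"].upper().endswith("ADMIN$")
               and int(e["AccessMask"], 16) & FILE_WRITE_DATA]
    findings = []
    for svc in (e for e in events if e["id"] == 7045):
        name = image_name(svc["ImagePath"])
        for up in uploads:
            gap = svc["time"] - up["time"]
            if (up["host"] == svc["host"] and timedelta(0) <= gap <= WINDOW
                    and ntpath.basename(up["RelativeTargetName"]).lower() == name):
                ok = name == AGENT and up["IpAddress"] in SCANNERS
                findings.append((svc["host"], name, up["IpAddress"],
                                 "expected" if ok else "review"))
                break
    return findings

def upload(clock, host, ip, name):    # constructed 5145 record
    return {"id": 5145, "time": datetime.fromisoformat(DAY + clock),
            "host": host, "IpAddress": ip, "ShareName": r"\\*\ADMIN$",
            "RelativeTargetName": name, "AccessMask": "0x2"}

def install(clock, host, image):      # constructed 7045 record
    return {"id": 7045, "time": datetime.fromisoformat(DAY + clock),
            "host": host, "ImagePath": image}

SAMPLE = [  # constructed events, not taken from a real log
    upload("09:00:01", "PC-01", "10.0.0.5", AGENT),
    install("09:00:03", "PC-01", r"C:\Windows\tniwinagent.exe"),
    upload("09:30:10", "PC-02", "10.0.0.77", AGENT),
    install("09:30:12", "PC-02", r'"C:\Windows\tniwinagent.exe"'),
    install("10:00:00", "PC-03", r"C:\Windows\System32\spoolsv.exe"),
]
if __name__ == "__main__":
    print(classify(SAMPLE))
```

A service install with no matching admin$ write (PC-03 in the sample) is left out of the result, so the output lists only remote upload-then-install pairs.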

Requirements for the target machine:

CPU: 500 MHz
RAM: 64 MB
HDD space: 10 MB
TCP ports: 139, 445
Services: Server; Windows Management Instrumentation (WMI); Remote Procedure Call (RPC); Remote Registry
Resources: ipc$, admin$
Protocols: SMB; NetBIOS (for Windows NT4); TCP/IP
Windows versions: 2000, XP Pro, Vista, 7, 8, 8.1, 10, Server 2000/2003/2008/2012 (R2)

Remote scanning via the RPC protocol

How it works

TNI's main unit connects directly to the WMI service on the target PC via the RPC protocol and collects information remotely.

Disadvantages

  1. Significant traffic is generated.
  2. The scanning speed depends on the connection quality.
  3. All data processing is performed by the main unit. This considerably increases the consumption of system resources when scanning large networks.

This method has no advantage over scanning via SMB. It is recommended for use only when, for whatever reason, the SMB protocol can't be used.

Requirements for the target machine:

CPU: 500 MHz
RAM: 64 MB
HDD space: 10 MB
TCP ports: 139 and random ports above 1024
Services: Windows Management Instrumentation (WMI); Remote Procedure Call (RPC)
Protocols: RPC; TCP/IP
Windows versions: 2000, XP Pro, Vista, 7, 8, 8.1, 10, Server 2000/2003/2008/2012 (R2)

Manual scanning

How it works

  1. Executable tniwinagent.exe (an agent) is copied to the target PC manually and run. Upon completion of its work, the agent creates a file containing the collected information.
  2. The resulting data file is manually moved to the TNI 3 storage.

Additionally

The agent can be run by a domain logon script, by the task scheduler or on Windows startup.

Command line parameters of the agent tniwinagent.exe:

  • /path:"\\server\share" sets the path to the folder where the data file will be placed;
  • /delay:XX specifies the delay in seconds between the agent's launch and the start of a scan;
  • /overwrite overwrites the data file if the target folder already contains an older version of it.

Requirements for the target machine

CPU: 500 MHz
RAM: 64 MB
HDD space: 10 MB
Services: Windows Management Instrumentation (WMI)
Windows versions: 2000, XP Home/Pro, Vista, 7, 8, 8.1, 10, Server 2000/2003/2008/2012 (R2)

Scanning overhead

All scanning methods require CPU time and perform a variety of disk operations, which is why an insignificant loss of performance may occur while a computer is being scanned. Scanning usually takes 1-2 minutes.

Online scanning methods (on demand) generate network traffic:

Method   To remote computer (upload)   From remote computer (download)
SMB      1.8 MB                        0.05-0.1 MB
RPC      10 MB                         18 MB

Numbers in the table represent average values including service data size (i.e. packet headers, etc.).

High traffic during RPC scanning is a result of WMI's collection of data from the registry, and it depends on the number of applications and services installed on the remote computer.

Low-level hardware scan

In the manual scan mode, as well as during remote scanning via the SMB protocol, TNI installs a third-party driver to collect low-level hardware details, such as memory SPD data, HDD S.M.A.R.T. data, etc. In the normal mode, the driver is installed and uninstalled each time a scan is run, which takes only a fraction of a second.

There's a known issue with the Intel storage driver (iastor.sys). A bug in this driver causes a BSOD during low-level disk subsystem scanning. A workaround has been implemented for this: TNI skips low-level disk scanning when the driver is detected. This behaviour can be changed in the program settings or using command-line switches in the standalone agent.

Page last modified 12:03, 22 Nov 2015 by Armo
