Scanning Microsoft Windows assets

Technology

Windows Management Instrumentation (WMI) is Microsoft’s implementation of the Web-Based Enterprise Management (WBEM) standard for Windows operating systems.

Using WMI, TNI obtains software and hardware information as well as data from the computer’s registry.

The WMI service is pre-installed on Windows 2000 and later. For Windows NT, Windows 95 and Windows 98 it is available for download from the Microsoft website or from other resources such as CNET.

There are three methods for scanning Windows-based computers: remote scanning via the SMB protocol, remote scanning via the RPC protocol, and manual scanning.

Manual scanning is the only way to collect information from computers running Windows XP Home Edition. That edition does not allow remote administrative access, so any connection attempt results in an “Access denied” error.

Remote scanning via the SMB protocol

How it works

  1. The executable tniwinagent.exe (the agent) is uploaded to the administrative share admin$ on the remote computer.
  2. TNI’s main unit connects to the Service Control Manager on the target PC, installs the agent as a service and starts it.
  3. The agent collects the information, saves it into a compressed file and then stops.
  4. The main unit imports the resulting file into the storage.
  5. The agent service is uninstalled and the executable is deleted.

No traces of scanning will remain on the target PC after the scan is complete.
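Before an SMB scan is run, an administrator will usually want to confirm that the target meets the requirements listed for this method (TCP ports 445 and 139, the Server, WMI, RPC and Remote Registry services, and the admin$ and ipc$ shares). The following PowerShell preflight check is an added example and is not part of TNI or its documentation; it assumes Windows PowerShell 5.1 on a management host that holds administrative rights on the target, and the computer name passed at the end is a placeholder.

```powershell
# Added example (not TNI's code): checks the SMB remote-scan requirements on one target.
# Assumes Windows PowerShell 5.1 and admin rights on the target; the host name is a placeholder.
function Test-TniSmbScanTarget {
    param([Parameter(Mandatory)][string]$ComputerName)

    $checks = [ordered]@{}

    # Ports listed for SMB scanning: 445 (SMB over TCP) and 139 (NetBIOS session service).
    foreach ($port in 445, 139) {
        $probe = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
        $checks["TCP $port open"] = [bool]$probe.TcpTestSucceeded
    }

    # Services listed for SMB scanning, mapped to their Windows service names.
    $services = [ordered]@{
        'Server'                                   = 'LanmanServer'
        'Windows Management Instrumentation (WMI)' = 'Winmgmt'
        'Remote Procedure Call (RPC)'              = 'RpcSs'
        'Remote Registry'                          = 'RemoteRegistry'
    }
    foreach ($label in $services.Keys) {
        try {
            # Get-Service -ComputerName queries the remote Service Control Manager over the
            # svcctl named pipe, i.e. through the ipc$ share, so success here also shows
            # that ipc$ is reachable (step 2 of the SMB method relies on the same path).
            $svc = Get-Service -ComputerName $ComputerName -Name $services[$label] -ErrorAction Stop
            $checks["Service '$label' running"] = ($svc.Status -eq 'Running')
        } catch {
            $checks["Service '$label' running"] = $false
        }
    }

    # admin$ maps to %SystemRoot% on the target; step 1 of the SMB method uploads the agent there.
    try {
        $checks['admin$ accessible'] = [bool](Test-Path -Path "\\$ComputerName\admin$" -ErrorAction Stop)
    } catch {
        $checks['admin$ accessible'] = $false
    }

    [pscustomobject]@{
        ComputerName = $ComputerName
        Ready        = -not ($checks.Values -contains $false)
        Checks       = $checks
    }
}

# Placeholder target name; replace with a real host when running the check.
Test-TniSmbScanTarget -ComputerName 'WS-PLACEHOLDER' | Format-List
```

Read from the defender’s side, the same list is the exposure every scanned host carries: ports 445 and 139 reachable from the management host, administrative shares enabled and Remote Registry running. Scope host-firewall rules for these ports to the address of TNI’s main unit rather than to the whole network, and run the scan from an account used only for inventory.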

Requirements for the target machine

Object              Parameters
CPU                 500 MHz
RAM                 64 MB
HDD space           10 MB
TCP ports           445, 139
Services            Server; Windows Management Instrumentation (WMI); Remote Procedure Call (RPC); Remote Registry
Resources (shares)  ipc$; admin$
Protocols           SMB; NetBIOS (for Windows NT4); TCP/IP
Windows versions    XP Pro, Vista, 7, 8, 8.1, 10, 11, Server 2003/2008/2012 (incl. R2)/2016/2019

Remote scanning via the RPC protocol

How it works

TNI’s main unit connects directly to the WMI service on the target PC via the RPC protocol and collects the information remotely.

Disadvantages

  1. Significant network traffic is generated.
  2. The scanning speed depends on the connection quality.
  3. All data processing is performed by the main unit, which considerably increases resource consumption when scanning large networks.

This method has no advantage over scanning via SMB. It is recommended only when, for whatever reason, the SMB protocol cannot be used.

Requirements for the target machine

Object            Parameters
CPU               500 MHz
RAM               64 MB
HDD space         10 MB
TCP ports         135, 445 and random ports above 1024
Services          Windows Management Instrumentation (WMI); Remote Procedure Call (RPC)
Protocols         RPC; TCP/IP
Windows versions  XP Pro, Vista, 7, 8, 8.1, 10, 11, Server 2003/2008/2012 (incl. R2)/2016/2019
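To make the RPC method concrete, the following PowerShell snippet performs the same kind of direct WMI query that this method relies on: a DCOM (RPC) session to the target, a few hardware and OS classes, and a walk of the Uninstall registry key through WMI’s StdRegProv provider. It is an added example and not TNI’s own code; it assumes Windows PowerShell 5.1, administrative rights on the target, and a placeholder host name. The registry-call counter it returns illustrates why the RPC method’s traffic grows with the number of installed applications.

```powershell
# Added example (not TNI's code): direct WMI collection over RPC/DCOM from one target.
# Assumes Windows PowerShell 5.1 and admin rights on the target; the host name is a placeholder.
function Get-WmiInventoryOverRpc {
    param([Parameter(Mandatory)][string]$ComputerName)

    # DCOM is WMI's classic RPC transport: TCP 135 for the endpoint mapper, then a
    # dynamic port above 1024, which matches the port requirement listed above.
    $opt     = New-CimSessionOption -Protocol Dcom
    $session = New-CimSession -ComputerName $ComputerName -SessionOption $opt
    try {
        $os  = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem
        $cpu = Get-CimInstance -CimSession $session -ClassName Win32_Processor

        # Installed software is read from the registry through the StdRegProv provider.
        # Every key costs a separate round trip, so the traffic scales with the
        # number of applications and services installed on the remote computer.
        $HKLM         = [uint32]2147483650   # 0x80000002
        $uninstallKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
        $keys = Invoke-CimMethod -CimSession $session -Namespace root/default -ClassName StdRegProv `
            -MethodName EnumKey -Arguments @{ hDefKey = $HKLM; sSubKeyName = $uninstallKey }

        $software = foreach ($name in @($keys.sNames)) {
            $value = Invoke-CimMethod -CimSession $session -Namespace root/default -ClassName StdRegProv `
                -MethodName GetStringValue -Arguments @{
                    hDefKey = $HKLM; sSubKeyName = "$uninstallKey\$name"; sValueName = 'DisplayName'
                }
            if ($value.sValue) { $value.sValue }
        }

        [pscustomobject]@{
            ComputerName  = $ComputerName
            OS            = $os.Caption
            OSVersion     = $os.Version
            Processor     = ($cpu | Select-Object -First 1).Name
            TotalRamMB    = [math]::Round($os.TotalVisibleMemorySize / 1KB)  # WMI reports KB
            Software      = @($software | Sort-Object -Unique)
            RegistryCalls = 1 + @($keys.sNames).Count   # one EnumKey plus one GetStringValue per key
        }
    } finally {
        Remove-CimSession -CimSession $session
    }
}

# Placeholder target name; replace with a real host when running the query.
Get-WmiInventoryOverRpc -ComputerName 'WS-PLACEHOLDER' | Format-List
```

Without the Dcom session option, New-CimSession would use WinRM instead of RPC, which is a different port set from the one this method requires. Note also that every registry read is performed by the querying host, which is the “all data processing is performed by the main unit” disadvantage listed above.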

Manual scanning

How it works

  1. The executable tniwinagent.exe (the agent) is copied to the target computer manually and launched.
  2. When the scan is complete, the agent creates a file containing the collected information.
  3. The resulting file must then be moved to the TNI storage.

Additionally

The agent can be run from a domain logon script, by the Task Scheduler or on Windows startup.

Command line parameters of the agent tniwinagent.exe:

  • /path:"\\server\share" sets the folder in which the data file will be placed;
  • /delay:XX specifies the delay in seconds between the agent’s launch and the start of the scan;
  • /overwrite overwrites the data file if the target folder already contains an older version of it.

See the Manual scan section for details.
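One way to run the agent on Windows startup with the parameters described above is a scheduled task. The following PowerShell registration is an added example and not part of TNI’s documentation; the agent path, the results share and the task name are placeholders, and it assumes Windows 8 / Server 2012 or later (ScheduledTasks module) in an elevated shell on the computer being inventoried.

```powershell
# Added example (not TNI's code): register a startup task that runs the standalone agent.
# Paths, share and task name are placeholders; assumes an elevated Windows PowerShell session.
$agentPath   = 'C:\ProgramData\TNI\tniwinagent.exe'   # local copy of the agent (placeholder)
$resultShare = '\\FILESRV-PLACEHOLDER\tni-results'    # folder the main unit imports from (placeholder)

# /path: where the data file is written; /delay: wait 120 s after launch so boot-time
# load settles before the scan starts; /overwrite: replace this machine's previous file.
$arguments = '/path:"{0}" /delay:120 /overwrite' -f $resultShare

$action  = New-ScheduledTaskAction -Execute $agentPath -Argument $arguments
$trigger = New-ScheduledTaskTrigger -AtStartup

# Run as SYSTEM: the low-level hardware driver the agent installs needs administrative
# rights. On the network the task then authenticates to the share as the computer
# account (DOMAIN\HOSTNAME$), which is the identity the share ACL must allow to write.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Run a missed start as soon as possible and cap the run time well above the usual 1-2 minutes.
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 30)

Register-ScheduledTask -TaskName 'TNI inventory at startup' -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Confirm what was registered.
Get-ScheduledTask -TaskName 'TNI inventory at startup' | Select-Object TaskName, State
```

The data file holds a complete hardware and software inventory of the machine, so treat the results share accordingly: grant write access to the computer accounts that run the agent and read access only to the people who import the files into TNI, and keep the agent executable in a location that standard users cannot modify, since the task runs it as SYSTEM.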

Requirements for the target machine

Object            Parameters
CPU               500 MHz
RAM               64 MB
HDD space         10 MB
Services          Windows Management Instrumentation (WMI)
Protocols         RPC; TCP/IP
Windows versions  XP Pro, Vista, 7, 8, 8.1, 10, 11, Server 2003/2008/2012 (incl. R2)/2016/2019

Scanning overhead

All scanning methods consume CPU time and perform a variety of disk operations, so a slight loss of performance may be noticed while a computer is being scanned. A scan usually takes 1-2 minutes.

Online (on-demand) scanning methods generate the following network traffic:

Method   To remote computer (upload)   From remote computer (download)
SMB      6.3 MB                        0.05-0.1 MB
RPC      10 MB                         18 MB

The numbers in the table are average values and include protocol overhead (packet headers, etc.).

The high traffic of RPC scanning results from WMI reading data from the registry; it depends on the number of applications and services installed on the remote computer.

When scanning via the SMB protocol, you can optionally leave the agent file on the remote computer for subsequent scans, which avoids uploading it again and so reduces traffic.

Low-level hardware scan

In manual scan mode, as well as during remote scanning via the SMB protocol, TNI installs a third-party driver to collect low-level hardware details such as memory SPD data and HDD S.M.A.R.T. data. In normal mode the driver is installed and uninstalled on each scan run, which takes only a fraction of a second.

There is a known issue with the Intel storage driver (iastor.sys): a bug in this driver causes a BSOD during the low-level scan of the disk subsystem. As a workaround, TNI skips the low-level disk scan when this driver is detected. This behaviour can be changed in the program settings or with the command-line switches of the standalone agent.
