Connecting to WMI on a Remote Computer

WMI can be used to manage and access WMI data on remote computers. Remote connections in WMI are affected by the Windows Firewall and DCOM settings. In Windows Vista and later operating systems, User Account Control (UAC) may also require changes to some settings. For more information, see Connecting to WMI Remotely Starting with Vista.

The following topics are discussed in this section:

Configuring a Computer for a Remote Connection

Windows Firewall is enabled by default and it blocks any data requests from remote computers, as well as callbacks that return from asynchronous calls. The firewall settings must be configured to allow these connections. For more information, see Connecting Through Windows Firewall.

Windows Server 2003:  Windows Firewall is not available. Use Internet Connection Firewall.

The correct DCOM settings must be enabled for a remote connection to work. Changing DCOM settings can allow low rights users access to a computer for a remote connection. For more information, see Securing a Remote WMI Connection.

Connecting to Remote Computers

The most basic remote connection is from Computer A to a namespace on Computer B where:

  • The same username and password credentials identify an account on Computer B. Because of User Account Control the account on Computer B must be a domain account in the Administrators group. For more information, see User Account Control and WMI.

    Windows Server 2003:  The account on Computer B must be in the Administrator group, but a domain account is not required.

  • The password for the account on Computer A is not blank.
  • Starting with Windows Vista, WMI supports connections to computers running IPv6. However, both Computer A and Computer B must be running IPv6. Either computer may be running IPv4 also. For more information, see IPv6 and IPv4 Support in WMI.
Source Computer A connecting to a namespace on Computer B

WMI makes no distinction between local and remote access. If no computer name is specified, a connection to WMI defaults to the local computer. The sections below demonstrate how to specify a computer name for a remote connection. To connect to a remote computer either in script or C++, supply the name of the remote computer in the connection. The difference between a local and a remote connection is that users can specify a user name and password in a remote connection, replacing the current user name and password. With a local connection, users cannot override the current name and password.

For more information about remote WMI connections, see:

Specifying Credentials and an Authentication Level for the Remote Connection

When creating a connection to a remote computer, specify the connection information such as the remote computer name, credentials, and the authentication level for the connection. In script, if you are connecting to a remote computer using the same credentials (domain and user name) you are logged on with, then you can specify the connection information in a moniker.

The following VBScript code example shows setting the authentication level in a moniker string.

Set objWMIService = GetObject("winmgmts:" & _
    "{impersonationLevel=Impersonate}!\\" & _
    Computer_B & "\root\cimv2")

If you connect to a remote computer in a different domain or using a different user name and password, then you must use the SWbemLocator.ConnectServer method in script or the IWbemLocator::ConnectServer method in C++. For more information and a C++ code example, see Creating a Connection to a WMI Namespace. In these methods you specify the credentials, authentication level, and namespace for the remote connection.

You should specify the WMI namespace to connect to on the remote computer because it is possible that the default namespace is not the same on different computers. Specifying the namespace ensures that you connect to the same namespace on all computers.

Some connections require a specific authentication level. For more information, see Connecting Between Different Operating Systems and Setting Client Application Process Security.

Set the authentication level to RPC_C_AUTHN_LEVEL_PKT_PRIVACY or 6 if the namespace to which you are connecting on the remote computer requires an encrypted connection before it will return data. You can also use this authentication level, even if the namespace does not require it. This ensures that data is encrypted as it crosses the network. If you attempt to set a lower authentication level than is allowed, an access denied message will be returned. For more information, see Requiring an Encrypted Connection to a Namespace.

Windows Server 2003:  For computers running Windows Server 2003 with Service Pack 1 (SP1) or earlier operating systems, providers cannot set namespace security to require encryption before returning data.

When using the ConnectServer function for remote connections, set impersonation on the security object obtained by a call to SWbemServices.Security. If your application is in Visual Basic Script, use the enumeration WbemImpersonationLevelEnum to specify impersonation level.

In the following VBScript code example, the impersonation level is 3, which is Impersonate.

strComputer = "atl-dc-01"
Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
Set objSWbemServices = objSWbemLocator.ConnectServer _
    (strComputer, "root\cimv2", "fabrikam\administrator", "password")
objSWbemServices.Security_.ImpersonationLevel = 3

In C++, the impersonation is set in the call to CoInitializeSecurity. For more information and code examples, see Creating a WMI Application Using C++.

The following VBScript code example connects to a group of remote computers in the same domain by creating an array of remote computer names and then displaying names of the Plug and Play devices—instances of Win32_PnPEntity—on each computer. To run the script below, you must be an administrator on the remote computers. Note that the "\\" required before the remote computer name is added by the script following the impersonation level setting. For more information about WMI paths, see Describing the Location of a WMI Object.


On Error Resume Next 
arrComputers = Array("Computer1","Computer2","Computer3")
For Each strComputer In arrComputers
    WScript.Echo
    WScript.Echo "===================================="
    WScript.Echo "Computer: "& strComputer
    WScript.Echo "===================================="

    Set objWMIService = GetObject("winmgmts:\\" _
        & strComputer& "\root\CIMV2") 
    Set colItems = objWMIService.ExecQuery( _
        "SELECT * FROM Win32_PnPEntity",,48) 
    For Each objItem in colItems 
        Wscript.Echo "-----------------------------------"
        Wscript.Echo "Win32_PnPEntity instance"
        Wscript.Echo "-----------------------------------"
        Wscript.Echo "Name: "& objItem.Name
        Wscript.Echo "Status: "& objItem.Status
    Next
Next

The following VBScript code example enables you to connect to a remote computer using different credentials. For example, a remote computer in a different domain or connecting to a remote computer requiring a different user name and password. In this case, use the SWbemServices.ConnectServer connection.

' Full Computer Name
' can be found by right-clicking My Computer,
' then click Properties, then click the Computer Name tab)
' or use the computer's IP address
strComputer = "FullComputerName" 
strDomain = "DOMAIN" 
Wscript.StdOut.Write "Please enter your user name:"
strUser = Wscript.StdIn.ReadLine 
Set objPassword = CreateObject("ScriptPW.Password")
Wscript.StdOut.Write "Please enter your password:"
strPassword = objPassword.GetPassword()
 
Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
Set objSWbemServices = objSWbemLocator.ConnectServer(strComputer, _
    "root\cimv2", _
     strUser, _
     strPassword, _
     "MS_409", _
     "ntlmdomain:" + strDomain)
Set colSwbemObjectSet = _
    objSWbemServices.ExecQuery("Select * From Win32_Process")
For Each objProcess in colSWbemObjectSet
    Wscript.Echo "Process Name: " & objProcess.Name 
Next

Related topics

Connecting Between Different Operating Systems
Securing a Remote WMI Connection
Connecting to a 3rd Computer-Delegation
Connecting Through Windows Firewall
Creating Processes Remotely
Securing C++ Clients and Providers
Securing Scripting Clients
Setting the Default Process Security Level Using VBScript
TechNet ScriptCenter Remote/Multiple Computer Scripting Templates

 

 

Show:
© 2014 Microsoft