Hello everybody,

Do you perhaps know a way (via script or program) to find out if, e.g., a WMI script runs from a remote PC1 and performs some tasks on another PC2 while I am sitting at a third PC, PC3?

Assume that all PCs belong to the same network and domain and have Windows XP installed.

The reason for this is that I administer a small network, and I think that one student shuts down the PC where another student works via WMI scripting.

Is there a way to monitor (via script or program) such a thing without disabling WMI remote access?

Thanks everybody

+1  A: 

You can get the credentials used to perform the shutdown by looking at verbose WMI logs.

1) Enable verbose WMI logging

  • Run 'Wmimgmt.msc' (also available under My Computer > 'Manage' > 'Services and Applications' > 'WMI Control')
  • Select 'WMI Control (Local)', right click --> select 'Properties'
  • Select 'Logging' Tab, set 'Logging level' to Verbose

2) Look at the WMI log files (default location: %WINDIR%\system32\wbemLogs) to see a record of remote access and the actions taken. Specifically, look at wbemcore.log.

Example: When I logged in remotely I saw the following entry [<domain> and <username> here were the real ones used for the remote connection]:

(Thu Aug 13 <time>) : DCOM connection from <domain>\<username> 
at authentiction level Packet, AuthnSvc = 9, AuthzSvc = 1, Capabilities = 0

Then, to execute the WMI method the student would need to GetObject Win32_OperatingSystem, which showed up like this:

(Thu Aug 13 <time>): CALL CWbemNamespace::GetObject
   BSTR ObjectPath = win32_operatingsystem
   long lFlags = 0

And finally you'd look for executing the Win32Shutdown method, which should log something like this:

(Thu Aug 13 <time>) : CALL CWbemNamespace::ExecMethodAsync
   BSTR ObjectPath = Win32_OperatingSystem
   BSTR MethodName = Win32Shutdown
Daryn
Thanks a lot Daryn
Harry
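To turn the log reading described in Daryn's answer into a check you can run over a copy of wbemcore.log, here is an added Python example (not from the original post): it parses text in the format quoted above, attributes each ExecMethodAsync of a shutdown method on Win32_OperatingSystem to the most recent "DCOM connection from" line, and goes slightly beyond the answer by also matching the class's Reboot, Shutdown and Win32ShutdownTracker methods. The log excerpt, its timestamps and the LAB\... account names are constructed for the example.

```python
import re
from collections import namedtuple
# Constructed excerpt in the shape of the wbemcore.log entries quoted in the
# answer; timestamps and the LAB\... principals are made up for this example.
SAMPLE_LOG = """\
(Thu Aug 13 10:02:11 2009) : DCOM connection from LAB\\student7
at authentiction level Packet, AuthnSvc = 9, AuthzSvc = 1, Capabilities = 0
(Thu Aug 13 10:02:11 2009): CALL CWbemNamespace::GetObject
   BSTR ObjectPath = win32_operatingsystem
(Thu Aug 13 10:02:12 2009) : CALL CWbemNamespace::ExecMethodAsync
   BSTR ObjectPath = Win32_OperatingSystem
   BSTR MethodName = Win32Shutdown
(Thu Aug 13 10:05:40 2009) : DCOM connection from LAB\\admin
(Thu Aug 13 10:05:41 2009) : CALL CWbemNamespace::ExecMethodAsync
   BSTR ObjectPath = Win32_Service.Name="Spooler"
   BSTR MethodName = StopService
"""

DCOM_RE = re.compile(r"^\((?P<ts>[^)]*)\)\s*:\s*DCOM connection from (?P<who>\S+)")
CALL_RE = re.compile(r"^\((?P<ts>[^)]*)\)\s*:\s*CALL CWbemNamespace::(?P<call>\w+)")
FIELD_RE = re.compile(r"^\s+BSTR (?P<name>ObjectPath|MethodName) = (?P<val>.+?)\s*$")

# Win32_OperatingSystem methods that power off or restart the box (the answer shows Win32Shutdown).
SHUTDOWN_METHODS = {"win32shutdown", "win32shutdowntracker", "shutdown", "reboot"}
ShutdownEvent = namedtuple("ShutdownEvent", "timestamp caller method")

def is_shutdown_call(fields):
    # Tolerate a singleton path such as Win32_OperatingSystem=@ by cutting at '='.
    path = fields.get("ObjectPath", "").split("=")[0].strip().lower()
    return path == "win32_operatingsystem" and fields.get("MethodName", "").lower() in SHUTDOWN_METHODS

def find_remote_shutdowns(log_text):
    """Return each ExecMethodAsync of a shutdown method, attributed to the latest DCOM principal.
    The attribution is positional (the log is a flat stream), so treat it as a lead to confirm."""
    events, caller, call = [], None, None
    for line in log_text.splitlines():
        if m := DCOM_RE.match(line):
            caller, call = m.group("who"), None
        elif m := CALL_RE.match(line):
            call = (m.group("call"), m.group("ts"), {})   # (call name, timestamp, BSTR fields)
        elif call and (m := FIELD_RE.match(line)):
            call[2][m.group("name")] = m.group("val")
            if call[0] == "ExecMethodAsync" and is_shutdown_call(call[2]):
                events.append(ShutdownEvent(call[1], caller, call[2]["MethodName"]))
                call = None
    return events

if __name__ == "__main__":
    for ev in find_remote_shutdowns(SAMPLE_LOG):
        print(f"{ev.timestamp}: {ev.caller} invoked Win32_OperatingSystem.{ev.method}")
```

On a real machine, read the file from the %WINDIR%\system32\wbemLogs path given in the answer instead of SAMPLE_LOG; the StopService call in the sample shows that ordinary remote WMI use is not flagged.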