wmic – RPC_C_AUTHN_LEVEL_PKT_INTEGRITY
This topic has 8 replies, 5 voices, and was last updated 1 year, 1 month ago by admin.
2021-09-16 at 6:34 PM #539
bboilet
Participant
Hello,
I’ve been using check_wmi_plus for some time without any problem.
However, I recently applied the last Patch Tuesday updates on several Windows Server 2016 machines, and I get a message in the system log (DistributedCOM 10036) on all of them about the authentication level policy to activate DCOM. The message says to raise the authentication level to at least RPC_C_AUTHN_LEVEL_PKT_INTEGRITY on the client.
I supposed it was a wmic problem, and indeed, as soon as I query WMI via wmic, the error pops up in the system log.
I discovered the recent problem with wmic and Windows 10 build 2004 on your blog, so I built the new wmic version from your site. Unfortunately, even with the new build, the issue persists.
Has anyone here seen the same issue in their environment?
Does anyone have any idea what to do to correct it? I googled a bit without any luck for the moment.
Thanks in advance for your answer.
Regards,
Baptiste.
2021-09-16 at 7:36 PM #540
admin
Keymaster
I also noticed the error messages today. It appears that the wmic calls still work, though.
The error message is:
The server-side authentication level policy does not allow the user DOMAIN\USER SID (S-SIDDETAILS) from address a.b.c.d to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.
This seems to be related to
https://www.csoonline.com/article/3622168/how-to-test-the-impact-of-new-windows-dcom-server-authentication.html
and https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c
I don’t yet know if something will stop working at some point because of this.
Whilst the error message does say “raise the activation authentication level … in client application”, this would need someone to poke around in the wmic source to fix this.
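To see which clients and accounts are triggering event 10036, the messages can be exported from the System log and tallied per client address. The following is an added example, not part of the original posts or of check_wmi_plus; the function names and sample lines are constructed for illustration, and it assumes the English message text quoted above, one event per line.

```python
import re
from collections import Counter

# Pattern built from the 10036 message text quoted in this thread.
EVENT_10036 = re.compile(
    r"does not allow the user (?P<user>.+?) SID \((?P<sid>S-[0-9-]+)\) "
    r"from address (?P<addr>\S+) to activate DCOM server"
)

def summarize(messages):
    """Count low-auth-level DCOM activations per (client address, account).

    Returns (counts, unparsed): a Counter keyed by (addr, lowercased user)
    and the list of non-empty lines that did not match the 10036 template.
    """
    counts, unparsed = Counter(), []
    for line in messages:
        line = line.strip()
        if not line:
            continue
        m = EVENT_10036.search(line)
        if m:
            counts[(m["addr"], m["user"].lower())] += 1
        else:
            unparsed.append(line)
    return counts, unparsed

def clients_to_fix(counts):
    """Client addresses ordered by how many 10036 events each produced."""
    per_addr = Counter()
    for (addr, _user), n in counts.items():
        per_addr[addr] += n
    return [addr for addr, _ in per_addr.most_common()]

# Constructed sample export: documentation addresses, made-up accounts/SIDs.
HEAD = "The server-side authentication level policy does not allow the user "
TAIL = (" to activate DCOM server. Please raise the activation authentication"
        " level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.")
SAMPLE = [
    HEAD + r"EXAMPLE\svc_nagios SID (S-1-5-21-1-2-3-1105) from address 192.0.2.10" + TAIL,
    HEAD + r"EXAMPLE\backup SID (S-1-5-21-1-2-3-1106) from address 192.0.2.25" + TAIL,
    HEAD + r"EXAMPLE\svc_nagios SID (S-1-5-21-1-2-3-1105) from address 192.0.2.10" + TAIL,
    "The Windows Update service entered the running state.",
]

if __name__ == "__main__":
    counts, unparsed = summarize(SAMPLE)
    for (addr, user), n in counts.most_common():
        print(f"{addr:15} {user:25} {n}")
    print("clients to fix:", clients_to_fix(counts), "| unparsed:", len(unparsed))
```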
2021-09-16 at 10:02 PM #541
bboilet
Participant
Hello
Thanks for your answer.
I can confirm it still works even though it fills up the system log.
However, I found the same articles as you, and according to these and my understanding, it seems a later update (early 2022) will block connections with a level lower than RPC_C_AUTHN_LEVEL_PKT_INTEGRITY – which seems to be a real problem for us.
Hope someone will catch our call with wmic source code.
2021-09-23 at 11:17 PM #545
meni2029
Participant
Hello,
We have the same concern.
As described here, we have manually set the registry key of RequireIntegrityActivationAuthenticationLevel = 1 on the target server and the check_wmi_plus (or wmic) returns:
[wmi/wmic.c:196:main()] ERROR: Login to remote object. NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
It seems to be a real problem for us too!
We’re using:
– check_wmi_plus version 1.64
– wmic package Version 4.0.0tp4-SVN-build-UNKNOWN
Cheers
2021-10-05 at 4:45 PM #549
maik.guendel
Participant
Hi,
We have the same problem: our checks are spamming the Windows syslogs with this message, which results in faster log rotation. Customers are complaining. Is there any wmic version or a replacement which can do the RPC_C_AUTHN_LEVEL_PKT_INTEGRITY?
Greetings
Maik
2021-10-05 at 6:23 PM #550
bboilet
Participant
Based on my research, wmic seems to be a dead binary – without any planned evolution.
I love the idea of agentless monitoring – especially the bonus of check_wmi (like SQL monitoring, event log) … but I’m starting to look at NSClient++, because I can’t stay without the last security patch much longer.
However, I’m still searching for a replacement. Any idea will be greatly appreciated.
2021-10-31 at 6:17 PM #559
admin
Keymaster
We are going to keep having problems with wmic unless it is fixed properly.
Please see this post https://edcint.co.nz/checkwmiplus/long-term-fix-for-wmic-keeping-check-wmi-plus-alive/
2022-03-09 at 3:42 AM #613
wornet-aer
Participant
As we stumbled upon this wmic issue today, we tried to find an easy solution, so that the existing check_wmi_plus checks still work. Please let me know if this helps!
https://github.com/simply42/check_wmi_plus_wmic_dropin
Feedback and pull requests are welcome!
Cheers
Andreas
2022-07-02 at 8:53 AM #697
admin
Keymaster
This new version of Check WMI Plus will fix all your issues