- 2021-09-16 at 6:34 PM #539
I’ve been using check_wmi_plus for some time, without any problem.
However, I recently applied the last Patch Tuesday – on several Windows Server 2016, and I get a message in the system log (DistributedCOM 10036) for all of them, about authentication level policy to activate DCOM. The message says to raise the authentication level to at least RPC_C_AUTHN_LEVEL_PKT_INTEGRITY on the client.
I supposed it was a wmic problem, and indeed as soon as I request wmi via wmic – the error pops in system log.
I discovered the recent problem with wmic and Windows 10 build 2004 in your blog, so I built the new wmic version from your site. Unfortunately, even with the new build, the issue persists.
Has anyone around seen the same issue in his environment?
Does anyone have any idea what to do to correct it? I googled a bit without any luck for the moment.
Thanks in advance for your answer.
Baptiste.
- 2021-09-16 at 7:36 PM #540 admin Keymaster
I also noticed the error messages today. It appears that the wmic calls still work though.
The error message is
The server-side authentication level policy does not allow the user DOMAIN\USER SID (S-SIDDETAILS) from address a.b.c.d to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.
This seems to be related to
I don’t yet know if something will stop working at some point because of this.
Whilst the error message does say “raise the activation authentication level … in client application” this would need someone to poke around in the wmic source to fix this.
- 2021-09-16 at 10:02 PM #541
Thanks for your answer.
I can confirm it still works even though it fills up the system log.
However, I found the same article as you, and according to it and my understanding, it seems a later update (early 2022) will block connections with a level lower than RPC_C_AUTHN_LEVEL_PKT_INTEGRITY – which seems to be a real problem for us.
Hope someone will catch our call with wmic source code.
- 2021-09-23 at 11:17 PM #545 meni2029 Participant
We have the same concern.
As described here, we have manually set the registry key of RequireIntegrityActivationAuthenticationLevel = 1 on target server and the check_wmi_plus (or wmic) returns:
[wmi/wmic.c:196:main()] ERROR: Login to remote object. NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
It seems to be a real problem for us too!
– check_wmi_plus version 1.64
– wmic package Version 4.0.0tp4-SVN-build-UNKNOWN
Cheers
- 2021-10-05 at 4:45 PM #549 maik.guendel Participant
We have the same problem, our checks are spamming the Windows syslogs with this message which results in faster log rotation. Customers are complaining. Is there any wmic version or a replacement which can do the RPC_C_AUTHN_LEVEL_PKT_INTEGRITY?
Maik
- 2021-10-05 at 6:23 PM #550
Based on my research, wmic seems to be a dead binary – without any planned evolution.
I love the idea of agentless monitoring – especially the bonus of check_wmi (like sql monitoring, event log) … but I’m starting to look at NSClient++, coz I can’t stay without the last security patch much longer.
However, I’m still searching for a replacement. Any idea will be greatly appreciated.
- 2021-10-31 at 6:17 PM #559 admin Keymaster
We are going to keep having problems with wmic unless it is fixed properly.
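
Added example, not part of any post in this thread and not check_wmi_plus or wmic code: a Python script that tallies the DistributedCOM 10036 messages quoted above by client address and user, showing which monitoring hosts still connect below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. The account names, SIDs and addresses are constructed, and it assumes the event messages have already been exported from the System log as text.

```python
import re
from collections import Counter

# Pattern follows the DistributedCOM 10036 message text quoted in this thread.
EVENT_10036 = re.compile(
    r"does not allow the user (?P<user>.+?) SID \((?P<sid>S-[0-9-]+)\) "
    r"from address (?P<addr>\S+) to activate DCOM server"
)

# Constructed sample messages (not real log data); the addresses come from
# the 192.0.2.0/24 documentation range.
_TEMPLATE = (
    "The server-side authentication level policy does not allow the user "
    "{user} SID ({sid}) from address {addr} to activate DCOM server. Please "
    "raise the activation authentication level at least to "
    "RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application."
)
SAMPLE_MESSAGES = [
    _TEMPLATE.format(user=r"EXAMPLE\svc_nagios",
                     sid="S-1-5-21-1111-2222-3333-1104", addr="192.0.2.10"),
    _TEMPLATE.format(user=r"EXAMPLE\svc_backup",
                     sid="S-1-5-21-1111-2222-3333-1105", addr="192.0.2.20"),
    _TEMPLATE.format(user=r"EXAMPLE\svc_nagios",
                     sid="S-1-5-21-1111-2222-3333-1104", addr="192.0.2.10"),
    "Some unrelated System log message that must be ignored.",
]

def parse_event(message):
    """Return (user, sid, addr) for a 10036 message, or None if no match."""
    m = EVENT_10036.search(message)
    return (m["user"], m["sid"], m["addr"]) if m else None

def clients_below_integrity(messages):
    """Count 10036 events per (address, user), noisiest client first."""
    counts = Counter()
    for msg in messages:
        parsed = parse_event(msg)
        if parsed:
            user, _sid, addr = parsed
            counts[(addr, user)] += 1
    return counts.most_common()

if __name__ == "__main__":
    for (addr, user), n in clients_below_integrity(SAMPLE_MESSAGES):
        print(f"{addr}\t{user}\t{n}")
```
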