WMI query returns null for executable path as normal user

  • Question

  • I was setting up monitoring of a few Windows 2012 R2 servers from our existing monitoring tool, which is the check_wmi_plus plugin for monitoring various parameters, and it works pretty well for most of the checks. The WMI client is installed on Linux to communicate with the Windows servers running WMI.

    I have this annoying issue with the checkprocess feature of the plugin.
    The command below is supposed to return the executable path "C:/Windows/system32/svchost", but it did not find any process with such an executable path; if I specify the process svchost directly, it finds many instances of that process.

    /usr/lib64/nagios/plugins/check_wmi_plus/check_wmi_plus.pl -H 10.96.1.62 -u wmiagent -p 12345 -m checkprocess -a C:/Windows/system32/svchost
    OK - Found 0 Instance(s) of "C:/Windows/system32/svchost" running (0 excluded). |'Process Count'=0; 'Excluded Process Count'=0;

    [root@elekpmon01 ~]# /usr/lib64/nagios/plugins/check_wmi_plus/check_wmi_plus.pl -m checkprocess -H 10.96.1.62 -u wmiagent -p 12345 -a "svchost"
    OK - Found 11 Instance(s) of "svchost" running (0 excluded).  (List is on next line)|'Process Count'=11; 'Excluded Process Count'=0;

    On further debugging, I found that the query inside the check is returning a null value for executable path and command line, but it does find the process name and PID. I really need the full path, as there are instances with the same name for different purposes, e.g. java.exe.

    This is the WMI query which returns a null value for executablepath:
    [root@elekpmon01 ~]# /usr/bin/wmic '-U' 'wmiagent%12345' '--namespace' 'root/cimv2' '//10.96.1.62' 'select Name,CommandLine,executablepath from Win32_Process'
    CLASS: Win32_Process
    CommandLine|ExecutablePath|Handle|Name
    (null)|(null)|0|System Idle Process
    (null)|(null)|4|System
    (null)|(null)|288|smss.exe
    (null)|(null)|396|csrss.exe
    (null)|(null)|448|wininit.exe
    (null)|(null)|668|svchost.exe
    (null)|(null)|748|LogonUI.exe
    (null)|(null)|756|dwm.exe
    (null)|(null)|800|svchost.exe
    (null)|(null)|828|svchost.exe
    (null)|(null)|872|svchost.exe
    (null)|(null)|1380|svchost.exe
    (null)|(null)|1396|VGAuthService.exe
    (null)|(null)|1500|vmtoolsd.exe
    (null)|(null)|1288|WmiPrvSE.exe
    (null)|(null)|7700|GoogleUpdate.exe
    (null)|(null)|5500|wrapper.exe
    (null)|(null)|1752|conhost.exe
    (null)|(null)|5204|java.exe
    The result is the same when run from the Windows command line as well.
    C:\Users\wmiagent>wmic process get description,executablepath
    Description          ExecutablePath
    
    System Idle Process
    System
    smss.exe
    csrss.exe
    wininit.exe
    csrss.exe
    winlogon.exe
    services.exe

    Note: I get the executable path when running as a builtin administrator, but not as a normal admin user. So I need to know what permission is required for a user to perform such an action.
    Thanks in advance.



    Monday, March 13, 2017 10:57 AM

Answers

All replies

  • You post is filled with junk characters and is very difficult to read (take a look at it). Please correct or re-post.

    -- Bill Stewart [Bill_Stewart]

    Monday, March 13, 2017 2:10 PM
    Moderator
  • It seems (even though the actual question is unreadable) that you are using a custom third party tool.  You will need to post in the vendors forum for help with this.

    WMI is NOT script but is a management subsystem used by many tools to access information.


    \_(ツ)_/

    Monday, March 13, 2017 3:10 PM
  • I don't know why I always get junk characters. I tried editing it many times; now it's tagged as spam :(
    Monday, March 13, 2017 3:11 PM
  • Your question is still unreadable. Unfortunately we cannot answer unreadable questions. Also, as jrv pointed out, this is not a support forum for third-party software, if that is what you are asking about.

    -- Bill Stewart [Bill_Stewart]

    Monday, March 13, 2017 3:18 PM
    Moderator
  • Hi JRV and Bill,

    I always see junk characters when I post in this forum and I know my question is unreadable and confusing, but here's the actual point:

    If I run the following in cmd, I get only the executable paths for processes owned by the same user, but if I run it as a built-in administrator, then I get the full path for all processes.

    "process get description"

    Please let me know, what permission should I set for a normal user to get executable path for all running processes.


    Monday, March 13, 2017 3:36 PM
  • (I was able to read your post before you edited it, which inserted all kinds of junk characters, again.)

    The following suggest that the behavior you describe is by design:

    http://serverfault.com/questions/193858/

    http://serverfault.com/questions/608206/

    (Hint: I found these by searching for "wmi win32_process executablepath" in a search engine.)


    -- Bill Stewart [Bill_Stewart]


    Monday, March 13, 2017 3:44 PM
    Moderator
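As an added diagnostic (not part of this thread, and not code from check_wmi_plus), the script below runs on the Windows server itself and shows which Win32_Process rows come back with a null ExecutablePath for the calling account and who owns those processes. Running it once as the monitoring account (the thread's "wmiagent") and once from an elevated prompt makes the "by design" behaviour from the linked answers visible: the rows with no path are the processes the caller is not permitted to open, which is what a check that matches on the path field then silently misses. All identifiers are standard Windows CIM/PowerShell; the only assumption is that it is run locally on the monitored server.

```powershell
# Added example: report which processes expose ExecutablePath to the current caller.
# Run on the monitored server, once as the monitoring account and once elevated, and compare.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host ("Querying Win32_Process as {0} (elevated: {1})" -f $identity.Name, $elevated)

$rows = foreach ($p in Get-CimInstance -ClassName Win32_Process) {
    # GetOwner is a method of Win32_Process; it may also be denied for processes the
    # caller cannot open, so the owner is reported as "<not accessible>" in that case.
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
    $ownerName = if ($owner -and $owner.ReturnValue -eq 0) {
        '{0}\{1}' -f $owner.Domain, $owner.User
    } else {
        '<not accessible>'
    }

    [pscustomobject]@{
        ProcessId      = $p.ProcessId
        Name           = $p.Name
        Owner          = $ownerName
        HasPath        = [bool]$p.ExecutablePath   # $false when WMI returned (null)
        ExecutablePath = $p.ExecutablePath
    }
}

# Summary: how many rows carry a path for this caller, and who owns the ones that do not.
$rows | Group-Object HasPath | ForEach-Object {
    Write-Host ("ExecutablePath present = {0}: {1} process(es)" -f $_.Name, $_.Count)
}

Write-Host "Processes with no ExecutablePath for this caller:"
$rows | Where-Object { -not $_.HasPath } |
    Sort-Object Owner, Name |
    Format-Table ProcessId, Name, Owner -AutoSize
```

If the unelevated run lists only processes owned by other accounts (SYSTEM, service accounts, other logged-on users) under "no ExecutablePath", the monitoring account is simply not allowed to open those processes, and the plugin's path-based checkprocess match has nothing to compare against; a name-based match, as in the working "svchost" run above, does not depend on that access.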