Windows Collection Module

The Windows Collection Module provides data collection for Windows server and workstation systems as part of the RISC Networks engagement process. It uses the Windows Management Instrumentation (WMI) and Server Message Block (SMB) protocols to communicate with in-scope discovered devices to collect identifying inventory data as well as ongoing performance data.

WMI

WMI has been a standard component of the Microsoft Windows operating system since Windows 2000. See the References section for links to Microsoft documentation on WMI. The Windows Collection Module uses the standard wmic utility to issue read-only WMI Query Language (WQL) queries to the WMI service on Windows devices.

The following WMI providers are queried:

WMI Provider Class                                                     Required
Win32_ComputerSystem                                                   Yes
Win32_OperatingSystem                                                  Yes
Win32_ComputerSystemProduct                                            No
Win32_Bios                                                             No
Win32_SystemEnclosure                                                  No
Win32_Processor                                                        Yes
Win32_DiskDrive                                                        Yes
Win32_Volume                                                           Yes
Win32_LogicalDisk                                                      No
Win32_Share                                                            Yes
Win32_NetworkAdapter                                                   Yes
Win32_NetworkAdapterConfiguration                                      Yes
Win32_Service                                                          No
Win32_Process                                                          Yes
MSFC_FCAdapterHBAAttributes                                            No
MSFC_FibrePortHBAAttributes                                            No
Win32_PerfRawData_PerfOS_Processor                                     Yes
Win32_PerfRawData_PerfDisk_LogicalDisk                                 Yes
Win32_PerfRawData_PerfDisk_PhysicalDisk                                Yes
Win32_PerfRawData_PerfProc_Process                                     No
Win32_PerfRawData_Tcpip_NetworkInterface                               Yes
Win32_PerfFormattedData_TermService_TerminalServices                   No
Win32_PerfFormattedData_TermService_TerminalServicesSession            No
Win32_PerfFormattedData_IMAService_CitrixIMANetworking                 No
Win32_PerfFormattedData_CitrixLicensing_CitrixLicensing                No
Win32_PerfFormattedData_MetaFrameXP_CitrixMetaFramePresentationServer  No
Win32_PerfFormattedData_CitrixICA_ICASession                           No
Win32_NTEventlogFile                                                   No
Win32_NTLogEvent                                                       No
MicrosoftDNS_AType                                                     No
MicrosoftDNS_CNAMEType                                                 No


Remote Commands

Some data collected by the Windows Collection Module is not available through WMI. For this data, the Windows Collection Module uses a facility for running commands on Windows hosts through cmd.exe. The wmiexec.py utility from the open source Impacket project is used to provide this facility.

The process uses the SMB and WMI protocols. First, a WMI session is established with the remote Windows system, and an SMB session is established with the ADMIN$ share. The WMI Win32_Process provider is used to invoke a new process through the cmd.exe command interpreter. The output of the invoked command is redirected to a file in the ADMIN$ share, and the contents of this file are read using the established SMB connection. Once all of the data has been read from the output file, the file is removed and the SMB and WMI sessions are torn down.

The output file created during this process uses an established naming convention. The name begins with two underscore characters. This is followed by the current epoch time (the number of seconds that have elapsed since January 1st, 1970), a period, and two fractional second digits. For example, __1497992728.46.

The final form of the command as invoked on the remote Windows system, where COMMAND is replaced by the command requested by the Windows Collection Module and FILENAME is replaced by a filename in the format described above, is:

cmd.exe /Q /c COMMAND 1> \\127.0.0.1\ADMIN$\FILENAME 2>&1

Remote commands support encrypted SMB sessions if the SMB server is configured for encryption. Versions 3, 2, and 1 of the SMB protocol are supported, and the session will use the highest protocol version advertised by the server. Note that SMB encryption is a feature of SMB 3.0 and later, so a session that negotiates SMB 2 or SMB 1 is not encrypted.
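The command form above is also a useful detection signature, because the same Impacket mechanism is widely used outside of authorized collection. The following is an added example (not part of this document or the RN150 software) that matches process-creation records against that exact form and flags launches that did not originate from an approved collector address; the event fields, including source_ip, are an assumed schema.

```python
import re
from datetime import datetime, timezone

# The exact command form described above: cmd.exe /Q /c COMMAND, with stdout and
# stderr redirected to __<epoch>.<2 digits> in ADMIN$ via the loopback address.
WMIEXEC_CMDLINE = re.compile(
    r"cmd\.exe /Q /c (?P<command>.+?) "
    r"1> \\\\127\.0\.0\.1\\ADMIN\$\\(?P<outfile>__(?P<epoch>\d{9,10})\.\d{2}) 2>&1$"
)


def match_wmiexec(command_line):
    """Return (command, output filename, launch time) for a matching line, else None."""
    m = WMIEXEC_CMDLINE.search(command_line)
    if not m:
        return None
    launched = datetime.fromtimestamp(int(m.group("epoch")), tz=timezone.utc)
    return m.group("command"), m.group("outfile"), launched


def scan_events(events, approved_collectors):
    """Flag process-creation events that match the pattern. Each event is a dict
    with host, source_ip (assumed field: the address that opened the WMI/SMB
    session), parent and cmdline. 'expected' is True when the source is an
    approved collector such as the RN150 appliance, False otherwise."""
    hits = []
    for ev in events:
        found = match_wmiexec(ev["cmdline"])
        if found is None:
            continue
        command, outfile, launched = found
        hits.append({"host": ev["host"], "source_ip": ev["source_ip"],
                     "parent": ev["parent"], "command": command, "outfile": outfile,
                     "launched": launched.isoformat(),
                     "expected": ev["source_ip"] in approved_collectors})
    return hits


# Constructed sample events, not real logs.
SAMPLE_EVENTS = [
    {"host": "srv01", "source_ip": "10.0.0.5", "parent": "WmiPrvSE.exe",
     "cmdline": r"cmd.exe /Q /c netstat -anop TCP 1> \\127.0.0.1\ADMIN$\__1497992728.46 2>&1"},
    {"host": "srv01", "source_ip": "10.0.0.5", "parent": "explorer.exe",
     "cmdline": "cmd.exe /c ipconfig /displaydns"},
    {"host": "srv02", "source_ip": "192.0.2.99", "parent": "WmiPrvSE.exe",
     "cmdline": r"cmd.exe /Q /c chcp.com 1> \\127.0.0.1\ADMIN$\__1500000000.01 2>&1"},
]
```

Hits whose source is not an approved collector deserve investigation; the epoch in the filename also gives the launch time independent of the event's own timestamp.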

Remote Command Reference

netstat -anop TCP
    Reports network connections.

reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall /s
    Reports installed applications.

reg query HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall /s
    Reports installed 32-bit applications on a 64-bit host.

ipconfig /displaydns
    Reports cached DNS name lookups.

chcp.com
    Reports the console code page, used to determine the text encoding format.

powershell Get-Content -Path PATH
    Retrieves the content of the file at path PATH (see Configuration File Collection below).

Netstat

The netstat command shown above reports the network connections currently active on the remote Windows host. This is used as a critical component in grouping Application Stacks and reporting application dependencies in the environment. This command is executed during the Performance collection process.

The options used in the command are:

  • -a displays all connections and listening ports
  • -n displays connections numerically, rather than resolving them to hostnames or service names
  • -o displays the process ID (PID) that has bound the socket
  • -p TCP filters the results to the TCP protocol only
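As an added example (not code from the RN150 or this document), the following parses the output of netstat -anop TCP and derives the listener and outbound-connection relationships that application dependency grouping relies on; the sample output is constructed.

```python
from collections import defaultdict


def split_endpoint(endpoint):
    """Split 'host:port' or '[ipv6]:port' as printed by netstat into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_netstat(text):
    """Parse 'netstat -anop TCP' output into connection dicts; the five columns
    are Proto, Local Address, Foreign Address, State and PID (-n, -o)."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue  # header, blank line, or a row of unexpected shape
        _, local, foreign, state, pid = fields
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        conns.append({"lhost": lhost, "lport": lport, "fhost": fhost,
                      "fport": fport, "state": state, "pid": int(pid)})
    return conns


def dependencies(conns):
    """listeners maps PID -> listening ports; outbound maps PID -> remote
    (host, port) endpoints it connected to. An ESTABLISHED row is outbound when
    its local port is not a listening port on this host (otherwise it is an
    inbound client of one of the listeners)."""
    listening = {c["lport"] for c in conns if c["state"] == "LISTENING"}
    listeners, outbound = defaultdict(set), defaultdict(set)
    for c in conns:
        if c["state"] == "LISTENING":
            listeners[c["pid"]].add(c["lport"])
        elif c["state"] == "ESTABLISHED" and c["lport"] not in listening:
            outbound[c["pid"]].add((c["fhost"], c["fport"]))
    return ({p: sorted(v) for p, v in listeners.items()},
            {p: sorted(v) for p, v in outbound.items()})


# Constructed sample output (not captured from a real host).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.10:1433         0.0.0.0:0              LISTENING       2212
  TCP    10.0.0.10:1433         10.0.0.30:52011        ESTABLISHED     2212
  TCP    10.0.0.10:49710        10.0.0.20:1433         ESTABLISHED     3344
  TCP    [::]:135               [::]:0                 LISTENING       900
"""
```

Because -n is used, no name resolution happens, so the PIDs must be joined against Win32_Process data to name the owning service.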

Installed Applications Registry Query

The reg query command shown above queries the Windows Registry for information regarding installed software. This is a read-only query. The response data includes a number of key-value pairs describing the installed software, which is filtered down to a subset of keys. This data is used for a variety of purposes, including the Application Matching and Security Module features. This command is executed during the Inventory and Performance collection processes.
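Added example, not RISC Networks code: a parser for recursive reg query output that keeps an assumed subset of values per installed application (the document only says the response is filtered to a subset of keys); the sample output is constructed.

```python
import re

# One value line from 'reg query ... /s': indented name, REG_* type, data.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")
# Values retained per application (an assumption for this example).
KEEP = ("DisplayName", "DisplayVersion", "Publisher", "InstallDate", "InstallLocation")


def parse_uninstall(text):
    """Parse recursive 'reg query' output of the Uninstall key into one dict per
    application, keeping only KEEP values. Subkeys without a DisplayName (updates,
    hidden components) are dropped, as the Programs and Features list does."""
    apps, current = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            if current and "DisplayName" in current:
                apps.append(current)
            current = {"key": line.strip()}
            continue
        m = VALUE_LINE.match(line)
        if current is not None and m and m.group("name") in KEEP:
            current[m.group("name")] = m.group("data").strip()
    if current and "DisplayName" in current:
        apps.append(current)
    return apps


# Constructed sample output (not from a real host).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{11111111-2222-3333-4444-555555555555}
    DisplayName    REG_SZ    Example Agent
    DisplayVersion    REG_SZ    2.4.1
    Publisher    REG_SZ    Example Corp
    InstallDate    REG_SZ    20170620
    UninstallString    REG_SZ    MsiExec.exe /X{11111111-2222-3333-4444-555555555555}
    EstimatedSize    REG_DWORD    0x1f40

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Example Tool
    DisplayName    REG_SZ    Example Tool
    Publisher    REG_SZ    Example Corp

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\KB000000
    ParentKeyName    REG_SZ    OperatingSystem
"""
```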

Local DNS Cache

The ipconfig /displaydns command shown above collects the contents of the local DNS cache from a Windows system, that is, the DNS names the system has recently requested. This feature is enabled by default, but may be disabled by accessing the Appliance Settings section within the Assessment page on the RN150 appliance and toggling the Windows DNS Cache Collection feature to the Off position.

CHCP

To better support international customers, the RN150 appliance automatically runs the chcp.com command when first interacting with a Windows system. This allows the RN150 to determine what text encoding that system uses when interpreting the results of a remote command. The RN150 runs this command only once for a given system and stores the result for future use; however, if the RN150 is not able to execute this command, or if data collection is not successful for that system, the command may be run on future attempts to communicate with that system.
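Added example (not RN150 code) of using the chcp.com result to decode remote command output; the fallback code page and the localized chcp wording are assumptions.

```python
import codecs
import re


def codec_from_chcp(chcp_output, fallback="cp1252"):
    """Turn the code page number printed by chcp.com into a Python codec name.
    The surrounding wording is localized, so only the number is relied upon;
    65001 is UTF-8, everything else maps to Python's cpNNN codecs. Returns the
    fallback (assumed here) when chcp produced no usable number."""
    m = re.search(r"\b(\d{3,5})\b", chcp_output or "")
    if not m:
        return fallback
    number = int(m.group(1))
    name = "utf-8" if number == 65001 else "cp%d" % number
    try:
        codecs.lookup(name)
    except LookupError:
        return fallback
    return name


def decode_remote_output(raw, chcp_output):
    """Decode raw bytes read back from the ADMIN$ output file with the codec the
    host reported; undecodable bytes become U+FFFD rather than raising."""
    return raw.decode(codec_from_chcp(chcp_output), errors="replace")


# Constructed samples: the same bytes read under two different console code pages.
OEM_850 = "Aktiv tegntabel: 850\r\n"   # a localized chcp line (wording constructed)
OEM_437 = "Active code page: 437\r\n"
RAW = b"K\x9bbenhavn\r\n"              # 0x9B is 'ø' in cp850 but '¢' in cp437
```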

Configuration File Collection

The RN150 supports an optional feature, disabled by default, that collects the content of configuration files installed on the system. For Windows devices, this includes IIS configuration files. If the feature is enabled and IIS application services are determined to be running on a Windows device, the content of C:\Windows\System32\inetsrv\config\applicationHost.config is retrieved, along with any app pool configuration files listed as an argument to the running IIS process or loaded from the applicationHost.config file.

Troubleshooting

For Windows devices, the collection module reports NTSTATUS error codes to assist in troubleshooting. The common ones are listed below:

NTSTATUS: NT_STATUS_CONNECTION_REFUSED – NT_STATUS_CONNECTION_REFUSED
    Reason: non-Windows device, or a firewall rule. Verify that the IP address is a Windows device and that there are no access restrictions between the virtual appliance and the end device.

NTSTATUS: NT_STATUS_ACCESS_DENIED – Access denied
    Reason: invalid username/password, or the user account is not a Domain Administrator or Local Administrator. Verify that the username/password is correct and that the account is either a domain administrator or a local administrator account.

NTSTATUS: NT_STATUS_IO_TIMEOUT – NT_STATUS_IO_TIMEOUT
    Reason: firewall, or host unreachable. Verify that there are no access restrictions between the virtual appliance and the end device.

NTSTATUS: NT_STATUS_HOST_UNREACHABLE – NT_STATUS_HOST_UNREACHABLE
    Reason: the remote network is not reachable by the transport. Verify that the host is IP reachable.

NTSTATUS: NT_STATUS_NETWORK_UNREACHABLE – NT_STATUS_NETWORK_UNREACHABLE
    Reason: the remote network is not reachable by the transport. Verify that the host is IP reachable.

References