
Fast WMI Network Probing

cyber_flash, 13 Aug 2009, CPOL
Scans network PCs and remotely starts notepad.exe, plus an interactive command shell via PSEXEC.

Introduction

This article explains how to scan your network for hosts on which your account has administrative access, by testing whether a remote WMI (Windows Management Instrumentation) connection succeeds, and how to start remote processes over WMI. The script attempts to create two remote processes on ComputerName: notepad.exe through the WMI Win32_Process class, and an interactive command shell via PSEXEC. Both only work when the account running the script is a local administrator on the target and DCOM/RPC (TCP 135 plus the dynamic RPC ports) and the ADMIN$ share are reachable, so run it only against machines you are authorized to test.

Background

I've been looking for code to scan a network for open administrative shares such as C$ and ADMIN$ and didn't have much luck. So, I decided to write this simple VBScript code to probe a PC and see whether the current account can connect to its WMI service and create processes there, which is what "execute/write" access to such a host amounts to.

Using the code

Create a file called wmi.vbs:

' wmi.vbs - probe one host over WMI, bounded by a watchdog (see Points of interest)
' Usage: cscript.exe wmi.vbs ComputerName
If WScript.Arguments.Count < 1 Then
    WScript.Echo "Usage: cscript.exe wmi.vbs ComputerName"
    WScript.Quit 1
End If
strComputer = WScript.Arguments(0)
sleep = 3   ' watchdog delay; "ping -n 3 127.0.0.1" pauses roughly sleep-1 seconds
WScript.Echo strComputer

' Find this script's own PID. WScript exposes no PID property, so match the
' script name in the command line of the local cscript/wscript processes.
Set objSWbemServices = GetObject("WinMgmts:Root\Cimv2")
Set colProcess = objSWbemServices.ExecQuery _
    ("Select * From Win32_Process Where Name='cscript.exe' Or Name='wscript.exe'")
For Each objProcess In colProcess
    If InStr(1, objProcess.CommandLine, WScript.ScriptName, vbTextCompare) <> 0 Then
        pid = objProcess.ProcessId
    End If
Next

On Error Resume Next
Err.Clear
Set WshShell = WScript.CreateObject("WScript.Shell")

' Watchdog: a hidden cmd waits (via ping) and then force-kills this script.
' "&&" rather than "&": when the script finishes first and kills ping (below),
' the taskkill must not fire against the already-finished script.
WshShell.Run "cmd /c ping -n " & sleep & " 127.0.0.1>nul && " & _
             "taskkill /PID " & pid & " /F", 0, False

' The call that can block for seconds to minutes on an unreachable host
Set objWMIService = GetObject("winmgmts:" & _
                    "{impersonationLevel=impersonate}!\\" & _
                    strComputer & "\root\cimv2")
If Err.Number <> 0 Then
    WScript.Echo Err.Description    ' e.g. access denied, RPC server unavailable
Else
    WScript.Echo "ok"
    ' Remote process creation through Win32_Process.Create
    Set objWMIService = GetObject("winmgmts:\\" & _
                        strComputer & "\root\cimv2:Win32_Process")
    objWMIService.Create "notepad.exe", Null, Null, intProcessID
    ' Interactive shell via PsExec (psexec.exe must be on the PATH)
    WshShell.Run "psexec \\" & strComputer & " cmd"
End If

' Finished in time: stop the watchdog. Note that /IM kills every ping.exe
' running on this machine, not only the one started above.
WshShell.Run "taskkill /IM ping.exe /T", 0, True

Then, launch it by passing your computer name:

cscript.exe wmi.vbs ComputerName

Points of interest

One problem with using WMI is that the remote GetObject call blocks until the underlying DCOM/RPC connection fails, which can take from seconds to minutes per host when the target is powered off or filters TCP 135 and the dynamic RPC ports. That is detrimentally slow if there are thousands of PCs to scan.

To work around the hang, the script schedules its own termination: a hidden cmd waits for the number of seconds given by sleep=3 and then force-kills the script with TASKKILL. The end result is that scans are fast, without creating threads or writing complex code, and most importantly the hangs are greatly reduced. Two caveats: a host whose probe was killed prints only its name, with no "ok" and no error, so it looks the same in the output as a host that was never reached; and taskkill /IM ping.exe terminates every ping.exe on the scanning machine, not only the watchdog.

To test the script, open a command prompt and type:

net view /domain

This will return a list of domains and workgroups visible through the Computer Browser service (it may return nothing on networks where that service is disabled). To get a list of PCs for a specific domain, type:

net view /domain:yourdomain

At this point, save the output and create a batch file called wmi.bat that runs the script once per host. Because the watchdog bounds each run, the batch moves on to the next host after at most sleep seconds:

cscript.exe C:\wmi.vbs COMPUTER1
cscript.exe C:\wmi.vbs COMPUTER2
cscript.exe C:\wmi.vbs COMPUTER3
...
cscript.exe C:\wmi.vbs COMPUTERN
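The following is an added PowerShell example, not the article's script. It combines the bounded-probe idea from Points of interest with the per-host loop of wmi.bat: every blocking step (the ADMIN$ share check and the DCOM/RPC connect) runs in a background job that is abandoned after a timeout, so the caller survives and can report which hosts timed out, which refused access, and which answered. The host names, the three-second timeout and the $LaunchNotepad switch are assumptions for illustration; the cmdlets are the Windows PowerShell 5.1 WMI cmdlets (Get-WmiObject, Invoke-WmiMethod).

```powershell
# Added example, not the article's script. Probes each host with a hard
# per-host timeout instead of letting a remote WMI call hang.
# Requires Windows PowerShell 5.1 (Get-WmiObject/Invoke-WmiMethod); on
# PowerShell 7 substitute Get-CimInstance/Invoke-CimMethod.
$Hosts         = @('COMPUTER1', 'COMPUTER2', 'COMPUTER3')  # constructed sample list;
                                                           # use the "net view" output
$TimeoutSec    = 3       # same role as sleep=3 in wmi.vbs (assumed value)
$LaunchNotepad = $false  # $true reproduces the article's Win32_Process.Create

function Test-WmiHost {
    param([string]$ComputerName, [int]$TimeoutSec, [bool]$Launch)

    # Everything that can block (SMB share check, DCOM/RPC connect) runs in a
    # background job, so the timeout bounds the whole probe and only the job
    # is abandoned on timeout. This replaces the "ping, then taskkill myself"
    # watchdog: the caller keeps running and can report the timeout itself.
    $job = Start-Job -ArgumentList $ComputerName -ScriptBlock {
        param($c)
        $share = Test-Path -Path "\\$c\ADMIN$" -ErrorAction SilentlyContinue
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $c `
                -ErrorAction SilentlyContinue -ErrorVariable wmiErr
        $msg = $null
        if ($wmiErr) { $msg = $wmiErr[0].Exception.Message }  # access denied, RPC unavailable, ...
        [pscustomobject]@{
            AdminShare = [bool]$share      # PsExec needs ADMIN$ to push its service
            WmiReach   = ($null -ne $os)   # root\cimv2 answered for this account
            Error      = $msg
        }
    }

    $null = Wait-Job -Job $job -Timeout $TimeoutSec
    if ($job.State -eq 'Completed') {
        $probe = Receive-Job -Job $job
    } else {
        $probe = [pscustomobject]@{ AdminShare = $false; WmiReach = $false
                                    Error = "timeout after $TimeoutSec s" }
    }
    Remove-Job -Job $job -Force   # kills a still-hanging job, caller unaffected

    $result = [ordered]@{
        Host       = $ComputerName
        AdminShare = $probe.AdminShare
        WmiReach   = $probe.WmiReach
        Error      = $probe.Error
        RemotePid  = $null
    }

    # Optional: the article's remote process creation, only once WMI answered.
    if ($Launch -and $probe.WmiReach) {
        $r = Invoke-WmiMethod -Class Win32_Process -Name Create `
                -ArgumentList 'notepad.exe' -ComputerName $ComputerName
        if ($r.ReturnValue -eq 0) { $result.RemotePid = $r.ProcessId }
        else { $result.Error = "Create failed, ReturnValue $($r.ReturnValue)" }
    }
    [pscustomobject]$result
}

$Hosts |
    ForEach-Object { Test-WmiHost -ComputerName $_ -TimeoutSec $TimeoutSec -Launch $LaunchNotepad } |
    Format-Table -AutoSize
```

A host that answers WMI but has AdminShare false will still accept Win32_Process.Create but not PsExec, since PsExec copies its service binary to ADMIN$. On the target, a process created this way appears as a child of WmiPrvSE.exe, which is why remote Win32_Process.Create is a well-known indicator of WMI-based lateral movement; keep that in mind when running this against monitored hosts.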

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

cyber_flash

United States

Article Copyright 2009 by cyber_flash