Notifications

18 views

Description

Windows process detection fails with error:

Put file on Windows host <ip_address> failed. filePath: 64/msvcp100.dll error: Unable to execute command. None of the command implementations was successful.
Command NeebulaWMI.PutFileUsingAdminShare failed. System.Exception: Failed to create connection. Unable to connect to \\<ip_address>\c$. Error=53

Release or Environment

All currently supported releases.

Cause

The process detection in windows discovery, depending on settings, will use the WMI collector. The WMI collector will attempt to collect the results from either the C$ or via sending the result file back to the MID server via HTTP.

Resolution

If WinRM is available on the target, set the following MID Server properties:

  • mid.sa.use_powershell = true
  • mid.sa.prefer_powershell = true
  • mid.sa.prefer_powershell_fallback = true


If both mid.sa.use_powershell and mid.sa.prefer_powershell are true, WMIProvider will try Powershell first. If powershell command returns nothing it will try to fall back to WMI Collector, if mid.sa.prefer_powershell_fallback is true. When it tries Powershell it will check if WinRM is available on the target and run the command via Powershell remoting. If WinRM is not availble, it will try WMI and will still need the admin share to copy the script to run on the target. Thus, WinRM needs to be setup in order to use Powershell without the admin share.

Additional Information

Article Information

Last Updated:2019-11-19 14:32:33
Published:2019-11-19