How to / Is it possible to monitor remote WMI scripting?
Do you know of a way (via script or program) to know when a WMI script is run from a remote PC 1 against some other PC 2, while I am sitting at a third PC 3?
Assume that all PCs are on the same network and domain and have Windows XP installed.
The reason for this is that I operate a small network and I think that a student is shutting down the PCs where other students work, through WMI scripting.
Without such a WMI remote access, such a script (via script or program) is such a thing.
Thank you to everyone
You can get the credentials used for the shutdown by viewing the verbose WMI logs.
1) Enable Verbose WMI logging
- Open 'Wmimgmt.msc' (also available under 'My Computer' -> 'Manage')
- Select 'WMI Control', right click -> select 'Properties'
- Select the 'Logging' tab and set 'Logging level' to Verbose
2) View the WMI log files (default location: %WINDIR%\system32\wbem\Logs) to see the records of remote access and actions carried out. Specifically, see wbemcore.log
Example: When I logged in remotely, I saw the following entry (<Domain> and <Username> here were the real ones used for the remote connection):
(Thursday Aug 13 <time>): <Domain>\<Username> at authentication level Packet, AuthnSvc = 9, AuthzSvc = 1, Capabilities = 0
Then, to execute the WMI method, the student will need to GetObject Win32_OperatingSystem, which showed:
(Thursday Aug 13 <time>): Call CWbemNamespace::GetObject BSTR ObjectPath = win32_operatingsystem long lFlags = 0
And finally the Win32Shutdown method, which should be logged as something like this:
(Thursday Aug 13 <time>): Call CWbemNamespace::ExecMethodAsync BSTR ObjectPath = Win32_OperatingSystem BSTR methodName = Win32Shutdown
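As an added example (not part of the original answer), here is one way to scan wbemcore.log text for the sequence described above and report which account connected before each Win32Shutdown call. It assumes every entry starts with a parenthesised timestamp as in the quoted lines; the sample log, the LAB\student7 and LAB\teacher accounts, and the function names are constructed for illustration.

```python
import re

# Constructed sample in the one-line form quoted in the answer above;
# the accounts and times are made-up values, not real log output.
SAMPLE_LOG = """\
(Thursday Aug 13 10:02:11 2009): LAB\\student7 at authentication level Packet, AuthnSvc = 9, AuthzSvc = 1, Capabilities = 0
(Thursday Aug 13 10:02:11 2009): Call CWbemNamespace::GetObject BSTR ObjectPath = win32_operatingsystem long lFlags = 0
(Thursday Aug 13 10:02:12 2009): Call CWbemNamespace::ExecMethodAsync BSTR ObjectPath = Win32_OperatingSystem BSTR methodName = Win32Shutdown
(Thursday Aug 13 10:05:40 2009): LAB\\teacher at authentication level Packet, AuthnSvc = 9, AuthzSvc = 1, Capabilities = 0
(Thursday Aug 13 10:05:41 2009): Call CWbemNamespace::GetObject BSTR ObjectPath = win32_operatingsystem long lFlags = 0
"""

ENTRY = re.compile(r"^\((?P<ts>[^)]*)\)\s*:\s*(?P<msg>.*)$")
CONNECT = re.compile(r"(?P<account>[^\s\\]+\\[^\s\\]+)\s+at authenti\w+ level", re.I)
SHUTDOWN = re.compile(r"ExecMethod(?:Async)?\b.*methodName\s*=\s*Win32Shutdown\b", re.I | re.S)


def entries(text):
    """Yield (timestamp, message); lines without a '(time):' prefix
    are treated as continuations of the previous entry."""
    current = None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m.group("ts"), m.group("msg")]
        elif current and line.strip():
            current[1] += " " + line.strip()
    if current:
        yield tuple(current)


def find_remote_shutdowns(text):
    """Pair each Win32Shutdown call with the most recent connection entry."""
    hits, last = [], None
    for ts, msg in entries(text):
        c = CONNECT.search(msg)
        if c:
            last = (c.group("account"), ts)
        elif SHUTDOWN.search(msg):
            account, connected = last or (None, None)
            hits.append({"account": account, "connected": connected, "called": ts})
    return hits


if __name__ == "__main__":
    for hit in find_remote_shutdowns(SAMPLE_LOG):
        print(hit)
```

Pairing a call with the most recent connection entry is a heuristic: if several remote connections overlap in the log, check the surrounding entries by hand before attributing the shutdown to an account.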