Ping a Specific Port

Question

Scott Chamberlain

Asked: 2012-06-23 10:25:10 +0800 CST2012-06-23 10:25:10 +0800 CST 2012-06-23 10:25:10 +0800 CST

WMI Error in event log every boot: EventID 5605

772

I have a few servers that I keep getting the EventID error 5605

The root\cimv2\TerminalServices namespace is marked with the RequiresEncryption flag. Access to this namespace might be denied if the script or application does not have the appropriate authentication level. Change the authentication level to Pkt_Privacy and run the script or application again.

The issue is I have no clue where this script is being run from so I can't update the script to solve the issue like every other post I have found on Event 5605. I checked the GPO for startup scripts, I checked all of my domain's SYSVOL share for a VBScript or Powershell script. I can't find this script anywhere. How can I track down this script and fix it so it stops throwing this error?

2 Answers

Voted

Malcolm McCaffery · Answer 1 · 2017-08-04T03:25:53+08:00

Use WMI Event Tracing in the Event Viewer, this will allow you to link WMI queries to a specific process.

Open Event Viewer.
On the View menu, click Show Analytic and Debug Logs.
Locate the Trace channel log for WMI under Applications and Service Logs | Microsoft | Windows | WMI Activity.
Right-click the Trace log and select Log Properties.
Click the Enable Logging check box to start the WMI event tracing.

WMI events appear in the event window for WMI-Activity.

This event log is sometimes painful to use, so you can use a script like this to start tracing and view events, with process name attached to the WMI queries:

$wmiLog = "Microsoft-Windows-WMI-Activity/Trace"
echo y | Wevtutil.exe sl $wmiLog /e:true
Read-Host -Prompt "Tracing WMI Started. Press [ENTER] to stop"
echo y | Wevtutil.exe sl $wmiLog /e:false
$events = Get-WinEvent -LogName $wmiLog -Oldest | Where-Object {$_.message.Contains("Operation = Start") -or $_.message.Contains("Operation = Provider") }

if ($events -eq $null)
{
    Write-Host "No WMI events in trace!"
    return
}

$table = New-Object System.Data.DataTable
[void]$table.Columns.Add("Computer")
[void]$table.Columns.Add("Namespace")
[void]$table.Columns.Add("Type")
[void]$table.Columns.Add("Query")
[void]$table.Columns.Add("UserName")
[void]$table.Columns.Add("Process")

ForEach ($event in $events)
{
    switch ($event.Properties.Count)
    {
        6 {
            $typeStart = $event.Properties[1].Value.IndexOf("::")+2
            $typeEnd = $event.Properties[1].Value.IndexOf(" ",$typeStart) 
            $type = $event.Properties[1].Value.Substring($typestart,$typeEnd-$typeStart)
            $query = $event.Properties[1].Value.Substring($event.Properties[1].Value.IndexOf(":",$typeEnd)+2)
            $process = Get-Process -Id ($event.Properties[2].Value) -ErrorAction SilentlyContinue
            if ($process -eq $null) 
            { 
                $process = "($($event.Properties[2].Value))"
            }
            else
            {
                $process = "$($process.Name) ($($process.Id))"
            }      

            [void]$table.Rows.Add(`
                $env:COMPUTERNAME,`
                "\\.\root\cimv2",`
                $type,`
                $query,`
                "N/A",
                $process)
        }
        8 {
            $typeStart = $event.Properties[3].Value.IndexOf("::")+2
            $typeEnd = $event.Properties[3].Value.IndexOf(" ",$typeStart) 
            $type = $event.Properties[3].Value.Substring($typestart,$typeEnd-$typeStart)
            $query = $event.Properties[3].Value.Substring($event.Properties[3].Value.IndexOf(":",$typeEnd)+2)
            $process = Get-Process -Id ($event.Properties[6].Value) -ErrorAction SilentlyContinue
            if ($process -eq $null) 
            { 
                $process = "($($event.Properties[6].Value))"
            }
            else
            {
                $process = "$($process.Name) ($($process.Id))"
            }

            [void]$table.Rows.Add(`
                $event.Properties[4].Value,`
                $event.Properties[7].Value,`
                $type,`
                $query,`
                $event.Properties[5].Value,
                $process)
        }
        default
        {
            Write-Error "Unexpected number of event properties."
            Write-Host $event
            Write-Host $event.Properties
        }
    }
}

$table | Out-GridView

Tracelog.exe and tracefmt.exe from Windows Driver Kit (WDK) can also be used for WMI tracing.

Mariyan Ivanov · Answer 2 · 2015-07-24T05:33:28+08:00

Mariyan Ivanov

2015-07-24T05:33:28+08:002015-07-24T05:33:28+08:00

As this is WMI it often reflects a remote call. For example Lansweeper scanners trigger this error but for different namespace: root\cimv2\Security\MicrosoftTPM. You might need to monitor the network traffic coming to the affected server so that you identify the source of the WMI query if it's not anything local.

0

WMI Error in event log every boot: EventID 5605

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?