Admin$ share permissions for Windows Discovery

Adz1
Mega Guru

Trying to discover a Windows 2016 server from a MID Server installed on Windows 2019.

Target server is hosted in AWS, cloud discovery works fine, IP based discovery works and the CI is created, but the pattern has errors in the log. 

Discovery is running over WMI, using the MID Server Service Account, which is a domain account.
The account is in the Administrators group on the target server. 

For all intents and purposes, it should work but something still isn't right. 

The logs indicate issues accessing the admin shares, so we tried the "Remote Capabilities Test" section of this KB: Windows Discovery Overview - Support and Troubleshooting (servicenow.com)

Running the Test-Path command returns a failed/false response.

It's a domain connected machine, so the shares are enabled by default, and Remote UAC is disabled by default. 

Any ideas on where to go next? 


2022-08-24 19:25:37  (653) PowerConsole-0d6c5ec197a95590b6bc31e11153af07>stdout DEBUG: STDOUT 37c06ef5-9637-4c61-b875-733f397b0424: <SNC_LOG>2022-08-24 19:25:37 Trying to get user temp directory from registry: HEKY_CURRENT_USER</SNC_LOG>
2022-08-24 19:25:37  (653) PowerConsole-0d6c5ec197a95590b6bc31e11153af07>stdout DEBUG: STDOUT 37c06ef5-9637-4c61-b875-733f397b0424: <SNC_LOG>2022-08-24 19:25:37 Will get specific registry entries: TMP for HKEY_CURRENT_USER/ENVIRONMENT</SNC_LOG>
2022-08-24 19:25:37  (653) PowerConsole-0d6c5ec197a95590b6bc31e11153af07>stdout DEBUG: STDOUT 37c06ef5-9637-4c61-b875-733f397b0424: <SNC_LOG>2022-08-24 19:25:37 Running: fetchAndOutputRegistries -computer [IP-ADDRESS] -cred ;</SNC_LOG>
2022-08-24 19:25:37  (733) PowerConsole-0d6c5ec197a95590b6bc31e11153af07>stdout DEBUG: STDOUT 37c06ef5-9637-4c61-b875-733f397b0424: <SNC_LOG>2022-08-24 19:25:37 Could not get user temp dir using registry. Error: Access denied </SNC_LOG>
2022-08-24 19:25:37  (733) PowerConsole-0d6c5ec197a95590b6bc31e11153af07>stdout DEBUG: STDOUT 37c06ef5-9637-4c61-b875-733f397b0424: <SNC_LOG>2022-08-24 19:25:37 We got user temp dir: </SNC_LOG>
2022-08-24 19:25:37  (733) PowerConsole-0d6c5ec197a95590b6bc31e11153af07>stdout DEBUG: STDOUT 37c06ef5-9637-4c61-b875-733f397b0424: <SNC_LOG>2022-08-24 19:25:37 We cannot use system32 based dir found in User TEMP, will not use ; Trying to get another temp directory from TempDirectory\Win32_BootConfiguration</SNC_LOG>
2022-08-24 19:25:37  (761) PowerConsole-0d6c5ec197a95590b6bc31e11153af07>stdout DEBUG: STDOUT 37c06ef5-9637-4c61-b875-733f397b0424: <SNC_LOG>2022-08-24 19:25:37 About to run: Get-CimInstance -CimSession CimSession: [IP-ADDRESS] -Namespace root\cimv2 -Query Select TempDirectory from Win32_BootConfiguration -ErrorAction Stop </SNC_LOG>
2022-08-24 19:25:37  (772) PowerConsole-0d6c5ec197a95590b6bc31e11153af07>stdout DEBUG: STDOUT 37c06ef5-9637-4c61-b875-733f397b0424: <SNC_LOG>2022-08-24 19:25:37 We cannot use system32 based dir found in Win32_BootConfiguration\TempDirectory, will not use ; default to: c:\temp</SNC_LOG>
 
2022-08-24 19:26:04  (637) PowerConsole-0d6c5ec197a95590b6bc31e11153af07>stdout DEBUG: STDOUT 37c06ef5-9637-4c61-b875-733f397b0424: <SNC_LOG>2022-08-24 19:26:04 Creating folder \\[IP-ADDRESS]\c$\temp\[REDACTED]development\[REDACTED]-nonprod-midserver\bcli_GBSVCMSV01</SNC_LOG>
2022-08-24 19:26:04  (637) PowerConsole-0d6c5ec197a95590b6bc31e11153af07>stdout DEBUG: STDOUT 37c06ef5-9637-4c61-b875-733f397b0424: <SNC_LOG>2022-08-24 19:26:04 Could not create folder using 'New-Item -Path \\[IP-ADDRESS]\c$\temp\[REDACTED]development\[REDACTED]-nonprod-midserver\bcli_GBSVCMSV01 -ItemType 'directory' -Force -ErrorAction Stop'</SNC_LOG>
2022-08-24 19:26:04  (637) PowerConsole-0d6c5ec197a95590b6bc31e11153af07>stdout DEBUG: STDOUT 37c06ef5-9637-4c61-b875-733f397b0424: <SNC_LOG>2022-08-24 19:26:04 Failed to create secure temp folder using base path \\[IP-ADDRESS]\c$\temp\[REDACTED]development\[REDACTED]-nonprod-midserver</SNC_LOG>
2022-08-24 19:26:04  (637) PowerConsole-0d6c5ec197a95590b6bc31e11153af07>stdout DEBUG: STDOUT 37c06ef5-9637-4c61-b875-733f397b0424: <SNC_LOG>2022-08-24 19:26:04 Attempting to create unsecure temp folder \\[IP-ADDRESS]\c$\temp\[REDACTED]development\[REDACTED]-nonprod-midserver</SNC_LOG>
2022-08-24 19:26:04  (637) PowerConsole-0d6c5ec197a95590b6bc31e11153af07>stderr DEBUG: STDERR 37c06ef5-9637-4c61-b875-733f397b0424: Test-Path : The network path was not found
2022-08-24 19:26:04  (652) PowerConsole-0d6c5ec197a95590b6bc31e11153af07>stdout DEBUG: STDOUT 37c06ef5-9637-4c61-b875-733f397b0424: <SNC_LOG>2022-08-24 19:26:04 Creating folder \\[IP-ADDRESS]\c$\temp\[REDACTED]development\[REDACTED]-nonprod-midserver</SNC_LOG>
2022-08-24 19:26:04  (652) PowerConsole-0d6c5ec197a95590b6bc31e11153af07>stdout DEBUG: STDOUT 37c06ef5-9637-4c61-b875-733f397b0424: <SNC_LOG>2022-08-24 19:26:04 Could not create folder using 'New-Item -Path \\[IP-ADDRESS]\c$\temp\[REDACTED]development\[REDACTED]-nonprod-midserver -ItemType 'directory' -Force -ErrorAction Stop'</SNC_LOG>
2022-08-24 19:26:04  (652) PowerConsole-0d6c5ec197a95590b6bc31e11153af07>stdout DEBUG: STDOUT 37c06ef5-9637-4c61-b875-733f397b0424: <SNC_LOG>2022-08-24 19:26:04 Failed to create unsecured temp folder \\[IP-ADDRESS]\c$\temp\[REDACTED]development\[REDACTED]-nonprod-midserver</SNC_LOG>
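The log above fails at two distinct layers: the remote registry read ends with "Access denied", but the later Test-Path ends with "The network path was not found", which is Win32 error 53 and means no SMB endpoint answered at all (TCP 445 blocked by a security group or host firewall, or the administrative shares removed), not that the share or NTFS permissions rejected the account. The following diagnostic is an added example, not code from the thread or from ServiceNow; it replays the same steps the MID Server log shows (SMB reachability, the admin share Test-Path from the KB, the WMI Win32_BootConfiguration query, the HKCU TMP registry read, the two HKLM values that gate admin share access, and the folder creation under c$\temp) so that each one can be seen to pass or fail on its own. $Target, $Credential and the DiscoC drive name are assumptions supplied by the caller; run it on the MID Server host as the discovery service account.

```powershell
<#
  Added diagnostic (not ServiceNow code): replays the access checks seen in the
  MID Server discovery log against one target, as the discovery service account.
  Assumptions: $Target is the discovered host, $Credential is the MID Server
  service account, DiscoC is a temporary drive name used only by this script.
#>
param(
    [Parameter(Mandatory)] [string] $Target,
    [Parameter(Mandatory)] [System.Management.Automation.PSCredential] $Credential
)

$HKCU = [uint32]2147483649   # StdRegProv hive constant for HKEY_CURRENT_USER
$HKLM = [uint32]2147483650   # StdRegProv hive constant for HKEY_LOCAL_MACHINE
$report  = [ordered]@{}
$session = $null

# Step 1: SMB reachability. "The network path was not found" (Win32 error 53) from
# Test-Path means nothing answered on TCP 445; that is a network/firewall condition,
# not a share or NTFS permission problem.
$tcp = Test-NetConnection -ComputerName $Target -Port 445 -WarningAction SilentlyContinue
$report['TCP 445 reachable'] = $tcp.TcpTestSucceeded

# Step 2: the KB "Remote Capabilities Test". Test-Path cannot take -Credential for the
# FileSystem provider, so the admin share is mapped with New-PSDrive as the account.
try {
    $null = New-PSDrive -Name DiscoC -PSProvider FileSystem -Root "\\$Target\c`$" `
                        -Credential $Credential -ErrorAction Stop
    $report['c$ admin share reachable'] = Test-Path 'DiscoC:\'
} catch {
    $report['c$ admin share reachable'] = "FAILED: $($_.Exception.Message)"
}

# Step 3: WMI/CIM with the same account, the Win32_BootConfiguration query from the log.
try {
    $session = New-CimSession -ComputerName $Target -Credential $Credential -ErrorAction Stop
    $boot = Get-CimInstance -CimSession $session -Namespace root\cimv2 `
                -Query 'Select TempDirectory from Win32_BootConfiguration' -ErrorAction Stop
    $report['Win32_BootConfiguration.TempDirectory'] = $boot.TempDirectory
} catch {
    $report['Win32_BootConfiguration.TempDirectory'] = "FAILED: $($_.Exception.Message)"
}

if ($session) {
    # Step 4: the "Trying to get user temp directory from registry" step, done the same
    # way the MID Server does it: a remote StdRegProv read of HKCU\Environment\TMP.
    $reg = Invoke-CimMethod -CimSession $session -Namespace root\default -ClassName StdRegProv `
               -MethodName GetStringValue `
               -Arguments @{ hDefKey = $HKCU; sSubKeyName = 'Environment'; sValueName = 'TMP' }
    $report['HKCU\Environment\TMP'] = if ($reg.ReturnValue -eq 0) { $reg.sValue } else { "Win32 error $($reg.ReturnValue)" }

    # Step 5: two HKLM values that gate admin share access. AutoShareServer=0 removes
    # c$/admin$ entirely. LocalAccountTokenFilterPolicy (Remote UAC) only filters the
    # token of LOCAL accounts; a domain account in Administrators is unaffected by it.
    foreach ($item in @(
        @{ Key = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'AutoShareServer' },
        @{ Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'LocalAccountTokenFilterPolicy' }
    )) {
        $dw = Invoke-CimMethod -CimSession $session -Namespace root\default -ClassName StdRegProv `
                  -MethodName GetDWORDValue `
                  -Arguments @{ hDefKey = $HKLM; sSubKeyName = $item.Key; sValueName = $item.Name }
        $label = "HKLM\$($item.Key)\$($item.Name)"
        if ($dw.ReturnValue -eq 0)     { $report[$label] = $dw.uValue }
        elseif ($dw.ReturnValue -eq 2) { $report[$label] = 'not set (default)' }   # ERROR_FILE_NOT_FOUND
        else                           { $report[$label] = "Win32 error $($dw.ReturnValue)" }
    }
    Remove-CimSession $session
}

# Step 6: the folder creation that failed in the log, using a throwaway name, then clean up.
if (Test-Path 'DiscoC:\') {
    $probe = "DiscoC:\temp\discovery-probe-$([guid]::NewGuid())"
    try {
        $null = New-Item -Path $probe -ItemType Directory -Force -ErrorAction Stop
        Remove-Item -Path $probe -Force
        $report['create folder under c$\temp'] = $true
    } catch {
        $report['create folder under c$\temp'] = "FAILED: $($_.Exception.Message)"
    }
    Remove-PSDrive -Name DiscoC
}

$report.GetEnumerator() | Format-Table -AutoSize
```

Reading the output top to bottom tells you which layer to look at: a false in step 1 with a working CIM session in step 3 points at TCP 445 being filtered between the MID Server and the AWS instance while WMI (135 plus dynamic RPC ports) is open; AutoShareServer=0 in step 5 means the shares were removed by policy; and a step 6 failure with everything else green is the point at which an endpoint protection product blocking remote writes into c$\temp becomes the likely cause.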

Rahul Priyadars
Giga Sage

Is this happening for all Windows servers?

Is it possible to take RDP to the remote host and, using your Discovery domain user, manually try to create a folder in the given path?

It's definitely some local configuration issue.

Regards

RP

MattSN
Mega Sage

I ran into a similar issue where the Windows service account could not access the temp directory and received "Could not get user temp dir using registry. Error: Access denied".


The cause was Defender ATP/Defender XDR.