[Discovery] Unable to get software information of windows machine

Makoto Uchiyam1

Hi,


We tried to run Discovery on a Windows device, but the "Installed Software" probe failed with a timeout.

I'm sure that's why "Software Installed", "Running Process" and "TCP Connections" weren't populated.

The CI itself was constructed.


[Target Windows device]

Windows 2016 Standard

Virtual machine on VMware Virtual Platform


[Condition of Reproduction]

* Reproducible at any time with the same instance and the same MID Server.

 - Cannot be tried from another MID Server for operational reasons.

* Not reproduced on another Windows device.


[Log]

The Discovery log showed the following message.

"Command [snc-decode-command JiB7I...(omitted)...fKSB9 | invoke-expression] timed out after PT15M"


Has anyone else encountered a similar situation?

Support told me it was due to machine load, but machine load was not high. And it reproduces every time.

Please indicate any other information needed to investigate the cause.


Hey Makoto,
I have a theory here. Also, this post made me curious. It looks like it is not using WMI at all, which probably explains why it does not work. That is my guess at least 🙂

[screenshot: the probe's script, which reads the registry rather than WMI]

It's checking the registry.
I checked on my own laptop, and it will crawl through the registry for installed software. For example, here is CrowdStrike being found, which is installed on my laptop:

[screenshot: the CrowdStrike entry found in the registry]

It is installed with "system" (S-1-5-18).

The theory I have is that "remote registry" is not working from the MID Server towards the endpoint, maybe due to restrictions on the endpoint or a firewall. So can you do a check and try "remote registry" towards the endpoint from the MID Server?

I am not 100% sure, but if you have an endpoint where it works and one where it does not, then you can probably do some testing from the MID Server and find out that something is restricted or not open in the firewall.

Maybe this helps: https://www.lifewire.com/how-to-connect-to-a-remote-registry-2625147

Kind regards,
Robin


Hi Robin,


Thanks for your reply.

I thought your theory was very reasonable, but "Remote Registry" does not seem to have anything to do with it.


I checked the "Remote Registry" service on another Windows device from which software information can be retrieved successfully, but its "Remote Registry" service was disabled. From this, it's possible that "Remote Registry" is not used to obtain the registry information. Would trying a WMI command to retrieve the registry information be the next step?

C:\Windows\system32>sc query RemoteRegistry
SERVICE_NAME: RemoteRegistry
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

Regards,
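The three things discussed in this thread can be checked from a single PowerShell script run on the MID Server: a timed local crawl of the Uninstall registry keys (the kind of crawl Robin's screenshot shows the probe doing; the exact key list the probe walks is an assumption here), the Remote Registry test Robin suggested, and the WMI StdRegProv route Makoto asked about as a next step. This is an added example written for this thread, not the probe's own script or anything from ServiceNow; the host name `TARGET-HOST` is a placeholder, and the `Uninstall` paths are the standard ones rather than a list taken from the probe.

```powershell
# Added example for this thread, not the Discovery probe's code.
# Assumption: the probe enumerates the standard Uninstall keys under HKLM (64-bit and
# WOW6432Node) and under each loaded user hive in HKEY_USERS.
param(
    [string]$ComputerName = 'TARGET-HOST'   # placeholder: the endpoint that times out
)

$uninstallPaths = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# 1. Local crawl through the registry provider, timed. Run this on the slow endpoint
#    itself: a huge key count or a long elapsed time points at the endpoint's registry,
#    not at the MID Server or the network. Only loaded profiles appear under HKEY_USERS.
function Get-LocalInstalledSoftware {
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $hives = @('HKLM:') + @(Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" })
    $items = foreach ($hive in $hives) {
        foreach ($rel in $uninstallPaths) {
            Get-ChildItem -Path "$hive\$rel" -ErrorAction SilentlyContinue | ForEach-Object {
                $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
                if ($p.DisplayName) {
                    [pscustomobject]@{ Hive = $hive; DisplayName = $p.DisplayName
                                       Version = $p.DisplayVersion; Publisher = $p.Publisher }
                }
            }
        }
    }
    $sw.Stop()
    Write-Host ("Local crawl: {0} entries in {1:n1} s" -f @($items).Count, $sw.Elapsed.TotalSeconds)
    $items
}

# 2. Remote Registry test (Robin's suggestion). OpenRemoteBaseKey needs the RemoteRegistry
#    service running on the target plus SMB/RPC reachability, so a failure here while the
#    probe still works elsewhere shows that the probe does not depend on this path.
function Test-RemoteRegistry {
    param([string]$Computer)
    try {
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
        $key = $base.OpenSubKey($uninstallPaths[0])
        $count = $key.GetSubKeyNames().Count
        $key.Close(); $base.Close()
        Write-Host "Remote Registry to ${Computer}: OK, $count Uninstall subkeys"
        $true
    } catch {
        Write-Host "Remote Registry to ${Computer}: FAILED, $($_.Exception.Message)"
        $false
    }
}

# 3. The same keys read through WMI's StdRegProv over a CIM session (WinRM by default;
#    add -SessionOption (New-CimSessionOption -Protocol Dcom) for RPC/DCOM). This does not
#    need the RemoteRegistry service, which matches the working host having it stopped.
function Get-InstalledSoftwareViaWmi {
    param([string]$Computer)
    $HKLM = [uint32]2147483650   # HKEY_LOCAL_MACHINE handle value used by StdRegProv
    $cim = New-CimSession -ComputerName $Computer
    try {
        foreach ($rel in $uninstallPaths) {
            $r = Invoke-CimMethod -CimSession $cim -Namespace root\default -ClassName StdRegProv `
                    -MethodName EnumKey -Arguments @{ hDefKey = $HKLM; sSubKeyName = $rel }
            foreach ($sub in $r.sNames) {
                $v = Invoke-CimMethod -CimSession $cim -Namespace root\default -ClassName StdRegProv `
                        -MethodName GetStringValue -Arguments @{
                            hDefKey = $HKLM; sSubKeyName = "$rel\$sub"; sValueName = 'DisplayName' }
                if ($v.sValue) { [pscustomobject]@{ Key = $sub; DisplayName = $v.sValue } }
            }
        }
    } finally { Remove-CimSession $cim }
}

# Usage: run step 1 on the endpoint, steps 2 and 3 from the MID Server.
Get-LocalInstalledSoftware | Format-Table -AutoSize
Test-RemoteRegistry -Computer $ComputerName | Out-Null
Get-InstalledSoftwareViaWmi -Computer $ComputerName | Format-Table -AutoSize
```

Comparing the elapsed time of step 1 on the slow endpoint against the working one is the quickest way to separate "this registry is pathological on that VM" from "something between the MID Server and the endpoint is slow"; if the local crawl alone approaches the 15-minute probe timeout, no transport change will fix it. Steps 2 and 3 use different transports (SMB/RPC for Remote Registry, WinRM or DCOM for CIM), so which one fails tells you which port or service to look at.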