Port Scanning Issue - Active, couldn't classify: No WMI connection

Kalpan2 · ‎03-06-2025

I am trying to discover windows server using the credentials and keep encountering "Active, couldn't classify: No WMI connection". I have performed the following steps:

Validate the Credential using RDP
Validate the ServiceNow Discovery WMI ports 135 and port ranges 49152 - 65535 between the MID Server and the Remote Windows host are open

Do I need to open 5985 for "WinRM((HTTP)"?

In addition, I am unable to discover Windows server in the same domain as my MID server (no Firewall) with the same error.

Looking forward to all your valuable suggestions.

Selva Arun · ‎03-06-2025

Hi @Kalpan2

How to Troubleshoot Windows WMI Discovery Failures in ServiceNow

Here's a systematic approach to resolve your WMI connection issues:

Verify Credentials and Permissions

Test WMI access using PowerShell from the MID Server:

powershell

$cred = Get-Credential -UserName "domain\username" -Message "Enter credentials"

Get-WmiObject -Class Win32_OperatingSystem -ComputerName "TARGET_SERVER" -Credential $cred

Ensure the account has local Administrator rights.
Verify membership in required groups (Administrators, Remote Management Users).
Test credentials directly in ServiceNow using the "Test Credential" UI action.

Network Connectivity Checks

Verify required ports are open:

Port 135 (WMI)
Dynamic ports (49152-65535)
Port 5985 (WinRM HTTP) - if using WinRM

Test port connectivity:

powershell

Test-NetConnection -ComputerName "TARGET_SERVER" -Port 135

Test-NetConnection -ComputerName "TARGET_SERVER" -Port 5985

WMI Service Verification

Check WMI service status on the target:

powershell

Get-Service -Name "Winmgmt" | Select-Object Name, Status, StartType

If the service needs a restart:

powershell

Restart-Service -Name "Winmgmt" -Force

Configure WinRM (if needed)

Run the following on the target server:

powershell

winrm quickconfig

DCOM Configuration

Open dcomcnfg.
Navigate to Component Services > Computers > My Computer > DCOM Config.
Check permissions for "Windows Management and Instrumentation."
Enable "Remote Launch" and "Remote Activation."

UAC Remote Restrictions

Create or modify the registry key to disable UAC remote restrictions:

powershell

New-ItemProperty -Path "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LocalAccountTokenFilterPolicy" -Value 1 -PropertyType DWord -Force

MID Server Specific Checks

Verify the MID Server status in ServiceNow.
Check MID Server logs for WMI-related errors.
Ensure Windows and WMI capabilities are enabled.

Additional Troubleshooting Steps

If issues persist:

Enable debug logging on the MID Server.
Check Windows Event Logs on the target server.
Review ServiceNow discovery logs.
Test WMI connectivity using the wbemtest utility.

Common Error Resolution

"Active, couldn't classify: No WMI connection"

Verify network connectivity.
Check firewall rules.
Confirm service account permissions.
Validate the WMI service is running.

"RPC server unavailable"

Check port 135 accessibility.
Verify the WMI service status.
Review firewall rules.

Best Practices

Use domain accounts when possible.
Implement least privilege access.
Document successful configurations.
Regularly monitor discovery logs.

If you need further assistance, please provide:

MID Server logs.
Discovery job logs.
Windows Event logs from the target server.
A list of troubleshooting steps already attempted.

This should help resolve your WMI discovery issues. Please share the logs or screenshots to help you further.

If you believe the solution provided has adequately addressed your query, could you please **mark it as 'Helpful'** and **'Accept it as a Solution'**? This will help other community members who might have the same question find the answer more easily.

Thank you for your consideration

Selva Arun

View solution in original post

RK2 · ‎03-06-2025

Hi,

Please try performing network packet capture to see if there is any drop in the packet and also from the MID server try connecting to the remote using WMI explorer and check if the able to access the namespace remotely.

Selva Arun · ‎03-06-2025

Hi @Kalpan2

How to Troubleshoot Windows WMI Discovery Failures in ServiceNow

Here's a systematic approach to resolve your WMI connection issues:

Verify Credentials and Permissions

Test WMI access using PowerShell from the MID Server:

powershell

$cred = Get-Credential -UserName "domain\username" -Message "Enter credentials"

Get-WmiObject -Class Win32_OperatingSystem -ComputerName "TARGET_SERVER" -Credential $cred

Ensure the account has local Administrator rights.
Verify membership in required groups (Administrators, Remote Management Users).
Test credentials directly in ServiceNow using the "Test Credential" UI action.

Network Connectivity Checks

Verify required ports are open:

Port 135 (WMI)
Dynamic ports (49152-65535)
Port 5985 (WinRM HTTP) - if using WinRM

Test port connectivity:

powershell

Test-NetConnection -ComputerName "TARGET_SERVER" -Port 135

Test-NetConnection -ComputerName "TARGET_SERVER" -Port 5985

WMI Service Verification

Check WMI service status on the target:

powershell

Get-Service -Name "Winmgmt" | Select-Object Name, Status, StartType

If the service needs a restart:

powershell

Restart-Service -Name "Winmgmt" -Force

Configure WinRM (if needed)

Run the following on the target server:

powershell

winrm quickconfig

DCOM Configuration

Open dcomcnfg.
Navigate to Component Services > Computers > My Computer > DCOM Config.
Check permissions for "Windows Management and Instrumentation."
Enable "Remote Launch" and "Remote Activation."

UAC Remote Restrictions

Create or modify the registry key to disable UAC remote restrictions:

powershell

New-ItemProperty -Path "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LocalAccountTokenFilterPolicy" -Value 1 -PropertyType DWord -Force

MID Server Specific Checks

Verify the MID Server status in ServiceNow.
Check MID Server logs for WMI-related errors.
Ensure Windows and WMI capabilities are enabled.

Additional Troubleshooting Steps

If issues persist:

Enable debug logging on the MID Server.
Check Windows Event Logs on the target server.
Review ServiceNow discovery logs.
Test WMI connectivity using the wbemtest utility.

Common Error Resolution

"Active, couldn't classify: No WMI connection"

Verify network connectivity.
Check firewall rules.
Confirm service account permissions.
Validate the WMI service is running.

"RPC server unavailable"

Check port 135 accessibility.
Verify the WMI service status.
Review firewall rules.

Best Practices

Use domain accounts when possible.
Implement least privilege access.
Document successful configurations.
Regularly monitor discovery logs.

If you need further assistance, please provide:

MID Server logs.
Discovery job logs.
Windows Event logs from the target server.
A list of troubleshooting steps already attempted.

This should help resolve your WMI discovery issues. Please share the logs or screenshots to help you further.

If you believe the solution provided has adequately addressed your query, could you please **mark it as 'Helpful'** and **'Accept it as a Solution'**? This will help other community members who might have the same question find the answer more easily.

Thank you for your consideration

Selva Arun

Kalpan2 · ‎03-12-2025

Thanks for this information and troubleshooting steps. I have run through all and everything is tested; however, Discovery fails without any error at classification.

We have decided to use patterns instead of OOTB WMI and WinRM probes. It has given us the desired results.

Amy Stamper · ‎07-22-2025

WMIC (WMI) is off on Windows 11 by default as it is Depreciated. That is probably what is causing your issue.