Commercial Support Clients: Clients with support contracts can get escalated support assistance by visiting Nagios Answer Hub. These forums are for community support services. Although we at Nagios try our best to help out on the forums here, we always give priority support to our support clients.


Support forum for Nagios Core, Nagios Plugins, NCPA, NRPE, NSCA, NDOUtils and more. Engage with the community of users including those using the open source solutions.


Postby delboy1966 » Thu Sep 30, 2021 8:09 am

This might be a longshot, but here goes.

We use check_wmi_plus.pl to do checks on our Windows estate, which has worked well up until now.
After a Windows update we are seeing lots of eventlog message's relating to DCOM account permissions.

We opened a case with Microsoft, and the upshot is we need to change the authentication method for the check, however, I don't see an option to do this in check_wmi_plus.pl.
Wondering if anyone else has seen this issue and if they found a way of changing the authentication method?

Here is what we got back from Microsoft.

> KB5005568 (for WS2019) introduced new event logging, with event ID 10036, to allow customers to easily identify if they have any applications/components encountering issues because of the authentication level in their environments during testing, without having to live debug the said applications.

> As the error message that is being logged (subject of the case) suggests, you have Nagios client application trying to activate the DCOM server on this machine with a lower authentication level.

> This is all due to the hardening behavior that will be changed in Q1 2022 so that, by default, any calls with the authentication level below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY will be rejected by the OS (not the application).

> Some applications may have implemented a mechanism (on the client-side) which detects if a call with a lower authentication level fails and then initiates a new one with a higher level. This means that you will see some 10036 events logged, but the application itself is actually working fine, without causing any problems.

> The idea of this event error is to track down the applications that are not using the more secure authentication levels and to reach out to your internal teams or 3rd party vendor/developer maintaining them.

> P.S: There are 7 authentication levels in total, from 0 to 6 and the only one that should still be used to avoid any issues is levels 5 (RPC_C_AUTHN_LEVEL_PKT_INTEGRITY).
Authentication-Level Constants (Rpcdce.h) - Win32 apps | Microsoft Docs

Thanks in advance
Posts: 92
Joined: Thu Oct 22, 2015 5:26 am

Re: check_wmi_plus.pl

Postby meni2029 » Fri Oct 01, 2021 11:46 am

Hi, not found a solution. But for your information the issue is also reported here: https://edcint.co.nz/checkwmiplus/forums/topic/wmic-rpc_c_authn_level_pkt_integrity/
Posts: 1
Joined: Thu Sep 30, 2021 7:21 am

Re: check_wmi_plus.pl

Postby alienone » Thu Oct 07, 2021 4:44 am

We got the same issue with this but have not yet find any solution.
Posts: 11
Joined: Tue May 06, 2014 9:05 am

Re: check_wmi_plus.pl

Postby mcapra » Thu Oct 07, 2021 8:24 am

I don't have a lab machine to crack open wmic and see what it does or does not support, though this definitely seems like it would be a wmic limitation.

impacket definitely supports this, and I'd started on a Python based WMI checks plugin a while ago but never finished it:
https://github.com/mcapra/nagios-check_ ... eck_wmi.py
Former Nagios employee
User avatar
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: check_wmi_plus.pl

Postby delboy1966 » Wed Oct 13, 2021 3:35 am

HI Guys

Sorry for the late reply, i've been away.

I did find that check_wmi_plus.pl allows you to include additional arguments to pass to wmic, by using -extrawmicargs.
One option you can pass is --use-security-mechanisms, where you can specify the level to use.
So, I added:

--extrawmicargs "--use-security-mechanisms=RPC_C_AUTHN_LEVEL_PKT_INTEGRITY"

To the commands in commands.cfg.

Running the check_wmi_plus.pl command from command line with the debug option shows it being sent.

QUERY: /usr/local/bin/wmic '--use-security-mechanisms=RPC_C_AUTHN_LEVEL_PKT_INTEGRITY' '-U' 'USER%PASS' '--use-security-mechanisms=RPC_C_AUTHN_LEVEL_PKT_INTEGRITY' '--namespace' 'root/cimv2' '//' 'select Name,CommandLine,ExecutablePath from Win32_Process'

But doesn't seem to work as the eventlogs are still full of the errors.

Posts: 92
Joined: Thu Oct 22, 2015 5:26 am

Re: check_wmi_plus.pl

Postby rudi.lotze » Mon Oct 18, 2021 4:47 am

Bump - anyone had any luck getting this issue resolved?
Posts: 3
Joined: Fri Oct 08, 2021 9:17 am

Re: check_wmi_plus.pl

Postby ebinjast » Fri Oct 22, 2021 3:12 am

I found a wmic on github (not the original) and it looks like it uses code from the samba project. https://github.com/astbss/wmic
Someone who understands a little of python might be able to find something that can be changed in here to raise the rpc auth level and then recompile it.

Should the rpc implementation in samba not support to raise the auth level, it would probably break some other linux -> windows stuff as well.
Posts: 1
Joined: Wed Apr 08, 2020 3:07 am

Re: check_wmi_plus.pl

Postby amoss24 » Tue Nov 23, 2021 5:56 pm

I'll add my two cents - we've also started noticing this issue on Windows servers as we update them.

Seems like there is some time to figure out a solution based on the timeline from Microsoft.


May have to consider switching to NCPA perhaps - there goes my agentless monitoring!
Posts: 12
Joined: Thu Dec 17, 2020 1:19 pm

Re: check_wmi_plus.pl

Postby stuartbeckasg » Sun Jan 16, 2022 10:46 pm

Hi All,

Just wondering what the consensus is for WMI based Nagios checks going forward?
Is this still an option or will we need to migrate the checks over to something else?

Posts: 3
Joined: Mon Sep 02, 2019 9:11 pm

Return to Open Source Nagios Projects

Who is online

Users browsing this forum: Fess [Nagios Bot], Google [Bot], Majestic-12 [Bot] and 12 guests