Hello Fellas,
I have created a non-admin user, and trying to get details of Win32_Process but i'm either not getting any value or incorrect value for commandLine argument. I followed below steps to create the non-admin user and to give permissions to the non-admin user :
Non-admin User creation-
Create a discovery user account on the stand-alone Windows server.
- Open Computer Management Console by running the compmgmt.msc command.
- In the navigation tree, expand System Tools > Local Users and Groups > Users
- From the Action menu, click New User
- Provide the following information:
- User name: user1
- Full name: non-admin user
- Description: non-admin user
- Password
- Clear the User must change password at next logon check box.
- Select the Password never expires check box.
- Click Create
To verify whether the new user is a standard user by default, right-click the user name, and then click Properties. In the Properties window, go to the Member Of tab. If the user is a standard user, Administrators group is not on the list.
Setting up the WMI configuration-
When you set up the WMI configuration, you can add the user to the access list to enable permissions that are required for the discovery.
- In the navigation tree of the Computer Management Console, expand Services and Applications > WMI Control.
- From the Action menu, click Properties.
- Click the Security tab, select Root namespace, and click Security.
- Add the ibmcol user to the list. The following permissions must be allowed:
- Execute Methods
- Enable Account
- Remote Enable
- Click Advanced and choose the ibmcol user from the list
- Change the Apply to property to This namespace and subnamespaces.
- Click OK.
Setting up the DCOM Access for ibmcol on the stand-alone Windows server-
Complete the following steps to set up the DCOM Access for the user on the stand-alone Windows server.
- Open the Component Services Administrative Tool by running the dcomcnfg command.
- In the navigation tree, expand Component Services > Computers > My Computer
- From the Action menu, click Properties , and go to the COM Security tab.
- In the Access Permissions section, click Edit Default
- Add the user1 to the list and ensure that it has the Local Accessand Remote Accesspermissions enabled, and click OK
- In the Access Permissions section, click Edit Limits
- Add the user1 to the list and ensure that the Local Accessand Remote Accesspermissions are enabled, and click OK
- In the Launch and Activation Permissions section, click Edit Default
- Add the user1 to the list and ensure that it has the Local Launchand Remote Launchpermissions enabled, and click OK
- In the Launch and Activation Permissions section, click Edit Limits
- Add the user1 to the list and ensure that the Local Launch, Remote Launch, Local Activation, and Remote Activationpermissions are enabled, and click OK.
- Restart the Windows server.
What I have tried:
I have created a below .vbs script -
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set colProcess= objWMIService.ExecQuery("SELECT * FROM Win32_Process")
For Each objProcess In colProcess
WScript.Echo "Process Name: " & objProcess.Name & ",Command line: " & objProcess.commandline
Next
As I executed this script from Administrator user it is giving proper o/p as-
Process Name: notepad++.exe,Command line: "C:\Program Files\Notepad++\notepad++.exe" "C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Log\ERRORLOG"
Process Name: msedge.exe,Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1.5 --num-raster-threads=1 --renderer-client-id=61 --time-ticks-at-unix-epoch=-1710314528264240 --launch-time-ticks=86505940061 --mojo-platform-channel-handle=5492 --field-trial-handle=2024,i,7735249812583322662,9714461642129916857,262144 --variations-seed-version /prefetch:1
Process Name: msedge.exe,Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=5168 --field-trial-handle=2024,i,7735249812583322662,9714461642129916857,262144 --variations-seed-version /prefetch:8
Process Name: sqlservr.exe,Command line: "C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER
Process Name: SQLAGENT.EXE,Command line: "C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\SQLAGENT.EXE" -i MSSQLSERVER
Process Name: conhost.exe,Command line: \??\C:\Windows\system32\conhost.exe 0x4
Process Name: fdhost.exe,Command line: "C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\fdhost.exe" "MSSQL16.MSSQLSERVERD33b06c22f3184f4737fbdc7ff9fb0698fed98no53i" "MSSQL16.MSSQLSERVER" "MSSQL16.MSSQLSERVER" "4" "" "16384" "M" "0" "" "" ""
Process Name: conhost.exe,Command line: \??\C:\Windows\system32\conhost.exe 0x4
Process Name: msmdsrv.exe,Command line: "C:\Program Files\Microsoft SQL Server\MSAS16.MSSQLSERVER\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSAS16.MSSQLSERVER\OLAP\Config"
Process Name: sqlceip.exe,Command line: "C:\Program Files\Microsoft SQL Server\MSAS16.MSSQLSERVER\OLAP\Bin\sqlceip.exe" -Service MSSQLSERVER MSAS
Process Name: sqlbrowser.exe,Command line: "C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe"
Process Name: sqlceip.exe,Command line: "C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\sqlceip.exe" -Service
Process Name: MsDtsSrvr.exe,Command line: "C:\Program Files\Microsoft SQL Server\160\DTS\Binn\MsDtsSrvr.exe"
Process Name: sqlceip.exe,Command line: "C:\Program Files\Microsoft SQL Server\160\DTS\Binn\sqlceip.exe" -Service default MSIS
Process Name: sqlwriter.exe,Command line: "C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
Process Name: mmc.exe,Command line: "C:\Windows\SysWOW64\mmc.exe" /32 C:\Windows\SysWOW64\SQLServerManager16.msc
Process Name: unsecapp.exe,Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
Process Name: Ssms.exe,Command line: "C:\Program Files (x86)\Microsoft SQL Server Management Studio 19\Common7\IDE\Ssms.exe"
Process Name: mmc.exe,Command line: "C:\Windows\SysWOW64\mmc.exe" /32 C:\Windows\SysWOW64\SQLServerManager16.msc
Process Name: unsecapp.exe,Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
Process Name: cmd.exe,Command line: "C:\Windows\system32\cmd.exe"
Process Name: conhost.exe,Command line: \??\C:\Windows\system32\conhost.exe 0x4
Process Name: msedge.exe,Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1.5 --num-raster-threads=1 --renderer-client-id=98 --time-ticks-at-unix-epoch=-1710314528264240 --launch-time-ticks=92784109333 --mojo-platform-channel-handle=6876 --field-trial-handle=2024,i,7735249812583322662,9714461642129916857,262144 --variations-seed-version /prefetch:1
Process Name: dllhost.exe,Command line: C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
Process Name: cmd.exe,Command line: "C:\Windows\system32\cmd.exe"
Process Name: conhost.exe,Command line: \??\C:\Windows\system32\conhost.exe 0x4
Process Name: regedit.exe,Command line: "C:\Windows\regedit.exe"
Process Name: msedge.exe,Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1.5 --num-raster-threads=1 --renderer-client-id=134 --time-ticks-at-unix-epoch=-1710314528264240 --launch-time-ticks=93756406444 --mojo-platform-channel-handle=8764 --field-trial-handle=2024,i,7735249812583322662,9714461642129916857,262144 --variations-seed-version /prefetch:1
Process Name: mmc.exe,Command line: "C:\WINDOWS\SYSTEM32\MMC.EXE" "C:\WINDOWS\SYSTEM32\GPEDIT.MSC"
Process Name: ApplicationFrameHost.exe,Command line: C:\Windows\system32\ApplicationFrameHost.exe -Embedding
But for the non-admin user I'm not getting value of commandLine as below -
Process Name: msedge.exe,Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1.5 --num-raster-threads=1 --renderer-client-id=11 --time-ticks-at-unix-epoch=-1710314528266916 --launch-time-ticks=84642249813 --mojo-platform-channel-handle=5300 --field-trial-handle=2404,i,2867887684073055332,4233896353366572665,262144 --variations-seed-version /prefetch:1
Process Name: msedge.exe,Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1.5 --num-raster-threads=1 --renderer-client-id=17 --time-ticks-at-unix-epoch=-1710314528266916 --launch-time-ticks=84657853849 --mojo-platform-channel-handle=4692 --field-trial-handle=2404,i,2867887684073055332,4233896353366572665,262144 --variations-seed-version /prefetch:1
Process Name: msedge.exe,Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1.5 --num-raster-threads=1 --renderer-client-id=18 --time-ticks-at-unix-epoch=-1710314528266916 --launch-time-ticks=84658031655 --mojo-platform-channel-handle=6724 --field-trial-handle=2404,i,2867887684073055332,4233896353366572665,262144 --variations-seed-version /prefetch:1
Process Name: msedge.exe,Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=4768 --field-trial-handle=2404,i,2867887684073055332,4233896353366572665,262144 --variations-seed-version /prefetch:8
Process Name: mmc.exe,Command line:
Process Name: mmc.exe,Command line:
Process Name: notepad++.exe,Command line:
Process Name: msedge.exe,Command line:
Process Name: msedge.exe,Command line:
Process Name: sqlservr.exe,Command line:
Process Name: SQLAGENT.EXE,Command line:
Process Name: conhost.exe,Command line:
Process Name: fdhost.exe,Command line:
Process Name: conhost.exe,Command line:
Process Name: msmdsrv.exe,Command line:
Process Name: sqlceip.exe,Command line:
Process Name: sqlbrowser.exe,Command line:
Process Name: sqlceip.exe,Command line:
Process Name: MsDtsSrvr.exe,Command line:
Process Name: sqlceip.exe,Command line:
Process Name: sqlwriter.exe,Command line:
Process Name: Ssms.exe,Command line: "C:\Program Files (x86)\Microsoft SQL Server Management Studio 19\Common7\IDE\Ssms.exe"
Process Name: mmc.exe,Command line: "C:\Windows\SysWOW64\mmc.exe" /32 C:\Windows\SysWOW64\SQLServerManager16.msc
Process Name: unsecapp.exe,Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
Process Name: cmd.exe,Command line: "C:\Windows\system32\cmd.exe"
Process Name: conhost.exe,Command line: \??\C:\Windows\system32\conhost.exe 0x4
Process Name: msedge.exe,Command line:
Process Name: dllhost.exe,Command line:
Process Name: cmd.exe,Command line: "C:\Windows\system32\cmd.exe"
Process Name: conhost.exe,Command line: \??\C:\Windows\system32\conhost.exe 0x4
Process Name: regedit.exe,Command line: "C:\Windows\regedit.exe"
Process Name: msedge.exe,Command line:
Process Name: mmc.exe,Command line:
So, am I missing any property, or configuration for the non-admin user. Please guide.
Submit an article or tip