I wrote a PowerShell script that performs a software audit of a Microsoft network. However, half the machines on the network returned an error saying Invalid Class 0x80041010. When I ran a WMI query against a failed computer manually, sure enough it failed again!
wmic /Failfast:on /node:"ausdc01" product GET /all
Node - AUSDC01
ERROR:
Code = 0x80041010
Description = Invalid class
Facility = WMI
When PowerShell queried it I also got an error:
Get-WmiObject : Invalid Class
When performing these queries against the server the following event logs were generated under the Application logs:
Event Type: Error
Event Source: WinMgmt
Event Category: None
Event ID: 10
Date: 1/12/2009
Time: 9:57:43 AM
User: N/A
Computer: AUSDC01
Description:
Event filter with query "select * from MSMCAEvent_MemoryError where (type = 3221553223) and (LogToEventlog <> 0)" could not be (re)activated in namespace "//./root/WMI" because of error 0x80041010. Events may not be delivered through this filter until the problem is corrected.
Event Type: Error
Event Source: WinMgmt
Event Category: None
Event ID: 10
Date: 1/12/2009
Time: 9:57:43 AM
User: N/A
Computer: AUSDC01
Description:
Event filter with query "select * from MSMCAEvent_PCIBusError where (type = 2147811416) and (LogToEventlog <> 0)" could not be (re)activated in namespace "//./root/WMI" because of error 0x80041010. Events may not be delivered through this filter until the problem is corrected.
Event Type: Error
Event Source: WinMgmt
Event Category: None
Event ID: 10
Date: 1/12/2009
Time: 9:57:43 AM
User: N/A
Computer: AUSDC01
Description:
Event filter with query "select * from MSMCAEvent_SMBIOSError where (type = 3221553253) and (LogToEventlog <> 0)" could not be (re)activated in namespace "//./root/WMI" because of error 0x80041010. Events may not be delivered through this filter until the problem is corrected.
Event Type: Error
Event Source: WinMgmt
Event Category: None
Event ID: 10
Date: 1/12/2009
Time: 9:57:43 AM
User: N/A
Computer: AUSDC01
Description:
Event filter with query "select * from MSMCAEvent_CPUError where (type = 2147811392) and (LogToEventlog <> 0)" could not be (re)activated in namespace "//./root/WMI" because of error 0x80041010. Events may not be delivered through this filter until the problem is corrected.
Event Type: Error
Event Source: WinMgmt
Event Category: None
Event ID: 10
Date: 1/12/2009
Time: 9:57:43 AM
User: N/A
Computer: AUSDC01
Description:
Event filter with query "select * from MSMCAEvent_PlatformSpecificError where (type = 3221553255) and (LogToEventlog <> 0)" could not be (re)activated in namespace "//./root/WMI" because of error 0x80041010. Events may not be delivered through this filter until the problem is corrected.
I installed WMITools on both a server that was working correctly and a server that was not working. Download WMITools from here:
http://www.microsoft.com/downloads/details.aspx?familyid=6430F853-1120-48DB-8CC5-F2ABDC3ED314&displaylang=en
In the WMI CIM Studio I saw that the CIM_Products\Win32_Product WMI class existed on one server, but not on the other.
Server that fails with the WMI error 0x80041010:
Server that worked:
After some more research I found out that this Win32_Product class object gets added in when the Management and Monitoring Tools --> WMI Windows Installer Provider is installed.
Add this component and it will resolve the problem:
Remotely Push Out WMI Windows Installer Provider
In my case I want to use the WMI Windows Installer Provider to perform a software inventory of my network. I cannot do this if this component isn't installed on every computer throughout my domain. It is installed by default on Vista, 2008 and Windows 7, but not on Windows XP or 2003.
To do this, first we must place the i386 folder from a Windows 2003 CD on a network share, as the WMI Windows Installer Provider requires a few files from it.
Next we have to create a custom .reg file to change where our computers look for the i386 directory for Windows component files. This data is located under:
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup
The two main values we need to change are CDInstall, which should be 0 as we are not installing from a CD, and SourcePath. Whatever you put as SourcePath, the Add/Remove Windows Components utility will add \i386 to the end of it. I shared my i386 directory out as "i386", so to navigate to it I need to type \\ausdc01\i386. This means I enter my SourcePath as \\ausdc01.
The default value for SourcePath is D:
Next we need to export the changes to a .reg file. Right-click on Setup and click Export. Make sure the export range is set to Selected branch and not All.
Once exported, open the .reg file in Notepad. Many registry subkeys under the Setup key will have been exported along with our data. These are not required and need to be removed. Everything south of the red square in the screenshot should be removed. Also remove BootDir, in case we actually do have a server that doesn't have C:\ as its boot partition!
Copy the registry file you have created to a network share. In my environment I just used the netlogon directory, in which I created a folder wmichange: \\domain\netlogon\wmichange.
You could use PSTools or a startup script to make this change on servers now by simply scripting:
regedit /s \\domain\netlogon\wmichange\installsource.reg
However, we are going to encompass this as part of the same script.
Next we need to make an unattended setup file, much like we do when we are doing desktop or server deployment on a large scale. Create the file under the same directory as above. I called mine answer.txt:
\\domain\netlogon\wmichange\answer.txt
In the answer file enter:
[Components]
WbemMSI = On
This is what is required to install the Management and Monitoring Tools --> WMI Windows Installer Provider component.
You can specify any of the components in Add/Remove Windows Components in an answer file. Here are some good links for future reference:
http://itk.samfundet.no/dok-filer/ms-xp-sp2-deployment-ref/u_components.htm
http://forums.techarena.in/server-scripting/738510.htm
The command to kick off this unattended install is:
sysocmgr.exe /i:%windir%\inf\sysoc.inf /u:\\domain\netlogon\wmichange\answer.txt
This will go through and add the WMI Windows Installer Provider component for us.
This should install the component without even prompting for any user interaction. It will pull the files off the network share as configured above.
Now finally let's create a batch script called run.bat under our \\domain\netlogon\wmichange\ directory.
Put both commands in the bat file:
regedit /s \\domain\netlogon\wmichange\installsource.reg
sysocmgr.exe /i:%windir%\inf\sysoc.inf /u:\\domain\netlogon\wmichange\answer.txt
Now you have two methods to use this: you can either run it remotely using PSExec or you can use startup scripts. Below I will only show how to use PSExec.
PSExec is a program to remotely execute commands, which is part of the PSTools pack. Get it from:
http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx
PSExec has the capability of running a command against every computer in a domain, or a list of computers from a text file. Remember, only 2003 and XP don't have the WMI Windows Installer Provider installed by default, so we only want to target these.
Below I will run the command against a single computer CANHQDC01 which did not have the WMI Windows Installer Provider installed.
psexec \\CANHQDC01 "\\domain\netlogon\wmichange\run.bat"
Below shows you the output of the command and how it carried out all the tasks:
Error code 0 is good, it means there were no errors. Now I can perform software audits on CANHQDC01 using WMI where before I couldn't!
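A read-only check for the state this post sets up, added here as an example and not part of the original script: for each computer it tests whether the Win32_Product class is registered and reads the SourcePath and CDInstall values from the Setup key over WMI. The computer list and the output file name are assumptions.

```powershell
# Added example (not the author's script). Run from Windows PowerShell, which
# still ships Get-WmiObject. The computer names are the two used in the post.
$computers = 'AUSDC01', 'CANHQDC01'
$HKLM      = [uint32]2147483650   # 0x80000002 = HKEY_LOCAL_MACHINE
$setupKey  = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Setup'

$report = foreach ($c in $computers) {
    $row = New-Object PSObject -Property @{
        Computer = $c; HasWin32Product = $null
        SourcePath = $null; CDInstall = $null; Error = $null
    }
    try {
        # -List returns the class definition only; it does not enumerate
        # installed products, so it is a cheap existence test.
        $cls = Get-WmiObject -Namespace 'root\cimv2' -List -Class 'Win32_Product' `
                             -ComputerName $c -ErrorAction Stop
        $row.HasWin32Product = [bool]$cls

        # StdRegProv reads the remote registry over the same WMI channel.
        $reg = [wmiclass]"\\$c\root\default:StdRegProv"
        $row.SourcePath = $reg.GetStringValue($HKLM, $setupKey, 'SourcePath').sValue
        $row.CDInstall  = $reg.GetDWORDValue($HKLM, $setupKey, 'CDInstall').uValue
    }
    catch {
        # Unreachable host, access denied, etc. HasWin32Product stays $null.
        $row.Error = $_.Exception.Message
    }
    $row
}

$report | Select-Object Computer, HasWin32Product, SourcePath, CDInstall, Error |
    Format-Table -AutoSize

# Reachable machines that still lack the class, one name per line, in the
# form PSExec accepts as @file. The output path is an assumption.
$report | Where-Object { $_.HasWin32Product -eq $false } |
    ForEach-Object { $_.Computer } |
    Set-Content -Path '.\missing-wbemmsi.txt'
```

After run.bat has been pushed, a machine configured as described above should show HasWin32Product as True, SourcePath as \\ausdc01 and CDInstall as 0.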
How does one ensure this is on when building a Server 2008 box which uses "Server Manager" with "Roles" and "Features" and not "Add/Remove Windows Components"?
carcla
Vista, 2008 and Windows 7 always have this enabled.
Could you post/explain the PowerShell script you're using to audit the machines?
Sure Miha, I posted a full guide on my script for you and how to use it:
http://clintboessen.blogspot.com/2009/12/software-inventory-powershell-script.html
Hi
Just wanted to know if you know of a way to use this to audit a portion of your AD rather than the entire tree.
So you're trying to configure audit logging on a particular sub container within Active Directory?
FYI - if the target server for the WbemMSI install has Microsoft SQL Server installed, the SQL Server, SQL Server Agent, and MSDTC services will shut down without notice....
Thanks for detailing the instructions so well, I am removing unnecessary software remotely and WMIC is not installed on any of the XP workstations making it harder. However I do get 'Access Denied' when running from a batch script (running only the 2 commands you have), but running them manually seems to be working. I'll figure it out, I'm sure.
It is good people like you who make the community so great :)
Great article, very helpful
Still helpful!