The Windows Machine I'm using:
- I ran this on Windows Server 2012 R2 no service pack.
- the ip is 10.10.123.123 (changed for my privacy!)
- winrm listener is setup on HTTPS 5986
The user I'm using:
- is a local user on 10.10.123.123
- I've also tried a domain user with the same steps below
- is intentionally not an administrator user to limit access
- is a member of Remote Management Users (for powershell)
- is a member of WinRMRemoteWMIUsers__ (for winrm queries)
- "Remote Enable" under WMI Control
-
- Open Computer Management
-
- WMI Control -> Right Click -> Properties -> Security Tab
-
- Root -> Select it -> Click Security at bottom
-
- Add remote enabled for the user in "This namespace and subnamespaces"
Running Locally
This is the command I used to run it directly on the machine with ip 10.10.123.123, logged in as the same user as the remote command.
Get-WSManInstance -Enumerate -ResourceURI wmicimv2/* -Dialect WQL -Filter "SELECT PercentProcessorTime, Timestamp_Sys100NS FROM Win32_PerfRawData_Counters_ProcessorInformation WHERE NOT Name LIKE '%_Total'"
xsi : http://www.w3.org/2001/XMLSchema-instance
w : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
m : http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd
lang : en-US
PercentProcessorTime : 1616986718750
Timestamp_Sys100NS : 131753759127044458
xsi : http://www.w3.org/2001/XMLSchema-instance
w : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
m : http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd
lang : en-US
PercentProcessorTime : 1613812500000
Timestamp_Sys100NS : 131753759127044458
xsi : http://www.w3.org/2001/XMLSchema-instance
w : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
m : http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd
lang : en-US
PercentProcessorTime : 1606279375000
Timestamp_Sys100NS : 131753759127044458
xsi : http://www.w3.org/2001/XMLSchema-instance
w : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
m : http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd
lang : en-US
PercentProcessorTime : 1604592187500
Timestamp_Sys100NS : 131753759127044458
Running "Remotely"
This is the command I used to run. I can run it from on 10.10.123.123 or from a separate Windows machine. No matter where, the result is empty. There is no error message.
$cred = Get-Credential
Get-WSManInstance -Enumerate -ResourceURI wmicimv2/* -Dialect WQL -Filter "SELECT PercentProcessorTime, Timestamp_Sys100NS FROM Win32_PerfRawData_Counters_ProcessorInformation WHERE NOT Name LIKE '%_Total'" -ComputerName 10.10.123.123 -useSSL -SessionOption (New-WSManSessionOption -SkipCACheck -SkipCNCheck) -Credential $cred
# The result is empty unlikely the local command.
Extra Info
- I still get an empty result when I remove the WHERE clause
- Local and remote works with an Administrator user
- If I use the Win32_Service object instead, it works for local but remote throws an error "The WS-Management
service cannot process the request. The WMI service returned an 'access denied' error." - i've tried with a domain user instead of a local user
Question
What permissions are needed to query Win32_PerfRawData_Counters_ProcessorInformation and similar objects remotely? What is the method for figuring out the permissions for similar objects like: Win32_Service?
Reference
I've primarily used this as my reference for setting up WMI remote access, without needing an Adminstrator Account by Ondrej Sevecek https://www.sevecek.com/Lists/Posts/Post.aspx?ID=280
Best Answer
After a lot of search I came across this article http://vniklas.djungeln.se/2012/08/22/set-up-non-admin-account-to-access-wmi-and-performance-data-remotely-with-powershell/ which suggested adding the user to the "Performance Monitor Users" group. After that, Win32_PerfRawData_Counters_ProcessorInformation returns results on remote queries! :)
Unfortunately, I still get access denied for Win32_Service. So the question of what's the general method for figuring out which permissions are needed for each wmi object remains.