• Home
• Contact

Solving Connectivity Issues

The information on this page applies to configuring Windows 7/8.x/10 resp. 2008/2012 systems for remote access with these applications ("the apps"):

• WMI Browser
• Service Control
• Hyper-V Control

The apps do not require any custom code on Windows target systems. However, Windows systems must be configured properly for the apps to connect remotely.

Login account

The account used to connect to a Windows remote system must be a member of the local Administrators group. To add an account to the Administrators group, you can run the following command from the command line:

net localgroup Administrators <username> /add

Remote Registry Service

Make sure the Remote Registry Service is not disabled:

1. Launch Control Panel as Administrator.
2. Open Administrive Tools
3. Open Service
4. Find the Remote Registry service in the services list
5. Double click the Remote Registry service entry
6. Make sure the Startup type is not set to Disabled

WBEM Scripting Locator registry key

On Windows 7 / 2008 Server and higher, members of the Administrators group no longer have full control privileges for a WMI registry key. These need to be enabled following the steps below using the Administrator account:

1. Launch 'Regedit.exe' as Administrator. On 64bit systems make sure to run the 64bit version of Regedit.
2. Go to HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
3. Right-click and select 'Permissions'
4. Change owner to Administrators group (Advanced...).
5. Change permissions for administrators group. Grant Full Control.
6. Optional: Change owner back to TrustedInstaller (user is "NT Service\TrustedInstaller" on local machine)
7. Restart Remote Registry Service (Administrative Tools / Services)   

Disable Network UAC

To disable filtering of WMI objects, it is recommended to disable network UAC:

1. Launch 'Regedit.exe' as Administrator. On 64bit systems make sure to run the 64bit version of Regedit.
2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
3. Create or modify 32-bit DWORD value: LocalAccountTokenFilterPolicy
4. Set the value to: 1
5. Restart system

Firewall

Configuring WMI traffic through Windows firewall is tricky and involves several steps. To just try out the apps, it is recommended to turn Windows firewall off in a secure private network environment.

If Windows firewall is active, it must be configured to allow WMI remote traffic. Since the required changes affect several core Windows sub-systems, it is recommended to perform the below instructions only in a secure private network environment. Note that the instructions  are for Windows 7 SP1 / Windows Server 2008 R2. The exact steps might slightly vary depending on your Windows version.

If SMB file and printer sharing is not enabled by default, run from the command line:

netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes

Then run:

netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

Windows dynamically allocates ports for WMI Remote Procedure Call (RPC) servers that the apps need to connect to. To minimize the number of possible ports that must be opened in the firewall, it is recommended to configure the dynamic RPC port range:

1. Open Control Panel - Administrative Tools - Components Services
2. Select Components Services | Computers | My Computer
3. Right-click on My Computer and choose properties.
4. Activate the Default Protocols tab.
5. Choose Properties for Connection Oriented TCP/IP.
6. Add the range you want DCOM to be listening at (e.g. 3001 - 3010).

After that, the selected port range must be enabled for incoming connections in the Windows firewall settings:

1. Open Control Panel - Windows Firewall
2. Click Advanced Settings in the left-hand pane
3. Right-click on Inbound Rules in the tree view and select New Rule…
4. In the New Inbound Rule Wizard, select Custom as rule type and click Next
5. On the Program page, select All Programs and continue
6. In the Protocol and Ports step, select TCP as protocol type
7. From the Local Port dropdown box, select RPC Dynamic Ports
8. Leave Remote Port in the box beneath as All Ports and continue
9. Leave Any IP Address for local and remote IP addresses on the Scope page and continue
10. On the Action page, select Allow the connection and click Next
11. Make your choices on the Profile page and continue. It is not recommended to enable the rule for public network locations.
12. Assign a name to the new rule and click Finish
13. If the rule is displayed as disabled, enable it