Introduction
This article explains how to probe every machine on a network for administrative access over WMI (Windows Management Instrumentation) and how to start remote processes once that access is confirmed. For each ComputerName the script tries to connect to the remote root\cimv2 namespace; if the connection succeeds, it creates notepad.exe on the target through Win32_Process.Create and opens an interactive command shell there with PsExec.
Background
I've been looking for code to scan a network for open shares such as C$, Admin$, etc., and didn't have much luck. So, I decided to write this simple VBScript code to probe a PC to see if execute/write permissions are available.
Using the code
Create a file called wmi.vbs:
' wmi.vbs - probe one host for remote WMI (administrative) access
If WScript.Arguments.Count < 1 Then
    WScript.Echo "Usage: cscript.exe wmi.vbs ComputerName"
    WScript.Quit 1
End If
strComputer = WScript.Arguments(0)
sleep = 3   ' number of pings the watchdog sends before killing this script
WScript.Echo strComputer

' Find our own process ID: look for this script's name in the command line
' of every running process (CommandLine can be Null, so test that first).
Set objSWbemServices = GetObject("WinMgmts:Root\Cimv2")
Set colProcess = objSWbemServices.ExecQuery("Select * From Win32_Process")
For Each objProcess In colProcess
    If Not IsNull(objProcess.CommandLine) Then
        If InStr(objProcess.CommandLine, WScript.ScriptName) <> 0 Then
            pid = objProcess.ProcessId
        End If
    End If
Next

' Watchdog: a hidden shell pings localhost 'sleep' times (about one second
' apart) and then force-kills this script, so a hanging GetObject below
' cannot stall the whole scan. The string was split across two lines, which
' left the literal unterminated in the original; it is concatenated here.
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run "cmd /c ping -n " & sleep & " 127.0.0.1>nul & " & _
    "taskkill /PID " & pid & " /F", 0, False

On Error Resume Next
Err.Clear
Set objWMIService = GetObject("winmgmts:" & _
    "{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\cimv2")
If Err.Number <> 0 Then
    WScript.Echo Err.Description   ' e.g. access denied, RPC server unavailable
Else
    WScript.Echo "ok"              ' connected: we are an administrator on the target
    ' Prove execute rights: start notepad.exe on the target. It runs in a
    ' non-interactive session there, so no window appears on the remote PC.
    Set objWMIService = GetObject("winmgmts:\\" & _
        strComputer & "\root\cimv2:Win32_Process")
    objWMIService.Create "notepad.exe", Null, Null, intProcessID
    ' Open an interactive shell on the target with PsExec (must be in PATH).
    WshShell.Run "psexec \\" & strComputer & " cmd"
End If

' We got here before the deadline: stop the watchdog so it does not kill us.
WshShell.Run "taskkill /IM ping.exe /T", 0, True
Then launch it, passing the name of the computer to probe:
cscript.exe wmi.vbs ComputerName
Points of interest
One problem with WMI is that GetObject can "hang" for anywhere from seconds to minutes when the target is switched off, firewalled, or slow to answer the RPC connection, which is detrimentally slow when there are thousands of PCs to scan.
To overcome the hang, the script sneakily terminates itself via TASKKILL once the watchdog's pings are done (sleep=3; ping -n 3 sends three echoes about a second apart, so the deadline is roughly two seconds). The end result is that scans are fast, with no threads and no complex code, and most importantly the hangs are greatly reduced.
Two caveats. First, the closing taskkill /IM ping.exe kills every ping.exe on the scanning machine, not only this script's watchdog, so run the batch entries one after another rather than in parallel. Second, neither technique is quiet: a process created through Win32_Process.Create on the target runs as a non-interactive child of WmiPrvSE.exe (no notepad window will appear there, only a process entry), and PsExec installs and starts its PSEXESVC service on the target; both are well-known indicators that endpoint monitoring flags.
To build the list of targets, open a command prompt and type:
net view /domain
This returns the domains visible on the network. To list the PCs in a specific domain, type:
net view /domain:yourdomain
Save the output, then create a batch file called wmi.bat with one line per computer:
cscript.exe C:\wmi.vbs COMPUTER1
cscript.exe C:\wmi.vbs COMPUTER2
cscript.exe C:\wmi.vbs COMPUTER3
...
cscript.exe C:\wmi.vbs COMPUTERN
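The same probe written in PowerShell, as an added example that is not part of the original article: it takes the host names from the saved net view output (a constructed sample is embedded below), gives the remote WMI query a real timeout through a background job instead of the TASKKILL trick described above, and records which hidden administrative shares (ADMIN$, C$, ...) each reachable host exposes and whether ADMIN$ is writable. The function names, the marker-file path under ADMIN$\Temp and the three-second limit are assumptions of this example. It needs Windows PowerShell 5.1, because Get-WmiObject (DCOM) was removed from PowerShell 7.

```powershell
# Added example, not the article's code: PowerShell version of wmi.vbs with a
# real timeout. Requires Windows PowerShell 5.1 (Get-WmiObject uses DCOM and
# was removed from PowerShell 7). Function names and paths are assumptions.

# Constructed sample of 'net view /domain:yourdomain' output; replace it with
# the output you saved from the real command.
$netViewOutput = @"
Server Name            Remark

-------------------------------------------------------------------------------
\\COMPUTER1            Finance workstation
\\COMPUTER2
\\COMPUTER3            Build server
The command completed successfully.
"@

function Get-HostsFromNetView {
    param([string]$Text)
    # net view prints one '\\NAME   remark' line per machine; keep the name.
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\\\\(\S+)') { $Matches[1] }
    }
}

function Test-RemoteAdmin {
    param([string]$ComputerName, [int]$TimeoutSec = 3)
    $result = [pscustomobject]@{
        Computer  = $ComputerName
        WmiAccess = $false
        Shares    = @()
        Writable  = $false
        Error     = $null
    }
    # Run the WMI query as a background job so a hanging DCOM connect can be
    # abandoned after $TimeoutSec seconds without killing our own process.
    $job = Get-WmiObject -Class Win32_Share -ComputerName $ComputerName -AsJob
    Wait-Job -Job $job -Timeout $TimeoutSec | Out-Null
    if ($job.State -eq 'Running') {
        Stop-Job -Job $job
        Remove-Job -Job $job -Force
        $result.Error = "timeout after ${TimeoutSec}s"
        return $result
    }
    try {
        # Errors raised inside the job (access denied, RPC server unavailable)
        # surface here as terminating errors because of -ErrorAction Stop.
        $shares = @(Receive-Job -Job $job -ErrorAction Stop)
        $result.WmiAccess = $true
        # Enumerating Win32_Share remotely needs admin rights on the target by
        # default; record the hidden (trailing '$') shares it exposes.
        $result.Shares = @($shares | Where-Object { $_.Name -match '\$$' } |
                           Select-Object -ExpandProperty Name)
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        Remove-Job -Job $job -Force
    }
    if ($result.WmiAccess -and $result.Shares -contains 'ADMIN$') {
        # Confirm write access the way the VBScript confirms execute access:
        # drop and delete a marker file under ADMIN$ (= %SystemRoot%).
        $marker = "\\$ComputerName\ADMIN`$\Temp\wmiprobe_$PID.tmp"
        try {
            New-Item -Path $marker -ItemType File -Force -ErrorAction Stop | Out-Null
            Remove-Item -Path $marker -Force
            $result.Writable = $true
        } catch {
            $result.Error = "ADMIN`$ not writable: $($_.Exception.Message)"
        }
    }
    return $result
}

function Start-RemoteProcess {
    # Equivalent of the script's Win32_Process.Create call. The process runs in
    # a non-interactive session on the target, so nothing is visible there.
    param([string]$ComputerName, [string]$CommandLine = 'notepad.exe')
    Invoke-WmiMethod -Class Win32_Process -Name Create `
        -ArgumentList $CommandLine -ComputerName $ComputerName
}

$targets = Get-HostsFromNetView -Text $netViewOutput
$results = foreach ($t in $targets) { Test-RemoteAdmin -ComputerName $t }
$results | Format-Table Computer, WmiAccess, Shares, Writable, Error -AutoSize
```

Test-RemoteAdmin distinguishes the three outcomes the VBScript collapses into "ok" or silence: a timeout (host unreachable), an error from the job (access denied or RPC unavailable, i.e. not an administrator), and a successful enumeration with the list of admin shares. Start-RemoteProcess mirrors the script's notepad test and is defined but not called; invoke it only on hosts the scan has already reported as writable, and remember that the created process shows up on the target as a child of WmiPrvSE.exe.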