
Remote WMI Access with Local Account in Administrators Group

Previously I shared how to set up a remote WMI connection in a Workgroup using the built-in Administrator account. A different local user that is merely a member of the Administrators group, however, still gets Access Denied on Windows Vista and later. The cause is remote User Account Control (UAC) access token filtering: when a local (non-domain) account authenticates over the network, Windows strips the administrative privileges from its token, so the connection is treated as a standard user. The built-in Administrator account (RID 500) is exempt from this filtering, which is why it works. Here are the steps to disable remote UAC token filtering. These settings are for lab use only: turning the filter off hands a full administrative token to every local Administrators member over the network, which is exactly what lateral-movement tooling (WMI, PsExec-style service creation, admin shares) relies on, so do not apply this in production without proper risk mitigation.

Remote WMI Access for Local User

Save Credentials

Open Windows PowerShell as an Administrator on the management host. Then type $defaultAdmin = Get-Credential

This opens a prompt to enter credentials. Start by saving the valid credentials of the built-in Administrator account on the target host.

Next, save the credentials of the local user who is also a member of the Administrators group on the target host, by typing $localAdmin = Get-Credential

Note that the user name must be prefixed with the hostname or IP address of the target host, followed by a backslash and the account name (for example ip_address\Administrator); otherwise the logon is attempted against the local machine and fails.

Verify Process Execution

Using the saved credentials, verify that the default administrator is able to start an instance of Notepad.

Invoke-WmiMethod -Path win32_process -Name create -ArgumentList notepad.exe -ComputerName ip_address -Credential $defaultAdmin

Verify Remote UAC Filter Enabled

Using the saved credentials, verify that the local account is not able to start an instance of Notepad even though this user is a member of the Administrators group on the target host. Invoke-WmiMethod should fail with "Access is denied" (HRESULT 0x80070005).

Invoke-WmiMethod -Path win32_process -Name create -ArgumentList notepad.exe -ComputerName ip_address -Credential $localAdmin

Open Registry Editor

On the target host, from Start > Search type regedit.exe, run it, and click Yes at the UAC elevation prompt to open the Registry Editor.

Add New DWORD Value

Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Create a new DWORD (32-bit) Value named LocalAccountTokenFilterPolicy

Set this value to one (1) to disable remote UAC access token filtering. It takes effect for new remote logons without a reboot; setting it back to zero (0) or deleting it re-enables filtering. Because attacker tooling sets this same value to enable lateral movement with local accounts, its creation on a host outside a change window is worth alerting on.

Verify Remote UAC Filter Disabled

Once the registry modification has been applied on the target host, we can verify that the UAC filter is disabled.

Using the saved credentials, verify that the local account that is a member of the Administrators group on the target host is now able to start an instance of Notepad (the call returns ReturnValue 0 and a ProcessId).

Invoke-WmiMethod -Path win32_process -Name create -ArgumentList notepad.exe -ComputerName ip_address -Credential $localAdmin
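The whole procedure, driven from the management host, as an added example that is not part of the original post. It reproduces the two Notepad tests above and replaces the manual regedit step with the same WMI channel (StdRegProv), using the built-in Administrator credential, which the page has already shown to work remotely, to write LocalAccountTokenFilterPolicy on the target. The target address is a placeholder; the function names and the idea of flipping the value back afterwards are my own.

```powershell
# Added example (not from the original post). Assumes the target accepts
# DCOM/RPC and that $defaultAdmin is the built-in Administrator on it.
$Target       = '192.0.2.10'   # placeholder address, replace with the lab host
$defaultAdmin = Get-Credential -Message "Built-in Administrator on $Target (e.g. $Target\Administrator)"
$localAdmin   = Get-Credential -Message "Local Administrators member on $Target (e.g. $Target\labadmin)"

# StdRegProv expects HKEY_LOCAL_MACHINE as the numeric hive handle 0x80000002
$HKLM    = [uint32]2147483650
$SubKey  = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValName = 'LocalAccountTokenFilterPolicy'

function Test-RemoteProcessCreate {
    # Try Win32_Process.Create as the given user and classify the outcome
    param([string]$ComputerName, [pscredential]$Credential, [string]$CommandLine = 'notepad.exe')
    try {
        $r = Invoke-WmiMethod -Path Win32_Process -Name Create -ArgumentList $CommandLine `
                -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop
        # ReturnValue 0 = created; other codes are Win32_Process.Create status values
        $result = if ($r.ReturnValue -eq 0) { 'Created' } else { "Create failed ($($r.ReturnValue))" }
        [pscustomobject]@{ User = $Credential.UserName; Result = $result; Pid = $r.ProcessId }
    }
    catch {
        # 0x80070005 (E_ACCESSDENIED) is what a filtered local-admin token produces
        $denied = ($_.Exception.HResult -eq -2147024891) -or ($_.Exception.Message -match 'denied')
        $result = if ($denied) { 'AccessDenied' } else { "Error: $($_.Exception.Message)" }
        [pscustomobject]@{ User = $Credential.UserName; Result = $result; Pid = $null }
    }
}

function Get-RemoteTokenFilterPolicy {
    # Read the DWORD over WMI; $null means the value is absent (filtering on)
    param([string]$ComputerName, [pscredential]$Credential)
    $r = Invoke-WmiMethod -Namespace root\default -Class StdRegProv -Name GetDWORDValue `
            -ArgumentList $HKLM, $SubKey, $ValName -ComputerName $ComputerName -Credential $Credential
    if ($r.ReturnValue -eq 0) { [int]$r.uValue } else { $null }
}

function Set-RemoteTokenFilterPolicy {
    # 1 disables remote UAC token filtering, 0 re-enables it
    param([string]$ComputerName, [pscredential]$Credential, [ValidateSet(0,1)][int]$Value)
    $r = Invoke-WmiMethod -Namespace root\default -Class StdRegProv -Name SetDWORDValue `
            -ArgumentList $HKLM, $SubKey, $ValName, ([uint32]$Value) `
            -ComputerName $ComputerName -Credential $Credential
    if ($r.ReturnValue -ne 0) { throw "SetDWORDValue failed with status $($r.ReturnValue)" }
}

# 1. Baseline: built-in Administrator works, the filtered local admin is denied
Test-RemoteProcessCreate -ComputerName $Target -Credential $defaultAdmin   # expect Created
Test-RemoteProcessCreate -ComputerName $Target -Credential $localAdmin     # expect AccessDenied

# 2. Disable filtering with the credential that still has a full token
"Before: $ValName = $(Get-RemoteTokenFilterPolicy -ComputerName $Target -Credential $defaultAdmin)"
Set-RemoteTokenFilterPolicy -ComputerName $Target -Credential $defaultAdmin -Value 1
"After:  $ValName = $(Get-RemoteTokenFilterPolicy -ComputerName $Target -Credential $defaultAdmin)"

# 3. Re-test: the local Administrators member now gets an unfiltered token
Test-RemoteProcessCreate -ComputerName $Target -Credential $localAdmin     # expect Created

# 4. Lab hygiene: put the filter back when the exercise is over
# Set-RemoteTokenFilterPolicy -ComputerName $Target -Credential $defaultAdmin -Value 0
```

Step 2 must run as the built-in Administrator: the same token filtering that blocks Win32_Process.Create for $localAdmin also blocks the StdRegProv write, so the filtered account cannot lift the restriction on itself. Invoke-WmiMethod passes -ArgumentList positionally in the method's parameter order, which for GetDWORDValue and SetDWORDValue is hive, subkey, value name, data.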