Movere does query the Windows Common Information Model (CIM), and this connection is initially used to confirm whether Movere can scan the system locally or remotely. If Movere is unable to connect to the CIM, no further scanning is attempted. If Movere can connect to the CIM but not the registry, scanning continues, because the data Movere collects from Windows devices comes primarily from the CIM.

Whether Movere is scanning the target locally or remotely, it uses the .NET class System.Management.ManagementObjectSearcher, initializing a new instance of the class to invoke a specific query in the specified scope (i.e. root\CIMV2). For remote scanning, Movere uses impersonation to obtain the correct access level, coupled with a timeout of 30 seconds to account for slow connections, which are made via WMI.
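A pre-flight check built from the settings described above, as an added example that is not Movere's own code: it connects to root\CIMV2 through ManagementObjectSearcher with impersonation and a 30-second timeout and reports whether the CIM is reachable. The function name, the host names and the Win32_OperatingSystem probe query are assumptions.

```powershell
# Added example, not Movere's code. Run in Windows PowerShell on the scanning host.
Add-Type -AssemblyName System.Management

function Test-CimScanReadiness {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$ComputerName)

    # Same connection settings the article describes: impersonation, 30 s timeout.
    $options = New-Object System.Management.ConnectionOptions
    $options.Impersonation = [System.Management.ImpersonationLevel]::Impersonate
    $options.Timeout       = [TimeSpan]::FromSeconds(30)

    # Local targets use the bare namespace; remote targets use \\host\namespace.
    $isLocal = $ComputerName -in @('.', 'localhost', $env:COMPUTERNAME)
    $path    = if ($isLocal) { 'root\CIMV2' } else { "\\$ComputerName\root\CIMV2" }
    $scope   = New-Object System.Management.ManagementScope($path, $options)

    # Assumed probe query; the article does not list the queries Movere runs.
    $query = New-Object System.Management.ObjectQuery(
        'SELECT Caption, Version FROM Win32_OperatingSystem')

    $result = [ordered]@{
        ComputerName = $ComputerName; CimReachable = $false; OS = $null; Error = $null
    }
    $searcher = $null
    try {
        $scope.Connect()
        $searcher = New-Object System.Management.ManagementObjectSearcher($scope, $query)
        $searcher.Options.Timeout = [TimeSpan]::FromSeconds(30)
        foreach ($os in $searcher.Get()) {
            $result.OS = '{0} ({1})' -f $os.Caption, $os.Version
        }
        $result.CimReachable = $true
    }
    catch {
        # Access denied, RPC unavailable and timeouts all land here; keep the reason.
        $base = $_.Exception.GetBaseException()
        $result.Error = '{0}: {1}' -f $base.GetType().Name, $base.Message
    }
    finally {
        if ($searcher) { $searcher.Dispose() }
    }
    [pscustomobject]$result
}

# Constructed host list for illustration.
'localhost', 'HOST01.example.test' |
    ForEach-Object { Test-CimScanReadiness -ComputerName $_ } |
    Format-Table -AutoSize
```

A host that reports `CimReachable = False` here would not be scanned further, per the behaviour described above; the `Error` column distinguishes a permissions problem from a connectivity or timeout problem.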