I think that the audit information is corrupted or missing. What can I do?
- Datto RMM
On the affected endpoint, perform the following steps:
- Part 1: Initial Troubleshooting
- Part 2: Discover if the WMI Repository is corrupted
- Part 3: Attempt to fix the WMI Repository
Part 1: Initial Troubleshooting
- Follow the steps in the What should I do if I am having trouble with the Datto RMM Agent? article to deploy the Health Check Tool and review its results.
- Ensure that the version of the Microsoft .NET Framework installed on the endpoint is up-to-date and functional. Repair the installation if necessary. For Datto RMM system requirements, refer to our Detailed Windows Requirements article.
- Uninstall and reinstall the Datto RMM Agent. To learn more about this process, see the Install and Uninstall Agents article.
- Check the health of the endpoint's WMI Repository, and repair it if it is corrupted. See the Discover if the WMI Repository is corrupted section of this article for more information.
Part 2: Discover if the WMI Repository is corrupted
The Datto RMM Agent imports information about an endpoint by querying the host device's Windows Management Instrumentation (WMI). Occasionally, the WMI Repository can become corrupted and unreadable. This affects the audit information that the Datto RMM Agent can gather and send to the platform.
There are many ways to check for WMI corruption. This process focuses on evaluating parts of the WMI that the Agent uses to retrieve audit information.
To check if the WMI Repository is corrupted, open an elevated command prompt on the device and run the following commands:
    wmic computersystem list full /format:list
    wmic baseboard list full /format:list
    wmic bios list full /format:list
Normal output for each line should show a list of information about the area of the WMI queried. If any of your queries return one of the following error messages, then the WMI on your device is faulted, preventing the Datto RMM Agent from reading its data:
- The interface is unknown
- Invalid class
- Invalid namespace \root\cimv2
- Invalid namespace \root\default
- Provider load failure
- Specified cast is not valid
- The specified module could not be found
- Value does not fall within the expected range
- The executable program that this service is configured to run in does not implement the service
- The service did not respond to the start or control request in a timely fashion
- Class not registered
If you see any of the above-listed error messages, proceed to the Attempt to fix the WMI Repository section of this article.
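The check described in Part 2 can be scripted. The following PowerShell is an added example, not part of the original article or of Datto's tooling; it runs the three queries above and searches their output for the error messages listed. It assumes wmic.exe is present on the endpoint and that Windows reports errors in English.

```powershell
# Added example: run the three WMIC queries from Part 2 and flag listed errors.
if (-not (Get-Command wmic.exe -ErrorAction SilentlyContinue)) {
    throw 'wmic.exe was not found on this endpoint.'
}

$queries = 'computersystem', 'baseboard', 'bios'

# Error strings taken from the list in this article.
# 'Invalid namespace' covers both \root\cimv2 and \root\default.
$faultPatterns = @(
    'The interface is unknown'
    'Invalid class'
    'Invalid namespace'
    'Provider load failure'
    'Specified cast is not valid'
    'The specified module could not be found'
    'Value does not fall within the expected range'
    'does not implement the service'
    'did not respond to the start or control request'
    'Class not registered'
)

$results = foreach ($q in $queries) {
    # 2>&1 folds error output into the captured text so it can be searched.
    $out  = (& wmic.exe $q list full /format:list 2>&1 | Out-String)
    $hits = @($faultPatterns | Where-Object { $out -match [regex]::Escape($_) })
    [pscustomobject]@{
        Query    = "wmic $q list full /format:list"
        ExitCode = $LASTEXITCODE
        Faults   = $hits -join '; '
        # Healthy output is a list of Name=Value lines.
        HasData  = [bool]($out -match '(?m)^\w+=')
    }
}

$results | Format-Table -AutoSize -Wrap

if ($results | Where-Object { $_.Faults -or -not $_.HasData }) {
    Write-Warning 'At least one query failed. Continue with Part 3.'
    exit 1
}
Write-Output 'All three queries returned data and no listed error was found.'
```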
Part 3: Attempt to fix the WMI Repository
- Method 1: Verify and restore the repository
- Method 2: Re-register all DLL files and recompile .MOF files
- Method 3: Rebuild the WMI repository
Method 1: Verify and restore the repository
Perform the following steps from an elevated command prompt to verify and restore the WMI:
1. From the Windows Command Prompt, enter:
2. If you see any output other than “WMI repository is consistent,” run the following command to merge the readable content of the inconsistent repository into the rebuilt repository:
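The commands for these two steps do not appear in the text of this page. The following PowerShell is an added example, not the article's own code: it assumes the winmgmt.exe switches /verifyrepository and /salvagerepository, which match the behaviour described in steps 1 and 2, and English-language output.

```powershell
# Added example. Run from an elevated PowerShell session.
# Assumption: /verifyrepository and /salvagerepository are the switches
# meant by steps 1 and 2; they are not shown in the article text.
$consistent = 'WMI repository is consistent'

# Step 1: check the repository.
$verify = (& winmgmt.exe /verifyrepository 2>&1 | Out-String).Trim()
Write-Output "verify: $verify"

if ($verify -match $consistent) {
    Write-Output 'Repository is consistent; no salvage needed.'
}
else {
    # Step 2: merge readable content of the inconsistent repository
    # into the rebuilt repository.
    $salvage = (& winmgmt.exe /salvagerepository 2>&1 | Out-String).Trim()
    Write-Output "salvage: $salvage"

    # Check again so the outcome of the salvage is recorded.
    $recheck = (& winmgmt.exe /verifyrepository 2>&1 | Out-String).Trim()
    Write-Output "re-verify: $recheck"

    if ($recheck -notmatch $consistent) {
        Write-Warning 'Repository is still inconsistent. See Method 2 or Method 3.'
        exit 1
    }
}
```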
Method 2: Re-register all DLL files and recompile .MOF files
1. Run the following script to re-register all DLL files and recompile .MOF files in the C:\Windows\System32\Wbem folder on the endpoint.
You can save this script as a .BAT file and run it locally on the endpoint, from an elevated Windows Command Prompt session, or from the Desktop as an Administrator. You can also run it from the remote Agent shell or deploy it via a component.
    @ECHO OFF
    REM Set the WMI service to start automatically
    sc config winmgmt start= auto
    REM Set DCOM values and remove custom launch/access restriction values
    reg add HKLM\SOFTWARE\Microsoft\Ole /v EnableDCOM /t REG_SZ /d "Y" /f
    reg add HKLM\SOFTWARE\Microsoft\Ole /v LegacyAuthenticationLevel /t REG_DWORD /d "2" /f
    reg add HKLM\SOFTWARE\Microsoft\Ole /v LegacyImpersonationLevel /t REG_DWORD /d "3" /f
    reg delete HKLM\SOFTWARE\Microsoft\Ole /v DefaultLaunchPermission /f
    reg delete HKLM\SOFTWARE\Microsoft\Ole /v MachineAccessRestriction /f
    reg delete HKLM\SOFTWARE\Microsoft\Ole /v MachineLaunchRestriction /f
    REM Stop services and delete the existing repository files
    NET STOP SharedAccess
    NET STOP winmgmt
    CD %WINDIR%\System32\Wbem\Repository
    DEL /F /Q /S %WINDIR%\System32\Wbem\Repository\*.*
    REM Re-register DLL files and recompile .MOF/.MFL files in the Wbem folder
    CD %WINDIR%\system32\wbem
    REGSVR32 /s %WINDIR%\system32\scecli.dll
    REGSVR32 /s %WINDIR%\system32\userenv.dll
    MOFCOMP cimwin32.mof
    MOFCOMP cimwin32.mfl
    MOFCOMP rsop.mof
    MOFCOMP rsop.mfl
    FOR /f %%s IN ('DIR /b /s *.dll') DO REGSVR32 /s %%s
    FOR /f %%s IN ('DIR /b *.mof') DO MOFCOMP %%s
    FOR /f %%s IN ('DIR /b *.mfl') DO MOFCOMP %%s
    MOFCOMP exwmi.mof
    MOFCOMP -n:root\cimv2\applications\exchange wbemcons.mof
    MOFCOMP -n:root\cimv2\applications\exchange smtpcons.mof
    MOFCOMP exmgmt.mof
    rundll32 wbemupgd, UpgradeRepository
    REM Clear the catroot2 folder and the security logs
    NET STOP Cryptsvc
    DEL /F /Q /S %WINDIR%\System32\catroot2\*.*
    DEL /F /Q C:\WINDOWS\security\logs\*.log
    NET START Cryptsvc
    REM Rebuild performance counters
    cd c:\windows\system32
    lodctr /R
    cd c:\windows\sysWOW64
    lodctr /R
    WINMGMT.EXE /RESYNCPERF
    REM Re-register Windows Installer
    msiexec /unregister
    msiexec /regserver
    REGSVR32 /s msi.dll
    REM Restart the services stopped earlier
    NET START winmgmt
    NET START SharedAccess
2. After you run the script, restart the endpoint.
3. Run an audit on the endpoint by selecting it in the Web Portal and clicking the Audit icon. To ensure a full audit, make sure that you do not select any other devices.
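The Method 2 script overwrites or deletes DCOM values under HKLM\SOFTWARE\Microsoft\Ole and deletes the logs in C:\WINDOWS\security\logs. The following PowerShell is an added example, not part of the Datto script, that records that state before the script is run so the change can be reviewed or reverted. The backup folder C:\Temp\wmi-repair is a hypothetical path.

```powershell
# Added example: snapshot what the Method 2 script changes. Run elevated,
# before running the script.
# Assumption: C:\Temp\wmi-repair is a hypothetical backup folder.
$backupDir = 'C:\Temp\wmi-repair'
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Full export of the key; "reg import <file>" restores it.
$regFile = Join-Path $backupDir "Ole-$stamp.reg"
& reg.exe export 'HKLM\SOFTWARE\Microsoft\Ole' $regFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed with code $LASTEXITCODE" }

# Values the script sets (first three) or deletes (last three).
$names = 'EnableDCOM', 'LegacyAuthenticationLevel', 'LegacyImpersonationLevel',
         'DefaultLaunchPermission', 'MachineAccessRestriction', 'MachineLaunchRestriction'
$props = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'

$report = foreach ($n in $names) {
    $present = $props.PSObject.Properties.Name -contains $n
    $value   = if ($present) { $props.$n } else { $null }
    [pscustomobject]@{
        Name    = $n
        Present = $present
        # Binary security descriptors are summarised by length only.
        Value   = if ($value -is [byte[]]) { "binary, $($value.Length) bytes" } else { $value }
    }
}
$report | Format-Table -AutoSize
$report | Export-Csv (Join-Path $backupDir "Ole-values-$stamp.csv") -NoTypeInformation

# Keep a copy of the security logs the script deletes.
Copy-Item 'C:\WINDOWS\security\logs\*.log' -Destination $backupDir -ErrorAction SilentlyContinue
Write-Output "Snapshot written to $backupDir"
```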
Method 3: Rebuild the WMI Repository
If all other troubleshooting described in this article has failed to resolve the issue, you can perform the following procedure to rebuild your WMI repository. Proceed with caution and at your own risk.
Before attempting this process, review the following warning from Microsoft:
If this process fails to re-add any .MOF files, some installed programs on your endpoint may stop working and require reinstallation. Consider your options carefully before continuing.
1. To rebuild your WMI, run the following commands from an elevated command prompt on the affected endpoint:
    Net stop Winmgmt
    Winmgmt.exe /standalonehost
    Winmgmt.exe /resetrepository
    Net start Winmgmt