Datto RMM: I think that the audit information is corrupted or missing. What can I do?

Question

I think that the audit information is corrupted or missing. What can I do?

Environment

  • Datto RMM

Answer

On the affected endpoint, perform the following steps:

Part 1: Initial Troubleshooting

  1. Follow the steps in the What should I do if I am having trouble with the Datto RMM Agent? article to deploy the Health Check Tool and review its results.
  2. Ensure that the version of the Microsoft .NET Framework installed on the endpoint is up-to-date and functional. Repair the installation if necessary. For Datto RMM system requirements, refer to our Detailed Windows Requirements article.
  3. Uninstall and reinstall the Datto RMM Agent. To learn more about this process, see the Install and Uninstall Agents article.
  4. Check the health of the endpoint's WMI Repository, and repair it if it is corrupted. See the Discover if the WMI Repository is corrupted section of this article for more information.

Part 2: Discover if the WMI Repository is corrupted

The Datto RMM Agent imports information about an endpoint by querying the host device's Windows Management Instrumentation (WMI). Occasionally, the WMI repository becomes corrupted and unreadable. This limits the audit information that the Datto RMM Agent can gather and send to the platform.

There are many ways to check for WMI corruption. This process focuses on evaluating parts of the WMI that the Agent uses to retrieve audit information.

To check if the WMI Repository is corrupted, open an elevated command prompt on the device and run the following commands:

wmic computersystem list full /format:list
wmic baseboard list full /format:list
wmic bios list full /format:list

Each command should normally return a list of properties for the WMI class it queries. If any of the queries returns one of the following error messages instead, the WMI on your device is faulted, which prevents the Datto RMM Agent from reading its data:

  • The interface is unknown
  • Invalid class
  • Invalid namespace \root\cimv2
  • Invalid namespace \root\default
  • Provider load failure
  • Specified cast is not valid
  • The specified module could not be found
  • Value does not fall within the expected range
  • The executable program that this service is configured to run in does not implement the service
  • The service did not respond to the start or control request in a timely fashion
  • Class not registered

If you see any of the above-listed error messages, proceed to the Attempt to fix the WMI Repository section of this article.
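The same check can be scripted so that it can be run on several endpoints or from the Agent shell. The following PowerShell function is an added example and is not part of the Datto RMM article or the Datto tooling: it runs the article's three queries, matches the output against the error messages listed above (the two "Invalid namespace" entries are collapsed into one prefix), and also queries the same classes through Get-CimInstance, because wmic.exe is deprecated and is not installed by default on some recent Windows 11 builds. The function names are assumptions of this example, and it expects an elevated Windows PowerShell 5.1 or later session.

```powershell
# Added example, not from the Datto RMM article. Runs the article's three WMI checks
# and flags the error strings the article lists. Function names are this example's own.

# Error fragments from the article, matched case-insensitively anywhere in the output.
$script:WmiFaultSignatures = @(
    'The interface is unknown',
    'Invalid class',
    'Invalid namespace',
    'Provider load failure',
    'Specified cast is not valid',
    'The specified module could not be found',
    'Value does not fall within the expected range',
    'does not implement the service',
    'did not respond to the start or control request in a timely fashion',
    'Class not registered'
)

function Test-WmiQueryOutput {
    # Returns the first article-listed error signature found in the text, or $null.
    param([string]$Text)
    foreach ($sig in $script:WmiFaultSignatures) {
        if ($Text -match [regex]::Escape($sig)) { return $sig }
    }
    return $null
}

function Test-DattoWmiHealth {
    # Runs the same three checks as the article: wmic.exe when it is present, and
    # Get-CimInstance against the matching classes as a second opinion.
    [CmdletBinding()]
    param()

    $checks = @(
        @{ Alias = 'computersystem'; Class = 'Win32_ComputerSystem' },
        @{ Alias = 'baseboard';      Class = 'Win32_BaseBoard' },
        @{ Alias = 'bios';           Class = 'Win32_BIOS' }
    )
    $wmicPresent = [bool](Get-Command wmic.exe -ErrorAction SilentlyContinue)

    foreach ($c in $checks) {
        $result = [ordered]@{
            Class       = $c.Class
            WmicChecked = $wmicPresent
            WmicError   = $null
            CimError    = $null
            Healthy     = $true
        }

        if ($wmicPresent) {
            # 2>&1 folds stderr into the captured text so error messages are matched too.
            $out = & wmic.exe $c.Alias list full /format:list 2>&1 | Out-String
            $result.WmicError = Test-WmiQueryOutput -Text $out
        }

        try {
            $null = Get-CimInstance -ClassName $c.Class -ErrorAction Stop
        } catch {
            # Keep the known signature if one matches, otherwise the raw message.
            $sig = Test-WmiQueryOutput -Text $_.Exception.Message
            $result.CimError = if ($sig) { $sig } else { $_.Exception.Message }
        }

        $result.Healthy = -not ($result.WmicError -or $result.CimError)
        [pscustomobject]$result
    }
}

# Usage: any row with Healthy = False means the repository should be repaired.
Test-DattoWmiHealth | Format-Table -AutoSize
```

A row with Healthy set to False for any of the three classes corresponds to the condition described above, and the endpoint should proceed to the Attempt to fix the WMI Repository section.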

Figure 1: Example of a corrupt WMI Repository

Part 3: Attempt to fix the WMI Repository

Method 1: Verify and restore the repository

Perform the following steps from an elevated command prompt to verify and restore the WMI:

1. From the Windows Command Prompt, enter:

winmgmt /verifyrepository

2. If you see any output other than, “WMI repository is consistent,” run the following command to merge the readable content of the inconsistent repository into the rebuilt repository:

Winmgmt /salvagerepository
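Method 1 can be wrapped so that the salvage step only runs when the verification actually reports an inconsistency and the operator has asked for a repair. The following PowerShell function is an added example, not part of the Datto RMM article: it checks that the session is elevated (winmgmt repository commands fail silently otherwise), runs winmgmt /verifyrepository, and runs winmgmt /salvagerepository followed by a second verification only when the -Salvage switch is given. The function name and the output fields are this example's own; the output strings it matches are the ones winmgmt.exe prints.

```powershell
# Added example, not from the Datto RMM article. Wraps Method 1 so that the salvage
# step runs only for an inconsistent repository and only when explicitly requested.

function Test-IsElevated {
    # winmgmt.exe repository switches need an administrator token.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Repair-WmiRepositoryConsistency {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Without -Salvage the function only reports the verification result.
        [switch]$Salvage
    )
    if (-not (Test-IsElevated)) {
        throw 'winmgmt repository commands require an elevated session.'
    }

    $verify     = (& winmgmt.exe /verifyrepository 2>&1 | Out-String).Trim()
    $consistent = [bool]($verify -match 'WMI repository is consistent')
    $log = [ordered]@{
        Verify        = $verify
        Consistent    = $consistent
        Salvaged      = $false
        SalvageOutput = $null
        Reverify      = $null
    }

    if (-not $consistent -and $Salvage -and
        $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'winmgmt /salvagerepository')) {
        # Merges the readable content of the inconsistent repository into a rebuilt one,
        # then verifies again so the caller sees whether the salvage was enough.
        $log.Salvaged      = $true
        $log.SalvageOutput = (& winmgmt.exe /salvagerepository 2>&1 | Out-String).Trim()
        $log.Reverify      = (& winmgmt.exe /verifyrepository 2>&1 | Out-String).Trim()
        $log.Consistent    = [bool]($log.Reverify -match 'WMI repository is consistent')
    }
    [pscustomobject]$log
}

# Usage: report only. Add -Salvage to repair, or -Salvage -WhatIf to preview the action.
Repair-WmiRepositoryConsistency | Format-List
```

If Consistent is still False after a salvage, continue with Method 2; the returned object can be logged from a component so that the before and after verification output is retained for the endpoint.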

Method 2: Re-register all DLL files and recompile .MOF files

1. Run the following script to re-register all DLL files and recompile .MOF files in the C:\Windows\System32\Wbem folder on the endpoint.

You can save this script as a .BAT file and run it locally on the endpoint from an elevated Windows Command Prompt session or from the Desktop as an Administrator. You can also run it from the remote Agent shell or deploy it via a component. Note that, in addition to re-registering DLLs and recompiling .MOF files, the script deletes the contents of the WMI Repository and catroot2 folders and resets the machine-wide DCOM settings under HKLM\SOFTWARE\Microsoft\Ole to the Windows defaults, so any customized DCOM launch or access restrictions configured on the endpoint are removed.

@ECHO OFF
REM Make sure the WMI service (winmgmt) starts automatically.
sc config winmgmt start= auto
REM Reset the machine-wide DCOM settings to the Windows defaults: DCOM enabled,
REM authentication level Connect (2), impersonation level Impersonate (3), and
REM no custom machine-wide launch/access restriction ACLs.
reg add HKLM\SOFTWARE\Microsoft\Ole /v EnableDCOM /t REG_SZ /d "Y" /f
reg add HKLM\SOFTWARE\Microsoft\Ole /v LegacyAuthenticationLevel /t REG_DWORD /d "2" /f
reg add HKLM\SOFTWARE\Microsoft\Ole /v LegacyImpersonationLevel /t REG_DWORD /d "3" /f
reg delete HKLM\SOFTWARE\Microsoft\Ole /v DefaultLaunchPermission /f
reg delete HKLM\SOFTWARE\Microsoft\Ole /v MachineAccessRestriction /f
reg delete HKLM\SOFTWARE\Microsoft\Ole /v MachineLaunchRestriction /f
REM Stop Internet Connection Sharing (SharedAccess) and WMI before touching the repository.
NET STOP SharedAccess
NET STOP winmgmt
REM Delete the current repository files; they are rebuilt from the .MOF/.MFL files below.
CD %WINDIR%\System32\Wbem\Repository
DEL /F /Q /S %WINDIR%\System32\Wbem\Repository\*.*
CD %WINDIR%\system32\wbem
REM Re-register the core DLLs and recompile the core MOF/MFL files first.
REGSVR32 /s %WINDIR%\system32\scecli.dll
REGSVR32 /s %WINDIR%\system32\userenv.dll
MOFCOMP cimwin32.mof
MOFCOMP cimwin32.mfl
MOFCOMP rsop.mof
MOFCOMP rsop.mfl
REM Then register every DLL under the Wbem folder and recompile every .MOF and .MFL in it.
FOR /f %%s IN ('DIR /b /s *.dll') DO REGSVR32 /s %%s
FOR /f %%s IN ('DIR /b *.mof') DO MOFCOMP %%s
FOR /f %%s IN ('DIR /b *.mfl') DO MOFCOMP %%s
REM Exchange management MOF files; MOFCOMP reports a file error on endpoints without
REM Exchange, which can be ignored.
MOFCOMP exwmi.mof
MOFCOMP -n:root\cimv2\applications\exchange wbemcons.mof
MOFCOMP -n:root\cimv2\applications\exchange smtpcons.mof
MOFCOMP exmgmt.mof
REM Upgrade the rebuilt repository to the current format.
rundll32 wbemupgd, UpgradeRepository
REM Reset the catalog database (catroot2) and security logs, then rebuild the
REM performance counter registry settings (32-bit and 64-bit) and resync WMI perf classes.
NET STOP Cryptsvc
DEL /F /Q /S %WINDIR%\System32\catroot2\*.*
DEL /F /Q C:\WINDOWS\security\logs\*.log
NET START Cryptsvc
cd c:\windows\system32
lodctr /R
cd c:\windows\sysWOW64
lodctr /R
WINMGMT.EXE /RESYNCPERF
REM Re-register Windows Installer and restart the stopped services.
msiexec /unregister
msiexec /regserver
REGSVR32 /s msi.dll
NET START winmgmt
NET START SharedAccess

2. After you run the script, restart the endpoint.

3. Run an audit on the endpoint by selecting it in the Web Portal and clicking the Audit icon. To ensure a full audit, make sure that you do not select any other devices.

Method 3: Rebuild the WMI Repository

If all other troubleshooting described in this article has failed to resolve the issue, you can perform the following procedure to rebuild your WMI repository. Proceed with caution and at your own risk.

Before attempting this process, review the following warning from Microsoft:

If you suspect WMI or repository corruption, rebuilding the repository is the last thing you should do. Deleting and rebuilding the repository can cause damage to the system or to installed applications. Other steps should be taken first to eliminate other possibilities or to confirm you have repository corruption. An extremely large repository also creates problems and can sometimes be interpreted as a corrupt repository, which is not always the case. If issues are due to a large repository, rebuilding it is currently the only method available to reduce its size.

If this process fails to re-add any .MOF files, some installed programs on your endpoint may stop working and require reinstallation. Consider your options carefully before continuing.

1. To rebuild your WMI, run the following commands from an elevated command prompt on the affected endpoint:

Net stop Winmgmt
Winmgmt.exe /standalonehost
Winmgmt.exe /resetrepository
Net start Winmgmt
