wntServerType Command

Started by chrislegarth, February 16, 2017, 07:12:18 AM


chrislegarth

I am using the wntServerType command to determine if a computer is live on the network before running additional commands against the computer.
Our network group recently made some changes to firewalls and network connections. Right after the change, the command now returns a 0 instead of 4.
What does the command do under the covers so I can provide some information to our network groups to fix what they broke? :)

Thanks,
Chris

td

You will have to ask Microsoft what the wntServerInfo function does under the covers, as it relies on APIs provided by them, but it is possible to get a good idea of what is happening. It is surprising your 'network groups' didn't check the firewall logs to determine the source of the problem for themselves. They would have likely found that they needed to open up at least one NetBIOS TCP port. The most likely candidate is port 139, but there is some chance that UDP ports 137 and 138 are required as well. They can trial-and-error for the correct ports or use Wireshark to check network traffic, if the information isn't in the logs.

"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade
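
A small probe for the TCP side of the port check suggested in the reply above, added here as an example and not part of the original thread. The names `probe_tcp` and `survey` are hypothetical; it only covers TCP 139, since UDP 137 and 138 have no handshake to classify this way.

```python
import errno
import socket

# Candidate named in the reply above: NetBIOS session service on TCP 139.
NETBIOS_SESSION_PORT = 139


def probe_tcp(host, port=NETBIOS_SESSION_PORT, timeout=3.0):
    """Classify one TCP connection attempt as seen from this machine.

    'open'        - handshake completed, a service is listening
    'refused'     - a reset came back: host reachable, nothing listening
    'filtered'    - no answer before the timeout, typical of a silent drop
    'unreachable' - the local stack reported a routing error
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()


def survey(hosts, port=NETBIOS_SESSION_PORT, timeout=3.0):
    """Return {host: status} so results from both sides of a firewall can be compared."""
    return {host: probe_tcp(host, port, timeout) for host in hosts}


if __name__ == "__main__":
    # Constructed demo: a local listener stands in for a real server so this runs offline.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    demo_port = listener.getsockname()[1]
    print("listener up:  ", survey(["127.0.0.1"], demo_port))
    listener.close()
    print("listener down:", survey(["127.0.0.1"], demo_port))
```

A 'filtered' result from one network segment and 'open' from another points at a device in between dropping the traffic, which is the detail worth handing to the firewall team along with the timestamp.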

td

You can also use the built-in "netstat" program from a cmd.exe prompt to check ports.

chrislegarth

After digging deeper and performing a packet capture myself, I came to find that the network guys made two changes: 1. re-terminating VPNs on a new firewall and 2. turning on IPS services. The response to the wntServerType was getting blocked. They should have it unblocked shortly. Thanks for the quick response as usual!