Setting a fixed WMI TCP port for TIBCO LogLogic Universal Collector to use
Article ID: KB0077097
Products
Versions
TIBCO LogLogic Universal Collector
all versions
Description
The WMI service normally runs inside a shared svchost.exe process, but the usage text of the winmgmt command (shown below) indicates that it can also run as a standalone process with its own fixed TCP port. The default TCP port is 24158. This can be used together with LogLogic Universal Collector to eliminate the need to open the 1024-65535 port range between UC and all the remote Windows log sources.
/standalonehost [<level>] Moves the Winmgmt service to a standalone Svchost process that has a fixed DCOM endpoint. The default endpoint is "ncacn_ip_tcp.0.24158". However, the endpoint may be changed by running Dcomcnfg.exe. The level argument is the authentication level for the Svchost process. If level is not specified, the default is 4 (RPC_C_AUTHN_LEVEL_PKT).
/sharedhost Moves the Winmgmt service into the shared Svchost process.
Issue/Introduction
This article explains how to configure the WMI service on Windows hosts to use a single fixed port. This reduces the number of ports Universal Collector needs in order to communicate with a Windows host to just a few, rather than a range between 1024 and 65535.
Resolution
To set up a fixed port for WMI:
1. At the command prompt, type winmgmt -standalonehost.
2. Stop the WMI service by typing the command net stop "Windows Management Instrumentation", or use the short name: net stop winmgmt.
3. Restart the WMI service in a new service host by typing net start "Windows Management Instrumentation" or net start winmgmt.
4. If the Windows Firewall is enabled, open the new WMI service port in the Windows Firewall by typing netsh firewall add portopening TCP 24158 WMIFixedPort.
To undo any changes you make to WMI, type winmgmt /sharedhost, then stop and start the winmgmt service again.
After completing the above procedure, no further action is required. The WMI port is only used when collection from a Windows source is initialized, so if collection is already active no changes are needed. If you want to verify that the change worked, you will need to either restart the LogLogic UC service or disable and then re-enable the Windows source used for testing.
Whether you restart the service or disable/re-enable a single log source, you will then need to either run a packet capture program or execute netstat -anb | find "<UC IP>" on the Windows source several times to verify that port 24158 was used. Running it several times is necessary because the port is only used in the initial phase of collection. About a minute or so after the UC service is restarted you should see netstat output similar to the following, which shows UC connecting to the RPC endpoint mapper (135/tcp), then to the WMI port (24158/tcp), and then to the event log port (49153/tcp).
TCP 110.13.14.17:135 110.13.14.16:30733 ESTABLISHED RpcSs [svchost.exe]
TCP 110.13.14.17:135 110.13.14.16:30740 ESTABLISHED RpcSs [svchost.exe]
TCP 110.13.14.17:135 110.13.14.16:30784 ESTABLISHED RpcSs [svchost.exe]
TCP 110.13.14.17:445 110.13.14.16:30789 ESTABLISHED Can not obtain ownership information
TCP 110.13.14.17:24158 110.13.14.16:30754 ESTABLISHED Winmgmt [svchost.exe]
TCP 110.13.14.17:49153 110.13.14.16:30785 ESTABLISHED eventlog [svchost.exe]
TCP 110.13.14.17:49153 110.13.14.16:30800 ESTABLISHED eventlog
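Because the WMI port is only hit briefly at the start of collection, repeating netstat by hand is easy to get wrong. The following PowerShell script is an added example (not part of the TIBCO article or product) that polls the Windows source for established connections from the UC address and reports which local ports were used; start it on the Windows host before restarting the UC service or re-enabling the source. It assumes the Get-NetTCPConnection cmdlet (Windows 8 / Server 2012 and later), an elevated session, and that the UC address given below is a placeholder you replace.

```powershell
# Added verification example, not code from the TIBCO article.
# Assumptions: Get-NetTCPConnection is available; run as Administrator;
# $UcIp is a placeholder for the real Universal Collector address.
param(
    [string]$UcIp       = '110.13.14.16',  # placeholder UC address
    [int]   $WmiPort    = 24158,           # fixed port set via winmgmt /standalonehost
    [int]   $Seconds    = 120,             # poll window covering collection start
    [int]   $IntervalMs = 500
)

$seen     = @{}   # local port (int) -> owning service/process name
$deadline = (Get-Date).AddSeconds($Seconds)

while ((Get-Date) -lt $deadline) {
    $conns = Get-NetTCPConnection -RemoteAddress $UcIp -State Established -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $port = [int]$c.LocalPort   # cast so hashtable lookups compare as the same type
        if ($seen.ContainsKey($port)) { continue }
        # Map the owning PID to a service name; svchost.exe hosts many services
        $svc = Get-CimInstance Win32_Service -Filter "ProcessId = $($c.OwningProcess)" |
               Select-Object -ExpandProperty Name
        if (-not $svc) {
            $svc = (Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        }
        $seen[$port] = ($svc -join ',')
        Write-Host ('{0} local port {1,-6} <- {2} ({3})' -f (Get-Date -Format 'HH:mm:ss'), $port, $UcIp, $seen[$port])
    }
    Start-Sleep -Milliseconds $IntervalMs
}

if ($seen.ContainsKey($WmiPort)) {
    Write-Host "OK: fixed WMI port $WmiPort was used by $UcIp during the window."
} else {
    Write-Warning "Port $WmiPort not observed. Check that winmgmt is in standalone host mode and that collection for this source was (re)started while polling."
}
# The Event Log RPC endpoint (49153 in the article's output) is still a dynamic port, so
# ports other than 135, 445 and the fixed WMI port are expected to appear.
$other = $seen.Keys | Where-Object { $_ -notin 135, 445, $WmiPort }
if ($other) { Write-Host ('Other local ports seen (dynamic RPC endpoints, e.g. eventlog): {0}' -f ($other -join ', ')) }
```

If the warning fires, confirm with winmgmt that the standalone host is active and that the firewall rule from step 4 is present before changing anything else.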