Troubleshooting Tips for the Windows Remote Target connector


Article ID: 120040


Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)

Issue/Introduction

Is the Win Remote executable (rwin.exe) copied from PAM and launched on the remote box?

Resolution

If all goes well, rwin.exe is copied to C$ on the remote box. Upon execution, e.g. during an account scan job of local accounts, it creates a file in ADMIN$ whose name starts with __ followed by a number.
The contents of that file are, for example:
List all the accounts
Account= Administrator
Account= Guest
Operation successful
The status code 0-NERR_Success


All this is done by SMBv2 and WMI COM API calls.


To observe this, set up a local account scan job using a Windows Remote Target account and hit "Run" several times, so that you have a chance to see the files named above on the target (e.g. by opening a cmd prompt and running a dir loop in C:\ and C:\Windows).

Use Wireshark to confirm that the SMB and WMI ports are open and that traffic is seen on these ports.
See: PAM Windows Remote Connector Unable to Discover Local Accounts
Use a filter similar to the following in order to narrow down the traffic.
(smb2 || dcerpc) && (tcp.dstport >= 49152 || tcp.dstport == 445 ) && ip.dst == "WINbox" && ip.src == "PAMbox"

Replace WINbox and PAMbox with the respective IP addresses.

Confirm that the registry parameter LocalAccountTokenFilterPolicy is enabled on the target box.
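
The target-side checks above can be combined into one script. This is an added example, not part of the original article or of PAM. It assumes rwin.exe lands in the root of C:\, that ADMIN$ maps to %SystemRoot%, and that the hypothetical parameter $PamAddress holds the PAM appliance IP. Run it in an elevated PowerShell session on the target, then hit "Run" on the scan job.

```powershell
# Added example: target-side checks for the Windows Remote connector.
param(
    [string]$PamAddress = '192.0.2.10',  # constructed sample address; use the PAM IP
    [int]$Seconds = 120                  # how long to keep watching
)

# 1. LocalAccountTokenFilterPolicy: a value of 1 means remote logons by local
#    administrator accounts receive a full, unfiltered token.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = (Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy `
           -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
if ($policy -eq 1) { 'LocalAccountTokenFilterPolicy = 1 (enabled)' }
else { "LocalAccountTokenFilterPolicy is not enabled (value: '$policy')" }

# 2. Poll for rwin.exe in C:\ and the short-lived __<number> file in ADMIN$,
#    and for sessions from PAM on 445 or the dynamic RPC range (>= 49152),
#    the same ports the Wireshark filter above selects.
$seen = @{}
$deadline = (Get-Date).AddSeconds($Seconds)
while ((Get-Date) -lt $deadline) {
    $files  = @(Get-ChildItem -Path 'C:\' -Filter 'rwin.exe' -File -ErrorAction SilentlyContinue)
    $files += @(Get-ChildItem -Path $env:SystemRoot -Filter '__*' -File -ErrorAction SilentlyContinue)
    foreach ($f in $files) {
        if (-not $seen.ContainsKey($f.FullName)) {
            $seen[$f.FullName] = $true
            '{0:HH:mm:ss} file    {1} ({2} bytes)' -f (Get-Date), $f.FullName, $f.Length
        }
    }
    Get-NetTCPConnection -RemoteAddress $PamAddress -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -eq 445 -or $_.LocalPort -ge 49152 } |
        ForEach-Object {
            $id = "tcp:$($_.LocalPort):$($_.RemotePort)"
            if (-not $seen.ContainsKey($id)) {
                $seen[$id] = $true
                '{0:HH:mm:ss} session {1}:{2} -> local port {3}' -f `
                    (Get-Date), $_.RemoteAddress, $_.RemotePort, $_.LocalPort
            }
        }
    Start-Sleep -Milliseconds 250
}
if ($seen.Count -eq 0) { 'No rwin.exe, __* file, or PAM session observed.' }
```

If sessions on port 445 appear but no files do, the copy to C$ is failing; if nothing appears at all, the traffic is not reaching the target.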


Please contact PAM Support if you can't figure out the problem.