I know this question is old, but came across is when I was trying to find a solution so figured would direct people to an answer I wrote up and posted here:

.NET - Copying an executable across LAN to another computer, and executing it

In short, it is possible to echo base64 conversion of any file (including an exe) using WMI and then decode it with certutil.

I learned that WMI cannot create files on a remote host, and it cannot copy files over a network connection: http://msdn.microsoft.com/en-us/library/windows/desktop/aa389288%28v=vs.85%29.aspx

However, it can run a cmd process. Here's Frank White's code in C sharp, followed by his example: https://stackoverflow.com/a/8913231/1569434

InputParameters("CommandLine") = "cmd /c echo myFTPCommands > c:\ftpscript.txt"

You will need four things to use all the following scriptlets, which build on each other to use psexec to run a "normal" VBScript or batch script on the remote host:

1. admin rights on the remote host;
2. WMI enabled on the remote host
3. a network share (using RPC, UNC, FTP, etc., but NOT DFS! ("Distributed File System" - see note) that your remote host can access; and
4. psexec.exe and your "normal" script(s) on the network share.

Important Note: Do NOT use DFS to map the network share! It will fail if you use Distributed File System for your network share. An error code you might get depending on how you try is "System error 1312", no matter which operating system (e.g., XP, Win 7) you use.

When RPC is not available on a remote host but WMI is, then the following method will create a local ASCII file on the remote host's c:\temp folder, containing the text "myTextCommands", without the quotes.

' https://stackoverflow.com/questions/8884728/wmi-remote-process-to-copy-file
strCommand = "cmd /c echo myTextCommands > c:\temp\testscript.txt"
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\cimv2")
Set objProcess = objWMIService.Get("Win32_Process")
errReturn = objProcess.Create(strCommand, null, null, intProcessID)
' See following link for error codes returned by errReturn
' http://msdn.microsoft.com/en-us/library/windows/desktop/aa389388(v=vs.85).aspx

Notice the important limitation in the script above: it can only create ASCII files - not binary.

Let's use that technique to map a drive letter:

strCommand = "cmd /c net use z: " & MyShare & " /user:%USERDOMAIN%\%USERNAME% " _
    & strPassword & ">" & strRemoteLog
Set objProcess = objWMIService.Get("Win32_Process")
Call errProcess

where "strRemoteLog" is set to something like "c:\temp\MyLog.txt", "strPassword" is prompted (see full script example and reference at bottom), and "errProcess" is a subroutine that runs the following process using the "cmd /c" trick mentioned above:

Sub errProcess
errReturn = objProcess.Create(strCommand, null, null, intProcessID)
If errReturn = 0 Then
    Wscript.Echo "Process was started with a process ID: " & intProcessID
    WScript.Sleep 5000
Else
    Wscript.Echo "Process could not be started due to error: " & errReturn
End If
End Sub

With a network drive mapped, copy your script to the host:

strCommand="cmd /c xcopy Z:\scripts\SCRIPT1.bat c:\temp\ >>" & strRemoteLog
Call errProcess

SCRIPT1.bat is ready, so start psexec against it on the remote host, passing your script a variable strUserID that would be obtained earlier and is here for example:

strCommand="cmd /c Z:\psexec \\%COMPUTERNAME% /accepteula -s -n 120 " _
    & cmd /c c:\temp\SCRIPT1.bat " & strUserID & ">>" & strRemoteLog
Call errProcess

Once psexec finishes, you might want to save the results. So you rename the log file, upload it, unmap your drive, and clean up residual files:

strCommand="cmd /c REN " & strRemoteLog & " SCRIPT1-%COMPUTERNAME%.txt"
Call errProcess
strCommand="cmd /c MOVE /Y c:\temp\SCRIPT1*.txt Z:\scripts\LOGS\"
Call errProcess
strCommand="cmd /c net use * /del /Y"
Call errProcess
strCommand="cmd /c del c:\temp\SCRIPT1*.bat /q"
Call errProcess

You're done. You've successfully mapped a drive, run a routine script against the remote host, and uploaded its output.

Note this method also works on Windows 7 and Windows 2008 with UAC.

Here's the full 'sample' integrated script. Feel free to suggest fixes, improvements, etc.

On Error Resume Next

 MyShare="\\SHARE1"
 strRemoteLog="c:\temp\MapZ.txt"

' Set remote hostname
strComputer="HOST2"
'strComputer = InputBox("Enter Computer name", _
'"Find PC", strComputer)

' Set remote userid
strUserID="USERID1"
'strComputer = InputBox("Enter userid", _
'"Find User", strComputer)

' Enumerate cimv2 on remote host strComputer
Set objWMIService = GetObject("winmgmts:" & _
"{impersonationLevel=Impersonate}!//" & strComputer & "\root\cimv2")

' Verify remote host exists on domain
If( IsEmpty( objWMIService ) = True ) Then
    WScript.Echo( "OBJECT_NOT_INITIALIZED :: " & strComputer )
    WScript.Quit( OBJECT_NOT_INITIALIZED )
End If

' Prompt for masked password
strPassword=GetPass

' Build and run command to execute on strComputer
strCommand = "cmd /c net use z: " & MyShare & " /user:%USERDOMAIN%\%USERNAME% " & strPassword & ">" & strRemoteLog
Set objProcess = objWMIService.Get("Win32_Process")
Call errProcess

' Copy script(s) from MyShare to HOST2 since psexec cannot run scripts on shared drives
strCommand="cmd /c xcopy Z:\scripts\cleanpclocal.bat c:\temp\ /V /C /I /Q /H /R /Y>>" & strRemoteLog
Call errProcess

' Change directory to c:\temp
'strCommand="cmd /c cd c:\temp>" & strRemoteLog
'Call errProcess

' Start PSEXEC against script
strCommand="cmd /c Z:\psexec \\%COMPUTERNAME% /accepteula -s -n 120 cmd /c c:\temp\cleanpclocal.bat " & strUserID & ">>" & strRemoteLog
Call errProcess

' Rename logfile to include hostname, upload to share,  unmap networked drive, and delete script
strCommand="cmd /c REN " & strRemoteLog & " cleanpc-%COMPUTERNAME%.txt"
Call errProcess
strCommand="cmd /c MOVE /Y c:\temp\clean*.txt Z:\scripts\LOGS\"
Call errProcess
strCommand="cmd /c net use * /del /Y"
Call errProcess
strCommand="cmd /c del c:\temp\clean*.bat /q"
Call errProcess

WScript.Quit





' ***********
' APPENDIX
' Subroutines, functions
' ***********

' **SUBROUTINES**
'strCommand="cmd /c dir z:\scripts\>" & strRemoteLog ' Works to get dir of z:\scripts\

' Function to handle errReturn
Sub errProcess
WScript.Echo "strCommand=" & strCommand
errReturn = objProcess.Create(strCommand, null, null, intProcessID)

If errReturn = 0 Then
    Wscript.Echo "Process was started with a process ID: " & intProcessID
    WScript.Sleep 5000
Else
    Wscript.Echo "Process could not be started due to error: " & errReturn
End If
WScript.Echo

' Error return codes for Create method of the Win32_Process Class
' http://msdn.microsoft.com/en-us/library/windows/desktop/aa389388(v=vs.85).aspx
' 0=Successful Completion
' 2=Access Denied
' 3=Insufficient Privilege
' 8=Unknown failure
' 9=Path Not Found
' 21=Invalid Parameter

End Sub



' **FUNCTIONS**

' Subroutine to get masked password
Function GetPass
' Mask Passwords Using Internet Explorer
' Ensure you follow the technet.com instructions and create file password.htm
' http://blogs.technet.com/b/heyscriptingguy/archive/2005/02/04/how-can-i-mask-passwords-using-an-inputbox.aspx

Set objExplorer = WScript.CreateObject _
    ("InternetExplorer.Application", "IE_")

objExplorer.Navigate "file:///C:\SCRIPTS\password.htm"   
objExplorer.ToolBar = 0
objExplorer.StatusBar = 0
objExplorer.Width = 400
objExplorer.Height = 350 
objExplorer.Left = 300
objExplorer.Top = 200
objExplorer.Visible = 1             

Do While (objExplorer.Document.Body.All.OKClicked.Value = "")
    Wscript.Sleep 250                 
Loop 

strPassword = objExplorer.Document.Body.All.UserPassword.Value
strButton = objExplorer.Document.Body.All.OKClicked.Value
objExplorer.Quit
Wscript.Sleep 250

If strButton = "Cancelled" Then
    Wscript.Quit
'Else
'    Wscript.Echo strPassword
End If

' Return the password
GetPass = strPassword

End Function

Firstly, I think there's a typo in your code where you've written:

errResults  = objFolder.Copy("f:\temp\test1.txt")

I think you meant:

errResults  = objFiles.Copy("f:\temp\test1.txt")

Secondly, I don't know if what you're trying to do is possible. I think the code you've got might copy a file from a directory on the remote computer to another directory on the remote computer.

For a solution though, if WMI is available remotely on all the computers, that means that at least one port is open. If that's the case, are there any other ports that are open? If so, maybe you could set up a FTP server on your admin host on port X and then have the other hosts send the file by automating the default XP FTP client.

WMI is a database of information. You cannot use it to copy files.

Have you tried the following ?

set fso = CreateObject("Scripting.FileSystemObject")
fso.CopyFile "f:\temp\test1.txt", "\\HOST1\C$\temp\test1.txt", true