
Access Denied Error


Komfort IT

Jul 30, 2002, 5:03:39 AM
Hello,


I'm trying to use the .NET Management Extension for VS .NET Server Explorer
to add a Management Event query against Event Log entries on my machine,
which is a Windows 2000 Member server.

The error is: System.Management.ManagementException: Access denied
   at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
   at System.Management.ManagementEventWatcher.Start()
   at Microsoft.VSDesigner.WMI.EventQueryNode.GetEvents()

The query is: SELECT * FROM __InstanceOperationEvent WITHIN 1 WHERE
TargetInstance ISA "Win32_NTLogEvent"

I am able to execute the same query against a production server
successfully. The security tab on the WMI properties appears to be the same
on the two machines, so I am very perplexed as to what's going on. Can
anyone provide any further insight or troubleshooting steps?

Thank you in advance,

Gavin Faux
Systems Developer
Komfort Office Environments plc

Ivan Brugiolo [MS]

Jul 30, 2002, 5:14:45 AM
Do you have the SeSecurity privilege enabled on your token while querying
for the Security event log?

Can you replicate the behavior with %windir%\system32\wbem\wbemtest.exe,
after having checked the "enable all privileges" box,
in the root\cimv2 namespace, and with Async call-style?

If you enable verbose logging
HKLM\Software\Microsoft\WBEM\CIMOM : Logging = REG_SZ "2"
HKLM\Software\Microsoft\WBEM\CIMOM : Log File Max Size = REG_SZ "2000000"
and look at %windir%\system32\wbem\logs\wbemcore.log and framedyn.log
after having executed the notification query with wbemtest.exe,
can you find something interesting?

--
This posting is provided "As Is" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


"Komfort IT" <it_...@hotmail.com> wrote in message
news:uO8cff6NCHA.2520@tkmsftngp13...

Willy Denoyette [MVP]

Jul 30, 2002, 5:34:45 AM
Did you enable the privileges for the connection?

Here is a sample of how to do this...

....
ManagementScope scope = new ManagementScope("root\\CIMV2");
scope.Options.EnablePrivileges = true; //enables required privileges
try {
q = new WqlEventQuery();
q.EventClassName = "__InstanceCreationEvent";
q.Condition = @"TargetInstance ISA 'Win32_NTLogEvent'";
w = new ManagementEventWatcher(scope, q);

Willy.

"Komfort IT" <it_...@hotmail.com> wrote in message news:uO8cff6NCHA.2520@tkmsftngp13...

Komfort IT

Jul 30, 2002, 7:21:42 AM
Hi Ivan,

Thanks for the prompt reply.

The query works fine using wbemtest.exe with 'enable all privileges'
checked, but fails when unchecked. The only thing I can see of any interest
in the log files when I don't check 'enable all privileges' is:

(Tue Jul 30 12:13:35 2002) : Error 80041003 occured executing queued request
(Tue Jul 30 12:13:35 2002) : CAsyncReq_ExecNotificationQueryAsync, Query=SELECT * FROM __InstanceOperationEvent WITHIN 1 WHERE TargetInstance ISA "Win32_NTLogEvent" in namespace root\cimv2 using flags 0x0

Regards,

Gavin

"Ivan Brugiolo [MS]" <ivan...@online.microsoft.com> wrote in message
news:#FsSrl6NCHA.360@tkmsftngp13...

Komfort IT

Jul 30, 2002, 7:48:44 AM
Hi Willy,

Thanks for the reply. I've tried using your sample (converting it to VB) but
I still get an Access Denied error when I try to start it:

Dim scope As New ManagementScope("root\CIMV2")
scope.Options.EnablePrivileges = True 'enables required privileges
Dim q As New WqlEventQuery()
q.EventClassName = "__InstanceCreationEvent"
q.Condition = "TargetInstance ISA 'Win32_NTLogEvent'"
Dim w As New ManagementEventWatcher(scope, q)
AddHandler w.EventArrived, AddressOf EventArrived
w.Start() ' error occurs here....

However, this works (connecting to a production server):

Dim options As New ConnectionOptions()
options.Username = "domain\user"
options.Password = "password"
Dim scope As New ManagementScope("\\server\root\CIMV2", options)
' scope.Options.EnablePrivileges = True 'enables required privileges
Dim q As New WqlEventQuery()
q.EventClassName = "__InstanceCreationEvent"
q.Condition = "TargetInstance ISA 'Win32_NTLogEvent'"
Dim w As New ManagementEventWatcher(scope, q)
AddHandler w.EventArrived, AddressOf EventArrived
w.Start()

Any thoughts? Thanks,

Gavin


"Willy Denoyette [MVP]" <willy.d...@pandora.be> wrote in message
news:#0mUsw6NCHA.2392@tkmsftngp04...

Phil Wilson

Jul 30, 2002, 7:14:43 PM
This reminds me of similar behavior when using WMI to shut down systems - I can shut down remote
systems fine, but I can't shut down mine unless I explicitly enable SeShutdownPrivilege. As Ivan
said, you may need to explicitly enable SeSecurityPrivilege.

I've seen no mention in the thread about having ConnectionOptions Impersonation set to
ImpersonationLevel.Impersonate.

"Komfort IT" <it_...@hotmail.com> wrote in message news:#Umtv77NCHA.1300@tkmsftngp13...

Ivan Brugiolo [MS]

Jul 30, 2002, 10:11:52 PM
Privileges' propagation across a process boundary and across a network
boundary are different.

To be precise, if you authenticate across LPC,
all the non explicitly-enabled privileges will be stripped out of your token.
If you authenticate via InitializeSecurityContext/AcceptSecurityContext
(AKA, when using RPC over TCP or over NP), all the privileges present in your token
will be present and enabled on the token created on the remote machine.

You need at least an impersonation token at identify level to connect
remotely to WinMgmt.
Then, whether you need an identify, impersonate or delegate level token depends
upon the provider and/or the kind of operation you are doing.



"Phil Wilson" <phil....@unisys.spamcom> wrote in message
news:OqINE7BOCHA.360@tkmsftngp13...

Willy Denoyette [MVP]

Jul 31, 2002, 6:21:40 AM
Ok, I see VB.NET.
The problem with VB.Net is that the main thread runs in an STA (initialized by the VB compiler).
However, the WMI COM class will be instantiated on an MTA thread (this is done by the Management classes).
So when you call scope.Options.EnablePrivileges = True, you effectively enable the privilege (SeSecurityPrivilege) on the current
(STA) thread, but the actual call will be executed on the MTA thread, and this one doesn't have the privilege enabled, resulting in
an "Access denied error".

What you should do is run the code on an MTA thread.

Here is how you can do it using an asynch delegate (C# code, but you get the idea).

public delegate void EventlogProc();

// Call the event-log handler from an MTA worker thread
EventlogProc pfn = new EventlogProc(EvHandler);
IAsyncResult ar = pfn.BeginInvoke(null, null);
ar.AsyncWaitHandle.WaitOne(10000, false);
}


static void EvHandler()
{
    // Your code here....
    // It is critical to call EnablePrivileges on this thread (MTA)
    ....
    ms.Options.EnablePrivileges = true;
    ...

}


Willy.
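
The approach described in the post above, written out as a complete console program. This is an added example, not code from any poster in the thread. It assumes a project referencing System.Management.dll; the class name, the 30-second timeout and the filter that narrows the query to the Security log are choices made for this example.

```csharp
// Added example: wait for one new Security event-log record via WMI,
// with the privilege enabled on the same MTA thread that makes the call.
using System;
using System.Management;
using System.Threading;

class SecurityLogWatcher   // hypothetical name, chosen for this example
{
    static void Main()
    {
        // Do all WMI work on a thread that is explicitly MTA.
        Thread worker = new Thread(Watch);
        worker.SetApartmentState(ApartmentState.MTA);
        worker.Start();
        worker.Join();
    }

    static void Watch()
    {
        ConnectionOptions options = new ConnectionOptions();
        // Enables the privileges already held by the caller's token;
        // the account must hold SeSecurityPrivilege for the Security log.
        options.EnablePrivileges = true;
        options.Impersonation = ImpersonationLevel.Impersonate;
        ManagementScope scope = new ManagementScope(@"\\.\root\CIMV2", options);

        WqlEventQuery query = new WqlEventQuery(
            "__InstanceCreationEvent",
            TimeSpan.FromSeconds(1),   // WITHIN 1, as in the original query
            "TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.Logfile = 'Security'");

        using (ManagementEventWatcher watcher = new ManagementEventWatcher(scope, query))
        {
            watcher.Options.Timeout = TimeSpan.FromSeconds(30);
            try
            {
                scope.Connect();
                // Synchronous wait: blocks this thread until an event or the timeout.
                ManagementBaseObject ev = watcher.WaitForNextEvent();
                ManagementBaseObject rec = (ManagementBaseObject)ev["TargetInstance"];
                Console.WriteLine("{0} {1} {2}",
                    rec["TimeGenerated"], rec["EventCode"], rec["SourceName"]);
            }
            catch (ManagementException e)
            {
                // ManagementStatus.AccessDenied is the 80041003 seen in wbemcore.log;
                // ManagementStatus.Timedout means no event arrived in time.
                Console.WriteLine("{0}: {1}", e.ErrorCode, e.Message);
            }
        }
    }
}
```

Running it once from an account without SeSecurityPrivilege and once from one that holds it shows whether the failure is a missing privilege or a privilege that is held but not enabled on the calling thread.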

"Komfort IT" <it_...@hotmail.com> wrote in message news:#Umtv77NCHA.1300@tkmsftngp13...

Willy Denoyette [MVP]

Jul 31, 2002, 6:30:35 AM
The problem with Komfort's code is that the privileges are enabled on an STA thread (VB.NET initializes the Main thread to run in an
STA), while the COM WMI code runs on an MTA thread spawned by the Management classes.
The privileges enabled on the main (STA) thread are not propagated across threads, so the MTA thread executes without the privilege
enabled, resulting in an "Access denied error".

Willy.

"Ivan Brugiolo [MS]" <ivan...@online.microsoft.com> wrote in message news:OfZOBeDOCHA.2488@tkmsftngp09...

Komfort IT

Jul 31, 2002, 11:51:22 AM
Hi Willy,

So if I convert my WMI code from VB .NET to C#, do I still need to spin off
an MTA thread when connecting to the local machine?

Thanks,

Gavin

"Willy Denoyette [MVP]" <willy.d...@pandora.be> wrote in message

news:OeyWkvHOCHA.2460@tkmsftngp04...
