Exception while ManagementEventWatcher (WMI) notifies events from a remote machine

I am trying to get a notification from the event viewer of a remote computer using WMI and C#. I can connect to the system and also get the event log using ManagementObjectSearcher. But when I try to use the ManagementEventWatcher.Start method, I get an exception:

Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

I gave permissions in WMI Control on root\cimv2, and also gave administrator privileges to the user account in DCOM Config.

I have a regular Windows application, so I do not use ASP.net (ASPNET user) in my case.

My code is:

    using System;
    using System.Management;

    // Field so the watcher is not garbage-collected while it runs.
    ManagementEventWatcher eventWatcher;

    void StartWatching()
    {
        ConnectionOptions connectionOptions = new ConnectionOptions();
        connectionOptions.Username = @"Domain\UName"; // txtUserName.Text;
        connectionOptions.Password = "pass";          // txtPassword.Text;
        connectionOptions.Impersonation = ImpersonationLevel.Impersonate;

        ManagementScope managementScope = new ManagementScope(@"\\server\root\cimv2", connectionOptions);
        managementScope.Options.EnablePrivileges = true;
        managementScope.Connect(); // this line is executing fine.

        eventWatcher = new ManagementEventWatcher(managementScope,
            new EventQuery("Select * From __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' and TargetInstance.LogFile = 'Application'"));
        eventWatcher.EventArrived += new EventArrivedEventHandler(Arrived);
        eventWatcher.Scope.Options.EnablePrivileges = true;
        eventWatcher.Start(); // Error occurs here
    }

    // Asynchronous callback; WMI delivers the new Win32_NTLogEvent here.
    void Arrived(object sender, EventArrivedEventArgs e)
    {
        ManagementBaseObject record = (ManagementBaseObject)e.NewEvent["TargetInstance"];
        Console.WriteLine(record["Message"]);
    }
+4
3 answers

Try listening semi-synchronously with WaitForNextEvent():

    using System;
    using System.Management;

    var managementScope = new ManagementScope(@"\\mysever\root\onguard");
    managementScope.Connect();

    var query = new EventQuery("select * from lnl_AccessEvent");
    var eventWatcher = new ManagementEventWatcher(managementScope, query);

    // Blocks until the next matching event arrives; no callback from the server is needed.
    var wmiEvent = eventWatcher.WaitForNextEvent();
    Console.Out.WriteLine(wmiEvent.GetPropertyValue("Description"));

We also found wbemtest.exe useful. Click the "Notification Query..." button to listen for events. You can try the different connection methods (synchronous, asynchronous or semi-synchronous). All connection methods work when connecting to the local machine, but we could only get semi-synchronous to work remotely. Asynchronous (which you are using) is more complex (and less secure) because the server must make a connection back to the client.

Some useful information here about security and configuration settings: http://www.packettrap.com/network/Knowledge-Base/PacketTrap-MSP/WMI-Troubleshooting.aspx#_Toc239699682

+4
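Brian's semi-synchronous approach applied to the question's own Win32_NTLogEvent filter, as an added example that is not part of the question or this answer; the server name, the domain account and the password are placeholders:

```csharp
using System;
using System.Management;

// Added example (not from the question or the answers): the question's
// Application-log watcher rewritten to poll semi-synchronously with
// WaitForNextEvent(), so no DCOM callback from server to client is needed.
// "server", the domain user and the password are placeholders.
class SemiSyncEventLogWatcher
{
    static void Main()
    {
        var options = new ConnectionOptions
        {
            Username = @"Domain\UName",   // placeholder
            Password = "pass",            // placeholder
            Impersonation = ImpersonationLevel.Impersonate,
            Authentication = AuthenticationLevel.PacketPrivacy, // sign and encrypt the DCOM traffic
            EnablePrivileges = true
        };
        var scope = new ManagementScope(@"\\server\root\cimv2", options);
        scope.Connect();
        // Same filter as the question; WITHIN 2 makes WMI poll the log every 2 seconds.
        var query = new WqlEventQuery("__InstanceCreationEvent", TimeSpan.FromSeconds(2),
            "TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.LogFile = 'Application'");
        // Bound each wait so the loop stays responsive instead of blocking forever.
        var watcherOptions = new EventWatcherOptions { Timeout = TimeSpan.FromSeconds(30) };

        using (var watcher = new ManagementEventWatcher(scope, query, watcherOptions))
        {
            while (true)
            {
                ManagementBaseObject evt;
                try
                {
                    evt = watcher.WaitForNextEvent(); // blocks until an event or the timeout
                }
                catch (ManagementException ex) when (ex.ErrorCode == ManagementStatus.Timedout)
                {
                    continue; // nothing arrived in this window, keep polling
                }

                var record = (ManagementBaseObject)evt["TargetInstance"];
                Console.WriteLine("{0} {1} EventCode={2} Source={3}",
                    ManagementDateTimeConverter.ToDateTime((string)record["TimeGenerated"]),
                    record["Type"], record["EventCode"], record["SourceName"]);
            }
        }
    }
}
```

Because the client pulls each event instead of receiving a callback, the ANONYMOUS LOGON DCOM grant and the AllowAnonymousCallback registry change discussed on this page are not needed for this variant.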

First, keep in mind that Microsoft recommends using semi-synchronous operations (as Brian suggested):

If you can, we recommend using a semi-synchronous operation instead. The effect is small, and the semi-synchronous operation allows you to use the same functions, but does not require a reverse connection.

See also Configuring Asynchronous Call Security in VBScript.

If you still want to use Async operations, see the following articles:

YMMV, but for me (client: Win7 x64 SP1; server: Windows Server 2008 Enterprise SP2 without a firewall), the fix for E_ACCESSDENIED was found in the third article:

  • Click Start, click Run, type DCOMCNFG and click OK.
  • In the Component Services dialog box, expand Component Services, expand Computers, right-click My Computer and click Properties.
  • In the My Computer Properties dialog box, click the Security tab.
  • In the Access Permissions section, click Edit Limits.
  • In the Access Permission dialog box, select the ANONYMOUS LOGON name in the Group or user names box. In the Allow column under Permissions for User, select Remote Access, and then click OK.

Please note that I did this on the client. Although this fixed the DCOM permission issue for me, I then ran into WMI access denied errors (0x80041003). It turns out this is due to the registry key mentioned in the second article:

CIMOM settings must be updated if there is a remote connection between computers that do not have a trust relationship; otherwise, an asynchronous connection will fail. This parameter should not be changed for computers in the same domain or in trusted domains.

The following registry entry must be modified to allow anonymous callbacks: HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\AllowAnonymousCallback

If AllowAnonymousCallback is set to 0, the WMI service prevents anonymous callbacks for the client. If the value is 1, the WMI service allows anonymous client callbacks.

Please note that you need to set the above on the server. As soon as I did this, asynchronous callbacks worked. Other things you could try: start your client as an administrator and set ConnectionOptions.EnablePrivileges to true.

For troubleshooting see:

Finally, I recommend you use the Microsoft WMI tester (%windir%\system32\wbem\wbemtest.exe).

+4

I spent several hours figuring this out. None of this helped me.

After analyzing the event logs on my IIS server, I found that every time I called the Start method on the ManagementEventWatcher object, I received the following error event in the System log:

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {49BD2028-1523-11D1-AD79-00C04FD8FDFF} and APPID {49BD2028-1523-11D1-AD79-00C04FD8FDFF} to the user IIS APPPOOL\DefaultAppPool SID (S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

A search in the registry showed that the application with the APPID given in the error was:

Microsoft WBEM Unsecured Apartment

To perform the asynchronous callback operation, you need to grant Local Activation permission on this COM object to the IIS APPPOOL\DefaultAppPool user, which sounds quite simple, except that the user does not show up as a valid security account in the database. This is because when you create an IIS application pool, an account for it is created automatically.

The process for making this work is as follows:

  • Launch mmc and add the Component Services snap-in
  • Open Computers -> My Computer -> DCOM Config
  • Scroll down to "Microsoft WBEM Unsecured Apartment"
  • Right-click and select Properties
  • Go to the "Security" tab and, in the "Launch and Activation Permissions" section, select the "Customize" option and click "Edit"
  • If your IIS server is part of a domain, make sure you have the local machine specified in the location field and not the domain.
  • Click the "Add" button, enter "IIS APPPOOL\DefaultAppPool" in the user field and click the "Check Names" button. If you are not using DefaultAppPool, substitute the name of the application pool you are using.
  • The resolved user will appear in the field; click OK.
  • Select the user from the list and select the "Allow" checkboxes for Local Launch and Local Activation.
  • Enjoy the fact that you will no longer see E_ACCESSDENIED for asynchronous callbacks to your WMI event listener.
0

Source: https://habr.com/ru/post/1309020/
