C
chen
[Posted this earlier in microsoft.public.dotnet.framework.wmi &
microsoft.public.dotnet.security newsgroups - reposting here for a
wider audience]
I'm running into this issue wrt enabling WMI to query Service status
on a remote server for a non-admin user (domain account).
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 2/19/2008
Time: 1:23:20 PM
User: <domain\user>
Computer: <machine>
Description:
Object Open:
Object Server: SC Manager
Object Type: SC_MANAGER OBJECT
Object Name: ServicesActive
Handle ID: -
Operation ID: {0,740776537}
Process ID: 460
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: <machine>
Primary Domain: <domain>
Primary Logon ID: (0x0,0x3E7)
Client User Name: <user>
Client Domain: <domain>
Client Logon ID: (0x0,0x2C275796)
Accesses: READ_CONTROL
Connect to service controller
Enumerate services
Query service database lock state
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x20015
The problem i'm trying to solve is to determine when a particular
service deployed on a server goes down. The client app (.Net 2.0) is
running in the context of a regular non-admin domain user & is using
WMI to query the service status.
Configuration:
Server: Windows Server 2003 SP2 (SP1 exhibits similar behavior
as
well)
Client: Windows XP SP2
[Btw, http://www.poweradmin.com/help/enableWMI.aspx lists the steps
required on how to enable WMI for non-admin users]
Specifically, this query fails:
SELECT * FROM __InstanceModificationEvent WITHIN 1 WHERE
TargetInstance ISA \"Win32_Service\" and TargetInstance.Name =
\"FooService\"");
But this one succeeds:
SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance
ISA \"Win32_Process\" and TargetInstance.Name = \"FooService.exe\"");
What permissions/privileges are required to enumerate and/or query
service status for a non-admin user? While i can work around the
issue
by listening for __InstanceCreationEvent & __InstanceDeletionEvent
events, it doesn't sound right especially if the process hosts more
than one svc. Can anyone shed more light on this?
TIA.
chen
microsoft.public.dotnet.security newsgroups - reposting here for a
wider audience]
I'm running into this issue wrt enabling WMI to query Service status
on a remote server for a non-admin user (domain account).
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 2/19/2008
Time: 1:23:20 PM
User: <domain\user>
Computer: <machine>
Description:
Object Open:
Object Server: SC Manager
Object Type: SC_MANAGER OBJECT
Object Name: ServicesActive
Handle ID: -
Operation ID: {0,740776537}
Process ID: 460
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: <machine>
Primary Domain: <domain>
Primary Logon ID: (0x0,0x3E7)
Client User Name: <user>
Client Domain: <domain>
Client Logon ID: (0x0,0x2C275796)
Accesses: READ_CONTROL
Connect to service controller
Enumerate services
Query service database lock state
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x20015
The problem i'm trying to solve is to determine when a particular
service deployed on a server goes down. The client app (.Net 2.0) is
running in the context of a regular non-admin domain user & is using
WMI to query the service status.
Configuration:
Server: Windows Server 2003 SP2 (SP1 exhibits similar behavior
as
well)
Client: Windows XP SP2
[Btw, http://www.poweradmin.com/help/enableWMI.aspx lists the steps
required on how to enable WMI for non-admin users]
Specifically, this query fails:
SELECT * FROM __InstanceModificationEvent WITHIN 1 WHERE
TargetInstance ISA \"Win32_Service\" and TargetInstance.Name =
\"FooService\"");
But this one succeeds:
SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance
ISA \"Win32_Process\" and TargetInstance.Name = \"FooService.exe\"");
What permissions/privileges are required to enumerate and/or query
service status for a non-admin user? While i can work around the
issue
by listening for __InstanceCreationEvent & __InstanceDeletionEvent
events, it doesn't sound right especially if the process hosts more
than one svc. Can anyone shed more light on this?
TIA.
chen