Problem with .NET 1.1 SP1 - Events

I suspect that several others have seen the same program but here goes:

I have sets of code (C# and VB.Net) that both show the same problem.

Basically, the call to "ManagementEventWatcher.Start" fails with an access
denied since upgrading to SP1 for .Net 1.1 - the same code runs on non SP1
machines without a problem. Also, the code is basically the Microsoft
example code.

I have seen notes regarding STAThread and MTAThread, etc. None of this seems
to make a difference. Has anyone got any more advice/details?

Thanks,
Mark

Below is the VB.Net code (as the C# is still part of a larger program) -
console app calls GetEvents() - reference to the system.management.dll (the
new one from SP1)
--------------------------------------------------------------------------------------------
Imports System
Imports System.Management

' This example demonstrates how to subscribe an event using the
' ManagementEventWatcher object.
Class Sample
    Public Shared Sub GetEvents()

        Dim sc As ManagementScope
        Dim co As ConnectionOptions

        co = New ConnectionOptions
        co.Impersonation = ImpersonationLevel.Impersonate
        co.EnablePrivileges = True

        sc = New ManagementScope("\ROOT\CIMV2", co)

        ' Set up an event watcher and a handler for the event
        Dim q As New WqlEventQuery("__InstanceCreationEvent", _
            "TargetInstance ISA 'Win32_NTLogEvent'")
        Dim watcher As New ManagementEventWatcher(sc, q)
        Dim handler As New MyHandler
        AddHandler watcher.EventArrived, AddressOf handler.Arrived

        ' Start watching for events
        watcher.Start()

        System.Threading.Thread.Sleep(20000)

        ' Stop watching
        watcher.Stop()

    End Sub
End Class

Public Class MyHandler
    Public Sub Arrived(ByVal sender As Object, ByVal e As EventArrivedEventArgs)
        Console.WriteLine("OK")
    End Sub
End Class
 
Did you try to issue this command using 'WMI tools' studio?
I have the same problem using .NET and ManagementEventWatcher, but using WMI
studio seems to work as expected. That means the problem is related to .NET
only or due to security changes in consumer hosting in SP2.
Note also that this has nothing to do with .NET SP1 as the same error exists
with the Beta1 v2 framework.

Willy.
 
I have tried the code using Win XP SP2 with .Net 1.1.4322 with and without
the .Net 1.1 SP1. The results are consistent across a series of systems.
The program only stops with the 1.1 SP1.

I have tested several other WMI queries and it seems to be related to the
EventLog class (I can use the ManagementEventWatcher type call with other
classes). The code below is a direct copy from the Microsoft site, and it
works (calling a __ClassDeletionEvent).

One other note, I did read that an error sounding similar to this existed
in .NET 1.0 and was fixed.

Any pointers or ideas are most welcome.

Thanks,
Mark


Code
----------------------------------
Imports System
Imports System.Management

' This example demonstrates how to subscribe an event using the
' ManagementEventWatcher object.
Class Sample2
    Public Shared Sub GetEvents()

        ' For the example, we'll put a class into the repository, and watch
        ' for class deletion events when the class is deleted.
        Dim newClass As New ManagementClass
        newClass("__CLASS") = "TestDeletionClass"
        newClass.Put()

        ' Set up an event watcher and a handler for the event
        Dim watcher As _
            New ManagementEventWatcher(New WqlEventQuery("__ClassDeletionEvent"))
        Dim handler As New MyHandler
        AddHandler watcher.EventArrived, AddressOf handler.Arrived

        ' Start watching for events
        watcher.Start()

        ' For the purpose of this sample, we delete the class to trigger the event
        ' and wait for two seconds before terminating the consumer
        newClass.Delete()

        System.Threading.Thread.Sleep(2000)

        ' Stop watching
        watcher.Stop()

    End Sub

    Public Class MyHandler
        Public Sub Arrived(ByVal sender As Object, ByVal e As EventArrivedEventArgs)
            Console.WriteLine("Class Deleted = " & _
                CType(e.NewEvent("TargetClass"), ManagementBaseObject)("__CLASS"))
        End Sub
    End Class
End Class
 
Just to give an example: changing the WqlEventQuery

Works for:
Dim q As New WqlEventQuery("__InstanceCreationEvent", New TimeSpan(0, 0, 10), _
"TargetInstance ISA ""Win32_Process"" ")

Does not work for:
Dim q As New WqlEventQuery("__InstanceCreationEvent", New TimeSpan(0, 0, 10), _
"TargetInstance ISA ""Win32_NTLogEvent"" ")
 
Right, the problem shows up with:

XP SP2 and .NET v1.1 SP1 and .NET v2 Beta1, or
XP SP1 and .NET v2 Beta1.
Didn't try W2K3 and .NET v1.1 SP1 yet.

The problem seems to relate to the 'Win32_NTLogEvent'; if you take a look
at the wbem log files you will see that WMI refuses to register the consumer
for "security reasons".
Other WMI related problems I've found are: "Win32_OperatingSystem" class
methods - Win32Shutdown, Shutdown, and Reboot; they fail with "Access
denied".
For "Win32Shutdown" it's even impossible to retrieve the method arguments
(Flags, Reserved), so this seems completely broken.

I will do some further research and keep you informed.

Willy.
 
Hi Willy,

I have done some more investigation and I have narrowed down my problems a
little more too ... the extra details are:

Event: __InstanceCreationEvent
TargetInstance: Win32_NTLogEvent (due to the Security log)

For example the following will fail:
Dim q As New WqlEventQuery("__InstanceCreationEvent", New TimeSpan(0, 0, 5), _
"TargetInstance ISA ""Win32_NTLogEvent"" ")

Dim q As New WqlEventQuery("__InstanceCreationEvent", New TimeSpan(0, 0, 5), _
"TargetInstance ISA ""Win32_NTLogEvent"" and " & _
"TargetInstance.LogFile = ""Security"" ")

But these work:
Dim q As New WqlEventQuery("__InstanceCreationEvent", New TimeSpan(0, 0, 5), _
"TargetInstance ISA ""Win32_NTLogEvent"" and " & _
"TargetInstance.LogFile = ""Application"" ")

Dim q As New WqlEventQuery("__InstanceCreationEvent", New TimeSpan(0, 0, 5), _
"TargetInstance ISA ""Win32_NTLogEvent"" and " & _
"TargetInstance.LogFile = ""Audit Failure"" ")

So, I can use (if I do not need events from the security log):
Dim q As New WqlEventQuery("__InstanceCreationEvent", New TimeSpan(0, 0, 5), _
"TargetInstance ISA ""Win32_NTLogEvent"" and (" & _
"TargetInstance.LogFile = ""Audit Success"" or " & _
"TargetInstance.LogFile = ""Audit Failure"" or " & _
"TargetInstance.LogFile = ""Application"" or " & _
"TargetInstance.LogFile = ""System"")")

Also, when I eliminate the security log from the query I can use the settings

co.EnablePrivileges = False

So, I have a "work around" provided I do not need the security log (which I
am not right now). Still, I would like to know what "changed" and whether it
is a bug or by design.

Next thing to learn is how to pass security information correctly. It is
possible that Microsoft disabled or ignored the EnablePrivileges call for
some security reasons.

I suspect this is the cause of the shutdown issue you noted. That DOES
require the EnablePrivileges to be set to true. So, if the call is now
ignoring it the call will fail.

If I hear or learn more I will post to this thread.

Thanks,
Mark
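
The narrowing-down described in the post above can be repeated mechanically. The following is an added example, not code from any poster in this thread: it attempts one subscription per log file and per EnablePrivileges setting and reports which combinations WMI rejects. The names LogProbe and Probe are hypothetical, and the scope path "\\.\root\cimv2" is an assumption (the thread's code uses "\ROOT\CIMV2").

```vbnet
Imports System
Imports System.Management

' Added diagnostic sketch (not from the thread): tries one event subscription
' per log file and EnablePrivileges setting and reports the outcome of each.
Module LogProbe
    ' Log names taken from the queries posted in the thread.
    Private ReadOnly Logs() As String = {"Application", "System", "Security"}

    ' Returns "OK" if the subscription could be started, otherwise the error.
    Function Probe(ByVal logFile As String, ByVal enablePrivileges As Boolean) As String
        Dim co As New ConnectionOptions()
        co.Impersonation = ImpersonationLevel.Impersonate
        co.EnablePrivileges = enablePrivileges

        ' Assumed scope path for the local root\cimv2 namespace.
        Dim scope As New ManagementScope("\\.\root\cimv2", co)
        Dim q As New WqlEventQuery("__InstanceCreationEvent", New TimeSpan(0, 0, 5), _
            "TargetInstance ISA ""Win32_NTLogEvent"" AND " & _
            "TargetInstance.LogFile = """ & logFile & """")

        Dim watcher As New ManagementEventWatcher(scope, q)
        Try
            watcher.Start()   ' asynchronous subscription, as in the thread's code
            watcher.Stop()
            Return "OK"
        Catch ex As ManagementException
            ' ErrorCode is a ManagementStatus value, e.g. AccessDenied.
            Return "WMI error: " & ex.ErrorCode.ToString()
        Catch ex As UnauthorizedAccessException
            Return "Access denied: " & ex.Message
        Finally
            watcher.Dispose()
        End Try
    End Function

    Sub Main()
        For Each logFile As String In Logs
            For Each priv As Boolean In New Boolean() {False, True}
                Console.WriteLine("{0,-12} EnablePrivileges={1,-5} -> {2}", _
                    logFile, priv, Probe(logFile, priv))
            Next
        Next
    End Sub
End Module
```

Running it on a machine with and without the service pack gives a side-by-side table of which log files and privilege settings are affected.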
 
See inline ***

Willy.

MarkD VIT@UK said:
Hi Willy,

Dim q As New WqlEventQuery("__InstanceCreationEvent", New TimeSpan(0, 0, 5), _
"TargetInstance ISA ""Win32_NTLogEvent"" and " & _
"TargetInstance.LogFile = ""Security"" ")
*** This is by design, the security logfile is only accessible by the OS
security subsystem.

Looking at your code, I guess you are no longer using a
ManagementEventWatcher, so now you aren't using asynch callbacks.
The problem when using asynch callbacks is that the consumer (your
application event sink) can't be registered by WMI simply because the client
(now the WMI service) fails to authenticate with the server (your
application).
Asynch callbacks have long been considered dangerous; MSFT included a
program unsecapp.exe that can host consumers to serve as a proxy that takes
care of authentication when using callbacks (event sinks in WMI).

If you run the following script (using cscript <thisscript.vbs>), you will see
in taskman a new process unsecapp.exe; that process now hosts script and
takes care of event sink authentication and delegates the events to the sink
implemented in script (SINK_OnObjectReady):

Sub SINK_OnObjectReady(objObject, objAsyncContext)
WScript.Echo (objObject.TargetInstance.Message)
End Sub

Set objWMIServices = GetObject( _
"WinMgmts:{impersonationLevel=impersonate, (security)}")

' Create the event sink object that receives the events
Set sink = WScript.CreateObject("WbemScripting.SWbemSink","SINK_")

' Set up the event selection. SINK_OnObjectReady is called when
' a Win32_NTLogEvent event occurs
objWMIServices.ExecNotificationQueryAsync sink, _
"SELECT * FROM __InstanceCreationEvent " & _
"WHERE TargetInstance ISA 'Win32_NTLogEvent'"

WScript.Echo "Waiting for events"

While (TRUE)
WScript.Sleep (1000)
Wend

This procedure works without problems. That means WMI isn't the cause of the
problem, but it is .NET.
*** End
Also, when I eliminate the security log from the query I can use the
settings

co.EnablePrivileges = False

So, I have a "work around" provided I do not need the security log (which I
am not right now). Still, I would like to know what "changed" and whether it
is a bug or by design.
*** This is by design; the "security log" is only accessible by the OS
security system.
Next thing to learn is how to pass security information correctly. It is
possible that Microsoft disabled or ignored the EnablePrivileges call for
some security reasons.
*** No, it's not; the privileges are set correctly, you can check this in the
eventlog (security events) after having enabled security auditing.
I suspect this is the cause of the shutdown issue you noted. That DOES
require the EnablePrivileges to be set to true. So, if the call is now
ignoring it the call will fail.
*** I know you have to enable the privileges, but it fails despite setting
it to true. And the call is not ignoring it.
 
Hi Willy,

Thanks for the details - maybe I have confused the issue but I still do
not understand why it stopped working unless MS has "pulled" the plug on this
functionality for security reasons. Let me show you the code that works
pre-SP1 and now fails. It is using the ManagementEventWatcher call.

A copy of the code is shown below. Now, if I change the value of "q" to
limit the call to include "TargetInstance.LogFile = ""Application"" the
routine works (regardless of the EnablePrivileges flag) with SP1. A change
to the .NET framework has stopped the security log from being read using this
code. I know you can still read the security log using VBScript code with
async callbacks (although I would prefer to use the .NET framework).

So, what I do know is that I can no longer access the Security log using
the constructs I have here. Is there a way to access the security log via
the .NET framework using the ManagementEventWatcher?

Thanks for the pointers and information,
Mark

Imports System
Imports System.Management

' This example demonstrates how to subscribe an event using the
' ManagementEventWatcher object.
Class Sample1
    Public Shared Sub GetEvents()

        Dim sc As ManagementScope
        Dim co As ConnectionOptions

        co = New ConnectionOptions
        co.Impersonation = ImpersonationLevel.Impersonate
        co.EnablePrivileges = True

        sc = New ManagementScope("\ROOT\CIMV2", co)

        ' Set up an event watcher and a handler for the event

        Dim q As New WqlEventQuery("__InstanceCreationEvent", New TimeSpan(0, 0, 10), _
            "TargetInstance ISA ""Win32_NTLogEvent"" ")

        Dim watcher As New ManagementEventWatcher(sc, q)
        Dim handler As New MyHandler
        AddHandler watcher.EventArrived, AddressOf handler.Arrived

        ' Start watching for events
        watcher.Start()

        Console.WriteLine("Started")
        System.Threading.Thread.Sleep(20000)

        ' Stop watching
        watcher.Stop()

    End Sub
End Class

Public Class MyHandler
    Public Sub Arrived(ByVal sender As Object, ByVal e As EventArrivedEventArgs)
        Console.WriteLine("OK")
    End Sub
End Class
 
Willy Denoyette said:
See inline ***

Willy.


*** this is by design the "security log" is only accessible by the OS
security system.

*** Sorry but here I'm mistaken, you can't write to the security log, but
should be able to enumerate the security log. So this seems to be a bug in
System.Management.

Willy.
 
MarkD VIT@UK said:
Hi Willy,

Thanks for the details - maybe I have confused the issue but I still do
not understand why it stopped working unless MS has "pulled" the plug on this
functionality for security reasons. Let me show you the code that works
pre-SP1 and now fails. It is using the ManagementEventWatcher call.

A copy of the code is shown below. Now, if I change the value of "q" to
limit the call to include "TargetInstance.LogFile = ""Application"" the
routine works (regardless of the EnablePrivileges flag) with SP1. A change
to the .NET framework has stopped the security log from being read using this
code. I know you can still read the security log using VBScript code with
async callbacks (although I would prefer to use the .NET framework).

So, what I do know is that I can no longer access the Security log using
the constructs I have here. Is there a way to access the security log via
the .NET framework using the ManagementEventWatcher?

Thanks for the pointers and information,
Mark
Mark,

It looks like a bug in System.Management .NET v1.1 SP1 and v2.0 Beta1.
It fails to set the privileges required to execute some of the provider
methods using InvokeMethod.
Note that NONE of the privileges can be set. So the problem is not
restricted to ManagementEventWatcher but also "InvokeMethod" calls that need
privileges to be set (EnablePrivileges) will fail.
This is really bad. I'll file a bug.

Willy.
 
Hello,

catching up this thread once again ...

Is there any new information about this bug in the .NET Framework? Yesterday I ran into this problem and do not yet have a solution for it. I have to write an application for my company collecting several event log entries (and YES: they are mostly in the security log ...).

Any information is welcome.

cu,
Alex
 