Exception while ManagementEventWatcher(WMI) to notify events from remote machine
I am trying to get notifications from a remote machine's event viewer using WMI and C#. I am able to connect to the system and also get the event log by using ManagementObjectSearcher. But when I tried to use the ManagementEventWatcher.Start method I am getting an exception:
Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
I have given the permissions in WMI Control to root\cimv2 and also given the admin rights to the user's account in DCOM Config.
I have a normal Windows application, hence I am not using ASP.NET (ASPNET user) in my case.
My code is:
ConnectionOptions connectionOptions = new ConnectionOptions();
connectionOptions.Username = @"Domain\UName";//txtUserName.Text;
connectionOptions.Password = "pass";//txtPassword.Text;
connectionOptions.Impersonation = ImpersonationLevel.Impersonate;
ManagementScope managementScope = new ManagementScope(@"\\server\root\cimv2",connectionOptions);
managementScope.Options.EnablePrivileges = true;
managementScope.Connect(); // this line is executing fine.
eventWatcher = new ManagementEventWatcher(managementScope, new EventQuery("Select * From __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' and TargetInstance.LogFile = 'Application'"));
eventWatcher.EventArrived += new EventArrivedEventHandler(Arrived);
eventWatcher.Scope.Options.EnablePrivileges = true;
eventWatcher.Start(); // Error occurs here
First, keep in mind that Microsoft recommends the use of semi-synchronous operations (as Brian suggested):
If you can, we recommend that you use a semi-synchronous operation instead. The performance effect is small, and a semi-synchronous operation allows the same functionality but does not require a reverse connection.
See also Setting Security on an Asynchronous Call in VBScript.
If you still want to use Async operations, refer to the following articles:
YMMV, but for me (Client: Win7 x64 SP1, Server: Windows Server 2008 Enterprise SP2 w/o firewall) the solution for the E_ACCESSDENIED exception was found in the third article:
Note that I did the above in the client. While that fixed the DCOM permission problem for me, I then encountered WMI access denied errors (0x80041003). Turns out it was due to a registry key mentioned in the second article:
The CIMOM settings need to be updated if the remote connection is between computers that do not have a trust relationship; otherwise, an asynchronous connection will fail. This setting should not be modified for computers in the same domain or in trusted domains.
The following registry entry needs to be modified to allow anonymous callbacks: HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\AllowAnonymousCallback
If the AllowAnonymousCallback key is set to 0, the WMI service prevents anonymous callbacks to the client. If the value is set to 1, the WMI service allows anonymous callbacks to the client.
Note that you need to set the above in the server. Once I did that, async callbacks worked. Other things you could try are running your client as an administrator and setting ConnectionOptions.EnablePrivileges to true.
For troubleshooting see:
Finally, I recommend you take advantage of Microsoft's WMI tester (%windir%\system32\wbem\wbemtest.exe).
Try listening semi-synchronously with WaitForNextEvent():
var managementScope = new ManagementScope(@"\\mysever\root\onguard");
managementScope.Connect();
var query = new EventQuery("select * from lnl_AccessEvent");
var eventWatcher = new ManagementEventWatcher(managementScope, query);
var wmiEvent = eventWatcher.WaitForNextEvent();
Console.Out.WriteLine(wmiEvent.GetPropertyValue("Description"));
We've also found wbemtest.exe useful. Click the Notification Query... button to listen for events. You can try the various connection methods (synchronous, asynchronous or semi-synchronous). All connection methods work when connecting to your local machine but we were only able to get semi-synchronous to work remotely. Asynchronous (which you are using) is more complex (and less secure) because the server must make a connection back to the client.
Some good information here on security and configuration settings: http://www.packettrap.com/network/Knowledge-Base/PacketTrap-MSP/WMI-Troubleshooting.aspx#_Toc239699682
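The question's Application-log query run semi-synchronously, as an added example that is not code from any of the original posts. It reuses the question's placeholder server name and credentials; the 30-second timeout, the Ctrl+C handling and the PacketPrivacy authentication level are choices made for this example.

```csharp
using System;
using System.Management;

class SemiSyncLogWatcher
{
    static void Main()
    {
        // Placeholder host and credentials copied from the question; supply real ones at run time.
        var options = new ConnectionOptions
        {
            Username = @"Domain\UName",
            Password = "pass",
            Impersonation = ImpersonationLevel.Impersonate,
            Authentication = AuthenticationLevel.PacketPrivacy, // encrypt the DCOM traffic (example's choice)
            EnablePrivileges = true
        };
        var scope = new ManagementScope(@"\\server\root\cimv2", options);
        scope.Connect();

        var query = new EventQuery(
            "SELECT * FROM __InstanceCreationEvent " +
            "WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
            "AND TargetInstance.LogFile = 'Application'");

        bool stop = false;
        Console.CancelKeyPress += (s, e) => { e.Cancel = true; stop = true; };

        using (var watcher = new ManagementEventWatcher(scope, query))
        {
            // Bounded wait so the loop can notice Ctrl+C between events.
            watcher.Options.Timeout = TimeSpan.FromSeconds(30);
            while (!stop)
            {
                try
                {
                    // The client pulls the event over the connection it opened itself,
                    // so the server never has to call back into the client.
                    ManagementBaseObject evt = watcher.WaitForNextEvent();
                    var entry = (ManagementBaseObject)evt["TargetInstance"];
                    Console.WriteLine("{0} {1} [{2}] {3}", entry["TimeGenerated"],
                        entry["SourceName"], entry["EventCode"], entry["Message"]);
                }
                catch (ManagementException ex) when (ex.ErrorCode == ManagementStatus.Timedout)
                {
                    // No event arrived within the timeout; loop and wait again.
                }
            }
            watcher.Stop(); // cancel the subscription on the server
        }
    }
}
```

Because no reverse connection is made, this form needs neither the client-side DCOM change nor AllowAnonymousCallback set to 1 on the server.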
I spent hours figuring this one out. None of the above worked for me.
After analyzing the Event logs on my IIS server I found I was receiving the following error event in the System Log every time I called the Start method on the ManagementEventWatcher object:
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {49BD2028-1523-11D1-AD79-00C04FD8FDFF} and APPID {49BD2028-1523-11D1-AD79-00C04FD8FDFF} to the user IIS APPPOOL\DefaultAppPool SID (S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
A registry search revealed that the application with the APPID specified in the error was Microsoft WBEM Unsecured Apartment.
To make the asynchronous callback work you need to grant Local Activation permissions on this COM object to the IIS APPPOOL\DefaultAppPool user, which sounds easy enough except for the fact that the user does not show up as a valid account in the security database. This is because it is a system-generated user account automatically built when an IIS Application Pool is created.
The process to make this work is as follows: