Granting remote user (non admin) the ability to enumerate services in Win32_Service in namespace cimv2 using WMI & C#

I'm creating a watch dog service that will be monitoring other services on various remote servers (all in the same domain). The user that I'm using to connect to the remote servers is not an admin. When I try to enumerate the services in the Win32_Service class, I get an access denied error.

I've given the user 'Remote Enable' & 'Enable Account' permissions to the Root\CIMV2 namespace in the WMI Control.

I am able to connect to the server with the following code. The object ServiceListItem is just a simple class that contains the server name and the service name:

    using System;
    using System.Diagnostics;
    using System.Management;
    using System.Security;

    // Build the password as a SecureString ("password" is a placeholder).
    SecureString secureString = new SecureString();

    foreach ( char c in "password" )
    {
        secureString.AppendChar( c );
    }

    ConnectionOptions connectionOptions = new ConnectionOptions();

    connectionOptions.Username = "domain\\user";
    connectionOptions.SecurePassword = secureString;

    foreach ( ServiceListItem service in _serviceList )
    {
         // Connect to root\cimv2 on the remote server as the non-admin user.
         ManagementScope managementScope = new ManagementScope( String.Format( @"\\{0}\root\cimv2", service.ServerName ), connectionOptions );
         managementScope.Connect();

         //RelatedObjectQuery relatedObjectQuery = new RelatedObjectQuery( String.Format( "Win32_Service.Name='{0}'", service.ServiceName ) );
         //ManagementObjectSearcher objectSearcher = new ManagementObjectSearcher( managementScope, relatedObjectQuery );

         // Query the single service by name.
         ObjectQuery objectQuery = new ObjectQuery( "SELECT * FROM Win32_Service WHERE Name = '" + service.ServiceName + "'" );
         ManagementObjectSearcher objectSearcher = new ManagementObjectSearcher( managementScope, objectQuery );

         ManagementObjectCollection objectCollection = objectSearcher.Get();

         // Enumerating the collection is where the 'Access Denied' exception is thrown.
         foreach ( ManagementObject managementObject in objectCollection )
         {
              string serviceStatus = managementObject.Properties["State"].Value.ToString();
              Debug.Print(service.ServiceName + " - " + serviceStatus);
              //break;
         }
    }

The managementScope.Connect() runs fine, which means the WMI security on cimv2 is set up correctly. However, when I try to enumerate the objectCollection, I get the 'Access Denied' exception. This tells me (I think) that the user doesn't have permissions to enumerate the Win32_Service class (SC_MANAGER_ENUMERATE_SERVICE).

I just haven't been able to find any good examples on how to enable that permission for a remote user. I'm not very experienced when it comes to coding with Windows APIs, so please be as detailed as possible in your answers :)

I found myself stuck in a similar problem. In my case it had nothing to do with permissions, which I did set by following this link: http://www.poweradmin.com/help/enableWMI.aspx

So, after hours of wandering lost, I found this article that tells how UAC interferes with your set of permissions and how you can fix that: http://www.solarwinds.com/documentation/apm/docs/APMWMITroubleshooting.pdf

In my case, the registry key didn't exist, so I created it.

The tricky registry key

Hope this helps also, cheers!

Trying to find the same answer myself today, I've been doing a lot of googling. After a good half hour of incantations, I found this MSDN article (907460) which uses sc sdset. It seems to work so far, even though the security descriptor is for Windows Server 2003. I've found you can do sc sdshow SCMANAGER to get the current value, so when back in the office tomorrow I'll be comparing and contrasting to make sure I've not locked something out I shouldn't have :-)

For completeness, the notes in KB907460 (in case it moves/goes away):

Symptoms: After you install Microsoft Windows Server 2003 Service Pack 1 (SP1), non-administrators cannot remotely access the Service Control Manager.

Cause: Windows Server 2003 SP1 changes the Service Control Manager default security settings.

Resolution: To resolve this issue, use version 5.2.3790.1830 of the Sc.exe tool. This tool is located in the %windir%\System32 folder. To do this, follow these steps:

  • Click Start, click Run, type cmd, and then click OK.
  • Type the following command at the command prompt, and then press ENTER:

     sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD) 
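
To see what the descriptor in the command above grants, and to compare it with the output of sc sdshow SCMANAGER before and after a change, the DACL can be decoded into Service Control Manager rights; doing so shows that it gives SC_MANAGER_ENUMERATE_SERVICE to all Authenticated Users (AU). The Python code below is an added example, not part of the original answers or of KB907460; the function names and the placeholder SID in NARROW_SDDL are made up for illustration.

```python
import re
# SDDL right codes as they apply to the SCM object (bit values from winsvc.h / winnt.h).
SCM_RIGHTS = {
    "CC": (0x00001, "SC_MANAGER_CONNECT"),
    "DC": (0x00002, "SC_MANAGER_CREATE_SERVICE"),
    "LC": (0x00004, "SC_MANAGER_ENUMERATE_SERVICE"),
    "SW": (0x00008, "SC_MANAGER_LOCK"),
    "RP": (0x00010, "SC_MANAGER_QUERY_LOCK_STATUS"),
    "WP": (0x00020, "SC_MANAGER_MODIFY_BOOT_CONFIG"),
    "RC": (0x20000, "READ_CONTROL"),
    "KA": (0xF003F, "SC_MANAGER_ALL_ACCESS"),
}
ACE_RE = re.compile(r"\(([^;)]*);([^;)]*);([^;)]*);[^;)]*;[^;)]*;([^;)]*)\)")

def pairs(text):
    """Split a run of two-letter SDDL codes: 'CCLCRP' -> ['CC', 'LC', 'RP']."""
    return [text[i:i + 2] for i in range(0, len(text), 2)]

def parse_dacl(sddl):
    """Return (ace_type, flag_list, mask, trustee) for each ACE in the D: part."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not dacl:
        raise ValueError("no DACL found in SDDL string")
    aces = []
    for ace_type, flags, rights, trustee in ACE_RE.findall(dacl.group(1)):
        mask = 0
        for code in pairs(rights):
            if code not in SCM_RIGHTS:   # refuse to guess at unknown rights
                raise ValueError("unhandled right code %r" % code)
            mask |= SCM_RIGHTS[code][0]
        aces.append((ace_type, pairs(flags), mask, trustee))
    return aces

def trustees_with(sddl, right="SC_MANAGER_ENUMERATE_SERVICE"):
    """Trustees named by an effective allow ACE that carries `right`.
    Static listing only: group membership and deny ACEs are not evaluated."""
    bit = next(b for b, name in SCM_RIGHTS.values() if name == right)
    return sorted(t for kind, flags, mask, t in parse_dacl(sddl)
                  if kind == "A" and "IO" not in flags and mask & bit)

# Descriptor from the KB907460 command quoted above.
KB_SDDL = ("D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)"
           "S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")
# Constructed narrower variant: placeholder SID stands in for a monitoring group.
NARROW_SDDL = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;S-1-5-21-1111-2222-3333-1105)"
               "(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)")

if __name__ == "__main__":
    print(trustees_with(KB_SDDL), trustees_with(NARROW_SDDL))
```

Because sc sdset replaces the whole descriptor, running the same decode over the saved sc sdshow SCMANAGER output from before the change shows which trustees gained or lost a right.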
