stackoom
  简体   繁体   中英

System.Management.ManagementException "Access Denied" with Win32_ProcessStartTrace

 原文  2015-08-04 06:24:47       c#/ managementeventwatcher

Question

I have a piece of code to handle scenarios where specific processes are started or stopped and in order to achieve this I am using ManagementEventWatcher.

       string queryStart = "SELECT * FROM Win32_ProcessStartTrace" +
                     " WHERE ProcessName LIKE '...'"; // WHERE clause includes all the processnames that I want to monitor 
       ManagementEventWatcher startWatch = new ManagementEventWatcher(
            new WqlEventQuery(queryStart));
        startWatch.EventArrived += new EventArrivedEventHandler(ProcessNewInstanceWhenCreated);
        startWatch.Start();

This code works fine locally on my machine but when I deploy it to one of the servers it throw "Access denied" exception. The user running this on the server does not have admin rights and accordingly I added the user as explained in this link - http://world.episerver.com/faq/Items/SystemManagementManagementException-Access-denied/

This doesnt seem to solve the problem. Do I have perform any other action to get this to work on the server?

I added a ManagementScope to the ManagementEventHandler as well but still doesnt help the cause.

       string scopeString = "\\\\" + System.Environment.MachineName + "\\root\\CIMV2";
        ManagementScope theScope = new ManagementScope(scopeString);
        ManagementEventWatcher startWatch = new ManagementEventWatcher(theScope,
            new WqlEventQuery(queryStart));

Thank you for your time and help

1 answers

solution1
 0  2022-08-23 02:36:50

I was successful in getting events with process names and ids without admin privileges using the following query:

string queryString = "SELECT * FROM __InstanceCreationEvent WITHIN .025 WHERE TargetInstance ISA 'Win32_Process'";
processWatcher = new ManagementEventWatcher(@"\\.\root\CIMV2", queryString);
processWatcher.EventArrived += ProcessStartHandler;
processWatcher.Start();

Unlike the query you were using, the event received doesn't have most of its properties filled.

However, they are accessible through the event's TargetInstance property.

private void ProcessStartHandler(object sender, EventArrivedEventArgs e)
{
    var targetInstance = ((System.Management.ManagementBaseObject)e.NewEvent.Properties["TargetInstance"].Value);
    var processName = targetInstance.Properties["Caption"].Value.ToString();
    var processId   = (uint)targetInstance.Properties["ProcessId"].Value;
    var parentProcessId = (uint)targetInstance.Properties["ParentProcessId"].Value;
}

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question System.Management.ManagementException System.Management.ManagementException: Not found Truncated ProcessName in Win32_ProcessStartTrace query WMI Query - System.Management.ManagementException ManagementEventWatcher for Win32_ProcessStartTrace no longer working in Win 8.1 Why Win32_ProcessStopTrace-Events arrive, but Win32_ProcessStartTrace doesn't? Error in Wmi-Activity event log when using Win32_ProcessStartTrace from C# System.ComponentModel.Win32Exception: Access is denied… Error System.ComponentModel.Win32Exception : Access is denied System.ComponentModel.Win32Exception: Access is denied
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM