Exception while ManagementEventWatcher(WMI) to notify events from remote machine

I am trying to get notifications from a remote machine's event viewer using WMI and C#. I am able to connect to the system and also get the event log by using ManagementObjectSearcher. But when I tried to use the ManagementEventWatcher.Start method I am getting an exception:

Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

I have given the permissions in WMI Control to root\cimv2 and also given the admin rights to the user's account in DCOM Config.

I have normal windows application hence I am not using ASP.net(ASPNET user) in my case.

My code is:

    ConnectionOptions connectionOptions = new ConnectionOptions();
    connectionOptions.Username = @"Domain\UName";//txtUserName.Text;
    connectionOptions.Password = "pass";//txtPassword.Text;
    connectionOptions.Impersonation = ImpersonationLevel.Impersonate;
    ManagementScope managementScope = new ManagementScope(@"\\server\root\cimv2",connectionOptions);
    managementScope.Options.EnablePrivileges = true;
    managementScope.Connect(); // this line is executing fine.
    eventWatcher = new ManagementEventWatcher(managementScope, new EventQuery("Select * From __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent'  and TargetInstance.LogFile = 'Application'"));
    eventWatcher.EventArrived += new EventArrivedEventHandler(Arrived);
    eventWatcher.Scope.Options.EnablePrivileges = true;
    eventWatcher.Start(); // Error occurs here

First, keep in mind that Microsoft recommends the use of semi-synchronous operations (as Brian suggested):

If you can, we recommend that you use a semi-synchronous operation instead. The performance effect is small, and a semi-synchronous operation allows the same functionality but does not require a reverse connection.

See also Setting Security on an Asynchronous Call in VBScript.

If you still want to use Async operations, refer to the following articles:

YMMV, but for me (Client: Win7 x64 SP1 Server: Windows Server 2008 Enterprise SP2 w/o firewall) the solution for the E_ACCESSDENIED exception was found in the third article:

  1. Click Start, click Run, type DCOMCNFG, and then click OK.
  2. In the Component Services dialog box, expand Component Services, expand Computers, and then right-click My Computer and click Properties.
  3. In the My Computer Properties dialog box, click the COM Security tab.
  4. Under Access Permissions, click Edit Limits.
  5. In the Access Permission dialog box, select ANONYMOUS LOGON name in the Group or user names box. In the Allow column under Permissions for User, select Remote Access, and then click OK.

Note that I did the above in the client. While that fixed the DCOM permission problem for me, I then encountered WMI access denied errors (0x80041003). Turns out it was due to a registry key mentioned in the second article:

The CIMOM settings need to be updated if the remote connection is between computers that do not have a trust relationship; otherwise, an asynchronous connection will fail. This setting should not be modified for computers in the same domain or in trusted domains.

The following registry entry needs to be modified to allow anonymous callbacks: HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\AllowAnonymousCallback

If the AllowAnonymousCallback key is set to 0, the WMI service prevents anonymous callbacks to the client. If the value is set to 1, the WMI service allows anonymous callbacks to the client.

Note that you need to set the above in the server. Once I did that, async callbacks worked. Other things you could try are running your client as an administrator and setting ConnectionOptions.EnablePrivileges to true.

For troubleshooting see:

Finally, I recommend you take advantage of Microsoft's WMI tester (%windir%\system32\wbem\wbemtest.exe)
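Both changes in the answer above grant access to anonymous callers, so it is worth being able to find machines where they were left in place. The following is an added example, not code from the original post: it reports the AllowAnonymousCallback value and whether the machine-wide COM access limits grant ANONYMOUS LOGON remote access. The location of those limits (HKLM\SOFTWARE\Microsoft\Ole\MachineAccessRestriction) and the class name are not from the post; run it elevated on the machine being checked.

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Principal;
using Microsoft.Win32;

static class WmiCallbackAudit   // hypothetical name, added example
{
    const int ComRightsExecuteRemote = 0x4;   // "Remote Access" in the DCOMCNFG dialog

    static void Main()
    {
        using (var hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64))
        {
            // Server side: 1 means the WMI service allows anonymous callbacks to the client.
            using (var cimom = hklm.OpenSubKey(@"SOFTWARE\Microsoft\WBEM\CIMOM"))
            {
                object value = cimom?.GetValue("AllowAnonymousCallback");
                Console.WriteLine("AllowAnonymousCallback: {0}",
                    value == null ? "not set" : Convert.ToInt32(value).ToString());
            }

            // Client side: the machine-wide limits edited through "Edit Limits".
            using (var ole = hklm.OpenSubKey(@"SOFTWARE\Microsoft\Ole"))
            {
                var raw = ole?.GetValue("MachineAccessRestriction") as byte[];
                if (raw == null)
                {
                    Console.WriteLine("MachineAccessRestriction: not set (system defaults apply)");
                    return;
                }

                var anonymous = new SecurityIdentifier(WellKnownSidType.AnonymousSid, null);
                var descriptor = new RawSecurityDescriptor(raw, 0);
                bool granted = false;
                if (descriptor.DiscretionaryAcl != null)
                {
                    foreach (GenericAce ace in descriptor.DiscretionaryAcl)
                    {
                        var common = ace as CommonAce;
                        if (common == null || common.AceQualifier != AceQualifier.AccessAllowed) continue;
                        if (common.SecurityIdentifier == anonymous &&
                            (common.AccessMask & ComRightsExecuteRemote) != 0) granted = true;
                    }
                }
                Console.WriteLine("ANONYMOUS LOGON remote access in COM limits: {0}",
                    granted ? "ALLOWED" : "not granted");
            }
        }
    }
}
```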

Try listening semi-synchronously with WaitForNextEvent():

    var managementScope = new ManagementScope(@"\\mysever\root\onguard"); 
    managementScope.Connect(); 

    var query = new EventQuery("select * from lnl_AccessEvent");
    var eventWatcher = new ManagementEventWatcher(managementScope, query);
    var wmiEvent = eventWatcher.WaitForNextEvent();
    Console.Out.WriteLine(wmiEvent.GetPropertyValue("Description"));

We've also found wbemtest.exe useful. Click the Notification Query... button to listen for events. You can try the various connection methods (synchronous, asynchronous or semi-synchronous). All connection methods work when connecting to your local machine but we were only able to get semi-synchronous to work remotely. Asynchronous (which you are using) is more complex (and less secure) because the server must make a connection back to the client.

Some good information here on security and configuration settings: http://www.packettrap.com/network/Knowledge-Base/PacketTrap-MSP/WMI-Troubleshooting.aspx#_Toc239699682

I spent hours figuring this one out. None of the above worked for me.

After analyzing the Event logs on my IIS server I found I was receiving the following error event in the System Log every time I called the Start method on the ManagementEventWatcher object:

The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {49BD2028-1523-11D1-AD79-00C04FD8FDFF} and APPID {49BD2028-1523-11D1-AD79-00C04FD8FDFF} to the user IIS APPPOOL\DefaultAppPool SID (S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

A registry search revealed that the application with the APPID specified in the error was

Microsoft WBEM Unsecured Apartment

To make the asynchronous callback work you need to grant Local Activation permissions on this COM object to the IIS APPPOOL\DefaultAppPool user, which sounds easy enough except for the fact that user does not show up as a valid account in the security database. This is because it is a system generated user account automatically built when an IIS Application Pool is created.

The process to make this work is as follows:

  1. Run mmc, add the Component Services snap in
  2. Open Computers->My Computer->DCOM Config
  3. Scroll down to the "Microsoft WBEM Unsecured Apartment Object"
  4. Right Click and select Properties
  5. Click the Security Tab and under the section for "Launch and Activation Permissions" select the Customize option and hit Edit
  6. If your IIS server is part of a Domain make sure that you have the Local Machine specified in the location field and not the Domain.
  7. Hit the Add button and type in "IIS APPPool\DefaultAppPool" into the user box and hit the Check Names button. If you are not using the DefaultAppPool then substitute the name of the App Pool you are using.
  8. You will see a valid user appear in the box, hit OK.
  9. Select the user in the list and check the Allow boxes for Local Launch and Local Activation.
  10. Enjoy the fact that you will no longer see E_ACCESSDENIED on asynch callbacks to your WMI Event Listener.
