Exception while ManagementEventWatcher(WMI) to notify events from remote machine

Question

I am trying to get notification from a remote machine 's event viewer using WMI and C#. I am able to connect the system and also get event log by using ManagementObjectSearcher. But when I tried to use ManagementEventWatcher.Start method I am getting a exception:

Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

I have given the permisions in WMI Control to root\cimv2 and also given the admin rights to the user's account in DCOM Config.

I have normal windows application hence I am not using ASP.net(ASPNET user) in my case.

My code is:

ConnectionOptions connectionOptions = new ConnectionOptions();
connectionOptions.Username = @"Domain\UName";//txtUserName.Text;
connectionOptions.Password = "pass";//txtPassword.Text;
connectionOptions.Impersonation = ImpersonationLevel.Impersonate;
ManagementScope managementScope = new ManagementScope(@"\\server\root\cimv2",connectionOptions);
managementScope.Options.EnablePrivileges = true;
managementScope.Connect(); // this line is executing fine.
eventWatcher = new ManagementEventWatcher(managementScope, new EventQuery("Select * From __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent'  and TargetInstance.LogFile = 'Application'"));
eventWatcher.EventArrived += new EventArrivedEventHandler(Arrived);
eventWatcher.Scope.Options.EnablePrivileges = true;
eventWatcher.Start(); // Error occurs here

Answer 1

First, keep in mind that Microsoft recommends the use of semi-synchronous operations (as Brian suggested):

If you can, we recommend that you use a semi-synchronous operation instead. The performance effect is small, and a semi-synchronous operation allows the same functionality but does not require a reverse connection.

See also Setting Security on an Asynchronous Call in VBScript.

If you still want to use Async operations, refer to the following articles:

• How to troubleshoot WMI-related issues in Windows XP SP2
• Connecting to WMI Remotely Starting with Windows Vista
• Securing a Remote WMI Connection
• Connecting Between Different Operating Systems

YMMV, but for me (Client: Win7 x64 SP1 Server: Windows Server 2008 Enterprise SP2 w/o firewall) the solution for the E_ACCESSDENIED exception was found in the third article:

1. Click Start, click Run, type DCOMCNFG, and then click OK.
2. In the Component Services dialog box, expand Component Services, expand Computers, and then right-click My Computer and click Properties.
3. In the My Computer Properties dialog box, click the COM Security tab.
4. Under Access Permissions, click Edit Limits.
5. In the Access Permission dialog box, select ANONYMOUS LOGON name in the Group or user names box. In the Allow column under Permissions for User, select Remote Access, and then click OK.

Note that I did the above in the client. While that fixed the DCOM permission problem for me, I then encountered WMI access denied errors (0x80041003). Turns out it was due to a registry key mentioned in the second article:

The CIMOM settings need to be updated if the remote connection is between computers that do not have a trust relationship; otherwise, an asynchronous connection will fail. This setting should not be modified for computers in the same domain or in trusted domains.

The following registry entry needs to be modified to allow anonymous callbacks: HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\AllowAnonymousCallback

If the AllowAnonymousCallback key is set to 0, the WMI service prevents anonymous callbacks to the client. If the value is set to 1, the WMI service allows anonymous callbacks to the client.

Note that you need to set the above in the server. Once I did that, async callbacks worked. Other things you could try are running your client as an administrator and setting ConnectionOptions.EnablePrivileges to true.

For troubleshooting see:

• WMI Troubleshooting
• Logging WMI Activity (Pre vista)
• Tracing WMI Activity (Starting with Vista)

Finally, I recommend you take advantage of Microsoft's WMI tester (%windir%\system32\wbem\wbemtest.exe)

Answer 2

Try listening semi-synchronously with WaitForNextEvent():

    var managementScope = new ManagementScope(@"\\mysever\root\onguard"); 
    managementScope.Connect(); 

    var query = new EventQuery("select * from lnl_AccessEvent");
    var eventWatcher = new ManagementEventWatcher(managementScope, query);
    var wmiEvent = eventWatcher.WaitForNextEvent();
    Console.Out.WriteLine(wmiEvent.GetPropertyValue("Description"));

We've also found wbemtest.exe useful. Click the Notification Query... button to listen for events. You can try the various connection methods (synchronous, asynchronous or semi-synchorous). All connection methods work when connecting to your local machine but we were only able to get semi-synchronous to work remotely. Asynchronous (which you are using) is more complex (and less secure) because the server must make a connection back to the client.

Some good information here on security and configuration settings: http://www.packettrap.com/network/Knowledge-Base/PacketTrap-MSP/WMI-Troubleshooting.aspx#_Toc239699682