I am trying to get notification from a remote machine 's event viewer using WMI and C#. I am able to connect the system and also get event log by using ManagementObjectSearcher
. But when I tried to use ManagementEventWatcher.Start
method I am getting a exception:
Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
I have given the permisions in WMI Control to root\cimv2
and also given the admin rights to the user's account in DCOM Config.
I have normal windows application hence I am not using ASP.net(ASPNET user) in my case.
My code is:
ConnectionOptions connectionOptions = new ConnectionOptions();
connectionOptions.Username = @"Domain\UName";//txtUserName.Text;
connectionOptions.Password = "pass";//txtPassword.Text;
connectionOptions.Impersonation = ImpersonationLevel.Impersonate;
ManagementScope managementScope = new ManagementScope(@"\\server\root\cimv2",connectionOptions);
managementScope.Options.EnablePrivileges = true;
managementScope.Connect(); // this line is executing fine.
eventWatcher = new ManagementEventWatcher(managementScope, new EventQuery("Select * From __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' and TargetInstance.LogFile = 'Application'"));
eventWatcher.EventArrived += new EventArrivedEventHandler(Arrived);
eventWatcher.Scope.Options.EnablePrivileges = true;
eventWatcher.Start(); // Error occurs here
First, keep in mind that Microsoft recommends the use of semi-synchronous operations (as Brian suggested):
If you can, we recommend that you use a semi-synchronous operation instead. The performance effect is small, and a semi-synchronous operation allows the same functionality but does not require a reverse connection.
See also Setting Security on an Asynchronous Call in VBScript.
If you still want to use Async operations, refer to the following articles:
YMMV, but for me (Client: Win7 x64 SP1 Server: Windows Server 2008 Enterprise SP2 w/o firewall) the solution for the E_ACCESSDENIED
exception was found in the third article:
Note that I did the above in the client. While that fixed the DCOM permission problem for me, I then encountered WMI access denied errors (0x80041003
). Turns out it was due to a registry key mentioned in the second article:
The CIMOM settings need to be updated if the remote connection is between computers that do not have a trust relationship; otherwise, an asynchronous connection will fail. This setting should not be modified for computers in the same domain or in trusted domains.
The following registry entry needs to be modified to allow anonymous callbacks: HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\AllowAnonymousCallback
If the AllowAnonymousCallback key is set to 0, the WMI service prevents anonymous callbacks to the client. If the value is set to 1, the WMI service allows anonymous callbacks to the client.
Note that you need to set the above in the server. Once I did that, async callbacks worked. Other things you could try are running your client as an administrator and setting ConnectionOptions.EnablePrivileges to true.
For troubleshooting see:
Finally, I recommend you take advantage of Microsoft's WMI tester (%windir%\system32\wbem\wbemtest.exe
)
Try listening semi-synchronously with WaitForNextEvent():
var managementScope = new ManagementScope(@"\\mysever\root\onguard");
managementScope.Connect();
var query = new EventQuery("select * from lnl_AccessEvent");
var eventWatcher = new ManagementEventWatcher(managementScope, query);
var wmiEvent = eventWatcher.WaitForNextEvent();
Console.Out.WriteLine(wmiEvent.GetPropertyValue("Description"));
We've also found wbemtest.exe useful. Click the Notification Query... button to listen for events. You can try the various connection methods (synchronous, asynchronous or semi-synchorous). All connection methods work when connecting to your local machine but we were only able to get semi-synchronous to work remotely. Asynchronous (which you are using) is more complex (and less secure) because the server must make a connection back to the client.
Some good information here on security and configuration settings: http://www.packettrap.com/network/Knowledge-Base/PacketTrap-MSP/WMI-Troubleshooting.aspx#_Toc239699682
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With