WMI / DCOM 'ACCESS DENIED'

Posted by fixitchris on February 28, 2007, 7:29 am
Hello,

I have been researching this for hours now. Whenever I run WMI local queries
or WBEMTEST or WMIC or even look at the dependencies of the DCOM SERVER
PROCESS LAUNCH service.... I GET WIN32: Access is denied!

I restored rootsec and setupsec with no avail.

I finally started logging Object Access and looks like Network Service does
not have permission... but to what and how to set it???
Thanks
Chris

Event Type:        Failure Audit
Event Source:        Security
Event Category:        Object Access
Event ID:        560
Date:                2/27/2007
Time:                10:47:40 AM
User:                NT AUTHORITY\NETWORK SERVICE
Computer:        PC267
Description:
Object Open:
        Object Server:        SC Manager
        Object Type:        SERVICE OBJECT
        Object Name:        winmgmt
        Handle ID:        -
        Operation ID:        
        Process ID:        696
        Image File Name:        C:\WINDOWS\system32\services.exe
        Primary User Name:        PC267$
        Primary Domain:        Work.com
        Primary Logon ID:        (0x0,0x3E7)
        Client User Name:        NETWORK SERVICE
        Client Domain:        NT AUTHORITY
        Client Logon ID:        (0x0,0x3E4)
        Accesses:                READ_CONTROL
                        Query information from service
                        
        Privileges:                -
        Restricted Sid Count: 0


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

--
Message posted via WinServerKB.com
http://www.winserverkb.com/Uwe/Forums.aspx/windows-security/200702/1


Posted by Nick Domukhovsky on February 28, 2007, 7:51 am
fixitchris wrote:
> Hello,
>
> I have been researching this for hours now. Whenever I run WMI local queries
> or WBEMTEST or WMIC or even look at the dependencies of the DCOM SERVER
> PROCESS LAUNCH service.... I GET WIN32: Access is denied!
>
> I restored rootsec and setupsec with no avail.
>
> I finally started logging Object Access and looks like Network Service does
> not have permission... but to what and how to set it???
> Thanks
> Chris
>
> Event Type:        Failure Audit
> Event Source:        Security
> Event Category:        Object Access
> Event ID:        560
> Date:                2/27/2007
> Time:                10:47:40 AM
> User:                NT AUTHORITY\NETWORK SERVICE
> Computer:        PC267
> Description:
> Object Open:
>         Object Server:        SC Manager
>         Object Type:        SERVICE OBJECT
>         Object Name:        winmgmt
>         Handle ID:        -
>         Operation ID:
>         Process ID:        696
>         Image File Name:        C:\WINDOWS\system32\services.exe
>         Primary User Name:        PC267$
>         Primary Domain:        Work.com
>         Primary Logon ID:        (0x0,0x3E7)
>         Client User Name:        NETWORK SERVICE
>         Client Domain:        NT AUTHORITY
>         Client Logon ID:        (0x0,0x3E4)
>         Accesses:                READ_CONTROL
>                         Query information from service
>
>         Privileges:                -
>         Restricted Sid Count: 0
>
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
use dcomcnfg
Component Services->Computers->My Computer->DCOM Config to set
permissions on the DCOM Servers.


--
With best regards
Nickolay Domukhovsky, MCSA


Posted by Roger Abell [MVP] on February 28, 2007, 7:53 am
You have not stated the involved OS version.

Hopefully you have not made things worse by what I think you mean in
> I restored rootsec and setupsec with no avail.

Anyway, see if the following is applicable
http://support.microsoft.com/kb/907460

> Hello,
>
> I have been researching this for hours now. Whenever I run WMI local
> queries
> or WBEMTEST or WMIC or even look at the dependencies of the DCOM SERVER
> PROCESS LAUNCH service.... I GET WIN32: Access is denied!
>
> I restored rootsec and setupsec with no avail.
>
> I finally started logging Object Access and looks like Network Service
> does
> not have permission... but to what and how to set it???
> Thanks
> Chris
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Object Access
> Event ID: 560
> Date: 2/27/2007
> Time: 10:47:40 AM
> User: NT AUTHORITY\NETWORK SERVICE
> Computer: PC267
> Description:
> Object Open:
> Object Server: SC Manager
> Object Type: SERVICE OBJECT
> Object Name: winmgmt
> Handle ID: -
> Operation ID:
> Process ID: 696
> Image File Name: C:\WINDOWS\system32\services.exe
> Primary User Name: PC267$
> Primary Domain: Work.com
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: NETWORK SERVICE
> Client Domain: NT AUTHORITY
> Client Logon ID: (0x0,0x3E4)
> Accesses: READ_CONTROL
> Query information from service
>
> Privileges: -
> Restricted Sid Count: 0
>
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> --
> Message posted via WinServerKB.com
> http://www.winserverkb.com/Uwe/Forums.aspx/windows-security/200702/1
>



Posted by fixitchris via WinServerKB.com on February 28, 2007, 12:55 pm
XP sp2....

I did restore the defaults with Security config and analysis snap-in. How
can that be bad?

This started to happen, coincidentally after I applied a GPO to the whole
domain ( with a WMI filter) .



Posted by Roger Abell [MVP] on March 1, 2007, 2:26 am
> XP sp2....
>
> I did restore the defaults with Security config and analysis snap-in. How
> can that be bad?
>
> This started to happen, coincidentally after I applied a GPO to the whole
> domain ( with a WMI filter) .
>
> --
> Message posted via WinServerKB.com
> http://www.winserverkb.com/Uwe/Forums.aspx/windows-security/200702/1
>

http://support.microsoft.com/kb/313222
notice that this does not reset _all_ settings back to what they
were set to during install. Also, this action can wipe out needed
post-install changes.

Why didn't just unlinking the GPO effect resolution?

From the event message you posted it appears that the
Network Service has no permissions on the winmgmt
service, at least it does not have Read Control which
I assume means it does not have any.

http://support.microsoft.com/kb/894794

Probably explains the problem you have bumped up
against, but obtaining the hotfix will not resolve your
problem (it has already happened, the hotfix replaces
the sce editor so it will not happen again).

You should grant full to network service on winmgmt
Here is some info using sc in a cmd window from this XP SP2


C:\>sc qc winmgmt
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: winmgmt
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Management Instrumentation
DEPENDENCIES : RPCSS
: Eventlog
SERVICE_START_NAME : LocalSystem

C:\>sc sdshow winmgmt

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)


Notice that on this machine winmgmt is configured to run as Local System,
not Network Service (which your event log message indicated was not
granted the sufficient permissions). In the SDDL shown just above the
Network Service would only have the permissions given to Authenticated
Users (the grouping ending in AU).
The SDDL shown above (be careful about line breaks) should be usable
in a sc sdset command.

Roger
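
Added example, not part of the original thread: a small Python parser that expands the `sc sdshow winmgmt` SDDL quoted in the reply above into named service rights per trustee and reports which requested rights an account would lack. The "broken" SDDL is constructed for illustration (the thread never shows the affected machine's descriptor), and matching Network Service against the `NS` and `AU` trustees is an assumption based on the reply.

```python
import re

# Service-specific meaning of the two-letter rights in `sc sdshow` output.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}

# SDDL quoted in the reply above (the XP SP2 machine where WMI works).
REFERENCE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                  "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")
# Constructed for illustration: a DACL that has lost its AU and PU entries.
CONSTRUCTED_BROKEN_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                           "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)")
# Assumption: trustees matched for Network Service (its alias NS plus AU).
NETWORK_SERVICE = {"NS", "AU"}

def parse_service_dacl(sddl):
    """Return {trustee: set of right names} for the allow ACEs of the DACL."""
    sddl = "".join(sddl.split())  # tolerate line breaks from a wrapped console
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if dacl is None:
        raise ValueError("no DACL (D:) section found")
    granted = {}
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = ace.split(";")
        if len(fields) != 6 or fields[0] != "A":
            raise ValueError("only simple allow ACEs are modelled: " + ace)
        codes = re.findall("..?", fields[2])
        unknown = [c for c in codes if c not in SERVICE_RIGHTS]
        if unknown:
            raise ValueError("unrecognised rights %r in %s" % (unknown, ace))
        granted.setdefault(fields[5], set()).update(SERVICE_RIGHTS[c] for c in codes)
    return granted

def effective_rights(sddl, trustees):
    """Union of the rights granted to any trustee the account matches."""
    dacl = parse_service_dacl(sddl)
    return set().union(*(dacl.get(t, set()) for t in trustees))

def missing_rights(sddl, trustees, wanted):
    """Rights from `wanted` that no matching allow ACE grants."""
    return set(wanted) - effective_rights(sddl, trustees)

if __name__ == "__main__":
    for name, sddl in (("reference", REFERENCE_SDDL), ("constructed", CONSTRUCTED_BROKEN_SDDL)):
        print(name, sorted(missing_rights(sddl, NETWORK_SERVICE, {"READ_CONTROL"})))
```

Running the same check against the output of `sc sdshow winmgmt` from an affected machine shows whether the `READ_CONTROL` failure in the audit event comes from a missing ACE before anything is changed with `sc sdset`.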


