Hello,

I have been researching this for hours now. Whenever I run WMI local queries
or WBEMTEST or WMIC or even look at the dependencies of the DCOM SERVER
PROCESS LAUNCH service.... I GET WIN32: Access is denied!

I restored rootsec and setupsec with no avail.

I finally started logging Object Access and looks like Network Service does
not have permission... but to what and how to set it???
Thanks
Chris

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 2/27/2007
Time: 10:47:40 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: PC267
Description:
Object Open:
Object Server: SC Manager
Object Type: SERVICE OBJECT
Object Name: winmgmt
Handle ID: -
Operation ID: {0,873090}
Process ID: 696
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: PC267$
Primary Domain: Work.com
Primary Logon ID: (0x0,0x3E7)
Client User Name: NETWORK SERVICE
Client Domain: NT AUTHORITY
Client Logon ID: (0x0,0x3E4)
Accesses: READ_CONTROL
Query information from service

Privileges: -
Restricted Sid Count: 0


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

--
Message posted via WinServerKB.com
http://www.winserverkb.com/Uwe/Forums.aspx/windows-security/200702/1

Re: WMI / DCOM 'ACCESS DENIED' by Nick

Nick
Wed Feb 28 06:51:33 CST 2007

fixitchris wrote:
> Hello,
>
> I have been researching this for hours now. Whenever I run WMI local queries
> or WBEMTEST or WMIC or even look at the dependencies of the DCOM SERVER
> PROCESS LAUNCH service.... I GET WIN32: Access is denied!
>
> I restored rootsec and setupsec with no avail.
>
> I finally started logging Object Access and looks like Network Service does
> not have permission... but to what and how to set it???
> Thanks
> Chris
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Object Access
> Event ID: 560
> Date: 2/27/2007
> Time: 10:47:40 AM
> User: NT AUTHORITY\NETWORK SERVICE
> Computer: PC267
> Description:
> Object Open:
> Object Server: SC Manager
> Object Type: SERVICE OBJECT
> Object Name: winmgmt
> Handle ID: -
> Operation ID: {0,873090}
> Process ID: 696
> Image File Name: C:\WINDOWS\system32\services.exe
> Primary User Name: PC267$
> Primary Domain: Work.com
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: NETWORK SERVICE
> Client Domain: NT AUTHORITY
> Client Logon ID: (0x0,0x3E4)
> Accesses: READ_CONTROL
> Query information from service
>
> Privileges: -
> Restricted Sid Count: 0
>
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
use dcomcnfg
Component Services->Computers->My Computer->DCOM Config to set
permissions on the DCOM Servers.


--
With best regards
Nickolay Domukhovsky, MCSA


Re: WMI / DCOM 'ACCESS DENIED' by Roger

Roger
Wed Feb 28 06:53:21 CST 2007

You have not stated the involved OS version.

Hopefully you have not made things worse by what I think you mean in
> I restored rootsec and setupsec with no avail.

Anyway, see if the following is applicable
http://support.microsoft.com/kb/907460

"fixitchris" <u28526@uwe> wrote in message news:6e709c0352520@uwe...
> Hello,
>
> I have been researching this for hours now. Whenever I run WMI local
> queries
> or WBEMTEST or WMIC or even look at the dependencies of the DCOM SERVER
> PROCESS LAUNCH service.... I GET WIN32: Access is denied!
>
> I restored rootsec and setupsec with no avail.
>
> I finally started logging Object Access and looks like Network Service
> does
> not have permission... but to what and how to set it???
> Thanks
> Chris
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Object Access
> Event ID: 560
> Date: 2/27/2007
> Time: 10:47:40 AM
> User: NT AUTHORITY\NETWORK SERVICE
> Computer: PC267
> Description:
> Object Open:
> Object Server: SC Manager
> Object Type: SERVICE OBJECT
> Object Name: winmgmt
> Handle ID: -
> Operation ID: {0,873090}
> Process ID: 696
> Image File Name: C:\WINDOWS\system32\services.exe
> Primary User Name: PC267$
> Primary Domain: Work.com
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: NETWORK SERVICE
> Client Domain: NT AUTHORITY
> Client Logon ID: (0x0,0x3E4)
> Accesses: READ_CONTROL
> Query information from service
>
> Privileges: -
> Restricted Sid Count: 0
>
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> --
> Message posted via WinServerKB.com
> http://www.winserverkb.com/Uwe/Forums.aspx/windows-security/200702/1
>



Re: WMI / DCOM 'ACCESS DENIED' by fixitchris

fixitchris
Wed Feb 28 11:55:48 CST 2007

XP sp2....

I did restore the defaults with Security config and analysis snap-in. How
can that be bad?

This started to happen, coincidentally after I applied a GPO to the whole
domain (with a WMI filter).

--
Message posted via WinServerKB.com
http://www.winserverkb.com/Uwe/Forums.aspx/windows-security/200702/1


Re: WMI / DCOM 'ACCESS DENIED' by Roger

Roger
Thu Mar 01 01:26:58 CST 2007

"fixitchris via WinServerKB.com" <u28526@uwe> wrote in message
news:6e7dbdee9789b@uwe...
> XP sp2....
>
> I did restore the defaults with Security config and analysis snap-in. How
> can that be bad?
>
> This started to happen, coincidentally after I applied a GPO to the whole
> domain ( with a WMI filter) .
>
> --
> Message posted via WinServerKB.com
> http://www.winserverkb.com/Uwe/Forums.aspx/windows-security/200702/1
>

http://support.microsoft.com/kb/313222
notice that this does not reset _all_ settings back to what they
were set to during install. Also, this action can wipe out needed
post-install changes.

Why didn't just unlinking the GPO effect resolution?

From the event message you posted it appears that the
Network Service has no permissions on the winmgmt
service, at least it does not have Read Control which
I assume means it does not have any.

http://support.microsoft.com/kb/894794

Probably explains the problem you have bumped up
against, but obtaining the hotfix will not resolve your
problem (it has already happened, the hotfix replaces
the sce editor so it will not happen again).

You should grant full to network service on winmgmt
Here is some info using sc in a cmd window from this XP SP2


C:\>sc qc winmgmt
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: winmgmt
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Management Instrumentation
DEPENDENCIES : RPCSS
: Eventlog
SERVICE_START_NAME : LocalSystem

C:\>sc sdshow winmgmt

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)


Notice that on this machine winmgmt is configured to run as Local System,
not Network Service (which your event log message indicated was not
granted the sufficient permissions). In the SDDL shown just above the
Network Service would only have the permissions given to Authenticated
Users (the grouping ending in AU).
The SDDL shown above (be careful about line breaks) should be usable
in a sc sdset command.

Roger



Re: WMI / DCOM 'ACCESS DENIED' by fixitchris

fixitchris
Thu Mar 01 08:27:02 CST 2007

Thanks for the help!

Some services were manually set in the GPO, however with default permissions
provided by the GPO. I turned off this feature and it works fine now.

sc sdshow winmgmt

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

How can I translate this SDDL (?) into something readable so that I can
implement it into the permissions of the service inside the GPO?

--
Message posted via WinServerKB.com
http://www.winserverkb.com/Uwe/Forums.aspx/windows-security/200703/1


Re: WMI / DCOM 'ACCESS DENIED' by Roger

Roger
Thu Mar 01 19:33:00 CST 2007

try a search at msdn2.microsoft.com/library for SDDL

"fixitchris via WinServerKB.com" <u28526@uwe> wrote in message
news:6e887e077ea36@uwe...
> Thanks for the help!
>
> Some services were manually set in the GPO, however with default
> permissions
> provided by the GPO. I turned off this feature and it works fine now.
>
> sc sdshow winmgmt
>
> D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
> (A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
>
> How can I translate this SDDL (?) into something readable so that I can
> implement it into the permissions of the service inside the GPO?
>
> --
> Message posted via WinServerKB.com
> http://www.winserverkb.com/Uwe/Forums.aspx/windows-security/200703/1
>



Re: WMI / DCOM 'ACCESS DENIED' by fixitchris

fixitchris
Fri Mar 02 12:46:47 CST 2007

Thanks for the help.

What happened now is that once I ENABLED the WMI service in the GPO to be
Automatic, the only security settings were Interactive and System. Then I
changed the GPO to NOT CONFIGURED but the service retained the same security.
What would be the best way to change security across the domain for this
service for SY,BA,AU,PU?

thanks again
Chris

--
Message posted via WinServerKB.com
http://www.winserverkb.com/Uwe/Forums.aspx/windows-security/200703/1


Re: WMI / DCOM 'ACCESS DENIED' by fixitchris

fixitchris
Fri Mar 02 13:01:09 CST 2007

Here is a healthy security setting:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winmgmt\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)


Here is a non-working one (access denied):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winmgmt\Security]
"Security"=hex:01,00,14,80,78,00,00,00,84,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,48,00,03,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00,00,00,14,00,ff,01,0f,00,01,01,00,00,00,00,00,05,\
  12,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,01,\
  01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)

The thing is that I can't just simply add POWER USERS and AUTH USERS through
the GPO? Or can I?

So the other alternative is to replace the reg key with the one that works.

Are there any drawbacks to this method, anything that would be a concern?

Chris

--
Message posted via WinServerKB.com
http://www.winserverkb.com/Uwe/Forums.aspx/windows-security/200703/1
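
As an added example (not code from any poster in this thread), a short Python decoder for the service SDDL strings posted above: it answers the "translate this SDDL" question and compares the healthy and non-working descriptors. The `NETWORK_SERVICE` set is an assumption based on Roger's remark that the account only receives the Authenticated Users entry; the function names are made up for this example.

```python
import re

# Two-letter SDDL rights as they apply to a service object
# (the same letters mean other things on files or AD objects).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "Local System", "BA": "Builtin Administrators",
            "AU": "Authenticated Users", "PU": "Power Users",
            "IU": "Interactive", "NS": "Network Service"}

# The two descriptors posted in the thread, each joined onto one line.
HEALTHY = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
           "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")
BROKEN = ("D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
          "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)")
# Assumption taken from Roger's reply: NETWORK SERVICE matches only the AU entry.
NETWORK_SERVICE = {"NS", "AU"}

def parse_dacl(sddl):
    """Return [(ace_type, trustee, {right names})] for each ACE in the D: part."""
    dacl = "".join(sddl.split()).partition("D:")[2].partition("S:")[0]
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, _flags, rights, _obj, _inh, sid = body.split(";")
        names = {SERVICE_RIGHTS.get(r, r) for r in re.findall("..", rights)}
        aces.append((ace_type, sid, names))
    return aces

def granted(sddl, token_sids):
    """Rights for a token holding token_sids: allow ACEs minus deny ACEs."""
    allow, deny = set(), set()
    for ace_type, sid, names in parse_dacl(sddl):
        if sid in token_sids and ace_type in ("A", "D"):
            (allow if ace_type == "A" else deny).update(names)
    return allow - deny

def describe(sddl):
    """One readable line per ACE: type, trustee name, sorted rights."""
    return [f"{t} {TRUSTEES.get(s, s)}: {', '.join(sorted(n))}"
            for t, s, n in parse_dacl(sddl)]

if __name__ == "__main__":
    print("\n".join(describe(HEALTHY)))
    print(sorted(granted(HEALTHY, NETWORK_SERVICE)), sorted(granted(BROKEN, NETWORK_SERVICE)))
```

Against the healthy descriptor the account receives READ_CONTROL and the query rights through the AU entry; against the non-working one it receives nothing, which matches the READ_CONTROL failure in the audit event.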


Re: WMI / DCOM 'ACCESS DENIED' by fixitchris

fixitchris
Fri Mar 02 13:30:12 CST 2007

I think I got it... AUTH USERS is a builtin sec principal, PU isn't, however
I was able to reverse the security changes. Now I have to match the SDDL to
what it originally was.

thanks.

--
Message posted via WinServerKB.com
http://www.winserverkb.com/Uwe/Forums.aspx/windows-security/200703/1


Re: WMI / DCOM 'ACCESS DENIED' by Roger

Roger
Fri Mar 02 16:40:18 CST 2007

You could try a sc sdset command fired from a startup script

--
Roger
"fixitchris via WinServerKB.com" <u28526@uwe> wrote in message
news:6e97b659ac6c0@uwe...
> I think I got it... AUTH USERS is a builtin sec principal, PU isn't, however
> I was able to reverse the security changes. Now I have to match the SDDL to
> what it originally was.
>
> thanks.
>
> --
> Message posted via WinServerKB.com
> http://www.winserverkb.com/Uwe/Forums.aspx/windows-security/200703/1
>



Re: WMI / DCOM 'ACCESS DENIED' by Roger

Roger
Fri Mar 02 23:52:22 CST 2007

Why not check on a reference system, and then use W2k3 (or an
XP SP2 with the patch from the KB) to edit the GPO and set the
security to match the reference system ?

"fixitchris via WinServerKB.com" <u28526@uwe> wrote in message
news:6e97b659ac6c0@uwe...
> I think I got it... AUTH USERS is a builtin sec principal, PU isn't, however
> I was able to reverse the security changes. Now I have to match the SDDL to
> what it originally was.
>
> thanks.
>
> --
> Message posted via WinServerKB.com
> http://www.winserverkb.com/Uwe/Forums.aspx/windows-security/200703/1
>