ManagementEventWatcher (WMI) throws an exception when notifying events from a remote computer

Published 2024-08-31 09:32:08 · 1237 words · 7 views · 0 comments


I am trying to get notifications from a remote machine's Event Viewer using WMI and C#. I am able to connect to the system and also get the event log by using ManagementObjectSearcher. But when I tried to use the ManagementEventWatcher.Start method I am getting an exception:

Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

I have given the permissions in WMI Control to root\cimv2 and also given admin rights to the user's account in DCOM Config.

I have a normal Windows application, hence I am not using ASP.NET (ASPNET user) in my case.

My code is:

using System;
using System.Management;
// Credentials and impersonation level for the remote DCOM/WMI connection
ConnectionOptions connectionOptions = new ConnectionOptions();
connectionOptions.Username = @"Domain\UName"; //txtUserName.Text;
connectionOptions.Password = "pass";          //txtPassword.Text;
connectionOptions.Impersonation = ImpersonationLevel.Impersonate;
ManagementScope managementScope = new ManagementScope(@"\\server\root\cimv2", connectionOptions);
managementScope.Options.EnablePrivileges = true;
managementScope.Connect(); // this line is executing fine.
// Asynchronous subscription: the server calls back into this process for each event
ManagementEventWatcher eventWatcher = new ManagementEventWatcher(managementScope,
    new EventQuery("Select * From __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' and TargetInstance.LogFile = 'Application'"));
eventWatcher.EventArrived += new EventArrivedEventHandler(Arrived);
eventWatcher.Scope.Options.EnablePrivileges = true;
eventWatcher.Start(); // Error occurs here
// Handler for each delivered event; TargetInstance is the new Win32_NTLogEvent record
void Arrived(object sender, EventArrivedEventArgs e)
{
    ManagementBaseObject record = (ManagementBaseObject)e.NewEvent["TargetInstance"];
    Console.WriteLine(record["Message"]);
}


Comments (3)

梦行七里 2024-09-07 09:32:08


First, keep in mind that Microsoft recommends the use of semi-synchronous operations (as Brian suggested):

If you can, we recommend that you use a semi-synchronous operation instead. The performance effect is small, and a semi-synchronous operation allows the same functionality but does not require a reverse connection.

See also Setting Security on an Asynchronous Call in VBScript.

If you still want to use Async operations, refer to the following articles:

YMMV, but for me (client: Win7 x64 SP1; server: Windows Server 2008 Enterprise SP2 w/o firewall) the solution for the E_ACCESSDENIED exception was found in the third article:

  1. Click Start, click Run, type DCOMCNFG, and then click OK.
  2. In the Component Services dialog box, expand Component Services, expand Computers, and then right-click My Computer and click Properties.
  3. In the My Computer Properties dialog box, click the COM Security tab.
  4. Under Access Permissions, click Edit Limits.
  5. In the Access Permission dialog box, select ANONYMOUS LOGON name in the Group or user names box. In the Allow column under Permissions for User, select Remote Access, and then click OK.

Note that I did the above in the client. While that fixed the DCOM permission problem for me, I then encountered WMI access denied errors (0x80041003). Turns out it was due to a registry key mentioned in the second article:

The CIMOM settings need to be updated if the remote connection is between computers that do not have a trust relationship; otherwise, an asynchronous connection will fail. This setting should not be modified for computers in the same domain or in trusted domains.

The following registry entry needs to be modified to allow anonymous callbacks: HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\AllowAnonymousCallback

If the AllowAnonymousCallback key is set to 0, the WMI service prevents anonymous callbacks to the client. If the value is set to 1, the WMI service allows anonymous callbacks to the client.

Note that you need to set the above in the server. Once I did that, async callbacks worked. Other things you could try are running your client as an administrator and setting ConnectionOptions.EnablePrivileges to true.

For troubleshooting see:

Finally, I recommend you take advantage of Microsoft's WMI tester (%windir%\system32\wbem\wbemtest.exe).

帅哥哥的热头脑 2024-09-07 09:32:08


Try listening semi-synchronously with WaitForNextEvent():

    using System;
    using System.Management;

    // Connect to the vendor namespace on the remote machine with the caller's credentials
    var managementScope = new ManagementScope(@"\\myserver\root\onguard");
    managementScope.Connect();

    // Semi-synchronous: WaitForNextEvent blocks on the connection the client opened,
    // so the server never needs a callback connection to the client
    var query = new EventQuery("select * from lnl_AccessEvent");
    var eventWatcher = new ManagementEventWatcher(managementScope, query);
    var wmiEvent = eventWatcher.WaitForNextEvent();
    Console.Out.WriteLine(wmiEvent.GetPropertyValue("Description"));
    eventWatcher.Stop();

We've also found wbemtest.exe useful. Click the Notification Query... button to listen for events. You can try the various connection methods (synchronous, asynchronous or semi-synchronous). All connection methods work when connecting to your local machine, but we were only able to get semi-synchronous to work remotely. Asynchronous (which you are using) is more complex (and less secure) because the server must make a connection back to the client.

Some good information here on security and configuration settings:
http://www.packettrap.com/network/Knowledge-Base/PacketTrap-MSP/WMI-Troubleshooting.aspx#_Toc239699682
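Both answers above point at the semi-synchronous path. The following is an added example, not code from the question or from either answer, that applies that advice to the asker's own case: new records in the Application log of a remote host, read with explicit credentials. The server name, account, password and the 5-second poll timeout are placeholders; the Authentication level is set to PacketPrivacy so the DCOM traffic (which carries log message text) is signed and encrypted, which the original snippets did not do.

```csharp
using System;
using System.Management;
using System.Threading;

// Added example (not from the question or the answers): a semi-synchronous watcher
// for new Application-log records on a remote host. Server name, account, password
// and the poll timeout are placeholders/assumptions.
static class SemiSyncEventLogWatcher
{
    static void Main()
    {
        var connection = new ConnectionOptions
        {
            Username = @"DOMAIN\svc_wmi_reader",               // placeholder account
            Password = "pass",                                  // placeholder; load from a secret store in practice
            Impersonation = ImpersonationLevel.Impersonate,
            // Sign and encrypt the DCOM traffic instead of relying on the negotiated default
            Authentication = AuthenticationLevel.PacketPrivacy,
            EnablePrivileges = true                             // required for the Security log; harmless here
        };

        var scope = new ManagementScope(@"\\server\root\cimv2", connection);
        scope.Connect();

        // Same intrinsic-event query as in the question
        var query = new EventQuery(
            "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
            "AND TargetInstance.Logfile = 'Application'");

        // Make WaitForNextEvent return periodically so the loop can observe cancellation
        var options = new EventWatcherOptions { Timeout = TimeSpan.FromSeconds(5) };

        var stop = new CancellationTokenSource();
        Console.CancelKeyPress += (s, e) => { e.Cancel = true; stop.Cancel(); };

        using (var watcher = new ManagementEventWatcher(scope, query, options))
        {
            while (!stop.IsCancellationRequested)
            {
                ManagementBaseObject evt;
                try
                {
                    // Semi-synchronous: the client pulls over the connection it opened, so the
                    // server never connects back to the client (no reverse DCOM connection and
                    // no AllowAnonymousCallback change needed).
                    evt = watcher.WaitForNextEvent();
                }
                catch (ManagementException ex) when (ex.ErrorCode == ManagementStatus.Timedout)
                {
                    continue;   // nothing arrived in this interval; re-check cancellation
                }

                var record = (ManagementBaseObject)evt["TargetInstance"];
                Console.WriteLine("{0:u} {1} [{2}] {3}",
                    ManagementDateTimeConverter.ToDateTime((string)record["TimeGenerated"]),
                    record["SourceName"], record["EventCode"], record["Message"]);
            }
            watcher.Stop();
        }
    }
}
```

With this pattern the only network requirement is the client-to-server WMI/DCOM connection the code opens itself; the client-side DCOM limits change and the AllowAnonymousCallback registry change described in the first answer are not needed, because nothing has to reach back into the client process.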

紧拥背影 2024-09-07 09:32:08


I spent hours figuring this one out. None of the above worked for me.

After analyzing the event logs on my IIS server I found I was receiving the following error event in the System log every time I called the Start method on the ManagementEventWatcher object:

The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {49BD2028-1523-11D1-AD79-00C04FD8FDFF} and APPID {49BD2028-1523-11D1-AD79-00C04FD8FDFF} to the user IIS APPPOOL\DefaultAppPool SID (S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

A registry search revealed that the application with the APPID specified in the error was

Microsoft WBEM Unsecured Apartment

To make the asynchronous callback work you need to grant Local Activation permissions on this COM object to the IIS APPPOOL\DefaultAppPool user, which sounds easy enough except for the fact that the user does not show up as a valid account in the security database. This is because it is a system-generated user account automatically built when an IIS Application Pool is created.

The process to make this work is as follows:

  1. Run mmc, add the Component Services snap-in
  2. Open Computers->My Computer->DCOM Config
  3. Scroll down to the "Microsoft WBEM Unsecured Apartment Object"
  4. Right Click and select Properties
  5. Click the Security Tab and under the section for "Launch and Activation Permissions" select the Customize option and hit Edit
  6. If your IIS server is part of a Domain make sure that you have the Local Machine specified in the location field and not the Domain.
  7. Hit the Add button and type in "IIS APPPool\DefaultAppPool" into the user box and hit the Check Names button. If you are not using the DefaultAppPool then substitute the name of the App Pool you are using.
  8. You will see a valid user appear in the box, hit OK.
  9. Select the user in the list and check the Allow boxes for Local Launch and Local Activation.
  10. Enjoy the fact that you will no longer see E_ACCESSDENIED on async callbacks to your WMI Event Listener.
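The first answer loosens two machine-wide settings (Remote Access for ANONYMOUS LOGON in the DCOM access limits on the client, and AllowAnonymousCallback on the server) and the third grants an IIS application pool Local Activation on the "Microsoft WBEM Unsecured Apartment" AppID. Each of those widens what an unauthenticated or low-privileged caller can reach over DCOM, so a practitioner wants to see the current state before changing it, and to leave the anonymous settings alone when the semi-synchronous approach is an option. The following is an added example, not code from any of the answers, that reads those settings from the registry and decodes the DCOM security descriptors; the AppID default is the one quoted in the System log event above, and the pool name IIS AppPool\DefaultAppPool is a placeholder. Run it elevated on the host being inspected.

```csharp
using System;
using System.Collections.Generic;
using System.Security.AccessControl;
using System.Security.Principal;
using Microsoft.Win32;

// Added example (not from the answers): report the DCOM limits, the CIMOM anonymous-
// callback switch and the launch/activation ACL for one AppID. The AppID default is
// the one from the System log event quoted above; the pool name is a placeholder.
static class DcomWmiCallbackAudit
{
    // Access-mask bits used in DCOM access and launch security descriptors
    const int COM_RIGHTS_EXECUTE_LOCAL   = 0x02;  // Local Access (access SD) / Local Launch (launch SD)
    const int COM_RIGHTS_EXECUTE_REMOTE  = 0x04;  // Remote Access / Remote Launch
    const int COM_RIGHTS_ACTIVATE_LOCAL  = 0x08;  // Local Activation (launch SD only)
    const int COM_RIGHTS_ACTIVATE_REMOTE = 0x10;  // Remote Activation (launch SD only)

    static byte[] ReadBinary(RegistryKey root, string subKey, string value)
    {
        using (var key = root.OpenSubKey(subKey))
            return key?.GetValue(value) as byte[];
    }

    // One line per ACE in the DACL of a self-relative security descriptor
    static IEnumerable<string> DescribeDacl(byte[] sdBytes, bool isLaunchSd)
    {
        var dacl = new RawSecurityDescriptor(sdBytes, 0).DiscretionaryAcl;
        if (dacl == null) yield break;
        foreach (GenericAce ace in dacl)
        {
            var ce = ace as CommonAce;
            if (ce == null) continue;
            string who;
            try { who = ce.SecurityIdentifier.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { who = ce.SecurityIdentifier.Value; }
            var rights = new List<string>();
            int m = ce.AccessMask;
            if ((m & COM_RIGHTS_EXECUTE_LOCAL) != 0)  rights.Add(isLaunchSd ? "LocalLaunch" : "LocalAccess");
            if ((m & COM_RIGHTS_EXECUTE_REMOTE) != 0) rights.Add(isLaunchSd ? "RemoteLaunch" : "RemoteAccess");
            if (isLaunchSd && (m & COM_RIGHTS_ACTIVATE_LOCAL) != 0)  rights.Add("LocalActivation");
            if (isLaunchSd && (m & COM_RIGHTS_ACTIVATE_REMOTE) != 0) rights.Add("RemoteActivation");
            yield return string.Format("  {0,-13} {1}: {2}", ce.AceQualifier, who, string.Join(", ", rights));
        }
    }

    // True if 'sid' has an allow ACE carrying 'right' and no deny ACE for it (deny wins)
    static bool IsGranted(byte[] sdBytes, SecurityIdentifier sid, int right)
    {
        var dacl = new RawSecurityDescriptor(sdBytes, 0).DiscretionaryAcl;
        if (dacl == null) return false;
        bool allowed = false;
        foreach (GenericAce ace in dacl)
        {
            var ce = ace as CommonAce;
            if (ce == null || !ce.SecurityIdentifier.Equals(sid) || (ce.AccessMask & right) == 0) continue;
            if (ce.AceQualifier == AceQualifier.AccessDenied) return false;
            if (ce.AceQualifier == AceQualifier.AccessAllowed) allowed = true;
        }
        return allowed;
    }

    static void Main(string[] args)
    {
        string appId = args.Length > 0 ? args[0] : "{49BD2028-1523-11D1-AD79-00C04FD8FDFF}";

        // 1. Machine-wide "Access Permission -> Edit Limits" (step 5 of the first answer)
        var accessLimits = ReadBinary(Registry.LocalMachine, @"SOFTWARE\Microsoft\Ole", "MachineAccessRestriction");
        Console.WriteLine("MachineAccessRestriction:" + (accessLimits == null ? " (not set; OS default in effect)" : ""));
        if (accessLimits != null)
        {
            foreach (var line in DescribeDacl(accessLimits, false)) Console.WriteLine(line);
            var anonymous = new SecurityIdentifier(WellKnownSidType.AnonymousSid, null);
            Console.WriteLine("  ANONYMOUS LOGON has Remote Access: " + IsGranted(accessLimits, anonymous, COM_RIGHTS_EXECUTE_REMOTE));
        }

        // 2. CIMOM anonymous-callback switch quoted in the first answer
        using (var cimom = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\WBEM\CIMOM"))
            Console.WriteLine("AllowAnonymousCallback: " + (cimom?.GetValue("AllowAnonymousCallback") ?? "(not set)"));

        // 3. Launch/activation ACL for the AppID (third answer); the machine default applies
        //    when the AppID has no LaunchPermission value of its own
        var launch = ReadBinary(Registry.ClassesRoot, @"AppID\" + appId, "LaunchPermission");
        string source = "AppID LaunchPermission";
        if (launch == null)
        {
            launch = ReadBinary(Registry.LocalMachine, @"SOFTWARE\Microsoft\Ole", "DefaultLaunchPermission");
            source = "DefaultLaunchPermission (AppID has no override)";
        }
        Console.WriteLine(appId + " launch ACL from " + source + ":");
        if (launch == null) return;
        foreach (var line in DescribeDacl(launch, true)) Console.WriteLine(line);
        try
        {
            // Placeholder pool name; IIS AppPool identities resolve only on a host running IIS
            var pool = (SecurityIdentifier)new NTAccount(@"IIS AppPool\DefaultAppPool").Translate(typeof(SecurityIdentifier));
            Console.WriteLine("  IIS AppPool\\DefaultAppPool has Local Activation: " + IsGranted(launch, pool, COM_RIGHTS_ACTIVATE_LOCAL));
        }
        catch (IdentityNotMappedException) { Console.WriteLine("  IIS AppPool\\DefaultAppPool: identity not found on this host"); }
    }
}
```

Build the tool as 64-bit (or AnyCPU without "Prefer 32-bit") on a 64-bit host so the HKCR\AppID lookup is not redirected by WOW64. The per-AppID output is what the third answer's procedure changes; the third answer's event text ("machine-default permission settings") corresponds to the case where the tool falls back to DefaultLaunchPermission because the AppID carries no LaunchPermission of its own.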