授予远程用户(非管理员)使用 WMI 和 cimv2 枚举命名空间 cimv2 中的 Win32_Service 中的服务的能力C#
我正在创建一个看门狗服务,它将监视各种远程服务器(都在同一域中)上的其他服务。我用来连接远程服务器的用户不是管理员。当我尝试枚举 Win32_Service 类中的服务时,出现访问被拒绝错误。
我已经给用户“远程启用”& WMI 控件中 Root\CIMV2 命名空间的“启用帐户”权限。
我可以使用以下代码连接到服务器。对象 ServiceListItem 只是一个包含服务器名称和服务名称的简单类:
SecureString secureString = new SecureString();
foreach ( char c in "password" )
{
secureString.AppendChar( c );
}
ConnectionOptions connectionOptions = new ConnectionOptions();
connectionOptions.Username = "domain\\user";
connectionOptions.SecurePassword = secureString;
foreach ( ServiceListItem service in _serviceList )
{
ManagementScope managementScope = new ManagementScope();
managementScope = new ManagementScope( String.Format( @"\\{0}\root\cimv2", service.ServerName ), connectionOptions );
managementScope.Connect();
//RelatedObjectQuery relatedObjectQuery = new RelatedObjectQuery( String.Format( "Win32_Service.Name='{0}'", service.ServiceName ) );
//ManagementObjectSearcher objectSearcher = new ManagementObjectSearcher( managementScope, relatedObjectQuery );
ObjectQuery objectQuery = new ObjectQuery( "SELECT * FROM Win32_Service WHERE Name = '" + service.ServiceName + "'" );
ManagementObjectSearcher objectSearcher = new ManagementObjectSearcher( managementScope, objectQuery );
ManagementObjectCollection objectCollection = objectSearcher.Get();
foreach ( ManagementObject managementObject in objectCollection )
{
serviceStatus = managementObject.Properties["State"].Value.ToString();
Debug.Print(service.ServiceName + " - " + serviceStatus);
//break;
}
}
managementScope.Connect() 运行良好,这意味着 cimv2 上的 wmi 安全设置正确。但是,当我尝试枚举 objectCollection 时,出现“访问被拒绝”异常。这告诉我(我认为)用户没有枚举 Win32_Service 类 (SC_MANAGER_ENUMERATE_SERVICE) 的权限。
我只是找不到任何关于如何为远程用户启用该权限的好示例。我在使用 Windows api 进行编码方面不是很有经验,所以请在您的答案中尽可能详细:)
I'm creating a watch dog service that will be monitoring other services on various remote servers (all in the same domain). The user that I'm using to connect to the remote servers is not an admin. When I try to enumerate the services in the Win32_Service class, I get an access denied error.
I've given the user 'Remote Enable' & 'Enable Account' persmissions to the Root\CIMV2 namespace in the WMI Control.
I am able to connect to the server with the following code. The object ServiceListItem is just a simple class that contains the server name and the service name:
SecureString secureString = new SecureString();
foreach ( char c in "password" )
{
secureString.AppendChar( c );
}
ConnectionOptions connectionOptions = new ConnectionOptions();
connectionOptions.Username = "domain\\user";
connectionOptions.SecurePassword = secureString;
foreach ( ServiceListItem service in _serviceList )
{
ManagementScope managementScope = new ManagementScope();
managementScope = new ManagementScope( String.Format( @"\\{0}\root\cimv2", service.ServerName ), connectionOptions );
managementScope.Connect();
//RelatedObjectQuery relatedObjectQuery = new RelatedObjectQuery( String.Format( "Win32_Service.Name='{0}'", service.ServiceName ) );
//ManagementObjectSearcher objectSearcher = new ManagementObjectSearcher( managementScope, relatedObjectQuery );
ObjectQuery objectQuery = new ObjectQuery( "SELECT * FROM Win32_Service WHERE Name = '" + service.ServiceName + "'" );
ManagementObjectSearcher objectSearcher = new ManagementObjectSearcher( managementScope, objectQuery );
ManagementObjectCollection objectCollection = objectSearcher.Get();
foreach ( ManagementObject managementObject in objectCollection )
{
serviceStatus = managementObject.Properties["State"].Value.ToString();
Debug.Print(service.ServiceName + " - " + serviceStatus);
//break;
}
}
The managementScope.Connect() runs fine, which means the wmi security on cimv2 is set up correctly. However, when I try to enumerate the objectCollection, I get the 'Access Denied' exception. This tells me (I think) that the user doesn't have permissions to enumerate the Win32_Service class (SC_MANAGER_ENUMERATE_SERVICE).
I just haven't been able to find any good examples on how to enable that permission for a remote user. I'm not very experienced when it comes to coding with Windows api's, so please be as detailed as possible in your answers :)
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
今天我自己也尝试着找到同样的答案,我做了很多谷歌搜索。经过半个小时的咒语,我找到了这篇 MSDN 文章 (907460),其中使用
sc sdet。到目前为止,它似乎有效,即使安全描述符适用于 Windows Server 2003。我发现您可以执行sc sdshow SCMANAGER来获取当前值,因此明天回到办公室时我会进行比较,以确保我没有锁定一些我不应该锁定的东西:-)为了完整起见,KB907460 中的注释(以防它移动/消失):
Trying to find the same answer myself today, I've been doing a lot of googling. After a good half hour of incantations, I found this MSDN article (907460) which uses
sc sdet. It seems to work so far, even though the security descriptor is for Windows Server 2003. I've found you can dosc sdshow SCMANAGERto get the current value so when back in the office tomorrow I'll be comparing an contrasting to make sure I've not locked something out I shouldn't have :-)For completeness, the notes in KB907460 (in case it moves/goes away):
我发现自己陷入了类似的问题。就我而言,它与权限无关,我是通过以下链接设置的: http: //www.poweradmin.com/help/enableWMI.aspx
因此,经过数小时的思考,我发现这篇文章讲述了 UAC 如何干扰您的权限集以及如何解决该问题:
http://www.solarwinds.com/documentation/apm/docs/APMWMITroubleshooting。 pdf
就我而言,注册表项不存在,因此我创建了它。
希望这也能有所帮助,干杯!
I found myself stuck into a similar problem. In my case it had nothing to do with permissions, which I did set by following this link: http://www.poweradmin.com/help/enableWMI.aspx
So, After hours of wondering lost I found this article that tells how UAC interfere with your set of permissions and how can you fix that:
http://www.solarwinds.com/documentation/apm/docs/APMWMITroubleshooting.pdf
In my case, the registry key didn't existed, so I created it.
Hope this helps also, cheers!