SeBackupPrivilege required when backing up the Application event log with WMI

Published 2024-11-06 00:10:45


I have a function that archives an event log to a file in a required format.

I'm testing against the Windows event logs Application, Security and System. In all tests the code is run with local administrator privileges.

On my development environment the code backs up each logfile, to what we name an "*.evt" file, successfully.

On the target reference system the Security and System logs work correctly but processing the Application log throws a ManagementException.

An interrogation of the exception is included below. My questions are, am I right to assume this is a security privileges issue? What code changes will make this code work for all my desired cases? Failing a definite answer, your thoughts and ideas are appreciated.

ErrorCode: AccessDenied

ErrorInformation: Description: Opened the logfile but failed to back it up, privilege error

Operation: ExecMethod

ParameterInfo: Win32_NTEventlogFile.Name="C:\WINDOWS\system32\config\AppEvent.Evt"

PrivilegesNotHeld: SeBackupPrivilege

PrivilegesRequired: SeBackupPrivilege

ProviderName: WinMgmt

StatusCode: 2147749891

using System;
using System.Management;
/* ... Omitted for brevity */

public static void WMIBackup(String logName, String targetFile)
{
    // Connect to the local CIMv2 namespace. EnablePrivileges asks WMI to
    // enable privileges (such as SeBackupPrivilege) that the caller's token
    // already holds; it cannot add a privilege the token does not contain.
    ManagementScope scope = new ManagementScope("root\\CIMV2");
    scope.Options.Impersonation = ImpersonationLevel.Impersonate;
    scope.Options.EnablePrivileges = true;

    // The class is Win32_NTEventLogFile (there is no Win32_NTEventLog class)
    // and WQL string literals must be quoted.
    ObjectQuery query = new ObjectQuery(
        String.Format("SELECT * FROM Win32_NTEventLogFile WHERE LogfileName='{0}'",
            logName.Replace("'", "\\'"))
    );

    using (ManagementObjectSearcher search =
        new ManagementObjectSearcher(scope, query))
    {
        ManagementObjectCollection logs = search.Get();
        if (logs.Count != 1)
            throw new ArgumentOutOfRangeException("logName", "logName not found");

        foreach (ManagementObject log in logs)
        {
            // Take the parameter object from the instance itself so the call
            // shares the scope above (and its EnablePrivileges setting).
            // "params" is a C# keyword and cannot be used as a variable name.
            ManagementBaseObject inParams =
                log.GetMethodParameters("BackupEventLog");
            inParams["ArchiveFileName"] = targetFile;
            ManagementBaseObject outParams = log.InvokeMethod(
                "BackupEventLog",
                inParams,
                new InvokeMethodOptions(
                    null,
                    InvokeMethodOptions.InfiniteTimeout)
            );

            // BackupEventLog also reports failures through ReturnValue
            // (0 = success, 8 = privilege missing, 21 = invalid parameter,
            // 183 = archive file already exists) rather than only by throwing.
            uint rc = (uint)outParams["ReturnValue"];
            if (rc != 0)
                throw new InvalidOperationException(
                    String.Format("BackupEventLog({0}) returned {1}", logName, rc));
        }
    }
}

All data is transcribed so apologies for errata.
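The practitioner's first check for a PrivilegesNotHeld error is whether the process token contains SeBackupPrivilege at all: WMI's EnablePrivileges (or -EnableAllPrivileges in PowerShell) can enable a privilege that is present but disabled, but it cannot add one that the token lacks, and a member of Administrators running under a UAC-filtered token does not hold SeBackupPrivilege. (StatusCode 2147749891 is 0x80041003, WBEM_E_ACCESS_DENIED.) The following Windows PowerShell script is an added example, not code from the original post or its author: it inspects the current token, then performs the same Win32_NTEventLogFile.BackupEventLog call as the C# above and decodes the documented return values. The archive directory, the timestamped file name and the function names are assumptions for illustration.

```powershell
# Added example (not from the original post). Checks whether the current
# process token actually carries SeBackupPrivilege before asking WMI to use it,
# then backs up a classic event log with Win32_NTEventLogFile.BackupEventLog.
# $ArchiveDir is an assumed location; adjust as needed.
param(
    [string]$LogName    = 'Application',
    [string]$ArchiveDir = 'C:\Temp\EventLogBackups'
)

function Test-BackupPrivilege {
    # whoami /priv lists the privileges in the *current* token. An account in
    # Administrators still lacks SeBackupPrivilege if the process runs with a
    # UAC-filtered token; -EnableAllPrivileges can only enable a privilege the
    # token already contains, so check presence (and elevation) first.
    $privs  = whoami /priv /fo csv | ConvertFrom-Csv
    $backup = $privs | Where-Object { $_.'Privilege Name' -eq 'SeBackupPrivilege' }
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    [pscustomobject]@{
        Present  = [bool]$backup
        State    = if ($backup) { $backup.State } else { 'Absent' }
        Elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

function Backup-ClassicEventLog {
    param([string]$Name, [string]$Target)

    $status = Test-BackupPrivilege
    if (-not $status.Present) {
        throw "SeBackupPrivilege is not in the process token (elevated: $($status.Elevated)); start an elevated session and retry."
    }

    # -EnableAllPrivileges makes WMI enable every privilege the token holds
    # (the equivalent of scope.Options.EnablePrivileges = true in C#).
    $log = Get-WmiObject -Class Win32_NTEventLogFile `
                         -Filter "LogfileName='$Name'" `
                         -EnableAllPrivileges
    if (-not $log) { throw "No classic event log named '$Name'" }

    # BackupEventLog fails if the archive already exists (ReturnValue 183),
    # so write to a fresh, timestamped file name (assumed naming scheme).
    New-Item -ItemType Directory -Path $Target -Force | Out-Null
    $file = Join-Path $Target ("{0}-{1:yyyyMMdd-HHmmss}.evt" -f $Name, (Get-Date))

    $result = $log.BackupEventLog($file)

    # Documented return values of Win32_NTEventLogFile.BackupEventLog
    $meaning = @{ 0 = 'Success'; 8 = 'Privilege missing'; 21 = 'Invalid parameter'; 183 = 'Archive file already exists' }
    $rc = [int]$result.ReturnValue
    [pscustomobject]@{
        Log         = $Name
        File        = $file
        ReturnValue = $rc
        Meaning     = if ($meaning.ContainsKey($rc)) { $meaning[$rc] } else { 'See Win32 error code' }
    }
}

Backup-ClassicEventLog -Name $LogName -Target $ArchiveDir
```

Run it from an elevated Windows PowerShell 5.1 prompt (Get-WmiObject is not available in PowerShell 7). If Test-BackupPrivilege reports Present = False while the account is in Administrators, the process is running with the filtered token and no amount of EnablePrivileges in the C# code will help; that is the case to rule out before looking at per-log ACLs.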


白首有我共你 2024-11-13 00:10:46


I've had issues accessing WMI and/or COM interfaces in the past. It would work on one system and fail on another.

I found that the error did not happen if you retried. I'd suggest that when it fails, you wait for a short period (half a second or so) and retry.

My code has a retry loop around all the COM and WMI calls similar to this sample:

/* Requires: using System; using System.Threading; */
const int maxRetryCount = 3;  // assumed value; the original sample does not define it
int errorCount = 0;
bool success = false;
// Keep going until the call succeeds or the retry budget is spent
// (the original used ||, which never terminates after a success).
while (!success && errorCount < maxRetryCount)
{
    try
    {
         /* Call to WMI interface */
         DoSomething();
         success = true;
    }
    catch (Exception ex)
    {
         errorCount++;  // count this failure so the loop can end
         if (errorCount < maxRetryCount)
         {
             logWarning(ex);
             Thread.Sleep(500);  /* wait about half a second before retrying */
         }
         else
         {
             logError(ex);
             throw; /* pass exception up the stack
             or break and handle failure below */
         }
    }
}
if (!success)
{
    /* Handle failure */
}

Never did work out what the underlying issue was, but this works for me.
