Hello AskPerf. Happy New Year! My name is Gangadharan Prashanth and we’re going to kick off 2009 with a quick look at WMI Namespace Security and a common error message that we see when running the WMI Diagnosis Utility (WMIDiag).

When running WMIDiag, we often see an alert that looks something like this: WMIDIAG log may report that the default security on the WMI namespace has been changed. Open up the WMIDiag logs, and towards the end look for a section marked WMI REPORT: BEGIN. The section will look something like this:
If the default security on a namespace has been changed, then the following information will appear:
If there are multiple namespaces that have been identified by WMIDiag, then each one will have its own entry. There are three main sections to consider in this error message. The first section tells us which namespace has had its security modified. The entry will begin with WMI namespace security for ‘ROOT/’. After ‘ROOT/’, any one of the namespaces below ROOT or the ROOT namespace itself could be the one identified. In our example above, the namespace in question is ‘ROOT/RSOP’. In this first section, we are also provided the account name whose security rights differ from the expected defaults. In this example, the account is the ‘NT AUTHORITY\NETWORK SERVICE’ account:
The second section will tell us the current security settings on the server/machine for the user/account in question. This section will start with the line - ACTUAL ACE:
The third section tells us what the expected security settings on the account are. This section starts with the line – EXPECTED ACE:
Within the expected security settings section, there are some things to take note of. The first part of this section describes whether or not the account specified is supposed to have access:
The second part of this section tells us if the security information is inherited from its parent object:
The last part of this section enumerates the expected permissions:

47338 16:15:40 (0) ** ACEMask: &h6003F
So now that we know how to interpret the data in our logs, let’s quickly go over what these permissions mean (this info is documented in the MSDN Article: Access to WMI Namespaces (Windows)):
| WMI Nomenclature | GUI “Friendly Name” | Description |
|---|---|---|
| WBEM_ENABLE | Enable Account | Permits read access to WMI Classes |
| WBEM_METHOD_EXECUTE | Execute Methods | Permits the user to execute methods defined on WMI classes |
| WBEM_FULL_WRITE_REP | Full Write | Permits full read, write and delete access to WMI classes and class instances, both static and dynamic |
| WBEM_PARTIAL_WRITE_REP | Partial Write | Permits write access to static WMI class instances |
| WBEM_WRITE_PROVIDER | Provider Write | Permits write access to dynamic WMI class instances |
| WBEM_REMOTE_ACCESS | Remote Enable | Permits access to the namespace by remote computers |
| WBEM_WRITE_DAC | Edit Security | Permits write access to DACL settings |
| WBEM_READ_CONTROL | Read Security | Permits read-only access to DACL settings |
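
The ACEMask value in the log is a bit field over the rights in the table above. The following is an added example, not part of the original post or of WMIDiag: it decodes a mask into right names and compares an ACTUAL ACE against an EXPECTED ACE. The bit values are taken from the documented WMI namespace access constants rather than from this page, the function names are hypothetical, and the sample log is constructed (only the `&h6003F` line appears in the post).

```python
import re

# Bit values for the eight rights in the table (from the WMI namespace
# access constants; the post itself lists only the names).
WBEM_RIGHTS = {
    0x00001: "WBEM_ENABLE",
    0x00002: "WBEM_METHOD_EXECUTE",
    0x00004: "WBEM_FULL_WRITE_REP",
    0x00008: "WBEM_PARTIAL_WRITE_REP",
    0x00010: "WBEM_WRITE_PROVIDER",
    0x00020: "WBEM_REMOTE_ACCESS",
    0x20000: "WBEM_READ_CONTROL",
    0x40000: "WBEM_WRITE_DAC",
}
ACEMASK_RE = re.compile(r"ACEMask:\s*&h([0-9A-Fa-f]+)")

def decode_ace_mask(mask):
    """Return (right names in bit order, leftover bits not in the table)."""
    names = [name for bit, name in sorted(WBEM_RIGHTS.items()) if mask & bit]
    return names, mask & ~sum(WBEM_RIGHTS)

def parse_ace_masks(log_text):
    """Map 'ACTUAL'/'EXPECTED' to the ACEMask under each header (one entry)."""
    masks, section = {}, None
    for line in log_text.splitlines():
        if "ACTUAL ACE:" in line:
            section = "ACTUAL"
        elif "EXPECTED ACE:" in line:
            section = "EXPECTED"
        match = ACEMASK_RE.search(line)
        if match and section:
            masks[section] = int(match.group(1), 16)
    return masks

def compare_rights(log_text):
    """List rights the account lacks or holds beyond the expected default."""
    masks = parse_ace_masks(log_text)
    actual, _ = decode_ace_mask(masks["ACTUAL"])
    expected, _ = decode_ace_mask(masks["EXPECTED"])
    return {"missing": [r for r in expected if r not in actual],
            "extra": [r for r in actual if r not in expected]}

# Constructed sample: only the last line is quoted from the post.
SAMPLE_LOG = """\
47335 16:15:40 (0) ** - ACTUAL ACE:
47336 16:15:40 (0) ** ACEMask: &h23
47337 16:15:40 (0) ** - EXPECTED ACE:
47338 16:15:40 (0) ** ACEMask: &h6003F
"""

if __name__ == "__main__":
    print(decode_ace_mask(0x6003F))
    print(compare_rights(SAMPLE_LOG))
```

A non-zero second value from `decode_ace_mask` means the mask carries bits outside the eight rights listed in the table, which is worth checking by hand before changing the namespace security.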
Let’s assume for a moment that we haven’t deliberately altered the permissions on this namespace and that we want to change the permissions to match what WMIDiag reports as the expected permissions. The process is outlined in Microsoft KB Article 325353. Once you have made the requisite changes, re-run the WMI Diagnosis Utility to verify that the changes have taken effect.
And that brings us to the end of this post. Thanks for stopping by, and once again – HAPPY NEW YEAR!
- Gangadharan Prashanth