Two Minute Drill: WMIDiag and Namespace Security
Published Mar 15 2019 07:54 PM
Microsoft
First published on TECHNET on Jan 13, 2009

Hello AskPerf.  Happy New Year!  My name is Gangadharan Prashanth and we’re going to kick off 2009 with a quick look at WMI Namespace Security and a common error message that we see when running the WMI Diagnosis Utility (WMIDiag).  When running WMIDiag, we often see an alert along these lines: the WMIDiag log may report that the default security on a WMI namespace has been changed.  Open up the WMIDiag log and, towards the end, look for a section marked WMI REPORT: BEGIN.  The section will look something like this:

44072 12:41:02 (0) ** ----------------------------------------------------------------------------------------------
44073 12:41:02 (0) ** ----------------------------------------------------- WMI REPORT: BEGIN ----------------
44074 12:41:02 (0) ** ----------------------------------------------------------------------------------------------


If the default security on a namespace has been changed, then the following information will appear:


WMI namespace security for 'ROOT/RSOP': ............................................... MODIFIED.
47318 16:15:40 (1) !! ERROR: Actual trustee 'NT AUTHORITY\NETWORK SERVICE' DOES NOT match
corresponding expected trustee rights (Actual->Default)

47319 16:15:40 (0) ** - ACTUAL ACE:

47320 16:15:40 (0) ** ACEType: &h0
47321 16:15:40 (0) ** ACCESS_ALLOWED_ACE_TYPE
47322 16:15:40 (0) ** ACEFlags: &h12
47323 16:15:40 (0) ** CONTAINER_INHERIT_ACE
47324 16:15:40 (0) ** INHERITED_ACE
47325 16:15:40 (0) ** ACEMask: &h3F
47326 16:15:40 (0) ** WBEM_ENABLE
47327 16:15:40 (0) ** WBEM_METHOD_EXECUTE
47328 16:15:40 (0) ** WBEM_FULL_WRITE_REP
47329 16:15:40 (0) ** WBEM_PARTIAL_WRITE_REP
47330 16:15:40 (0) ** WBEM_WRITE_PROVIDER
47331 16:15:40 (0) ** WBEM_REMOTE_ACCESS

47332 16:15:40 (0) ** - EXPECTED ACE:

47333 16:15:40 (0) ** ACEType: &h0
47334 16:15:40 (0) ** ACCESS_ALLOWED_ACE_TYPE
47335 16:15:40 (0) ** ACEFlags: &h12
47336 16:15:40 (0) ** CONTAINER_INHERIT_ACE
47337 16:15:40 (0) ** INHERITED_ACE
47338 16:15:40 (0) ** ACEMask: &h6003F
47339 16:15:40 (0) ** WBEM_ENABLE
47340 16:15:40 (0) ** WBEM_METHOD_EXECUTE
47341 16:15:40 (0) ** WBEM_FULL_WRITE_REP
47342 16:15:40 (0) ** WBEM_PARTIAL_WRITE_REP
47343 16:15:40 (0) ** WBEM_WRITE_PROVIDER
47344 16:15:40 (0) ** WBEM_REMOTE_ACCESS
47345 16:15:40 (0) ** WBEM_WRITE_DAC
47346 16:15:40 (0) ** WBEM_READ_CONTROL
47347 16:15:40 (0) **
47348 16:15:40 (0) ** => The actual ACE has the right(s) '&h60000 WBEM_WRITE_DAC WBEM_READ_CONTROL' removed!
47349 16:15:40 (0) ** This will cause some operations to fail!
47350 16:15:40 (0) ** It is possible to fix this issue by editing the security descriptor and adding the removed right.
47351 16:15:40 (0) ** For WMI namespaces, this can be done with 'WMIMGMT.MSC'.

If there are multiple namespaces that have been identified by WMIDiag, then each one will have its own entry.  There are three main sections to consider in this error message.  The first section tells us which namespace has had its security modified.  The entry will begin with WMI namespace security for ‘ROOT/’.  After ‘ROOT/’, any one of the namespaces below ROOT or the ROOT namespace itself could be the one identified.  In our example above, the namespace in question is ‘ROOT/RSOP’.  In this first section, we are also provided the account name whose security rights differ from the expected defaults.  In this example, the account is the ‘NT AUTHORITY\NETWORK SERVICE’ account:


WMI namespace security for 'ROOT/RSOP': ........................................................... MODIFIED.
47318 16:15:40 (1) !! ERROR: Actual trustee 'NT AUTHORITY\NETWORK SERVICE' DOES NOT match
corresponding expected trustee rights (Actual->Default)

The second section will tell us the current security settings on the server/machine for the user/account in question. This section will start with the line - ACTUAL ACE:


47319 16:15:40 (0) ** - ACTUAL ACE:

47320 16:15:40 (0) ** ACEType: &h0
47321 16:15:40 (0) ** ACCESS_ALLOWED_ACE_TYPE
47322 16:15:40 (0) ** ACEFlags: &h12
47323 16:15:40 (0) ** CONTAINER_INHERIT_ACE
47324 16:15:40 (0) ** INHERITED_ACE
47325 16:15:40 (0) ** ACEMask: &h3F
47326 16:15:40 (0) ** WBEM_ENABLE
47327 16:15:40 (0) ** WBEM_METHOD_EXECUTE
47328 16:15:40 (0) ** WBEM_FULL_WRITE_REP
47329 16:15:40 (0) ** WBEM_PARTIAL_WRITE_REP
47330 16:15:40 (0) ** WBEM_WRITE_PROVIDER
47331 16:15:40 (0) ** WBEM_REMOTE_ACCESS

The third section tells us what the expected security settings on the account are.  This section starts with the line - EXPECTED ACE:

47332 16:15:40 (0) ** - EXPECTED ACE:

47333 16:15:40 (0) ** ACEType: &h0
47334 16:15:40 (0) ** ACCESS_ALLOWED_ACE_TYPE
47335 16:15:40 (0) ** ACEFlags: &h12
47336 16:15:40 (0) ** CONTAINER_INHERIT_ACE
47337 16:15:40 (0) ** INHERITED_ACE
47338 16:15:40 (0) ** ACEMask: &h6003F
47339 16:15:40 (0) ** WBEM_ENABLE
47340 16:15:40 (0) ** WBEM_METHOD_EXECUTE
47341 16:15:40 (0) ** WBEM_FULL_WRITE_REP
47342 16:15:40 (0) ** WBEM_PARTIAL_WRITE_REP
47343 16:15:40 (0) ** WBEM_WRITE_PROVIDER
47344 16:15:40 (0) ** WBEM_REMOTE_ACCESS
47345 16:15:40 (0) ** WBEM_WRITE_DAC
47346 16:15:40 (0) ** WBEM_READ_CONTROL
47347 16:15:40 (0) **

Within the expected security settings section, there are some things to take note of.  The first part of this section describes whether or not the account specified is supposed to have access at all (an access-allowed versus an access-denied ACE):

47333 16:15:40 (0) ** ACEType: &h0
47334 16:15:40 (0) ** ACCESS_ALLOWED_ACE_TYPE

The second part of this section tells us if the security information is inherited from its parent object:

47335 16:15:40 (0) ** ACEFlags: &h12
47336 16:15:40 (0) ** CONTAINER_INHERIT_ACE
47337 16:15:40 (0) ** INHERITED_ACE

The last part of this section enumerates the expected permissions:

47338 16:15:40 (0) ** ACEMask: &h6003F
47339 16:15:40 (0) ** WBEM_ENABLE
47340 16:15:40 (0) ** WBEM_METHOD_EXECUTE
47341 16:15:40 (0) ** WBEM_FULL_WRITE_REP
47342 16:15:40 (0) ** WBEM_PARTIAL_WRITE_REP
47343 16:15:40 (0) ** WBEM_WRITE_PROVIDER
47344 16:15:40 (0) ** WBEM_REMOTE_ACCESS
47345 16:15:40 (0) ** WBEM_WRITE_DAC
47346 16:15:40 (0) ** WBEM_READ_CONTROL

So now that we know exactly how to interpret the data in our logs, let’s quickly go over what these permissions mean (this information is documented in the MSDN article Access to WMI Namespaces (Windows)):


WMI Nomenclature       | GUI “Friendly Name” | Description
-----------------------|---------------------|-------------------------------------------------------------------------------------------------
WBEM_ENABLE            | Enable Account      | Permits read access to WMI classes
WBEM_METHOD_EXECUTE    | Execute Methods     | Permits the user to execute methods defined on WMI classes
WBEM_FULL_WRITE_REP    | Full Write          | Permits full read, write and delete access to WMI classes and class instances, both static and dynamic
WBEM_PARTIAL_WRITE_REP | Partial Write       | Permits write access to static WMI class instances
WBEM_WRITE_PROVIDER    | Provider Write      | Permits write access to dynamic WMI class instances
WBEM_REMOTE_ACCESS     | Remote Enable       | Permits access to the namespace by remote computers
WBEM_WRITE_DAC         | Edit Security       | Permits write access to DACL settings
WBEM_READ_CONTROL      | Read Security       | Permits read-only access to DACL settings
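As an added example (not from the original post and not WMIDiag's own code), the Python script below decodes the ACEFlags and ACEMask values from a report entry like the one above and recomputes the "right(s) removed" line by diffing the actual mask against the expected one. The bit values are the documented WBEM_* namespace rights and the standard Windows ACE flag constants; the report excerpt embedded in it is constructed to mirror the ROOT/RSOP entry.

```python
import re

# Documented WBEM_* namespace rights (GUI names in comments) plus the two
# standard ACE flags that appear in the report.  Added example, not WMIDiag code.
WBEM_RIGHTS = {
    0x00001: "WBEM_ENABLE",             # Enable Account
    0x00002: "WBEM_METHOD_EXECUTE",     # Execute Methods
    0x00004: "WBEM_FULL_WRITE_REP",     # Full Write
    0x00008: "WBEM_PARTIAL_WRITE_REP",  # Partial Write
    0x00010: "WBEM_WRITE_PROVIDER",     # Provider Write
    0x00020: "WBEM_REMOTE_ACCESS",      # Remote Enable
    0x20000: "WBEM_READ_CONTROL",       # Read Security (generic READ_CONTROL)
    0x40000: "WBEM_WRITE_DAC",          # Edit Security (generic WRITE_DAC)
}
ACE_FLAGS = {0x02: "CONTAINER_INHERIT_ACE", 0x10: "INHERITED_ACE"}

def decode_bits(value, table):
    """Return the names of the bits set in value, in ascending bit order."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)          # bits this table does not know
    if leftover:
        names.append("UNKNOWN_&h%X" % leftover)
    return names

def parse_ace(block):
    """Extract (flags, mask) from one '- ACTUAL ACE:' or '- EXPECTED ACE:' block."""
    flags = re.search(r"ACEFlags:\s*&h([0-9A-Fa-f]+)", block).group(1)
    mask = re.search(r"ACEMask:\s*&h([0-9A-Fa-f]+)", block).group(1)
    return int(flags, 16), int(mask, 16)

def compare_masks(actual, expected):
    """Rights the default DACL grants but the current ACE lacks, and vice versa."""
    removed, added = expected & ~actual, actual & ~expected
    return {"removed": decode_bits(removed, WBEM_RIGHTS),
            "added": decode_bits(added, WBEM_RIGHTS),
            "removed_hex": "&h%X" % removed}

# Constructed excerpt mirroring the ROOT/RSOP entry; line ids and timestamps trimmed.
REPORT = """\
** - ACTUAL ACE:
** ACEFlags: &h12
** ACEMask: &h3F
** - EXPECTED ACE:
** ACEFlags: &h12
** ACEMask: &h6003F
"""

def analyse(report=REPORT):
    actual_txt, expected_txt = report.split("** - EXPECTED ACE:")
    a_flags, a_mask = parse_ace(actual_txt)
    e_flags, e_mask = parse_ace(expected_txt)
    result = compare_masks(a_mask, e_mask)
    result["inherited"] = "INHERITED_ACE" in decode_bits(a_flags, ACE_FLAGS)
    result["actual_rights"] = decode_bits(a_mask, WBEM_RIGHTS)
    return result

if __name__ == "__main__":
    r = analyse()
    print("removed:", r["removed_hex"], " ".join(r["removed"]))  # &h60000 WBEM_READ_CONTROL WBEM_WRITE_DAC
```

An "added" list that is non-empty is the opposite finding (rights granted beyond the defaults), which WMIDiag also flags as MODIFIED and which usually deserves a closer look than a missing right.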

Let’s assume for a moment that we haven’t deliberately altered the permissions on this namespace and that we want to change the permissions to match what WMIDiag reports as the expected permissions.  The process is outlined in Microsoft KB Article 325353.  Once you have made the requisite changes, re-run the WMI Diagnosis Utility to verify that the changes have taken effect.


And that brings us to the end of this post.  Thanks for stopping by, and once again – HAPPY NEW YEAR!


Additional Resources:



- Gangadharan Prashanth
















