Cannot query Win32_NTLogEvent via remote WMI using C++ from a Windows 2008 R2 to a Windows 2008 R2 wit

I've followed step by step the "User Account Control and WMI" article (http://msdn.microsoft.com/en-us/library/aa826699%28VS.85%29.aspx); it works fine for different configurations (I'll talk about these later).
I've also followed this one: http://msdn.microsoft.com/en-us/library/bb219447%28VS.85%29.aspx.<br/>
<br/>
<br/>
However, we have a configuration that is not working for event log queries.<br/>
<br/>
We built a test environment (fresh install on Hyper-V) with a domain named FLA.LOCAL and a DC named FLADC running Windows 2008 R2 64-bit Standard Edition.
We set up a C++ WMI client on a Windows 2008 R2 64-bit Standard Edition machine named CLI; this machine belongs to the domain FLA.
We have also configured a Windows 2008 R2 64-bit Standard Edition machine named NSI, against which we run the WMI query; this machine belongs to the domain FLA.
On NSI we added the domain user WMIUSER to the local Administrators group, as the article instructs (so that its token is not filtered by UAC).<br/>
<br/>
The C++ WMI client succeeds in connecting and running SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE ( TargetInstance ISA Win32_LogicalDisk ) AND ( TargetInstance.Name = "C:" ) using ExecNotificationQuery.<br/>
But not SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA Win32_NTLogEvent: for that query ExecNotificationQuery returns access denied.
I've tried several things (see below). They work, but for the customer (a bank with 320 Windows Server 2003 and 2008 machines) they are not acceptable for security reasons.<br/>
Running the C++ client from a Windows Server 2003 Enterprise machine works fine.<br/>
Disabling remote UAC as the article describes (a last resort) works fine.<br/>
<br/>
<br/>
I've slightly changed a sample you provide in order to reproduce the issue easily.<br/>
There is something strange: when I expand the local Administrators group on the NSI server I don't see my domain user WMIUSER, but if I try to add FLA\WMIUSER the OS claims that the user already exists.<br/>
<br/>
Voilà. I've read most of the posts and did not find an answer.<br/>
<br/>
Here is the C++ test code.<br/>
<br/>

<pre><span style="color:green // testwmiii.cpp : Defines the entry point for the console application.
<br/>
<span style="color:green //
<br/>
<br/>
#include <span style="color:#a31515 "stdafx.h"
<br/>
<br/>
<br/>
#define _WIN32_DCOM<br/>
#define UNICODE<br/>
#include <iostream><br/>
<span style="color:blue using
<span style="color:blue namespace
std;<br/>
#include <comdef.h><br/>
#include <Wbemidl.h><br/>
# pragma comment(lib, <span style="color:#a31515 "wbemuuid.lib"
)<br/>
# pragma comment(lib, <span style="color:#a31515 "credui.lib"
)<br/>
# pragma comment(lib, <span style="color:#a31515 "comsuppw.lib"
)<br/>
#include <wincred.h><br/>
#include <strsafe.h><br/>
<br/>
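// Entry point: connects to the remote root\cimv2 namespace on 192.168.0.76 with
// explicit domain credentials, subscribes to Win32_NTLogEvent creation events
// through ExecNotificationQuery, and waits for two events before cleaning up.
// Every failure path prints the HRESULT, releases what has been acquired,
// scrubs the password buffer and returns 1; success returns 0.
// argc/argv are accepted for the usual signature but not used.
int __cdecl main(int argc, char **argv)
{
    HRESULT hres;

    // Step 1: --------------------------------------------------
    // Initialize COM. ------------------------------------------
    hres = CoInitializeEx(0, COINIT_MULTITHREADED);
    if (FAILED(hres))
    {
        cout << "Failed to initialize COM library. Error code = 0x"
             << hex << hres << endl;
        return 1;   // Program has failed.
    }

    // Pause inserted by the author before any security setup runs (presumably
    // to attach a debugger or tracer); it is not part of the MSDN sample.
    MessageBox(NULL, L"s", L"s", MB_OK);

    // Step 2: --------------------------------------------------
    // Set general COM security levels --------------------------
    // This only sets the process-wide defaults; the WMI proxies get their own
    // blanket (PKT_PRIVACY / IMPERSONATE) in steps 6 and 8, and that is what
    // the remote calls actually use.
    hres = CoInitializeSecurity(
        NULL,
        -1,                         // COM authentication
        NULL,                       // Authentication services
        NULL,                       // Reserved
        RPC_C_AUTHN_LEVEL_DEFAULT,  // Default authentication
        RPC_C_IMP_LEVEL_IDENTIFY,   // Default Impersonation
        NULL,                       // Authentication info
        EOAC_NONE,                  // Additional capabilities
        NULL                        // Reserved
    );
    if (FAILED(hres))
    {
        cout << "Failed to initialize security. Error code = 0x"
             << hex << hres << endl;
        CoUninitialize();
        return 1;   // Program has failed.
    }

    // Step 3: ---------------------------------------------------
    // Obtain the initial locator to WMI -------------------------
    IWbemLocator *pLoc = NULL;

    hres = CoCreateInstance(
        CLSID_WbemLocator,
        0,
        CLSCTX_INPROC_SERVER,
        IID_IWbemLocator, reinterpret_cast<LPVOID *>(&pLoc));
    if (FAILED(hres))
    {
        cout << "Failed to create IWbemLocator object."
             << " Err code = 0x"
             << hex << hres << endl;
        CoUninitialize();
        return 1;   // Program has failed.
    }

    // Step 4: -----------------------------------------------------
    // Connect to WMI through the IWbemLocator::ConnectServer method
    IWbemServices *pSvc = NULL;

    // Get the user name and password for the remote computer.
    // All buffers are zero-initialised so that the SecureZeroMemory calls
    // later on never touch uninitialised storage and so that wcslen/wcschr
    // always see a terminated string.
    CREDUI_INFO cui;
    bool useToken = false;
    bool useNTLM = false;
    wchar_t pszName[CREDUI_MAX_USERNAME_LENGTH + 1] = {0};
    wchar_t pszPwd[CREDUI_MAX_PASSWORD_LENGTH + 1] = {0};
    wchar_t pszDomain[CREDUI_MAX_USERNAME_LENGTH + 1] = {0};
    wchar_t pszUserName[CREDUI_MAX_USERNAME_LENGTH + 1] = {0};
    wchar_t pszAuthority[CREDUI_MAX_USERNAME_LENGTH + 1] = {0};

    memset(&cui, 0, sizeof(CREDUI_INFO));
    cui.cbSize = sizeof(CREDUI_INFO);
    cui.hwndParent = NULL;
    // Ensure that MessageText and CaptionText identify
    // what credentials to use and which application requires them.
    cui.pszMessageText = TEXT("Press cancel to use process token");
    cui.pszCaptionText = TEXT("Enter Account Information");
    cui.hbmBanner = NULL;

    /*
    // Interactive path from the MSDN sample, disabled by the author to make
    // the repro deterministic. This is the path to use for anything beyond a
    // throwaway test: the password never appears in source or in the binary.
    BOOL fSave = FALSE;
    DWORD dwErr;
    dwErr = CredUIPromptForCredentials(
        &cui,                             // CREDUI_INFO structure
        TEXT(""),                         // Target for credentials
        NULL,                             // Reserved
        0,                                // Reason
        pszName,                          // User name
        CREDUI_MAX_USERNAME_LENGTH + 1,   // Max number for user name
        pszPwd,                           // Password
        CREDUI_MAX_PASSWORD_LENGTH + 1,   // Max number for password
        &fSave,                           // State of save check box
        CREDUI_FLAGS_GENERIC_CREDENTIALS | // flags
        CREDUI_FLAGS_ALWAYS_SHOW_UI |
        CREDUI_FLAGS_DO_NOT_PERSIST);

    if (dwErr == ERROR_CANCELLED)
    {
        useToken = true;
    }
    else if (dwErr)
    {
        cout << "Did not get credentials " << dwErr << endl;
        pLoc->Release();
        CoUninitialize();
        return 1;
    }
    */

    // Hard-coded test credentials (DOMAIN\user form is required: step 5 splits
    // on the backslash). The password is a placeholder redacted by the author;
    // do not commit a real one here -- use the prompt above instead.
    StringCchCopy(pszName, CREDUI_MAX_USERNAME_LENGTH + 1, L"FLA\\WMIUSER");
    StringCchCopy(pszPwd, CREDUI_MAX_PASSWORD_LENGTH + 1, L"XXXXXXXXXXXXX");

    // Change the computerName strings below to the full computer name
    // of the remote computer.
    if (!useNTLM)
    {
        // The "kERBEROS:" spelling of the scheme is taken from the MSDN sample.
        // NOTE(review): the principal given here is the short name NSI while
        // ConnectServer below addresses the host by IP address; if Kerberos
        // cannot get a ticket for that SPN the negotiation may fall back to
        // NTLM -- confirm on NSI's security log before relying on Kerberos.
        StringCchPrintf(pszAuthority, CREDUI_MAX_USERNAME_LENGTH + 1, L"kERBEROS:%s", L"NSI");
        //StringCchPrintf(pszAuthority, CREDUI_MAX_USERNAME_LENGTH+1, L"ntlmdomain:%s", L"FLA");
    }

    // Connect to the remote root\cimv2 namespace
    // and obtain pointer pSvc to make IWbemServices calls.
    //---------------------------------------------------------
    hres = pLoc->ConnectServer(
        _bstr_t(L"\\\\192.168.0.76\\root\\cimv2"),
        _bstr_t(useToken ? NULL : pszName),      // User name
        _bstr_t(useToken ? NULL : pszPwd),       // User password
        NULL,                                    // Locale
        NULL,                                    // Security flags
        _bstr_t(useNTLM ? NULL : pszAuthority),  // Authority
        NULL,                                    // Context object
        &pSvc                                    // IWbemServices proxy
    );
    if (FAILED(hres))
    {
        cout << "Could not connect. Error code = 0x" << hex << hres << endl;
        SecureZeroMemory(pszPwd, sizeof(pszPwd));
        pLoc->Release();
        CoUninitialize();
        return 1;   // Program has failed.
    }

    cout << "Connected to ROOT\\CIMV2 WMI namespace" << endl;

    // Step 5: --------------------------------------------------
    // Create COAUTHIDENTITY that can be used for setting security on proxy
    COAUTHIDENTITY *userAcct = NULL;
    COAUTHIDENTITY authIdent;

    if (!useToken)
    {
        memset(&authIdent, 0, sizeof(COAUTHIDENTITY));
        authIdent.PasswordLength = static_cast<ULONG>(wcslen(pszPwd));
        authIdent.Password = reinterpret_cast<USHORT *>(pszPwd);

        // pszName must be DOMAIN\user; split it into the two COAUTHIDENTITY
        // fields. (The buffers pszUserName/pszDomain must outlive every call
        // that uses userAcct, which is why they are locals of main.)
        LPWSTR slash = wcschr(pszName, L'\\');
        if (slash == NULL)
        {
            cout << "Could not create Auth identity. No domain specified\n";
            SecureZeroMemory(pszPwd, sizeof(pszPwd));
            pSvc->Release();
            pLoc->Release();
            CoUninitialize();
            return 1;   // Program has failed.
        }

        StringCchCopy(pszUserName, CREDUI_MAX_USERNAME_LENGTH + 1, slash + 1);
        authIdent.User = reinterpret_cast<USHORT *>(pszUserName);
        authIdent.UserLength = static_cast<ULONG>(wcslen(pszUserName));

        StringCchCopyN(pszDomain, CREDUI_MAX_USERNAME_LENGTH + 1, pszName, slash - pszName);
        authIdent.Domain = reinterpret_cast<USHORT *>(pszDomain);
        authIdent.DomainLength = static_cast<ULONG>(slash - pszName);
        authIdent.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;

        userAcct = &authIdent;
    }

    // Step 6: --------------------------------------------------
    // Set security levels on a WMI connection ------------------
    hres = CoSetProxyBlanket(
        pSvc,                           // Indicates the proxy to set
        RPC_C_AUTHN_DEFAULT,            // RPC_C_AUTHN_xxx
        RPC_C_AUTHZ_DEFAULT,            // RPC_C_AUTHZ_xxx
        COLE_DEFAULT_PRINCIPAL,         // Server principal name
        RPC_C_AUTHN_LEVEL_PKT_PRIVACY,  // RPC_C_AUTHN_LEVEL_xxx
        RPC_C_IMP_LEVEL_IMPERSONATE,    // RPC_C_IMP_LEVEL_xxx
        userAcct,                       // client identity
        EOAC_NONE                       // proxy capabilities
    );
    if (FAILED(hres))
    {
        cout << "Could not set proxy blanket. Error code = 0x"
             << hex << hres << endl;
        SecureZeroMemory(pszPwd, sizeof(pszPwd));
        pSvc->Release();
        pLoc->Release();
        CoUninitialize();
        return 1;   // Program has failed.
    }

    // Step 7: --------------------------------------------------
    // Use the IWbemServices pointer to make requests of WMI ----
    // Subscribe to event-log record creation on the remote host.
    // NOTE(review): unlike the Win32_LogicalDisk subscription kept below for
    // comparison, this one reads the remote event logs; whether the remote
    // token (UAC-filtered or not) is allowed to do that is what decides the
    // access-denied result -- confirm which log the denied record belongs to.
    IEnumWbemClassObject *pEnumerator = NULL;

    hres = pSvc->ExecNotificationQuery(
        L"WQL",
        //L"SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE ( TargetInstance ISA Win32_LogicalDisk ) AND ( TargetInstance.Name = \"C:\" ) ",
        L"SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA Win32_NTLogEvent",
        WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY,
        NULL, &pEnumerator
    );

    /*
    hres = pSvc->ExecQuery(
        bstr_t("WQL"),
        bstr_t("Select * from Win32_OperatingSystem"),
        WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY,
        NULL,
        &pEnumerator);
    */

    if (FAILED(hres))
    {
        // Message corrected: the sample text referred to the OS-name query.
        cout << "Event notification query failed."
             << " Error code = 0x"
             << hex << hres << endl;
        SecureZeroMemory(pszPwd, sizeof(pszPwd));
        pSvc->Release();
        pLoc->Release();
        CoUninitialize();
        return 1;   // Program has failed.
    }

    // Step 8: -------------------------------------------------
    // Secure the enumerator proxy (same identity and levels as step 6).
    hres = CoSetProxyBlanket(
        pEnumerator,                    // Indicates the proxy to set
        RPC_C_AUTHN_DEFAULT,            // RPC_C_AUTHN_xxx
        RPC_C_AUTHZ_DEFAULT,            // RPC_C_AUTHZ_xxx
        COLE_DEFAULT_PRINCIPAL,         // Server principal name
        RPC_C_AUTHN_LEVEL_PKT_PRIVACY,  // RPC_C_AUTHN_LEVEL_xxx
        RPC_C_IMP_LEVEL_IMPERSONATE,    // RPC_C_IMP_LEVEL_xxx
        userAcct,                       // client identity
        EOAC_NONE                       // proxy capabilities
    );
    if (FAILED(hres))
    {
        cout << "Could not set proxy blanket on enumerator. Error code = 0x"
             << hex << hres << endl;
        SecureZeroMemory(pszPwd, sizeof(pszPwd));
        pEnumerator->Release();
        pSvc->Release();
        pLoc->Release();
        CoUninitialize();
        return 1;   // Program has failed.
    }

    // When you have finished using the credentials,
    // erase them from memory. Both proxies have their blanket set now, so
    // authIdent (which points into these buffers) is no longer needed.
    SecureZeroMemory(pszName, sizeof(pszName));
    SecureZeroMemory(pszPwd, sizeof(pszPwd));
    SecureZeroMemory(pszUserName, sizeof(pszUserName));
    SecureZeroMemory(pszDomain, sizeof(pszDomain));

    // Step 9: -------------------------------------------------
    // Get the data from the query in step 7 -------------------
    IWbemClassObject *pclsObj = NULL;
    ULONG uReturn = 0;
    int count = 0;

    do
    {
        // WBEM_INFINITE blocks until an event arrives; the retry on
        // WBEM_S_TIMEDOUT is kept from the original for completeness.
        while ((hres = pEnumerator->Next(WBEM_INFINITE, 1L, &pclsObj, &uReturn)) == WBEM_S_TIMEDOUT)
            ;

        // A failed Next() leaves pclsObj NULL and would never deliver an
        // event, so stop instead of spinning (or dereferencing NULL below).
        if (FAILED(hres))
        {
            cout << "Next() on event enumerator failed. Error code = 0x"
                 << hex << hres << endl;
            break;
        }

        if (hres != WBEM_S_FALSE && uReturn > 0)
        {
            count++;
            cout << "Win32_NTLogEvent received" << endl;
        }

        // Only release an object that Next() actually handed out.
        if (pclsObj)
        {
            pclsObj->Release();
            pclsObj = NULL;
        }
    }
    while (count < 2);

    // Cleanup
    // ========
    pSvc->Release();
    pLoc->Release();
    pEnumerator->Release();
    if (pclsObj)
    {
        pclsObj->Release();
    }

    CoUninitialize();

    return 0;   // Program successfully completed.
}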
<br/>
<br/>

<br/>
Thank you in advance.<br/>
Best Regards <br/>
LUC.<br/>
<br/>
<br/>
