Cannot query Win32_NTLogEvent in Remote WMI using C++ from a Winsows 2008R2 to a Windows 2008 R2 wit

Trips · Nov 25, 2010

Ive followed step by step the <a title="User Account Control And WMI http://msdn.microsoft.com/en-us/library/aa826699%28VS.85%29.aspx" title="User Account Control And WMI
article it works fine for differents configurations (ill talk you about later).
Ive followed this one also http://msdn.microsoft.com/en-us/library/bb219447%28VS.85%29.aspx. 
 
 
However, we have a configuration that is not wortking for event logs query. 
 
We built a test environement (fresh install on hyper-v) with a DOMAIN named FLA.LOCAL with a DC named FLADC in Windows 2008 R2 64Bits Standard Edition.
We set up a c++ wmi client on a Windows 2008 R2 64Bits Standard Edition named CLI . this machine belong to the domain FLA.
We have also configured a Windows 2008 R2 64Bits Standard Edition named NSI on which we will run WMI query. this machine belong to the domain FLA.
On NSI we add a domain user WMIUSER in the local administrators group as the article told us (in order not be filtered by uac). 
 
the c++ wmi client succeed to connect and query SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE ( TargetInstance ISA Win32_LogicalDisk ) AND ( TargetInstance.Name = "C:" using ExecNotificationQuery. 
But Not SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA Win32_NTLogEvent ExecNotificationQuery return access denied.
Ive tried several things (see below). Its working fine but regarding the customer (a bank with 320 Windows Server 2003 and 2008) it is not acceptable for security reason. 
Running the c++ client from a Windows 2003 server enterprise works fine. 
Disabling remote uac like the article says (but last resort) work fine. 
 
 
Ive change a little bit a sample code you provide in order to reproduce easily the issue. 
There is something strange when i expand local administrators group on the NSI server i dont see my domain user WMIUSER, but if i try to add FLAWMIUSER the OS claims that the user already exist. 
 
Voila Ive red most of the post and i did not find an anwser. 
 
Here is the c++ test code. 
 

<div style="color:black; background-color:white
<pre>

 
#include 
 
 
#define _WIN32_DCOM 
#define UNICODE 
#include <iostream> 

#include <comdef.h> 
#include <Wbemidl.h> 
# pragma comment(lib, 
# pragma comment(lib, 
# pragma comment(lib, 
#include <wincred.h> 
#include <strsafe.h> 
 

{ 
HRESULT hres; 
 


 
hres = CoInitializeEx(0, COINIT_MULTITHREADED); 

{ 
cout << 
<< hex << hres << endl; 

} 
 
MessageBox(NULL,L
 


 
hres = CoInitializeSecurity( 
NULL, 
-1, 
NULL, 
NULL, 
RPC_C_AUTHN_LEVEL_DEFAULT, 
RPC_C_IMP_LEVEL_IDENTIFY, 
NULL, 
EOAC_NONE, 
NULL 
); 
 
 

{ 
cout << 
<< hex << hres << endl; 
CoUninitialize(); 

} 
 


 
IWbemLocator *pLoc = NULL; 
 
hres = CoCreateInstance( 
CLSID_WbemLocator, 
0, 
CLSCTX_INPROC_SERVER, 
IID_IWbemLocator, (LPVOID *) &pLoc); 
 

{ 
cout << 
<< 
<< hex << hres << endl; 
CoUninitialize(); 

} 
 


 
IWbemServices *pSvc = NULL; 
 

CREDUI_INFO cui; 







BOOL fSave; 
DWORD dwErr; 
 
memset(&cui,0,
cui.cbSize = 
cui.hwndParent = NULL; 


cui.pszMessageText = TEXT(
cui.pszCaptionText = TEXT(
cui.hbmBanner = NULL; 
fSave = FALSE; 
 

dwErr = CredUIPromptForCredentials( 
&cui, // CREDUI_INFO structure 
TEXT(""), // Target for credentials 
NULL, // Reserved 
0, // Reason 
pszName, // User name 
CREDUI_MAX_USERNAME_LENGTH+1, // Max number for user name 
pszPwd, // Password 
CREDUI_MAX_PASSWORD_LENGTH+1, // Max number for password 
&fSave, // State of save check box 
CREDUI_FLAGS_GENERIC_CREDENTIALS |// flags 
CREDUI_FLAGS_ALWAYS_SHOW_UI | 
CREDUI_FLAGS_DO_NOT_PERSIST); 
 
if(dwErr == ERROR_CANCELLED) 
{ 
useToken = true; 
} 
else if (dwErr) 
{ 
cout << "Did not get credentials " << dwErr << endl; 
pLoc->Release(); 
CoUninitialize(); 
return 1; 
} 
*/
 
wcscpy(pszName,L
wcscpy(pszPwd,L
 
 
 



{ 
StringCchPrintf(pszAuthority, CREDUI_MAX_USERNAME_LENGTH+1, L

} 
 



 
hres = pLoc->ConnectServer( 
_bstr_t(L
_bstr_t(useToken?NULL

szName), 
_bstr_t(useToken?NULL

szPwd), 
NULL, 
NULL, 
_bstr_t(useNTLM?NULL

szAuthority),
NULL, 
&pSvc 
); 
 

{ 
cout << 
pLoc->Release(); 
CoUninitialize(); 

} 
 
cout << 
 
 


 
COAUTHIDENTITY *userAcct = NULL ; 
COAUTHIDENTITY authIdent; 
 

{ 
memset(&authIdent, 0, 
authIdent.PasswordLength = wcslen (pszPwd); 
authIdent.Password = (USHORT*)pszPwd; 
 
LPWSTR slash = wcschr (pszName, L\); 

{ 
cout << 
pSvc->Release(); 
pLoc->Release(); 
CoUninitialize(); 

} 
 
StringCchCopy(pszUserName, CREDUI_MAX_USERNAME_LENGTH+1, slash+1); 
authIdent.User = (USHORT*)pszUserName; 
authIdent.UserLength = wcslen(pszUserName); 
 
StringCchCopyN(pszDomain, CREDUI_MAX_USERNAME_LENGTH+1, pszName, slash - pszName); 
authIdent.Domain = (USHORT*)pszDomain; 
authIdent.DomainLength = slash - pszName; 
authIdent.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE; 
 
userAcct = &authIdent; 
 
} 
 


 
hres = CoSetProxyBlanket( 
pSvc, 
RPC_C_AUTHN_DEFAULT, 
RPC_C_AUTHZ_DEFAULT, 
COLE_DEFAULT_PRINCIPAL, 
RPC_C_AUTHN_LEVEL_PKT_PRIVACY, 
RPC_C_IMP_LEVEL_IMPERSONATE, 
userAcct, 
EOAC_NONE 
); 
 

{ 
cout << 
<< hex << hres << endl; 
pSvc->Release(); 
pLoc->Release(); 
CoUninitialize(); 

} 
 


 

IEnumWbemClassObject* pEnumerator = NULL; 
 
hres = pSvc->ExecNotificationQuery 
( 
L

L
WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY, 
NULL, &pEnumerator 
); 
 
 

hres = pSvc->ExecQuery( 
bstr_t("WQL"), 
bstr_t("Select * from Win32_OperatingSystem"), 
WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY, 
NULL, 
&pEnumerator); 
*/
 

{ 
cout << 
<< 
<< hex << hres << endl; 
pSvc->Release(); 
pLoc->Release(); 
CoUninitialize(); 

} 
 
 


hres = CoSetProxyBlanket( 
pEnumerator, 
RPC_C_AUTHN_DEFAULT, 
RPC_C_AUTHZ_DEFAULT, 
COLE_DEFAULT_PRINCIPAL, 
RPC_C_AUTHN_LEVEL_PKT_PRIVACY, 
RPC_C_IMP_LEVEL_IMPERSONATE, 
userAcct, 
EOAC_NONE 
); 
 

{ 
cout << 
<< hex << hres << endl; 
pEnumerator->Release(); 
pSvc->Release(); 
pLoc->Release(); 
CoUninitialize(); 

} 
 


SecureZeroMemory(pszName, 
SecureZeroMemory(pszPwd, 
SecureZeroMemory(pszUserName, 
SecureZeroMemory(pszDomain, 
 
 


 
IWbemClassObject *pclsObj = NULL; 
ULONG uReturn = 0; 

 

{ 
ULONG retcnt = 0L; 
Next( WBEM_INFINITE, 1L, &pclsObj, &uReturn ) ) == WBEM_S_TIMEDOUT ); 

{ 
 0 ) 
{ 
count ++; 
cout << 
 
} 
 
} 
 
 
pclsObj->Release(); 
pclsObj = NULL; 
} 

 


 
pSvc->Release(); 
pLoc->Release(); 
pEnumerator->Release(); 

{ 
pclsObj->Release(); 
} 
 
CoUninitialize(); 
 

 
} 
 
 
[/code]

 
Thank you in advance. 
Best Regards 
LUC. 
 
 
<
Luc Alquier<hr class="sig Luc Alquier

View the full article

Cannot query Win32_NTLogEvent in Remote WMI using C++ from a Winsows 2008R2 to a Windows 2008 R2 wit

Trips

Well-known member

Similar threads