Connect to WMI of remote machine when running as a service

    Question

  • I already asked the question on stackoverflow, however I didn't get any reply. So I am trying to see if I could get some advice here:

    I am writing some code to do WMI queries and method execution on a remote machine. My login credential is a domain admin. When I run in application mode, everything works fine. When I run as a service, it won't work, which is expected since the default account a service uses is Local System. When I set the service to run as my credential, the remote WMI works fine as well.

    However, that is not desirable, so I am trying to connect to remote WMI from the service by supplying the user name and password at IWbemLocator.ConnectServer. I am able to get an IWbemServices object back successfully. However, when I tried to get the class object from the IWbemServices object, I got an error:

        //IWbemServices *pSvc
        const bstr_t objectPath("stdRegProv");
        const bstr_t methodName("GetStringValue");
        IWbemClassObject *pClass = NULL;
        HRESULT hr = pSvc->GetObject(objectPath, 0, NULL, &pClass, NULL);

    The returned hr is 0x80041003 which is "access is denied" from this link: http://msdn.microsoft.com/en-us/library/windows/desktop/aa394559%28v=vs.85%29.aspx.

    Generally if I supplied the wrong user name and password, I would get the access denied at the IWbemLocator.ConnectServer. So I am a little puzzled here why connection is good however I am not able to get the IWbemClassObject object. Since it is working if I use my domain credential as the service account, there must be some security difference. My WMI connection code is based on this sample code at MSDN: http://msdn.microsoft.com/en-us/library/windows/desktop/aa390418%28v=vs.85%29.aspx
        

    From the related topics, I do see one related post: http://social.msdn.microsoft.com/Forums/en-US/csharpgeneral/thread/3d5dc2ac-129f-4c13-8c49-b31e3ec1fd24, however it was a little different from my case: there the connection was denied, while for me the connection is fine.

    Thanks in advance for any suggestion.

    Wednesday, May 23, 2012 8:00 PM

All replies

  • There are some WMI providers filtered by UAC, check http://msdn.microsoft.com/en-us/library/windows/desktop/aa826699(v=vs.85).aspx.


    The following is signature, not part of post
    Please mark the post answered your question as the answer, and mark other helpful posts as helpful, so they will appear differently to other users who are visiting your thread for the same problem.
    Visual C++ MVP

    Wednesday, May 23, 2012 10:00 PM
  • Thanks for the information. Based on your suggestion and my search, I did the following:

    1. Currently the impersonation level is RPC_C_IMP_LEVEL_IMPERSONATE. I tried to use RPC_C_IMP_LEVEL_DELEGATE and got an error code (I didn't have the error code handy); the error text is like "A security package specific error occurred". I didn't pursue this further since I would have to change a setting in AD to enable the delegation, which we won't be able to ask the customer to do (see this link: http://msdn.microsoft.com/en-us/library/windows/desktop/ms686632%28v=vs.85%29.aspx)

    2. I tried to disable the UAC filtering on the remote machine by setting HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy to 1 by following the link: http://msdn.microsoft.com/en-us/library/windows/desktop/aa826699%28v=vs.85%29.aspx. I also rebooted the remote machine; it doesn't help either.

    3. I also set the authentication level from RPC_C_AUTHN_LEVEL_CALL to RPC_C_AUTHN_LEVEL_PKT_PRIVACY at the call to CoSetProxyBlanket (per this link http://msdn.microsoft.com/en-us/library/windows/desktop/aa394603%28v=vs.85%29.aspx for error code 0x80041003). It would work if I run as application. It still won't work if running as a service as LocalSystem by providing user name and password to the IWbemLocator.ConnectServer call.

    4. I found out this link: for WMI troubleshooting and it said that there is an event view trace for wmi activity, however it won't add any trace for error apparently on remote machine. I didn't find a way to find detailed logging for stdRegProv provider.

    5. Next I am trying to execute a privileged operation by following this link: http://msdn.microsoft.com/en-us/library/windows/desktop/aa390429%28v=vs.85%29.aspx, however it said the following:

    =====================

    a. Obtain permissions for the client process to execute the privileged operation. Typically, an administrator sets the permissions using system administrative tools—prior to running the process.

    b. Obtain permission for the provider process to enable the privileged operation. Typically, you can set provider permissions with a call to the AdjustTokenPrivileges function.

    c. Obtain permission for the client process to enable the privileged operation.

        This step is necessary only if the provider is local to the client. If the client and provider exist on the same computer, the client must specifically enable the privileged operation by using one of the following techniques:

            - If the client owns the process, the client can use AdjustTokenPrivileges to adjust the process token before calling WMI. In this case, you do not need to code any further.
            - If the client is running on Windows 2000 or later and cannot access the client token, the client can use the following procedure to create a thread token and use AdjustTokenPrivileges on that token.

    ======================

    Obviously I cannot change the permission on the provider class, so option b is out. Also the provider is not local to the client, so option c is out. So it only leaves option a. I am not sure how to do it. Even if I can do it, I am not sure if we could ask the customer to do so. For understanding, I am also trying option c to call AdjustTokenPrivileges in my service process, which is running as LocalSystem, though I am not sure how it would affect my domain account accessing the WMI class on the remote machine. Unfortunately right now I got an access denied error on that call.

    It would be highly appreciated if more lights are shed on this.

    Thursday, May 24, 2012 10:22 PM
  • Do you get the error on all providers? Check the server's security log as well as the WMI namespace's security permissions.



    Thursday, May 24, 2012 10:38 PM
  • I also tried the Win32_Process Create method and I would get the same error. I also tried to run the query "Select * from Win32_Processor" on the remote machine and I would get the same error code on execution of the query.

    As for privilege, I found out that the service as LocalSystem has many more privileges than the service running as my domain account. I could paste those detailed privileges here if it helps, however it would mean that the privilege of the process probably doesn't matter, unless I miss something here, since I supply my domain credential for the connection to remote WMI.

    As for the WMI namespace security, I guess I don't have problem to connect to the namespace on the remote machine, however I have problem in executing and query wmi classes.  Based on the link you sent, I turn on the Audit for accessing wmi namespace and I got the audit entries on the Event viewer security logs with category as "Special Logon". I ran my code as service (LocalSystem, by supplying my domain credential for wmi connection) and also as application. To my surprise, I got same set of privilege on both runs and here is a snippet:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          5/25/2012 11:44:18 AM
    Event ID:      4672
    Task Category: Special Logon
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      xxxx
    Description:
    Special privileges assigned to new logon.
    
    Subject:
    	Security ID:		xxx
    	Account Name:		xxx
    	Account Domain:		
    	Logon ID:		0x39d732
    
    Privileges:		SeSecurityPrivilege
    			SeBackupPrivilege
    			SeRestorePrivilege
    			SeTakeOwnershipPrivilege
    			SeDebugPrivilege
    			SeSystemEnvironmentPrivilege
    			SeLoadDriverPrivilege
    			SeImpersonatePrivilege

    However I won't see any other error in the security logs when my remote WMI call fails. I guess that there is no audit entry and tracing log for the WMI provider, which is really the issue here.

    I am thinking that I am running out of things to try here. I really wish Microsoft could make this a little easier to debug for developer here.



    Friday, May 25, 2012 4:03 PM
  • Just want to isolate the problem between your code and your permission... can you run WMIC scripts in your service and redirect the result to your service process?

    For example start a process whose command line is WMIC /NODE:"computername" /USER:"domainname\username" /PASSWORD:"userpassword" CPU GET 

    If this line fails like what your code does you probably want to visit http://social.technet.microsoft.com/Forums/en-US/ITCG/threads and ask the WMI script folks there, they are programming WMI providers much more often than C++ programmers, and they are probably more experienced in WMI permission issues.






    Friday, May 25, 2012 8:13 PM
  • Also, following this link (wmi namespace audit), I added the audit for it, however I could only see the audit for the namespace ConnectServer, and I could not see an audit for the provider. Here is what the event looks like for that audit; I got the same AccessList and AccessMask both as service (LocalSystem, by supplying my domain credential for the WMI connection) and as application:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4662</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12804</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2012-05-25T20:05:11.379716700Z" />
        <EventRecordID>18872</EventRecordID>
        <Correlation />
        <Execution ProcessID="452" ThreadID="500" />
        <Channel>Security</Channel>
        <Computer>xxxx</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">xxxx</Data>
        <Data Name="SubjectUserName">xxx</Data>
        <Data Name="SubjectDomainName">xxx</Data>
        <Data Name="SubjectLogonId">0x4b14c8</Data>
        <Data Name="ObjectServer">WMI</Data>
        <Data Name="ObjectType">WMI Namespace</Data>
        <Data Name="ObjectName">root\CIMV2</Data>
        <Data Name="OperationType">Object Access</Data>
        <Data Name="HandleId">0x0</Data>
        <Data Name="AccessList">%%1552
    				%%1557
    				</Data>
        <Data Name="AccessMask">0x21</Data>
        <Data Name="Properties">-</Data>
        <Data Name="AdditionalInfo">Remote Read (ConnectServer)</Data>
        <Data Name="AdditionalInfo2">root\CIMV2</Data>
      </EventData>
    </Event>

    So it won't help either. I didn't find a way to turn on audit at the provider level and I also didn't find a way to turn on detailed trace for the provider. I am starting to think that maybe WMI doesn't really have adequate debug support here. Even if we could get it working on my testing machine, it would be very hard for us to debug on a customer machine in case there is some issue. Any feedback would be really appreciated.

    Friday, May 25, 2012 8:19 PM
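
Added example, not part of the original thread: a Python sketch that decodes the event 4662 WMI namespace audit record posted above and diffs two such records, so the service run and the application run can be compared field by field. The right names are the WMI namespace access rights constants; the sample records and the `EXAMPLE`, `svc-user` and `HOST01$` values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# WMI namespace access-right bits (WMI "Namespace Access Rights Constants").
WMI_RIGHTS = {
    0x1: "WBEM_ENABLE",
    0x2: "WBEM_METHOD_EXECUTE",
    0x4: "WBEM_FULL_WRITE_REP",
    0x8: "WBEM_PARTIAL_WRITE_REP",
    0x10: "WBEM_WRITE_PROVIDER",
    0x20: "WBEM_REMOTE_ACCESS",
    0x40: "WBEM_RIGHT_SUBSCRIBE",
    0x80: "WBEM_RIGHT_PUBLISH",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
}

# Fields expected to change on every logon; ignored when comparing two runs.
VOLATILE = {"SubjectLogonId", "HandleId"}

# Constructed sample modelled on the event in the thread. The domain, user and
# logon-ID values are placeholders, not values from the original post.
TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">{logon}</Data>
    <Data Name="ObjectServer">WMI</Data>
    <Data Name="ObjectType">WMI Namespace</Data>
    <Data Name="ObjectName">root\\CIMV2</Data>
    <Data Name="AccessList">%%1552
            %%1557
            </Data>
    <Data Name="AccessMask">0x21</Data>
    <Data Name="AdditionalInfo">Remote Read (ConnectServer)</Data>
  </EventData>
</Event>"""


def decode_access_mask(mask):
    """Return the names of the WMI namespace rights set in mask."""
    names = [name for bit, name in sorted(WMI_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(WMI_RIGHTS)
    if unknown:
        names.append("UNKNOWN(0x%x)" % unknown)
    return names


def parse_wmi_audit(xml_text):
    """Parse one event record; return None unless it is a 4662 WMI audit."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    if event_id != "4662" or data.get("ObjectServer") != "WMI":
        return None
    data["AccessList"] = data.get("AccessList", "").split()
    data["Rights"] = decode_access_mask(int(data.get("AccessMask", "0"), 16))
    return data


def diff_events(a, b):
    """Return {field: (a_value, b_value)} for non-volatile fields that differ."""
    keys = (set(a) | set(b)) - VOLATILE
    return {k: (a.get(k), b.get(k)) for k in sorted(keys) if a.get(k) != b.get(k)}


def sample(user, logon):
    """Build and parse one constructed record for the given subject."""
    return parse_wmi_audit(TEMPLATE.format(user=user, logon=logon))


if __name__ == "__main__":
    app = sample("svc-user", "0x39d732")
    svc = sample("svc-user", "0x4b14c8")
    machine = sample("HOST01$", "0x4c0001")  # constructed identity mismatch
    print(app["ObjectName"], app["AdditionalInfo"], app["Rights"])
    print("application vs service:", diff_events(app, svc))
    print("application vs computer account:", diff_events(app, machine))
```

Export the records for the two runs from the target's Security log as XML and pass each to `parse_wmi_audit`; an empty diff means the namespace audit recorded the same subject and rights for both runs.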
  • Thanks very much for the information.  I put the wmic into my service code and run it by using the CreateProcess. The cmd line I used is: WMIC /NODE:"computername" /USER:"domainname\username" /PASSWORD:"userpassword" /output:c:\temp\wmicout.txt /trace:on CPU GET. I also turned on the trace option, unfortunately there is no way to direct the trace into a log file.

    Nevertheless I was able to get the output at the service and also able to get the trace when I run wmic on cmd line (hope that it would be same as running at cmd line). To my surprise, wmic would work at my service code. Based on the trace code, however it has no big difference to my C++ code, however I still tried to match my C++ code as much as possible with the trace code, however it is still not working running as service (same error code 0x80041003 at line:

    pSvc->ExecQuery(L"WQL", L"SELECT * FROM WIN32_PROCESSOR", 0,NULL,&pobjResults);)

     Based on what we see here, so it is not really a permission issue, it is code issue, however I just don't know where the code is wrong since it is just standard WMI code. I also make sure the CoSetProxyBlanket is using the exactly same parameter, however it is still not working, and this method is the only one which I could think of which would make a difference here. Am I missing something here?

    Here is my C++ code:

        HRESULT hres;
        FIB::tstringex errStr;
        // Initialize COM.
        hres =  CoInitializeEx(0, COINIT_MULTITHREADED);
        if (FAILED(hres))
        {
            errStr.Format(_T("Failed to initialize COM library 0x%x" ), hres);
            LOG_ERROR(errStr);

            return 1;              // Program has failed.
        }

        IWbemLocator *pLoc = 0;
        hres = CoCreateInstance(
            CLSID_WbemLocator,
            0,
            CLSCTX_INPROC_SERVER,
            IID_IWbemLocator, (LPVOID *) &pLoc);
        if (FAILED(hres))
        {
            errStr.Format(_T("Failed to create IWbemLocator object with error code 0x%x"),hres);
            LOG_ERROR(errStr);
            CoUninitialize();
            return 1;       // Program has failed.
        }

        IWbemServices *pSvc = 0;

        // Connect to the root\cimv2 namespace with the
        // current user and obtain pointer pSvc
        // to make IWbemServices calls.
        hres = pLoc->ConnectServer(
            _bstr_t(L"\\\\xx\\ROOT\\CIMV2"), // WMI namespace
            _bstr_t(L"xxDomain\\xxUser"),    // User name
            _bstr_t(L"xxPwd!"),              // User password
            L"ms_409",                       // Locale
            NULL,                            // Security flags
            0,                               // Authority
            NULL,                            // Context object
            &pSvc                            // IWbemServices proxy
            );
        if (FAILED(hres))
        {
            errStr.Format(_T("Failed to connect to wmi server, error code 0x%x"),hres);
            LOG_ERROR(errStr);
            pLoc->Release();
            CoUninitialize();
            return 1;       // Program has failed.
        }

        LOG_DEBUG(_T("Connected to ROOT\\CIMV2 WMI namespace"));

        // Set the IWbemServices proxy so that impersonation
        // of the user (client) occurs.
        hres = CoSetProxyBlanket(
            pSvc,                          // the proxy to set
            RPC_C_AUTHN_DEFAULT,           // authentication service
            RPC_C_AUTHZ_NONE,              // authorization service
            NULL,                          // Server principal name
            RPC_C_AUTHN_LEVEL_PKT_PRIVACY, // authentication level
            RPC_C_IMP_LEVEL_IMPERSONATE,   // impersonation level
            NULL,                          // client identity
            EOAC_NONE                      // proxy capabilities
            );
        if (FAILED(hres))
        {
            errStr.Format(_T("Failed to set proxy blanket, error code 0x%x"),hres);
            LOG_ERROR(errStr);
            pSvc->Release();
            pLoc->Release();
            CoUninitialize();
            return 1;       // Program has failed.
        }

        IEnumWbemClassObject* pobjResults;
        hres = pSvc->ExecQuery(L"WQL", L"SELECT * FROM WIN32_PROCESSOR", 0,NULL,&pobjResults);
        if (FAILED(hres))
        {
            errStr.Format(_T("Failed to do wmi QUERY, error code 0x%x"),hres);
            LOG_ERROR(errStr);
            pSvc->Release();
            pLoc->Release();
            CoUninitialize();
            return 1;       // Program has failed.
        }
        else
        {
            LOG_DEBUG(_T("WMI query is successful"));
        }

        pSvc->Release();
        pLoc->Release();
        CoUninitialize();
        return 0;


    Here is trace for WMIC /NODE:"computername" /USER:"domainname\username" /PASSWORD:"userpassword" /output:c:\temp\wmicout.txt /trace:on CPU GET (note the wmic issues much more wmi calls under the hood, the real call starts at line:

    SUCCESS: IWbemLocator::ConnectServer(L"\\xxx\ROOT\CIMV2", L"xxDomain\xxxUser", *, L"ms_409", 0L, L"<null>", NULL, -)
    Line:   2607 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\execengine.cpp

    =================================================

    Detailed Trace:

    SUCCESS: IWbemLocator::ConnectServer(L"root\cli", NULL, NULL, L"ms_409", 0L, L"<null>", NULL, -)
    Line:    143 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\cmdalias.cpp
    
    SUCCESS: CoSetProxyBlanket(-, RPC_C_AUTHN_DEFAULT, RPC_C_AUTHZ_NONE, NULL, 6, 3, -, EOAC_NONE)
    Line:    162 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\cmdalias.cpp
    
    SUCCESS: IWbemLocator::ConnectServer(L"root\cli\ms_409", NULL, NULL, L"ms_409", 0L, L"<null>", NULL, -)
    Line:   2524 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\cmdalias.cpp
    
    SUCCESS: CoSetProxyBlanket(-, RPC_C_AUTHN_DEFAULT, RPC_C_AUTHZ_NONE, NULL, 6,   3, -, EOAC_NONE)
    Line:   2538 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\cmdalias.cpp
    
    SUCCESS: IWbemServices::GetObject(L"MSFT_CliAlias.FriendlyName='CPU'", 0, NULL, -)
    Line:    239 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\cmdalias.cpp
    
    SUCCESS: IWbemClassObject::Get(L"Target", 0, -, 0, 0)
    Line:    258 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\cmdalias.cpp
    Result:  Select * from WIN32_PROCESSOR
    
    SUCCESS: IWbemClassObject::Get(L"PWhere", 0, -,0, 0)
    Line:    286 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\cmdalias.cpp
    Result:  Where DeviceID='#'
    
    SUCCESS: IWbemClassObject::Get(L"Connection",0, -, 0, 0)
    Line:    314 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\cmdalias.cpp
    Result:  <Embeded Object>
    
    SUCCESS: QueryInterface(IID_IWbemClassObject, -)
    Line:    330 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\cmdalias.cpp
    
    SUCCESS: IWbemClassObject::Get(L"Namespace", 0, -,0, 0)
    Line:    430 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\cmdalias.cpp
    Result:  ROOT\CIMV2
    
    SUCCESS: IWbemClassObject::Get(L"Locale", 0,-, 0, 0)
    Line:    460 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\cmdalias.cpp
    Result:  ms_409
    
    SUCCESS: IWbemClassObject::Get(L"Server", 0, -, 0, 0)
    Line:    556 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\cmdalias.cpp
    Result:  .
    
    SUCCESS: IWbemClassObject::Get(L"Authority", 0, -, 0, 0)
    Line:    587 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\cmdalias.cpp
    Result:  <null>
    
    SUCCESS: IWbemClassObject::Get(L"__RELPATH", 0,-, 0, 0)
    Line:   1943 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\cmdalias.cpp
    Result:  MSFT_CliAlias.FriendlyName="CPU"
    
    SUCCESS: IWbemServices::GetObject(L"MSFT_LocalizablePropertyValue.ObjectLocator="",PropertyName="Description",RelPath="MSFT_CliAlias.FriendlyName=\"CPU\""", 0, NULL, -)
    Line:   2610 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\cmdalias.cpp
    
    SUCCESS: IWbemClassObject::Get(L"Text", 0, -, 0, 0)
    Line:   2621 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\cmdalias.cpp
    Result:  <Array>
    
    SUCCESS: CoCreateInstance(CLSID_WbemObjectTextSrc, NULL,CLSCTX_INPROC_SERVER, IID_IWbemObjectTextSrc, -)
    Line:   2697 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\execengine.cpp
    
    SUCCESS: IWbemLocator::ConnectServer(L"\\xxx\ROOT\CIMV2", L"xxDomain\xxxUser", *, L"ms_409", 0L, L"<null>", NULL, -)
    Line:   2607 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\execengine.cpp
    
    SUCCESS: CoSetProxyBlanket(-, RPC_C_AUTHN_DEFAULT, RPC_C_AUTHZ_NONE,NULL, 6,   3, -, EOAC_NONE)
    Line:   2650 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\execengine.cpp
    
    SUCCESS: CoCreateInstanceEx(CLSID_WbemContext, NULL,CLSCTX_INPROC_SERVER, 0, 1, -)
    Line:   2748 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\execengine.cpp
    
    SUCCESS: IWbemServices::ExecQuery(L"WQL", L"SELECT * FROM WIN32_PROCESSOR", 0, NULL, -)
    Line:    315 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\execengine.cpp
    
    SUCCESS: IWbemContext::SetValue(L"ExcludeSystemProperties",0, -)
    Line:    334 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\execengine.cpp
    
    SUCCESS: CoSetProxyBlanket(-, RPC_C_AUTHN_DEFAULT,RPC_C_AUTHZ_NONE, NULL, 6,   3, -, EOAC_NONE)
    Line:    381 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\execengine.cpp
    
    SUCCESS: IEnumWbemClassObject->Next(WBEM_INFINITE, 1, -, -)
    Line:    392 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\execengine.cpp
    
    SUCCESS: IWbemObjectTextSrc::GetText(0, -, WMI_OBJECT_TEXT_CIM_DTD_2_0, -, -)
    Line:    409 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\execengine.cpp
    
    SUCCESS: IEnumWbemClassObject->Next(WBEM_INFINITE, 1, -, -)
    Line:    442 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\execengine.cpp
    
    SUCCESS: CoCreateInstance(CLSID_FreeThreadedDOMDocument, NULL, CLSCTX_INPROC_SERVER, IID_IXMLDOMDocument2, -)
    Line:    197 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\formatengine.cpp
    
    SUCCESS: IXMLDOMDocument::loadXML(-, -)
    Line:    228 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\formatengine.cpp
    
    SUCCESS: CoCreateInstance(CLSID_XSLTemplate, NULL, CLSCTX_SERVER, IID_IXSLTemplate, -)
    Line:   3220 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\formatengine.cpp
    
    SUCCESS: CoCreateInstance(CLSID_FreeThreadedDOMDocument, NULL, CLSCTX_SERVER,IID_IXMLDOMDocument2, -)
    Line:   3243 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\formatengine.cpp
    
    SUCCESS: IXSLDOMDocument2::put_async(VARIANT_FALSE)
    Line:   3255 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\formatengine.cpp
    
    SUCCESS: IXSLDOMDocument2::load(L"C:\Windows\system32\wbem\\texttable.xsl", -)
    Line:   3270 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\formatengine.cpp
    
    SUCCESS: IXSTemplate::putref_stylesheet(-)
    Line:   3284 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\formatengine.cpp
    
    SUCCESS: IXSTemplate::createProcessor(-)
    Line:   3296 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\formatengine.cpp
    
    SUCCESS: IXSProcessor::put_input(-)
    Line:   3333 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\formatengine.cpp
    
    SUCCESS: IXSProcessor::put_output(-)
    Line:   3360 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\formatengine.cpp
    
    SUCCESS: IXSProcessor::tranform(-)
    Line:   3374 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\formatengine.cpp
    
    SUCCESS: IXSProcessor::tranform(-)
    Line:   3399 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\formatengine.cpp
    
    SUCCESS: IXSProcessor::get_output(-)
    Line:   3414 File: d:\w7rtm\admin\wmi\wbem\tools\wmic\formatengine.cpp








    Tuesday, May 29, 2012 2:22 AM
  • I modified my code to have redirection on the CreateProcess call which is used to launch the wmic command, and I also got the trace logs in service mode. It seems that it is making the same WMI calls as when running at the cmd line.
    Tuesday, May 29, 2012 2:03 PM
  • Looks like you did not call CoInitializeSecurity. Try the same code at http://support.microsoft.com/kb/948829



    Tuesday, May 29, 2012 7:50 PM
  • Thanks. My code is an ATL service, so actually CoInitializeSecurity is called at the beginning of my code. However I did move my WMI test code right after where CoInitializeSecurity is called; unfortunately it is still the same error.

    I also tried both RPC_C_AUTHN_LEVEL_DEFAULT and RPC_C_AUTHN_LEVEL_PKT_PRIVACY, which doesn't make any difference. Since it is working when I am running as application and when running the service as my domain account, it would be reasonable to think that COM should be initialized correctly in the normal case. Apparently when running the service as Local System, something is not right.

    Tuesday, May 29, 2012 8:49 PM
  • Although I got a lot of help from Sheng and my understanding of WMI is going deeper, this issue is still there and it is not fully resolved yet. The marked answer was not really the answer, so I unmarked it.
    Tuesday, June 05, 2012 12:58 PM
  • Although we don't have WMIC's source code, we do have .Net's source code as a reference. Try writing a WMI app in C# and debug into the .Net sources to see how it handles impersonation, and write down the Windows API calls in the process. Then try calling the same set of APIs in the same order in your C++ code.



    Wednesday, June 06, 2012 8:37 PM
  • Thanks a lot, Sheng. I will give it a try to see what we could find there.
    Thursday, June 07, 2012 3:18 PM
  • Hello,

    I'm very interested in hearing more about your issue, did you solve your problem?
    If yes, please mark the answers and close the post; If not, please feel free to post your doubt.
    Thanks for your active participation in the MSDN Forum.

    Regards,
    Elegentin


    Elegentin Xie [MSFT]
    MSDN Community Support | Feedback to us

    Thursday, June 28, 2012 7:47 AM
  • Actually I would like to know the answer as well after spending so much time on this. At this point, the priority for this is lowered and we will revisit it some time later. At this point, due to priority and time constraints, I have not tried out Sheng's suggestion yet. If that doesn't work, I would think that our only choice is to get help directly from MS.
    Thursday, June 28, 2012 2:17 PM