Problem with remote WMI call

  • Question

  • Hello, could you please help me with my problem?

    Problem is that I have Windows Server 2016 with Hyper-V feature and I'm trying to call WMI queries from my Win Service application which works under LocalSystem user.

    I have a user on the server with Server Administrator and Hyper-V Administrator privileges. I created the same user with the same password on my client-side computer where I want to run my Win Service as Agent (according to some documentation and forums). If I run PowerShell as that user I can call WMI queries to that server, say "select * from Win32_Process" and it will return the correct result. If I run PowerShell as local administrator it will return an Access Denied error.

    Same situation with my service code. If I run it as same user I have on server it will work fine and it won't work under local administrator. 

    Problem is that I want to make Agent to monitor remote Hyper-V hosts, different servers, and scheme that asks me to create as many users as I have hosts is stupid for my situation. Moreover, I need to run my application as service under local administrator. Maybe there is some approach to authorize my application on different servers with different credentials?

    Thanks.

     

    Friday, April 24, 2020 12:52 PM

All replies

  • Hi VictorTiamat,

    If I run PowerShell as local administrator it will return an Access Denied error.

    Yes, from User Account Control Settings,

    User Account Control (UAC) access-token filtering can affect which operations are allowed in WMI namespaces or what data is returned. Under UAC, all accounts in the local Administrators group run with a standard user access token, also known as UAC access-token filtering. An administrator account can run a script with an elevated privilege—"Run as Administrator".

    You can follow the doc to handle remote connections under UAC.

    Whether you are connecting to a remote computer in a domain or in a workgroup determines whether UAC filtering occurs.

    If your computer is part of a domain, connect to the target computer using a domain account that is in the local Administrators group of the remote computer. Then UAC access token filtering will not affect the domain accounts in the local Administrators group. Do not use a local, nondomain account on the remote computer, even if the account is in the Administrators group.

    In a workgroup, the account connecting to the remote computer is a local user on that computer. Even if the account is in the Administrators group, UAC filtering means that a script runs as a standard user. A best practice is to create a dedicated local user group or user account on the target computer specifically for remote connections.

    The security must be adjusted to be able to use this account because the account never has had administrative privileges. Give the local user:

    • Remote launch and activate rights to access DCOM. For more information, see Connecting to WMI on a Remote Computer.
    • Rights to access the WMI namespace remotely (Remote Enable). For more information, see Access to WMI Namespaces.
    • Right to access the specific securable object, depending on the security required by the object.

    If you use a local account, either because you are in a workgroup or it is a local computer account, you may be forced to give specific tasks to a local user. For example, you can grant the user the right to stop or start a specific service through the SC.exe command, the GetSecurityDescriptor and SetSecurityDescriptor methods of Win32_Service, or through Group Policy using Gpedit.msc. Some securable objects may not allow a standard user to perform tasks and offer no means to alter the default security. In this case, you may need to disable UAC so that the local user account is not filtered and instead becomes a full administrator. Be aware that for security reasons, disabling UAC should be a last resort.

    Disabling Remote UAC by changing the registry entry that controls Remote UAC is not recommended, but may be necessary in a workgroup. The registry entry is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy. When the value of this entry is zero (0), Remote UAC access token filtering is enabled. When the value is 1, remote UAC is disabled.

    Hope to help you.

    Best regards,

    Strive




    Monday, April 27, 2020 9:37 AM
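
The reply above ties remote WMI access to three things on the target host: whether it is domain-joined, the LocalAccountTokenFilterPolicy value, and which accounts sit in the local Administrators group. The following PowerShell check is an added example, not code from the thread or from Microsoft; the function name Get-RemoteUacFilterState and its output property names are hypothetical. It is meant to be run locally on the host that receives the WMI connections.

```powershell
function Get-RemoteUacFilterState {
    [CmdletBinding()]
    param()

    # Registry entry named in the reply above.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $name = 'LocalAccountTokenFilterPolicy'

    # The value is absent on a default install; absent is treated like 0,
    # meaning Remote UAC access-token filtering is enabled.
    $raw = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $filteringEnabled = ($raw -ne 1)

    # Domain or workgroup decides which accounts are expected to connect.
    $partOfDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    # S-1-5-32-544 is the well-known SID of the local Administrators group.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object {
        $isLocal        = $_.PrincipalSource -eq 'Local'
        $isBuiltinAdmin = $isLocal -and ($_.SID.Value -match '-500$')
        [pscustomobject]@{
            Name        = $_.Name
            ObjectClass = $_.ObjectClass
            Source      = $_.PrincipalSource
            # Rule from the reply: local accounts are filtered while Remote UAC
            # is enabled; domain accounts in the group are not. The built-in
            # Administrator (RID 500) follows a separate policy and is not
            # evaluated here, so it is reported as $null.
            RemoteTokenFiltered = if ($isBuiltinAdmin) { $null }
                                  else { $isLocal -and $filteringEnabled }
        }
    }

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        PartOfDomain            = $partOfDomain
        RegistryValue           = $raw              # $null when the entry is absent
        RemoteUacFiltering      = $filteringEnabled
        AdministratorsMembers   = $members
        # Finding to review: filtering switched off while local accounts
        # hold membership in Administrators.
        LocalAdminsUnfiltered   = (-not $filteringEnabled) -and
                                  [bool]($members | Where-Object { $_.Source -eq 'Local' })
    }
}

Get-RemoteUacFilterState | Format-List
```

A result with LocalAdminsUnfiltered set to True marks a host where the last-resort registry change described in the reply has been applied and every local administrator account receives a full token on remote connections.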