This message was discovered on microsoft.public.dotnet.framework.
Responses highlighted in red are from those people who are likely to be able to contribute good, authoritative information to this discussion. They include Microsoft employees, MVPs and others who IMHO contribute well to these kinds of discussions.
| Mark (VIP) |
I suspect that several others have seen the same program but here goes:
I have sets of code (C# and VB.Net) that both show the same problem.
Basically, the call to "ManagementEventWatcher.Start" fails with an access denied since upgrading to SP1 for .Net 1.1 - the same code runs on non SP1 machines without a problem. Also, the code is basically the Microsoft example code.
I have seen notes regarding STAThread and MTAThread, etc. None of this seems to make a difference. Has anyone got any more advice/details?
Thanks, Mark
Below is the VB.Net code (as the C# is still part of a larger program) - console app calls GetEvents() - reference to the system.management.dll (the new one from SP1).
--------------------------------------------------------------------------------------------
    Imports System
    Imports System.Management

    ' This example demonstrates how to subscribe an event using the ManagementEventWatcher object.
    Class Sample
        Public Shared Sub GetEvents()

            Dim sc As ManagementScope
            Dim co As ConnectionOptions

            co = New ConnectionOptions
            co.Impersonation = ImpersonationLevel.Impersonate
            co.EnablePrivileges = True

            sc = New ManagementScope("\ROOT\CIMV2", co)

            ' Set up an event watcher and a handler for the event
            Dim q As New WqlEventQuery("__InstanceCreationEvent", "TargetInstance ISA 'Win32_NTLogEvent'")
            Dim watcher As New ManagementEventWatcher(sc, q)
            Dim handler As New MyHandler
            AddHandler watcher.EventArrived, AddressOf handler.Arrived

            ' Start watching for events
            watcher.Start()

            System.Threading.Thread.Sleep(20000)

            ' Stop watching
            watcher.Stop()

        End Sub
    End Class

    Public Class MyHandler
        Public Sub Arrived(ByVal sender As Object, ByVal e As EventArrivedEventArgs)
            Console.WriteLine("OK")
        End Sub
    End Class
| Willy Denoyette [MVP] (VIP) |
Did you try to issue this command using 'WMI tools' studio? I have the same problem using .NET and ManagementEventWatcher, but using WMI studio seems to work as expected. That means the problem is related to .NET only or due to security changes in consumer hosting in SP2. Note also that this has nothing to do with .NET SP1 as the same error exists with the Beta1 v2 framework.
Willy.
"Mark" wrote:
[Original message clipped]
| MarkD VIT@UK (VIP) |
I have tried the code using Win XP SP2 with .Net 1.1.4322 with and without the .Net 1.1 SP1. The results are consistent across a series of systems. The program only stops with the 1.1 SP1.
I have tested several other WMI queries and it seems to be related to the EventLog class (I can use the ManagementEventWatcher type call with other classes). The code below is a direct copy from the Microsoft site, and it works (calling a __ClassDeletionEvent).
One other note: I did read that an error sounding similar to this existed in .NET 1.0 and was fixed.
Any pointers or ideas are most welcome.
Thanks, Mark
Code
----------------------------------
    Imports System
    Imports System.Management

    ' This example demonstrates how to subscribe an event using the ManagementEventWatcher object.
    Class Sample2
        Public Shared Sub GetEvents()

            ' For the example, we'll put a class into the repository, and watch
            ' for class deletion events when the class is deleted.
            Dim newClass As New ManagementClass
            newClass("__CLASS") = "TestDeletionClass"
            newClass.Put()

            ' Set up an event watcher and a handler for the event
            Dim watcher As _
                New ManagementEventWatcher(New WqlEventQuery("__ClassDeletionEvent"))
            Dim handler As New MyHandler
            AddHandler watcher.EventArrived, AddressOf handler.Arrived

            ' Start watching for events
            watcher.Start()

            ' For the purpose of this sample, we delete the class to trigger the event
            ' and wait for two seconds before terminating the consumer
            newClass.Delete()

            System.Threading.Thread.Sleep(2000)

            ' Stop watching
            watcher.Stop()

        End Sub

        Public Class MyHandler
            Public Sub Arrived(ByVal sender As Object, ByVal e As EventArrivedEventArgs)
                Console.WriteLine("Class Deleted = " & _
                    CType(e.NewEvent("TargetClass"), ManagementBaseObject)("__CLASS"))
            End Sub
        End Class
    End Class
"Willy Denoyette [MVP]" wrote:
[Original message clipped]
| Willy Denoyette [MVP] (VIP) |
Right, the problem shows up with:
XP SP2 and .NET v1.1 SP1 and .NET v2 Beta1, or XP SP1 and .NET v2 Beta1. Didn't try W2K3 and .NET v1.1 SP1 yet.
The problem seems to relate to the 'Win32_NTLogEvent'; if you take a look at the wbem log files you will see that WMI refuses to register the consumer for "security reasons". Other WMI related problems I've found are: "Win32_OperatingSystem" class methods - Win32Shutdown, Shutdown, and Reboot; they fail with "Access denied". For "Win32Shutdown" it's even impossible to retrieve the method arguments (Flags, Reserved), so this seems completely broken.
I will do some further research and keep you informed.
Willy.
"MarkD VIT@UK" wrote:
[Original message clipped]
| MarkD VIT@UK (VIP) |
Hi Willy,
I have done some more investigation and I have narrowed down my problems a little more too ... the extra details are:
Event: __InstanceCreationEvent
TargetInstance: Win32_NTLogEvent (due to the Security log)

For example the following will fail:

    Dim q As New WqlEventQuery("__InstanceCreationEvent", New TimeSpan(0, 0, 5), _
        "TargetInstance ISA ""Win32_NTLogEvent"" ")

    Dim q As New WqlEventQuery("__InstanceCreationEvent", New TimeSpan(0, 0, 5), _
        "TargetInstance ISA ""Win32_NTLogEvent"" and " & _
        "TargetInstance.LogFile = ""Security"" ")

But these work:

    Dim q As New WqlEventQuery("__InstanceCreationEvent", New TimeSpan(0, 0, 5), _
        "TargetInstance ISA ""Win32_NTLogEvent"" and " & _
        "TargetInstance.LogFile = ""Application"" ")

    Dim q As New WqlEventQuery("__InstanceCreationEvent", New TimeSpan(0, 0, 5), _
        "TargetInstance ISA ""Win32_NTLogEvent"" and " & _
        "TargetInstance.LogFile = ""Audit Failure"" ")

So, I can use (if I do not need events from the security log):

    Dim q As New WqlEventQuery("__InstanceCreationEvent", New TimeSpan(0, 0, 5), _
        "TargetInstance ISA ""Win32_NTLogEvent"" and (" & _
        "TargetInstance.LogFile = ""Audit Success"" or " & _
        "TargetInstance.LogFile = ""Audit Failure"" or " & _
        "TargetInstance.LogFile = ""Application"" or " & _
        "TargetInstance.LogFile = ""System"")")
Also, when I eliminate the security log from the query I can use the settings
co.EnablePrivileges = False
So, I have a "work around" provided I do not need the security log (which I do not right now). Still, I would like to know what "changed" and whether it is a bug or by design.
Next thing to learn is how to pass security information correctly. It is possible that Microsoft disabled or ignored the EnablePrivileges call for some security reasons.
I suspect this is the cause of the shutdown issue you noted. That DOES require EnablePrivileges to be set to true. So, if the call is now ignoring it the call will fail.
If I hear or learn more I will post to this thread.
Thanks, Mark
"Willy Denoyette [MVP]" wrote:
[Original message clipped]
| Willy Denoyette [MVP] (VIP) |
See inline ***
Willy.
"MarkD VIT@UK" wrote:
[Original message clipped]
security subsystem.
Looking at your code, I guess you are no longer using a ManagementEventWatcher, so now you aren't using asynch callbacks. The problem when using asynch callbacks is that the consumer (your application event sink) can't be registered by WMI simply because the client (now the WMI service) fails to authenticate with the server (your application). Asynch callbacks have long been considered dangerous; MSFT included a program unsecapp.exe that can host consumers to serve as a proxy that takes care of authentication when using callbacks (event sinks in WMI).
If you run the following script (using cscript <thisscript.vbs>), you will see in taskman a new process unsecapp.exe; that process now hosts script and takes care of event sink authentication and delegates the events to the sink implemented in script (SINK_OnObjectReady):
    Sub SINK_OnObjectReady(objObject, objAsyncContext)
        WScript.Echo (objObject.TargetInstance.Message)
    End Sub

    Set objWMIServices = GetObject( _
        "WinMgmts:{impersonationLevel=impersonate, (security)}")

    ' Create the event sink object that receives the events
    Set sink = WScript.CreateObject("WbemScripting.SWbemSink","SINK_")

    ' Set up the event selection. SINK_OnObjectReady is called when
    ' a Win32_NTLogEvent event occurs
    objWMIServices.ExecNotificationQueryAsync sink,"SELECT * FROM __InstanceCreationEvent " & _
        "WHERE TargetInstance ISA 'Win32_NTLogEvent'"

    WScript.Echo "Waiting for events"

    While (TRUE)
        WScript.Sleep (1000)
    Wend
This procedure works without problems. That means WMI isn't the cause of the problem, but it is .NET. *** End [Original message clipped]
security system.
[Original message clipped]
eventlog (security events) after having enabled security auditing.
[Original message clipped]
it to true. And the call is not ignoring it.
| MarkD VIT@UK (VIP) |
Hi Willy,
Thanks for the details - maybe I have confused the issue but I still do not understand why it stopped working unless MS has "pulled" the plug on this functionality for security reasons. Let me show you the code that works pre-SP1 and now fails. It is using the ManagementEventWatcher call.
A copy of the code is shown below. Now, if I change the value of "q" to limit the call to include "TargetInstance.LogFile = ""Application"" " the routine works (regardless of the EnablePrivileges flag) with SP1. A change to the .NET framework has stopped the security log from being read using this code. I know you can still read the security log using VBScript code with async callbacks (although I would prefer to use the .NET framework).
So, what I do know is that I can no longer access the Security log using the constructs I have here. Is there a way to access the security log via the .NET framework using the ManagementEventWatcher?
Thanks for the pointers and information, Mark
    Imports System
    Imports System.Management

    ' This example demonstrates how to subscribe an event using the ManagementEventWatcher object.
    Class Sample1
        Public Shared Sub GetEvents()

            Dim sc As ManagementScope
            Dim co As ConnectionOptions

            co = New ConnectionOptions
            co.Impersonation = ImpersonationLevel.Impersonate
            co.EnablePrivileges = True

            sc = New ManagementScope("\ROOT\CIMV2", co)

            ' Set up an event watcher and a handler for the event
            Dim q As New WqlEventQuery("__InstanceCreationEvent", New TimeSpan(0, 0, 10), _
                "TargetInstance ISA ""Win32_NTLogEvent"" ")

            Dim watcher As New ManagementEventWatcher(sc, q)
            Dim handler As New MyHandler
            AddHandler watcher.EventArrived, AddressOf handler.Arrived

            ' Start watching for events
            watcher.Start()

            Console.WriteLine("Started")
            System.Threading.Thread.Sleep(20000)

            ' Stop watching
            watcher.Stop()

        End Sub
    End Class

    Public Class MyHandler
        Public Sub Arrived(ByVal sender As Object, ByVal e As EventArrivedEventArgs)
            Console.WriteLine("OK")
        End Sub
    End Class
"Willy Denoyette [MVP]" wrote:
[Original message clipped]
| Willy Denoyette [MVP] (VIP) |
"MarkD VIT@UK" wrote:
[Original message clipped]
It looks like a bug in System.Management .NET v1.1 SP1 and v2.0 Beta1. It fails to set the privileges required to execute some of the provider methods using InvokeMethod. Note that NONE of the privileges can be set. So the problem is not restricted to ManagementEventWatcher but also "InvokeMethod" calls that need privileges to be set (EnablePrivileges) will fail. This is really bad. I'll file a bug.
Willy.
| MarkD VIT@UK (VIP) |
Just to give an example: changing the WqlEventQuery
Works for:

    Dim q As New WqlEventQuery("__InstanceCreationEvent", New TimeSpan(0, 0, 10), "TargetInstance ISA ""Win32_Process"" ")

Does not work for:

    Dim q As New WqlEventQuery("__InstanceCreationEvent", New TimeSpan(0, 0, 10), "TargetInstance ISA ""Win32_NTLogEvent"" ")
"MarkD VIT@UK" wrote:
[Original message clipped]
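
Added example, not part of the thread and not Microsoft's sample code: a small VB.NET probe that tries the thread's two Win32_NTLogEvent conditions with EnablePrivileges on and off, using the blocking WaitForNextEvent call instead of the EventArrived callback, and prints the WMI status each combination returns on the machine it runs on. The names WatcherProbe and TryWatch, the "root\cimv2" scope string and the timeouts are assumptions of the example.

```vbnet
Imports System
Imports System.Management

' Added example (hypothetical names): probe which Win32_NTLogEvent
' subscriptions the current account and framework build can open.
Module WatcherProbe

    ' Conditions from the thread: unfiltered (reported failing) and
    ' Application log only (reported working).
    Private ReadOnly Conditions As String() = { _
        "TargetInstance ISA ""Win32_NTLogEvent""", _
        "TargetInstance ISA ""Win32_NTLogEvent"" AND " & _
            "TargetInstance.LogFile = ""Application""" _
    }

    Function TryWatch(ByVal condition As String, ByVal enablePrivileges As Boolean) As String
        Dim co As New ConnectionOptions()
        co.Impersonation = ImpersonationLevel.Impersonate
        co.EnablePrivileges = enablePrivileges

        Dim scope As New ManagementScope("root\cimv2", co)
        Dim query As New WqlEventQuery("__InstanceCreationEvent", _
            New TimeSpan(0, 0, 5), condition)
        Dim watcher As New ManagementEventWatcher(scope, query)
        watcher.Options.Timeout = New TimeSpan(0, 0, 2)

        Try
            ' Blocking wait; no EventArrived handler is attached.
            watcher.WaitForNextEvent()
            Return "event received"
        Catch ex As ManagementException
            ' A timeout means the subscription was accepted but nothing was logged yet.
            If ex.ErrorCode = ManagementStatus.Timedout Then Return "subscribed, no event yet"
            Return "failed: " & ex.ErrorCode.ToString()
        Catch ex As UnauthorizedAccessException
            Return "failed: access denied"
        Finally
            watcher.Stop()
        End Try
    End Function

    Sub Main()
        For Each condition As String In Conditions
            For Each priv As Boolean In New Boolean() {True, False}
                Console.WriteLine("EnablePrivileges={0} | {1} -> {2}", _
                    priv, condition, TryWatch(condition, priv))
            Next
        Next
    End Sub
End Module
```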