Convery WMI script into .NET (using VB.NET 2005)


J

JohnBates

Problem:
I need to backup and clear the security event log. I have this working via
a vbsscript which I will post below. However while I can use this script
manually it is not user friendly and my end users who have to perform the
backup and clear chore weekly are the "where is the button" types.

I have written a vb.net 2005 gui as a front end that can launch my script
and run it ok but the problem is since it is a script running in a shell
object I have no way to return status to my vb.net program saying it succeded
or failed or even to know when the shell exits.

So I decided to look into writing performing the steps via vb.net code. I
can successfully create a WMI connection and (on the local machine) I can
even list out all log files by code shown below. What I cannot do is execute
the BackupEventLog method via WMI. I get access denied, which I have
researched and I feel the reason is that the WMI connection does not have the
privileges enabled for backup and security. If you look at the vbs script
below you will see where it addes (Backup, security) into the moniker for the
object and I believe allows the execution of the method.

I did find out there that you are supposed to use the ".EnablePrivileges =
True" option but I also found that .NET 1.1 messed that option up. Someone
please help!

CREATE CONNECTION CODE:
===================BEGIN
Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As
System.EventArgs) Handles Button1.Click

With myConnectionOptions
.Impersonation = Management.ImpersonationLevel.Impersonate

'* Use next line for XP
.Authentication = System.Management.AuthenticationLevel.Packet
.EnablePrivileges = True

'Cannot specify username/password for local connections
'.Username = Me.txtUsername.Text
'.Password = Me.txtPassword.Text
End With

'* "." is the string for a local connection
Dim myServerName As String = Me.txtServer.Text

myManagementScope = New System.Management.ManagementScope("\\" &
myServerName & "\root\cimv2", myConnectionOptions)

'* connect to WMI namespace
myManagementScope.Connect()
If myManagementScope.IsConnected = False Then
rtbStatus.AppendText("Could not connect to WMI namespace on " &
myServerName & ControlChars.Cr)
Else
rtbStatus.AppendText("Connected to WMI namespace on " &
myServerName & ControlChars.Cr)
End If
End Sub
===================END

LIST ALL LOG FILES CODE:
===================BEGIN
Private Sub Button3_Click(ByVal sender As System.Object, ByVal e As
System.EventArgs) Handles Button3.Click
Dim logfileSearcher As System.Management.ManagementObjectSearcher
Dim logfiles As System.Management.ManagementObjectCollection
Dim logfile As System.Management.ManagementObject

logfileSearcher = New
System.Management.ManagementObjectSearcher(myManagementScope.Path.ToString,
"Select * from win32_NTEventLogFile")

'* execute query
logfiles = logfileSearcher.Get()

Try

For Each logfile In logfiles

rtbStatus.AppendText("Found logfile " &
logfile.GetPropertyValue("FileName").ToString & " which is the " &
logfile.GetPropertyValue("LogfileName").ToString & " event log" &
ControlChars.Cr)

'INSERT BACKUP CODE HERE (SHOWN BELOW)

Next

Catch ex As Exception
rtbStatus.AppendText("Error Encountered: " & ex.ToString &
ControlChars.Cr)
End Try
End Sub
===================END


FAILING BACKUP METHOD INVOCATION
===================BEGIN
Dim inParams As Management.ManagementBaseObject =
logfile.GetMethodParameters("BackupEventLog")

inParams("ArchiveFileName") = "c:\testing.evt"

Dim outParams As Management.ManagementBaseObject =
logfile.InvokeMethod("BackupEventLog", inParams, Nothing)
===================END


WORKING VBS SCRIPT
===================BEGIN
'Arguments
fileName = WScript.Arguments.Item(0)
logType = WScript.Arguments.Item(1)
fullPathName = filename & ".evt"

'NOTE: for this to work on a normal user account they must have following
rights
'Manage Auditing and Secuirty
'Generate Security Audits

strComputer = "."
Set objWMIService = GetObject("winmgmts:" &
"{impersonationLevel=impersonate,(Backup,security)}!\\" & strComputer &
"\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery ("SELECT * FROM
Win32_NTEventLogFile WHERE LogFileName='" & logType & "'")


For Each objLogfile in colLogFiles
errBackupLog = objLogFile.BackupEventLog(fullPathName)

If errBackupLog = 0 Then
Wscript.Echo "The Security event log was backed up."
objLogFile.ClearEventLog()
End If
If errBackupLog = 8 Then
Wscript.Echo "Privilege missing!"
End If
If errBackupLog = 21 Then
Wscript.Echo "Invalid Parameter in call"
End If

If errBackupLog = 183 Then
Wscript.Echo "The archive file already exists."
End If
Next
===================END
 
Ad

Advertisements

G

Gerry Hickman

Hi,

You may be better of with

microsoft.public.dotnet.framework.wmi

in future for this type of thing.

I can't help with the .NET side, as I don't use it, but a couple of
things jump out at me from your post.

1. If the user is the "where the button" type, why are they allowed
anywhere NEAR a security log. They'd need full admin rights for a start,
and you've just lost your audit trail.

2. If the old version was working, and they just need a "button", why
can't they just have shortcut to click on?

3. If it's for lots of users, why not just have a button on an intranet
page where they click, and based on valid user authentication, this
would start a new process in a new security context that would clear the
log.

4. Why not just have a scheduled job to backup the log and then clear it?
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top