EnablePrivileges = True not working in wmi connection

[JohnBates]

I'm trying to (programatically) backup and clear the security event log on
the local machine. I can do this manually through the event viewer and I am
logged on as an administrator. I can successfully connect to the local wmi
service. I can step through and list all the log files on the local computer
in a text box so I know I can get an System.Management.ManagementObject that
is the security log.

However when I try to execute the "BackupEventLog" method I get access
denied.

Here is my code for trying to execute the method:

logfileSearcher = New
System.Management.ManagementObjectSearcher(myManagementScope.Path.ToString,
"Select * from win32_NTEventLogFile WHERE LogFileName='security'")
'* execute query
'* Get Event Log Files
logfiles = logfileSearcher.Get()

For Each logfile In logfiles
Dim inParams As Management.ManagementBaseObject =
logfile.GetMethodParameters("BackupEventLog")
inParams("ArchiveFileName") = "c:\testing.evt"
Dim outParams As Management.ManagementBaseObject =
logfile.InvokeMethod("BackupEventLog", inParams, Nothing)
Next

Here is the error detail:

Error Encountered: System.Management.ManagementException: Access denied
at
System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus
errorCode)
at System.Management.ManagementObject.InvokeMethod(String methodName,
ManagementBaseObject inParameters, InvokeMethodOptions options)
at wmitest.Form1.Button3_Click(Object sender, EventArgs e) in
C:\Documents and Settings\1069317\Desktop\Desktop
Stuff\JTSecuAudit\wmitest\Form1.vb:line 75


I have checked around on google and found that several people have had
similar issues and it has to do with the privileges of the wmi connection. I
am logged onto the machine as an administrator, I have also set the
ConnectionOptions.EnablePrivileges = True

But it does not work...I have found threads online indicating that setting
EnablePrivileges to True worked on .NET framework 1.0 but it "stopped"
working on 1.1 and I assume doesn't work on 2.0 as I am having this issue.
(I am using .NET Framework 2.0 SP1).

please help!

 

[urkec]

I'm trying to (programatically) backup and clear the security event log on
the local machine. I can do this manually through the event viewer and I am
logged on as an administrator. I can successfully connect to the local wmi
service. I can step through and list all the log files on the local computer
in a text box so I know I can get an System.Management.ManagementObject that
is the security log.

However when I try to execute the "BackupEventLog" method I get access
denied.

Here is my code for trying to execute the method:

logfileSearcher = New
System.Management.ManagementObjectSearcher(myManagementScope.Path.ToString,
"Select * from win32_NTEventLogFile WHERE LogFileName='security'")
'* execute query
'* Get Event Log Files
logfiles = logfileSearcher.Get()

For Each logfile In logfiles
Dim inParams As Management.ManagementBaseObject =
logfile.GetMethodParameters("BackupEventLog")
inParams("ArchiveFileName") = "c:\testing.evt"
Dim outParams As Management.ManagementBaseObject =
logfile.InvokeMethod("BackupEventLog", inParams, Nothing)
Next

Here is the error detail:

Error Encountered: System.Management.ManagementException: Access denied
at
System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus
errorCode)
at System.Management.ManagementObject.InvokeMethod(String methodName,
ManagementBaseObject inParameters, InvokeMethodOptions options)
at wmitest.Form1.Button3_Click(Object sender, EventArgs e) in
C:\Documents and Settings\1069317\Desktop\Desktop
Stuff\JTSecuAudit\wmitest\Form1.vb:line 75


I have checked around on google and found that several people have had
similar issues and it has to do with the privileges of the wmi connection. I
am logged onto the machine as an administrator, I have also set the
ConnectionOptions.EnablePrivileges = True

But it does not work...I have found threads online indicating that setting
EnablePrivileges to True worked on .NET framework 1.0 but it "stopped"
working on 1.1 and I assume doesn't work on 2.0 as I am having this issue.
(I am using .NET Framework 2.0 SP1).

please help!

This worked for me on .NET Framework 2.0:

Dim scope As New ManagementScope
scope.Options.EnablePrivileges = True

logfileSearcher = New
System.Management.ManagementObjectSearcher(scope, New
Management.ObjectQuery("Select * from win32_NTEventLogFile WHERE
LogFileName='security'"))
logfiles = logfileSearcher.Get()

For Each logfile In logfiles

Dim inParams As Management.ManagementBaseObject =
logfile.GetMethodParameters("BackupEventLog")
inParams("ArchiveFileName") = "c:\testing.evt"
Dim outParams As Management.ManagementBaseObject =
logfile.InvokeMethod("BackupEventLog", inParams, Nothing)
Console.WriteLine(outParams.Item("returnValue"))

Next

 

[JohnBates]

urkec - first off thank you so much for your help your code does work...let
me post my original connection code (which doesn't seem to work) I think the
difference was that I was attempting to create a connection using impersonate
and authentication...without those it works. based on the working wmi
vbsscript I had I thought I had to use impersonate and authentication.

My Connection Code:
===================BEGIN
With myConnectionOptions
.Impersonation = Management.ImpersonationLevel.Impersonate
.Authentication = System.Management.AuthenticationLevel.Packet
End With

If Not Me.txtUsername.Text = "" Then
myConnectionOptions.Username = Me.txtUsername.Text
Else
myConnectionOptions.Username = Nothing
End If
If Not Me.txtPassword.Text = "" Then
myConnectionOptions.Password = Me.txtPassword.Text
Else
myConnectionOptions.Password = Nothing
End If
If Me.CheckBox1.Checked = True Then
myConnectionOptions.EnablePrivileges = True
End If


'* Replace the "." with an actual servername for remote connection
'Dim myServerName As String = "."
Dim myServerName As String = Me.txtServer.Text
myManagementScope = New System.Management.ManagementScope("\\" &
myServerName & "\root\cimv2", myConnectionOptions)

'* connect to WMI namespace
myManagementScope.Connect()
If myManagementScope.IsConnected = False Then
rtbStatus.AppendText("Could not connect to WMI namespace on " &
myServerName & ControlChars.Cr)
Else
rtbStatus.AppendText("Connected to WMI namespace on " &
myServerName & ControlChars.Cr)
End If

===================END


I'm getting a little closer to my final end product - now I just can't seem
to get the ClearLogFile method to work. I tried using the Nothing keyword in
place of the options object but it choked on that. Any other ideas?

Here is what I am doing now:

===================BEGIN
Dim scope As New ManagementScope("\\" & Me.txtServer.Text &
"\root\cimv2")
Dim logfileSearcher As System.Management.ManagementObjectSearcher
Dim logfiles As System.Management.ManagementObjectCollection
Dim logfile As System.Management.ManagementObject
Dim logQuery As New Management.ObjectQuery("Select * from
win32_NTEventLogFile WHERE LogFileName='security'")

Me.rtbStatus.Clear()

Try

If Me.txtUsername.Text = "" Then
scope.Options.Username = Nothing
Else
scope.Options.Username = Me.txtUsername.Text
End If
If Me.txtPassword.Text = "" Then
scope.Options.Password = Nothing
Else
scope.Options.Password = Me.txtPassword.Text
End If
If Me.CheckBox1.Checked = True Then
scope.Options.EnablePrivileges = True
End If

scope.Connect()

If scope.IsConnected = False Then
rtbStatus.AppendText("Could not connect to WMI namespace on
" & Me.txtServer.Text & ControlChars.Cr)
Else
rtbStatus.AppendText("Connected to WMI namespace on " &
Me.txtServer.Text & ControlChars.Cr)
End If

logfileSearcher = New
System.Management.ManagementObjectSearcher(scope, logQuery)
logfiles = logfileSearcher.Get()

For Each logfile In logfiles
'Backup Log File
Dim inParams As Management.ManagementBaseObject =
logfile.GetMethodParameters("BackupEventLog")
inParams("ArchiveFileName") = "c:\testing.evt"
Dim outParams As Management.ManagementBaseObject =
logfile.InvokeMethod("BackupEventLog", inParams, Nothing)

'Backup Result
rtbStatus.AppendText("Backup Method Returned : " &
outParams.Item("returnValue").ToString & " ")
If outParams.Item("returnValue").ToString = 0 Then
rtbStatus.AppendText("The Security event log was backed
up." & ControlChars.Cr)
'Only execute ClearEventLog method upon successful Backup
outParams = logfile.InvokeMethod("ClearEventLog",
inParams, Nothing)
'Diplay Clear Result
rtbStatus.AppendText("Clear Method Returned : " &
outParams.Item("returnValue").ToString & ControlChars.Cr)
End If
If outParams.Item("returnValue").ToString = 8 Then
rtbStatus.AppendText("Privilege missing!" &
ControlChars.Cr)
End If
If outParams.Item("returnValue").ToString = 21 Then
rtbStatus.AppendText("Invalid Parameter in call" &
ControlChars.Cr)
End If

If outParams.Item("returnValue").ToString = 183 Then
rtbStatus.AppendText("The archive file already exists."
& ControlChars.Cr)
End If

Next
Catch ex As Exception
rtbStatus.AppendText("Error Encountered: " & ex.ToString &
ControlChars.Cr)
End Try
===================END

 

[JohnBates]

Actually I got it to work...I have to reset the inParams object to the
parameters for the ClearLogFile method with:

inParams = logfile.GetMethodParameters("ClearEventLog")

before the line:

outParams = logfile.InvokeMethod("ClearEventLog", inParams, Nothing)

It just would not accept Nothing in place of the base object.

Again thank you so much for your help.