WMI LocalSystem error/bug with Interactive User logged on.

I am using a VBScript to query WMI and save a copy of the Security Event Log.
I am running this through a Scheduled Task running as SYSTEM. This works
correctly if an Administrator is logged in locally, or if no one is logged in
locally, but with a "normal" user account logged in interactively, the script
fails with security errors. I believe this is a bug in WMI - the use of
SYSTEM and the task scheduler works if I use a Perl script instead that calls
the Win32 Event Log API, only the WMI pieces are failing.

Below are detailed steps to reproduce:

Copy saveeventlog.vbs, run.cmd, and install.cmd to a folder on the local
computer.
Grant Everyone full control to this folder.

SaveEventLog.vbs content:
----
' Usage: cscript saveeventlog.vbs <backup-filename>
' Backs up the Security event log through WMI and echoes each step to stdout.
strBackupFile = WScript.Arguments.Unnamed(0)
' Target this computer; the same query also accepts a remote host name.
strComputer = "."
' Log to back up, matched against Win32_NTEventLogFile.LogFileName.
strLog = "Security"

' FileSystemObject is created but not used by the rest of the script.
Set objFSO = CreateObject("Scripting.FileSystemObject")
' Connect with impersonation and the Backup and Security privileges the Security log requires.
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Backup,Security)}!\\" & _
    strComputer & "\root\cimv2")
' The query returns an empty collection when the caller cannot see the log (as in TEST 4).
Set colLogFiles = objWMIService.ExecQuery("Select * from Win32_NTEventLogFile where LogFileName='" & strLog & "'")

WScript.Echo "Found " & colLogFiles.Count & " event logs"
' Enumerating the collection is where 0x80041003 (WBEM_E_ACCESS_DENIED) surfaces in TEST 5.
For Each objEvtLog In colLogFiles
    objEvtLog.BackupEventLog(strBackupFile)
    WScript.Echo "Saved event log"
Next
-----

Install.cmd content: (uses XP schtasks.exe to create scheduled task)
----
rem Daily task running as LocalSystem; %~dp0 is the folder this script was started from
schtasks /create /RU System /SC Daily /TN SaveEventLog /TR "%~dp0run.cmd" /ST 00:15:00
-----
Run.cmd content: (Executes the vbscript and redirects output to log.txt)
----
rem Paths are quoted so the task still works if the folder name contains spaces
%SYSTEMROOT%\system32\cscript.exe "%~dp0saveeventlog.vbs" "%~dp0security-log.evt" >"%~dp0log.txt" 2>&1
----

TEST 1: Shows VBScript executes successfully as local admin user.
1) Log on with an Administrative account.
2) Execute run.cmd and verify it has saved a copy of the Security Event log
to c:\security-log.evt
3) Delete security-log.evt and log.txt

TEST 2: Shows VBScript executes from a Scheduled Task running as SYSTEM with
Admin User logged in:
1) Execute install.cmd to create a scheduled task which executes run.cmd.
2) Still logged in with Admin account, open Control Panel -> Scheduled Tasks
3) Execute the "SaveEventLog" scheduled task. Verify c:\security-log.evt
has been created.
4) Delete security-log.evt and log.txt

TEST 3: Shows the Scheduled Task executes with no one logged in locally.
1) Log off of the test computer.
2) From a remote computer, connect to \\testcomputer. Open Scheduled Tasks.
3) Execute the "SaveEventLog" Scheduled Task.
4) Verify the c:\security-log.evt was created on the test computer.
5) Delete security-log.evt and log.txt on the test computer.

TEST 4: Shows the "normal" failure condition where the normal user does not
have access to the security event log.
1) On the test computer, log on with a non-Admin account.
2) Execute the "run.cmd" script.
3) Verify no security-log.evt was created on the test computer.
4) Output "log.txt" indicates 0 event logs found.
5) Delete "log.txt"

TEST 5: Shows the "error" failure condition with a local non-Admin user
logged on.
1) On the test computer, log on with a non-Administrative account.
2) Execute the vbscript file. Verify an error occurs and no
security-log.evt is generated.
3) Remain logged on to the test computer with the non-admin account. On a
remote computer, log on with Admin rights.
4) From the remote computer, connect to \\testcomputer and open "Scheduled
Tasks"
5) Execute the "SaveEventLog" scheduled task.
6) Note that no security-log.evt has been generated.
Note that the output log.txt shows "C:\eventlogtest\saveeventlog.vbs(17, 1)
SWbemObjectSet: Access denied". This is the line:
wscript.echo "Found " & colLogFiles.count & " event logs"

If this line is commented out from the script, we get the following output:
C:\eventlogtest\saveeventlog.vbs(19, 1) (null): 0x80041003
Which is from the line:
for each objEvtLog in colLogFiles
 

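The same Security-log backup done with PowerShell's WMI cmdlets, as an added example that is not part of the original post. It makes explicit the two things the VBScript leaves implicit: whether the calling token actually holds SeBackupPrivilege and SeSecurityPrivilege (the moniker's "(Backup,Security)" clause, like -EnableAllPrivileges, can only enable privileges the token already has), and the return value of BackupEventLog. It assumes PowerShell 2.0 or later and whoami.exe (shipped with Vista and later); the backup path and the exit codes are illustrative choices.

```powershell
# Added example, not from the original post: back up the Security event log
# through WMI from PowerShell, reporting the privilege state and the return
# codes the VBScript above does not check. Assumes PowerShell 2.0 or later and
# whoami.exe (Vista and later); paths and exit codes are illustrative.
param(
    [Parameter(Mandatory = $true)]
    [string]$BackupFile          # e.g. C:\eventlogtest\security-log.evt (assumed path)
)

# The Security log needs SeBackupPrivilege and SeSecurityPrivilege. -EnableAllPrivileges
# only enables privileges the token already holds, so list them first; a "normal"
# user token has neither, and the WMI call cannot grant them.
$wanted = 'SeBackupPrivilege', 'SeSecurityPrivilege'
$held = whoami /priv | Select-String -Pattern ($wanted -join '|') | ForEach-Object { $_.Line.Trim() }
if (@($held).Count -lt $wanted.Count) {
    Write-Output "Token is missing one of: $($wanted -join ', ')"
    Write-Output ($held -join "`n")
}

try {
    # Same query as the VBScript; -ErrorAction Stop turns a WMI failure into a catchable exception
    $logs = @(Get-WmiObject -Class Win32_NTEventLogFile `
                            -Filter "LogFileName='Security'" `
                            -EnableAllPrivileges -ErrorAction Stop)
} catch {
    # 0x80041003 is WBEM_E_ACCESS_DENIED, the HRESULT the VBScript reports at its line 19
    Write-Output ("WMI query failed: {0}: {1}" -f $_.Exception.GetType().FullName, $_.Exception.Message)
    exit 2
}

Write-Output "Found $($logs.Count) event logs"
if ($logs.Count -eq 0) {
    # Same symptom as TEST 4: the query succeeds but the caller cannot see the Security log
    Write-Output "Security log is not visible to this caller"
    exit 3
}

foreach ($log in $logs) {
    # BackupEventLog returns an object whose ReturnValue is 0 on success and 8 when the
    # required privilege is not held; other values are Win32 error codes (183,
    # ERROR_ALREADY_EXISTS, when the archive file is already there, since it is not overwritten)
    $result = $log.BackupEventLog($BackupFile)
    if ($result.ReturnValue -ne 0) {
        Write-Output ("BackupEventLog failed with return value {0}" -f $result.ReturnValue)
        exit 4
    }
    Write-Output "Saved $($log.LogFileName) log to $BackupFile"
}
exit 0
```

To run it the same way as run.cmd, point the task at powershell.exe instead of cscript.exe, for example `schtasks /create /RU System /SC Daily /TN SaveEventLog /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\eventlogtest\saveeventlog.ps1 C:\eventlogtest\security-log.evt" /ST 00:15:00` (the folder is assumed). This does not work around the behaviour described in the post; it only makes the failure mode visible in log.txt, so the privilege listing and the non-zero exit code can be compared across the five tests.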