EnablePrivileges = True not working in wmi connection

on 16.04.2008 17:11:01 by JohnBates

I'm trying to (programmatically) back up and clear the security event log on
the local machine. I can do this manually through the event viewer and I am
logged on as an administrator. I can successfully connect to the local WMI
service. I can step through and list all the log files on the local computer
in a text box so I know I can get a System.Management.ManagementObject that
is the security log.

However when I try to execute the "BackupEventLog" method I get access
denied.

Here is my code for trying to execute the method:

    logfileSearcher = New System.Management.ManagementObjectSearcher( _
        myManagementScope.Path.ToString, _
        "Select * from win32_NTEventLogFile WHERE LogFileName='security'")
    '* execute query
    '* Get Event Log Files
    logfiles = logfileSearcher.Get()

    For Each logfile In logfiles
        Dim inParams As Management.ManagementBaseObject = _
            logfile.GetMethodParameters("BackupEventLog")
        inParams("ArchiveFileName") = "c:\testing.evt"
        Dim outParams As Management.ManagementBaseObject = _
            logfile.InvokeMethod("BackupEventLog", inParams, Nothing)
    Next

Here is the error detail:

    Error Encountered: System.Management.ManagementException: Access denied
       at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
       at System.Management.ManagementObject.InvokeMethod(String methodName, ManagementBaseObject inParameters, InvokeMethodOptions options)
       at wmitest.Form1.Button3_Click(Object sender, EventArgs e) in C:\Documents and Settings\1069317\Desktop\Desktop Stuff\JTSecuAudit\wmitest\Form1.vb:line 75


I have checked around on Google and found that several people have had
similar issues and it has to do with the privileges of the WMI connection. I
am logged onto the machine as an administrator, and I have also set
ConnectionOptions.EnablePrivileges = True.

But it does not work... I have found threads online indicating that setting
EnablePrivileges to True worked on .NET Framework 1.0 but it "stopped"
working on 1.1, and I assume it doesn't work on 2.0 as I am having this issue.
(I am using .NET Framework 2.0 SP1.)

Please help!

RE: EnablePrivileges = True not working in wmi connection

on 16.04.2008 19:28:00 by urkec

This worked for me on .NET Framework 2.0:

    Dim scope As New ManagementScope
    scope.Options.EnablePrivileges = True

    logfileSearcher = New System.Management.ManagementObjectSearcher(scope, _
        New Management.ObjectQuery("Select * from win32_NTEventLogFile WHERE LogFileName='security'"))
    logfiles = logfileSearcher.Get()

    For Each logfile In logfiles

        Dim inParams As Management.ManagementBaseObject = _
            logfile.GetMethodParameters("BackupEventLog")
        inParams("ArchiveFileName") = "c:\testing.evt"
        Dim outParams As Management.ManagementBaseObject = _
            logfile.InvokeMethod("BackupEventLog", inParams, Nothing)
        Console.WriteLine(outParams.Item("returnValue"))

    Next


--
urkec

RE: EnablePrivileges = True not working in wmi connection

on 16.04.2008 21:00:00 by JohnBates

urkec - first off, thank you so much for your help; your code does work... Let
me post my original connection code (which doesn't seem to work). I think the
difference was that I was attempting to create a connection using impersonate
and authentication... without those it works. Based on the working WMI
VBScript I had, I thought I had to use impersonate and authentication.

My Connection Code:
===================BEGIN
    With myConnectionOptions
        .Impersonation = Management.ImpersonationLevel.Impersonate
        .Authentication = System.Management.AuthenticationLevel.Packet
    End With

    If Not Me.txtUsername.Text = "" Then
        myConnectionOptions.Username = Me.txtUsername.Text
    Else
        myConnectionOptions.Username = Nothing
    End If
    If Not Me.txtPassword.Text = "" Then
        myConnectionOptions.Password = Me.txtPassword.Text
    Else
        myConnectionOptions.Password = Nothing
    End If
    If Me.CheckBox1.Checked = True Then
        myConnectionOptions.EnablePrivileges = True
    End If


    '* Replace the "." with an actual servername for remote connection
    'Dim myServerName As String = "."
    Dim myServerName As String = Me.txtServer.Text
    myManagementScope = New System.Management.ManagementScope( _
        "\\" & myServerName & "\root\cimv2", myConnectionOptions)

    '* connect to WMI namespace
    myManagementScope.Connect()
    If myManagementScope.IsConnected = False Then
        rtbStatus.AppendText("Could not connect to WMI namespace on " & _
            myServerName & ControlChars.Cr)
    Else
        rtbStatus.AppendText("Connected to WMI namespace on " & _
            myServerName & ControlChars.Cr)
    End If

===================END


I'm getting a little closer to my final end product - now I just can't seem
to get the ClearLogFile method to work. I tried using the Nothing keyword in
place of the options object but it choked on that. Any other ideas?

Here is what I am doing now:

===================BEGIN
    Dim scope As New ManagementScope("\\" & Me.txtServer.Text & "\root\cimv2")
    Dim logfileSearcher As System.Management.ManagementObjectSearcher
    Dim logfiles As System.Management.ManagementObjectCollection
    Dim logfile As System.Management.ManagementObject
    Dim logQuery As New Management.ObjectQuery( _
        "Select * from win32_NTEventLogFile WHERE LogFileName='security'")

    Me.rtbStatus.Clear()

    Try

        If Me.txtUsername.Text = "" Then
            scope.Options.Username = Nothing
        Else
            scope.Options.Username = Me.txtUsername.Text
        End If
        If Me.txtPassword.Text = "" Then
            scope.Options.Password = Nothing
        Else
            scope.Options.Password = Me.txtPassword.Text
        End If
        If Me.CheckBox1.Checked = True Then
            scope.Options.EnablePrivileges = True
        End If

        scope.Connect()

        If scope.IsConnected = False Then
            rtbStatus.AppendText("Could not connect to WMI namespace on " & _
                Me.txtServer.Text & ControlChars.Cr)
        Else
            rtbStatus.AppendText("Connected to WMI namespace on " & _
                Me.txtServer.Text & ControlChars.Cr)
        End If

        logfileSearcher = New System.Management.ManagementObjectSearcher(scope, logQuery)
        logfiles = logfileSearcher.Get()

        For Each logfile In logfiles
            'Backup Log File
            Dim inParams As Management.ManagementBaseObject = _
                logfile.GetMethodParameters("BackupEventLog")
            inParams("ArchiveFileName") = "c:\testing.evt"
            Dim outParams As Management.ManagementBaseObject = _
                logfile.InvokeMethod("BackupEventLog", inParams, Nothing)

            'Backup Result
            rtbStatus.AppendText("Backup Method Returned : " & _
                outParams.Item("returnValue").ToString & " ")
            If outParams.Item("returnValue").ToString = 0 Then
                rtbStatus.AppendText("The Security event log was backed up." & ControlChars.Cr)
                'Only execute ClearEventLog method upon successful Backup
                outParams = logfile.InvokeMethod("ClearEventLog", inParams, Nothing)
                'Display Clear Result
                rtbStatus.AppendText("Clear Method Returned : " & _
                    outParams.Item("returnValue").ToString & ControlChars.Cr)
            End If
            If outParams.Item("returnValue").ToString = 8 Then
                rtbStatus.AppendText("Privilege missing!" & ControlChars.Cr)
            End If
            If outParams.Item("returnValue").ToString = 21 Then
                rtbStatus.AppendText("Invalid Parameter in call" & ControlChars.Cr)
            End If

            If outParams.Item("returnValue").ToString = 183 Then
                rtbStatus.AppendText("The archive file already exists." & ControlChars.Cr)
            End If

        Next
    Catch ex As Exception
        rtbStatus.AppendText("Error Encountered: " & ex.ToString & ControlChars.Cr)
    End Try
===================END

RE: EnablePrivileges = True not working in wmi connection

on 16.04.2008 21:07:01 by JohnBates

Actually I got it to work...I have to reset the inParams object to the
parameters for the ClearLogFile method with:

inParams = logfile.GetMethodParameters("ClearEventLog")

before the line:

outParams = logfile.InvokeMethod("ClearEventLog", inParams, Nothing)

It just would not accept Nothing in place of the base object.

Again thank you so much for your help.
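
An added example, not code from either poster: the first post builds its searcher from `myManagementScope.Path.ToString`, while the working reply passes the `ManagementScope` object itself. A searcher built from a path string creates its own scope with default `ConnectionOptions`, so `EnablePrivileges` set on the original scope never reaches the `BackupEventLog` call. The module name and archive path below are assumptions.

```vb
Imports System
Imports System.Management

' Added illustration; module name and archive path are assumptions.
Module ScopePrivilegeDemo
    Const Query As String = _
        "Select * from Win32_NTEventLogFile WHERE LogFileName='security'"
    ' Hypothetical target file for the backup.
    Const ArchivePath As String = "C:\Temp\security-backup.evt"

    ' Return values the thread checks for after BackupEventLog.
    Function Describe(ByVal code As Integer) As String
        Select Case code
            Case 0 : Return "success"
            Case 8 : Return "privilege missing"
            Case 21 : Return "invalid parameter in call"
            Case 183 : Return "archive file already exists"
            Case Else : Return "unexpected return value " & code.ToString()
        End Select
    End Function

    Sub Main()
        ' EnablePrivileges lives on the ConnectionOptions the scope is built with.
        Dim options As New ConnectionOptions()
        options.EnablePrivileges = True
        Dim scope As New ManagementScope("\\.\root\cimv2", options)

        ' String overload: only the namespace path is reused, so this searcher
        ' gets a new scope with default options.
        Dim byPath As New ManagementObjectSearcher(scope.Path.ToString(), Query)
        ' Object overload: the searcher shares the scope and its options.
        Dim byScope As New ManagementObjectSearcher(scope, New ObjectQuery(Query))

        Console.WriteLine("searcher from path string : EnablePrivileges = {0}", _
            byPath.Scope.Options.EnablePrivileges)
        Console.WriteLine("searcher from scope object: EnablePrivileges = {0}", _
            byScope.Scope.Options.EnablePrivileges)

        Try
            ' Objects returned by byScope carry the privileged scope with them.
            For Each logfile As ManagementObject In byScope.Get()
                Dim inParams As ManagementBaseObject = _
                    logfile.GetMethodParameters("BackupEventLog")
                inParams("ArchiveFileName") = ArchivePath
                Dim outParams As ManagementBaseObject = _
                    logfile.InvokeMethod("BackupEventLog", inParams, Nothing)
                Dim rc As Integer = Convert.ToInt32(outParams("ReturnValue"))
                Console.WriteLine("BackupEventLog: {0} ({1})", rc, Describe(rc))
            Next
        Catch ex As ManagementException
            ' The "Access denied" from the first post is raised as this exception type.
            Console.WriteLine("WMI error: {0} ({1})", ex.Message, ex.ErrorCode)
        End Try
    End Sub
End Module
```

Printing `Scope.Options.EnablePrivileges` on the searcher actually used for the query is a quick check before invoking any method that needs the security or backup privilege.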