WMI Troubleshooting: Permissions
Back in June, we published our post on Basic WMI Testing. Today we're going to go over some common issues and ways that you can troubleshoot and recover from them - specifically rights and permissions. We're not going to get into troubleshooting scripts - what we're looking at is troubleshooting WMI itself. So without further ado, let's dive right in ...
The first thing we're going to look at is ensuring that the COM Security settings are configured correctly. Oftentimes the default COM permissions may have been modified by application installations or GPO settings. We covered the security aspects of COM / DCOM in an earlier post, titled COM and DCOM for Administrators. Incorrectly configured permissions can cause WMI to fail. We can use the built-in DCOMCNFG utility to verify the permissions as shown below:
| Windows 2000 | Windows XP, Windows 2003 |
- Click Start, click Run, type dcomcnfg then click OK.
- Click the Default Security tab (shown below):
| - Click Start, click Run, type dcomcnfg then click OK.
- Expand the Component Services node
- Expand the Computers node
- Right-click the My Computer node and then click Properties
- Click the COM Security tab (shown below:)
|
| 
|  |
Under the Default Launch Permissions you need to make sure that the following users / groups have the Allow Launch permission: INTERACTIVE, SYSTEM and Administrators. Under the Default Access Permissions ensure only the following accounts are listed:
| OS | Account |
| Windows 2000 | none |
| Windows XP RTM & SP1 | SYSTEM |
| Windows XP SP2 & Windows Server 2003 | SELF
SYSTEM |
If these Access Permissions settings have been modified, then you need to ensure that the following users / groups have been explicitly granted Access Permission: INTERACTIVE, SYSTEM and Administrators. As a shortcut, you can export the following registry key (so that you have a backup), and then delete the key & reboot, so that you restore the original default values: HKLM\SOFTWARE\Microsoft\Ole\DefaultAccessPermission. On Windows XP and Windows Server 2003, you can also export the following keys (again, so you have backups) and then delete the key & reboot so that the original default limits are restored: HKLM\SOFTWARE\Microsoft\Ole\MachineAccessRestriction & HKLM\SOFTWARE\Microsoft\Ole\MachineLaunchRestriction.
In addition, the WMI DCOM settings should also be checked - again, using the DCOMCNFG utility as before:
| Windows 2000 | Windows XP, Windows 2003 |
- Within DCOMCNFG, click the Applications tab.
- Double-click the Windows Management Instrumentation tab (shown below):
| - Within DCOMCNFG, expand the Computers node
- Expand the My Computer node
- Expand the DCOM Config node
- Right-click the Windows Management and Instrumentation object, and select Properties (shown below:)
|
| 
|  |
Verify the settings below against what is configured on the system:
| Setting | Windows 2000 | Windows XP / Windows Server 2003 |
| Authentication Level | Default | Default |
| Launch Permissions | Use Default | Everyone |
| Access Permissions | Use Default | Use Default |
And that brings us to the end of this post. There's much more to come on WMI, so stay tuned!
- Axel Rivera
I joined Microsoft as a Support Engineer on the Performance team in September 2005. Prior to that I spent a couple of years working the late night shift on our Platforms 24x7 team. Working for Microsoft was always a dream job - so I am living the dream! I was on the Windows Vista Beta team in 2006, which was one of the coolest projects I have ever worked on, until I took on the task of driving the AskPerf Blog.
As you can tell by my logo, I am a huge Manchester United fan and I have successfully managed to brainwash my two daughters into sharing my passion for the Red Devils much to the dismay of their mother! I also coach both my daughters' soccer teams. In addition I am an avid MMO gamer, and have an extensive DVD movie collection.
