WMI Troubleshooting: Permissions

WMI Troubleshooting: Permissions

  • Comments 3
  • Likes

Back in June, we published our post on Basic WMI Testing.  Today we're going to go over some common issues and ways that you can troubleshoot and recover from them - specifically rights and permissions.  We're not going to get into troubleshooting scripts - what we're looking at is troubleshooting WMI itself.  So without further ado, let's dive right in ...

The first thing we're going to look at is ensuring that the COM Security settings are configured correctly.  Oftentimes the default COM permissions may have been modified by application installations or GPO settings.  We covered the security aspects of COM / DCOM in an earlier post, titled COM and DCOM for Administrators.  Incorrectly configured permissions can cause WMI to fail.  We can use the built-in DCOMCNFG utility to verify the permissions as shown below:

Windows 2000 Windows XP, Windows 2003
  1. Click Start, click Run, type dcomcnfg then click OK.
  2. Click the Default Security tab (shown below):

 

  1. Click Start, click Run, type dcomcnfg then click OK.
  2. Expand the Component Services node
  3. Expand the Computers node
  4. Right-click the My Computer node and then click Properties
  5. Click the COM Security tab (shown below:)

 

W2K-DCOMCNFG-01

WXP-DCOMCNFG-01

Under the Default Launch Permissions you need to make sure that the following users / groups have the Allow Launch permission:  INTERACTIVE, SYSTEM and Administrators.  Under the Default Access Permissions ensure only the following accounts are listed:

OS Account
Windows 2000 none
Windows XP RTM & SP1 SYSTEM
Windows XP SP2 & Windows Server 2003 SELF
SYSTEM

If these Access Permissions settings have been modified, then you need to ensure that the following users / groups have been explicitly granted Access Permission: INTERACTIVE, SYSTEM and Administrators.  As a shortcut, you can export the following registry key (so that you have a backup), and then delete the key & reboot, so that you restore the original default values:  HKLM\SOFTWARE\Microsoft\Ole\DefaultAccessPermission.  On Windows XP and Windows Server 2003, you can also export the following keys (again, so you have backups) and then delete the key & reboot so that the original default limits are restored: HKLM\SOFTWARE\Microsoft\Ole\MachineAccessRestriction & HKLM\SOFTWARE\Microsoft\Ole\MachineLaunchRestriction.

In addition, the WMI DCOM settings should also be checked - again, using the DCOMCNFG utility as before:

Windows 2000 Windows XP, Windows 2003
  1. Within DCOMCNFG, click the Applications tab. 
  2. Double-click the Windows Management Instrumentation tab (shown below):

 

  1. Within DCOMCNFG, expand the Computers node
  2. Expand the My Computer node
  3. Expand the DCOM Config node
  4. Right-click the Windows Management and Instrumentation object, and select Properties (shown below:)

 

W2K-DCOMCNFG-02

WXP-DCOMCNFG-02

Verify the settings below against what is configured on the system:

Setting Windows 2000 Windows XP / Windows Server 2003
Authentication Level Default Default
Launch Permissions Use Default Everyone
Access Permissions Use Default Use Default

And that brings us to the end of this post.  There's much more to come on WMI, so stay tuned!

- Axel Rivera

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • PingBack from http://www.ditii.com/2007/08/14/wmi-permissions-troubleshooting/

  • actually, after the access permissions is the configuration permissions.......

  • We r having Server 2008.  Wile running VB-6, we get error

    "Automation Error : Error accessing OLE registry".

    Is there any way to resolve the issue.

    Thanks