Two Minute Drill: WMIDiag and Namespace Security

Hello AskPerf.  Happy New Year!  My name is Gangadharan Prashanth and we’re going to kick off 2009 with a quick look at WMI Namespace Security and a common error message that we see when running the WMI Diagnosis Utility (WMIDiag).  When running WMIDiag, we often see an alert that looks something like this: the WMIDiag log may report that the default security on a WMI namespace has been changed.  Open up the WMIDiag logs, and towards the end look for a section marked WMI REPORT: BEGIN.  The section will look something like this:

44072 12:41:02 (0) ** ----------------------------------------------------------------------------------------------
44073 12:41:02 (0) ** ----------------------------------------------------- WMI REPORT: BEGIN ----------------
44074 12:41:02 (0) ** ----------------------------------------------------------------------------------------------

If the default security on a namespace has been changed, then the following information will appear:

WMI namespace security for 'ROOT/RSOP': ............................................... MODIFIED.
47318 16:15:40 (1) !! ERROR: Actual trustee 'NT AUTHORITY\NETWORK SERVICE' DOES NOT match corresponding expected trustee rights (Actual->Default)

47319 16:15:40 (0) **        - ACTUAL ACE:

47320 16:15:40 (0) **          ACEType:  &h0
47321 16:15:40 (0) **                    ACCESS_ALLOWED_ACE_TYPE
47322 16:15:40 (0) **          ACEFlags: &h12
47323 16:15:40 (0) **                    CONTAINER_INHERIT_ACE
47324 16:15:40 (0) **                    INHERITED_ACE
47325 16:15:40 (0) **          ACEMask:  &h3F
47326 16:15:40 (0) **                    WBEM_ENABLE
47327 16:15:40 (0) **                    WBEM_METHOD_EXECUTE
47328 16:15:40 (0) **                    WBEM_FULL_WRITE_REP
47329 16:15:40 (0) **                    WBEM_PARTIAL_WRITE_REP
47330 16:15:40 (0) **                    WBEM_WRITE_PROVIDER
47331 16:15:40 (0) **                    WBEM_REMOTE_ACCESS

47332 16:15:40 (0) **        - EXPECTED ACE:

47333 16:15:40 (0) **          ACEType:  &h0
47334 16:15:40 (0) **                    ACCESS_ALLOWED_ACE_TYPE
47335 16:15:40 (0) **          ACEFlags: &h12
47336 16:15:40 (0) **                    CONTAINER_INHERIT_ACE
47337 16:15:40 (0) **                    INHERITED_ACE
47338 16:15:40 (0) **          ACEMask:  &h6003F
47339 16:15:40 (0) **                    WBEM_ENABLE
47340 16:15:40 (0) **                    WBEM_METHOD_EXECUTE
47341 16:15:40 (0) **                    WBEM_FULL_WRITE_REP
47342 16:15:40 (0) **                    WBEM_PARTIAL_WRITE_REP
47343 16:15:40 (0) **                    WBEM_WRITE_PROVIDER
47344 16:15:40 (0) **                    WBEM_REMOTE_ACCESS
47345 16:15:40 (0) **                    WBEM_WRITE_DAC
47346 16:15:40 (0) **                    WBEM_READ_CONTROL
47347 16:15:40 (0) ** 
47348 16:15:40 (0) ** => The actual ACE has the right(s) '&h60000 WBEM_WRITE_DAC WBEM_READ_CONTROL' removed!
47349 16:15:40 (0) **    This will cause some operations to fail!
47350 16:15:40 (0) **    It is possible to fix this issue by editing the security descriptor and adding the removed right.
47351 16:15:40 (0) **    For WMI namespaces, this can be done with 'WMIMGMT.MSC'.

If there are multiple namespaces that have been identified by WMIDiag, then each one will have its own entry.  There are three main sections to consider in this error message.  The first section tells us which namespace has had its security modified.  The entry will begin with WMI namespace security for ‘ROOT/’.  After ‘ROOT/’, any one of the namespaces below ROOT or the ROOT namespace itself could be the one identified.  In our example above, the namespace in question is ‘ROOT/RSOP’.  In this first section, we are also provided the account name whose security rights differ from the expected defaults.  In this example, the account is the ‘NT AUTHORITY\NETWORK SERVICE’ account:

WMI namespace security for 'ROOT/RSOP': ........................................................... MODIFIED.
47318 16:15:40 (1) !! ERROR: Actual trustee 'NT AUTHORITY\NETWORK SERVICE' DOES NOT match corresponding expected trustee rights (Actual->Default)

The second section will tell us the current security settings on the server/machine for the user/account in question. This section will start with the line - ACTUAL ACE:

47319 16:15:40 (0) **        - ACTUAL ACE:

47320 16:15:40 (0) **          ACEType:  &h0
47321 16:15:40 (0) **                    ACCESS_ALLOWED_ACE_TYPE
47322 16:15:40 (0) **          ACEFlags: &h12
47323 16:15:40 (0) **                    CONTAINER_INHERIT_ACE
47324 16:15:40 (0) **                    INHERITED_ACE
47325 16:15:40 (0) **          ACEMask:  &h3F
47326 16:15:40 (0) **                    WBEM_ENABLE
47327 16:15:40 (0) **                    WBEM_METHOD_EXECUTE
47328 16:15:40 (0) **                    WBEM_FULL_WRITE_REP
47329 16:15:40 (0) **                    WBEM_PARTIAL_WRITE_REP
47330 16:15:40 (0) **                    WBEM_WRITE_PROVIDER
47331 16:15:40 (0) **                    WBEM_REMOTE_ACCESS

The third section tells us what the expected security settings for the account are.  This section starts with the line – EXPECTED ACE:

47332 16:15:40 (0) **        - EXPECTED ACE:

47333 16:15:40 (0) **          ACEType:  &h0
47334 16:15:40 (0) **                    ACCESS_ALLOWED_ACE_TYPE 
47335 16:15:40 (0) **          ACEFlags: &h12
47336 16:15:40 (0) **                    CONTAINER_INHERIT_ACE
47337 16:15:40 (0) **                    INHERITED_ACE
47338 16:15:40 (0) **          ACEMask:  &h6003F
47339 16:15:40 (0) **                    WBEM_ENABLE
47340 16:15:40 (0) **                    WBEM_METHOD_EXECUTE
47341 16:15:40 (0) **                    WBEM_FULL_WRITE_REP
47342 16:15:40 (0) **                    WBEM_PARTIAL_WRITE_REP
47343 16:15:40 (0) **                    WBEM_WRITE_PROVIDER
47344 16:15:40 (0) **                    WBEM_REMOTE_ACCESS
47345 16:15:40 (0) **                    WBEM_WRITE_DAC
47346 16:15:40 (0) **                    WBEM_READ_CONTROL
47347 16:15:40 (0) ** 

Within the expected security settings section, there are some things to take note of.  The first part of this section describes whether or not the account specified is supposed to have access (an allow ACE versus a deny ACE):

47333 16:15:40 (0) **          ACEType:  &h0 
47334 16:15:40 (0) **                    ACCESS_ALLOWED_ACE_TYPE 

The second part of this section tells us if the security information is inherited from its parent object:

47335 16:15:40 (0) **          ACEFlags: &h12 
47336 16:15:40 (0) **                    CONTAINER_INHERIT_ACE
47337 16:15:40 (0) **                    INHERITED_ACE

The last part of this section enumerates the expected permissions:

47338 16:15:40 (0) **          ACEMask:  &h6003F
47339 16:15:40 (0) **                    WBEM_ENABLE
47340 16:15:40 (0) **                    WBEM_METHOD_EXECUTE
47341 16:15:40 (0) **                    WBEM_FULL_WRITE_REP
47342 16:15:40 (0) **                    WBEM_PARTIAL_WRITE_REP
47343 16:15:40 (0) **                    WBEM_WRITE_PROVIDER
47344 16:15:40 (0) **                    WBEM_REMOTE_ACCESS
47345 16:15:40 (0) **                    WBEM_WRITE_DAC
47346 16:15:40 (0) **                    WBEM_READ_CONTROL

So now that we know exactly how to interpret the data in our logs, let’s quickly go over what these permissions mean (this info is documented in the MSDN article: Access to WMI Namespaces (Windows)):

WMI Nomenclature         GUI “Friendly Name”   Description
----------------------   -------------------   ---------------------------------------------------------------------------------------------
WBEM_ENABLE              Enable Account        Permits read access to WMI classes
WBEM_METHOD_EXECUTE      Execute Methods       Permits the user to execute methods defined on WMI classes
WBEM_FULL_WRITE_REP      Full Write            Permits full read, write and delete access to WMI classes and class instances, both static and dynamic
WBEM_PARTIAL_WRITE_REP   Partial Write         Permits write access to static WMI class instances
WBEM_WRITE_PROVIDER      Provider Write        Permits write access to dynamic WMI class instances
WBEM_REMOTE_ACCESS       Remote Enable         Permits access to the namespace by remote computers
WBEM_WRITE_DAC           Edit Security         Permits write access to DACL settings
WBEM_READ_CONTROL        Read Security         Permits read-only access to DACL settings
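As an added illustration (this is not code from the post or from WMIDiag itself), the following Python decodes the ACEType, ACEFlags and ACEMask values of a WMIDiag ACTUAL/EXPECTED ACE block into the names above and works out which rights the actual ACE is missing, reproducing the "&h60000 WBEM_WRITE_DAC WBEM_READ_CONTROL removed" conclusion from the report. The bit values are those of the WBEM_SECURITY_FLAGS enumeration plus the standard READ_CONTROL/WRITE_DAC rights; the report excerpt is constructed to match the shape of the log quoted earlier.

```python
import re
# WBEM access-mask bits (wbemcli.h); READ_CONTROL/WRITE_DAC appear as Read/Edit Security in wmimgmt.
WBEM_RIGHTS = {
    0x00001: "WBEM_ENABLE",          0x00002: "WBEM_METHOD_EXECUTE",
    0x00004: "WBEM_FULL_WRITE_REP",  0x00008: "WBEM_PARTIAL_WRITE_REP",
    0x00010: "WBEM_WRITE_PROVIDER",  0x00020: "WBEM_REMOTE_ACCESS",
    0x20000: "WBEM_READ_CONTROL",    0x40000: "WBEM_WRITE_DAC",
}
ACE_FLAGS = {0x01: "OBJECT_INHERIT_ACE", 0x02: "CONTAINER_INHERIT_ACE",
             0x04: "NO_PROPAGATE_INHERIT_ACE", 0x08: "INHERIT_ONLY_ACE",
             0x10: "INHERITED_ACE"}
ACE_TYPES = {0x0: "ACCESS_ALLOWED_ACE_TYPE", 0x1: "ACCESS_DENIED_ACE_TYPE"}
# Constructed excerpt in the shape of the WMIDiag report quoted in the post.
SAMPLE = """
47319 16:15:40 (0) **        - ACTUAL ACE:
47320 16:15:40 (0) **          ACEType:  &h0
47322 16:15:40 (0) **          ACEFlags: &h12
47325 16:15:40 (0) **          ACEMask:  &h3F
47332 16:15:40 (0) **        - EXPECTED ACE:
47333 16:15:40 (0) **          ACEType:  &h0
47335 16:15:40 (0) **          ACEFlags: &h12
47338 16:15:40 (0) **          ACEMask:  &h6003F
"""

def parse_ace_blocks(text):
    """Map 'ACTUAL'/'EXPECTED' to {ACEType, ACEFlags, ACEMask} as integers."""
    blocks, current = {}, None
    for line in text.splitlines():
        head = re.search(r"- (ACTUAL|EXPECTED) ACE:", line)
        field = re.search(r"(ACEType|ACEFlags|ACEMask):\s+&h([0-9A-Fa-f]+)", line)
        if head:
            current = blocks.setdefault(head.group(1), {})
        elif field and current is not None:
            current[field.group(1)] = int(field.group(2), 16)  # &h = VBScript hex prefix
    return blocks

def decode(value, table):
    """Names of the bits from `table` that are set in `value`, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]

def describe(ace):
    """Type, inheritance flags and WBEM rights of one ACE block, as a string."""
    parts = [ACE_TYPES.get(ace["ACEType"], "UNKNOWN_ACE_TYPE")]
    parts += decode(ace["ACEFlags"], ACE_FLAGS) + decode(ace["ACEMask"], WBEM_RIGHTS)
    return " ".join(parts)

def removed_rights(blocks):
    """Rights present in the EXPECTED mask but missing from the ACTUAL mask."""
    missing = blocks["EXPECTED"]["ACEMask"] & ~blocks["ACTUAL"]["ACEMask"]
    return missing, decode(missing, WBEM_RIGHTS)  # -> (0x60000, [READ_CONTROL, WRITE_DAC])
```

Running `removed_rights(parse_ace_blocks(SAMPLE))` on the constructed excerpt yields mask &h60000 with WBEM_READ_CONTROL and WBEM_WRITE_DAC, which is exactly the pair WMIDiag flags as removed; feed it the ACE blocks from your own report to get the same answer per namespace.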

Let’s assume for a moment, that we haven’t deliberately altered the permissions on this namespace and that we want to change the permissions to match what WMIDiag reports as the expected permissions.  The process is outlined in Microsoft KB Article 325353.  Once you have made the requisite changes, re-run the WMI Diagnosis Utility to verify that the changes have taken effect.

And that brings us to the end of this post.  Thanks for stopping by, and once again – HAPPY NEW YEAR!

Additional Resources:

- Gangadharan Prashanth

  • Does WMIDiag run on Windows 2003 and later? The link points to a download that doesn't mention Windows 2003 or later.

  • Jim, WMIDiag definitely runs on Server 2003! Have run it many a time in my course of troubleshooting. Need to check if it can be run on Server 2008 or not! Will update shortly.

  • You guys are way above my head, but this is the only place I've seen that seems to really know WMI.  My machine (Gateway M6881 laptop) has a problem with WMI...

    WMI service does start.

    No instances show in processes (used to be 1 or more)

    CPU usage at idle down to 0-1 %;  was 3-11%

    Some things not working right, but minor so far (like the CPU usage widget).

    All restore points fail.

    Have run WMIdiag; don't know what to do with results.

    Did reregister the WMI dlls and exe's in wbem.  No help.

    No clue what to do next.

    Don't know if I can even get back to here.

    mail at fm_msdnblog  AT  xemaps DOT com

    Have mercy on a literate but non-programmer!

  • WMIDiag 2.0 is coming for Vista+.

  • WMIDiag 2.1 is now available!

    www.microsoft.com/.../details.aspx

    Supported Operating Systems: Windows 7, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Vista, Windows XP