
WMI ACCESS DENIED for Asynchronous Calls

On Asynchronous Callbacks for WMI Events to remote machines.

You might need to do the following.
Links:
http://stackoverflow.com/questions/2782317/exception-while-managementeventwatcherwmi-to-notify-events-from-remote-machine
https://msdn.microsoft.com/en-us/library/aa393266(v=vs.85).aspx

Text:
Setting DCOM Security to Allow a User to Access a Computer Remotely
Security in WMI is related to connecting to a WMI namespace. WMI uses DCOM to handle remote calls. One reason for failure to connect to a remote computer is due to a DCOM failure (error “DCOM Access Denied” decimal -2147024891 or hex 0x80070005). For more information about DCOM security in WMI for C++ applications, see Setting Client Application Process Security.
You can configure DCOM settings for WMI using the DCOM Config utility (DCOMCnfg.exe) found in Administrative Tools in Control Panel. This utility exposes the settings that enable certain users to connect to the computer remotely through DCOM. Members of the Administrators group are allowed to remotely connect to the computer by default. With this utility you can set the security to start, access, and configure the WMI service.
The following procedure describes how to grant DCOM remote startup and activation permissions for certain users and groups. If Computer A is connecting remotely to Computer B, you can set these permissions on Computer B to allow a user or group that is not part of the Administrators group on Computer B to execute DCOM startup and activation calls on Computer B.
To grant DCOM remote launch and activation permissions for a user or group
Click Start, click Run, type DCOMCNFG, and then click OK.
In the Component Services dialog box, expand Component Services, expand Computers, and then right-click My Computer and click Properties.
In the My Computer Properties dialog box, click the COM Security tab.
Under Launch and Activation Permissions, click Edit Limits.
In the Launch Permission dialog box, follow these steps if your name or your group does not appear in the Groups or user names list:
In the Launch Permission dialog box, click Add.
In the Select Users, Computers, or Groups dialog box, add your name and the group in the Enter the object names to select box, and then click OK.
In the Launch Permission dialog box, select your user and group in the Group or user names box. In the Allow column under Permissions for User, select Remote Launch and select Remote Activation, and then click OK.
The following procedure describes how to grant DCOM remote access permissions for certain users and groups. If Computer A is connecting remotely to Computer B, you can set these permissions on Computer B to allow a user or group that is not part of the Administrators group on Computer B to connect to Computer B.
To grant DCOM remote access permissions
Click Start, click Run, type DCOMCNFG, and then click OK.
In the Component Services dialog box, expand Component Services, expand Computers, and then right-click My Computer and click Properties.
In the My Computer Properties dialog box, click the COM Security tab.
Under Access Permissions, click Edit Limits.
In the Access Permission dialog box, select ANONYMOUS LOGON name in the Group or user names box. In the Allow column under Permissions for User, select Remote Access, and then click OK.
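The two DCOMCNFG procedures above change the machine-wide "Edit Limits" ACLs, and there is no way in the GUI to review them on many hosts at once. The following PowerShell script is an added example (not part of the MSDN text or this KB) that decodes those limits so you can confirm exactly which principals hold Remote Launch, Remote Activation and Remote Access, and it warns when ANONYMOUS LOGON (S-1-5-7) has been granted Remote Access as the second procedure requires. It reads the limits from the MachineLaunchRestriction and MachineAccessRestriction values under HKLM\SOFTWARE\Microsoft\Ole, where DCOMCNFG stores them as self-relative security descriptors, and interprets the access mask with the documented COM_RIGHTS_* bits; the function name, parameter and output columns are this example's own.

```powershell
# Added example: decode the machine-wide DCOM limits that DCOMCNFG "Edit Limits" writes.
# Assumes the limits are stored as self-relative security descriptors in
# HKLM\SOFTWARE\Microsoft\Ole (MachineLaunchRestriction / MachineAccessRestriction).
function Get-DcomLimit {
    param(
        [Parameter(Mandatory)][ValidateSet('Launch', 'Access')][string]$Kind
    )
    # Which registry value holds the descriptor and what its COM_RIGHTS_* bits mean:
    #   1 = COM_RIGHTS_EXECUTE (must be present for any access)
    #   2/4 = local/remote launch (or local/remote access for the Access limit)
    #   8/16 = local/remote activation (Launch limit only)
    if ($Kind -eq 'Launch') {
        $valueName  = 'MachineLaunchRestriction'
        $rightNames = @{ 2 = 'LocalLaunch'; 4 = 'RemoteLaunch'; 8 = 'LocalActivation'; 16 = 'RemoteActivation' }
    } else {
        $valueName  = 'MachineAccessRestriction'
        $rightNames = @{ 2 = 'LocalAccess'; 4 = 'RemoteAccess' }
    }

    $item = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name $valueName -ErrorAction SilentlyContinue
    if (-not $item) {
        Write-Warning "$valueName is not set; DCOM is using its built-in default limits."
        return
    }

    # REG_BINARY comes back as byte[]; parse it as a self-relative security descriptor.
    $bytes = [byte[]]($item.$valueName)
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)

    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only CommonAce entries carry a SID plus an access mask we can interpret.
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $sid  = $ace.SecurityIdentifier
        $name = $sid.Value
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }

        # Collect the right names whose bit is set in this ACE's mask.
        $granted = $rightNames.Keys |
            Where-Object { $ace.AccessMask -band $_ } |
            ForEach-Object { $rightNames[$_] }

        [pscustomobject]@{
            Limit     = $Kind
            Principal = $name
            Sid       = $sid.Value
            Type      = $ace.AceQualifier      # AccessAllowed or AccessDenied
            Rights    = (($granted | Sort-Object) -join ',')
        }
    }
}

# Usage: list both limits, then surface the ANONYMOUS LOGON remote-access grant
# that the procedure above adds, because it widens who may reach DCOM on this host.
$limits = @(Get-DcomLimit -Kind Launch) + @(Get-DcomLimit -Kind Access)
$limits | Format-Table -AutoSize

$limits |
    Where-Object { $_.Limit -eq 'Access' -and $_.Sid -eq 'S-1-5-7' -and
                   $_.Type -eq 'AccessAllowed' -and $_.Rights -match 'RemoteAccess' } |
    ForEach-Object { Write-Warning "ANONYMOUS LOGON holds DCOM Remote Access ($($_.Rights))." }
```

Run it elevated on the computer whose DCOM limits you changed (Computer B in the text). A principal that is missing from the Launch limit, or present without RemoteLaunch and RemoteActivation, is the usual reason a non-administrator still receives 0x80070005 after the firewall has been opened.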

Setting up a Remote WMI Connection

Connecting to a WMI namespace on a remote computer may require that you change the settings for Windows Firewall, User Account Control (UAC), DCOM, or Common Information Model Object Manager (CIMOM).
The following sections are discussed in this topic:
Windows Firewall Settings
User Account Control Settings
DCOM Settings
CIMOM Settings
Related topics
Windows Firewall Settings
The WMI entry in Windows Firewall enables only WMI connections, not other DCOM applications as well.
An exception must be set in the firewall for WMI on the remote target computer. The exception for WMI allows WMI to receive remote connections and asynchronous callbacks to Unsecapp.exe. For more information, see Setting Security on an Asynchronous Call.
If a client application creates its own sink, that sink must be explicitly added to the firewall exceptions to allow callbacks to succeed.
The exception for WMI also works if WMI has been started with a fixed port, using the winmgmt /standalonehost command. For more information, see Setting Up a Fixed Port for WMI.
You can enable or disable WMI traffic through the Windows Firewall UI.
To enable or disable WMI traffic using firewall UI
In the Control Panel, click Security and then click Windows Firewall.
Click Change Settings and then click the Exceptions tab.
In the Exceptions window, select the check box for Windows Management Instrumentation (WMI) to enable WMI traffic through the firewall. To disable WMI traffic, clear the check box.
You can enable or disable WMI traffic through the firewall at the command prompt.
To enable or disable WMI traffic at command prompt using WMI rule group
Use the following commands at a command prompt. Type the following to enable WMI traffic through the firewall.
netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
Type the following command to disable WMI traffic through the firewall.
netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=no
Rather than using the single WMI rule group command, you also can use individual commands for each of the DCOM, WMI service, and sink.
To enable WMI traffic using separate rules for DCOM, WMI, callback sink and outgoing connections
To establish a firewall exception for DCOM port 135, use the following command.
netsh advfirewall firewall add rule dir=in name="DCOM" program=%systemroot%\system32\svchost.exe service=rpcss action=allow protocol=TCP localport=135
To establish a firewall exception for the WMI service, use the following command.
netsh advfirewall firewall add rule dir=in name="WMI" program=%systemroot%\system32\svchost.exe service=winmgmt action=allow protocol=TCP localport=any
To establish a firewall exception for the sink that receives callbacks from a remote computer, use the following command.
netsh advfirewall firewall add rule dir=in name="UnsecApp" program=%systemroot%\system32\wbem\unsecapp.exe action=allow
To establish a firewall exception for outgoing connections to a remote computer that the local computer is communicating with asynchronously, use the following command.
netsh advfirewall firewall add rule dir=out name="WMI_OUT" program=%systemroot%\system32\svchost.exe service=winmgmt action=allow protocol=TCP localport=any
To disable the firewall exceptions separately, use the following commands.
To disable WMI traffic using separate rules for DCOM, WMI, callback sink and outgoing connections
To disable the DCOM exception.
netsh advfirewall firewall delete rule name="DCOM"
To disable the WMI service exception.
netsh advfirewall firewall delete rule name="WMI"
To disable the sink exception.
netsh advfirewall firewall delete rule name="UnsecApp"
To disable the outgoing exception.
netsh advfirewall firewall delete rule name="WMI_OUT"
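The netsh commands above create rules but give no easy way to confirm afterwards which of them exist, on which profiles, and what program, service and port each one actually opens (the UnsecApp rule, for instance, has no protocol or port restriction at all). The following PowerShell function is an added example, not part of the MSDN text or this KB, that reports the built-in WMI rule group and the four separately named rules using the NetSecurity cmdlets that ship with Windows 8 / Server 2012 and later. It assumes the rule names match the netsh commands on this page (DCOM, WMI, UnsecApp, WMI_OUT); the function names and report columns are this example's own.

```powershell
# Added example: audit the firewall rules behind the netsh commands on this page.
# Assumes the NetSecurity module (Get-NetFirewallRule and its filter cmdlets) is available.

# Turn one firewall rule into a flat report row, pulling in its program/service/port filters.
function ConvertTo-RuleReport {
    param(
        [Parameter(ValueFromPipeline)]$Rule,
        [string]$Source
    )
    process {
        [pscustomobject]@{
            Source    = $Source
            Name      = $Rule.DisplayName
            Direction = $Rule.Direction
            Enabled   = $Rule.Enabled
            Profile   = $Rule.Profile
            Program   = ($Rule | Get-NetFirewallApplicationFilter).Program
            Service   = ($Rule | Get-NetFirewallServiceFilter).Service
            # 'Any' here means the rule opens every port for that program/service.
            LocalPort = (($Rule | Get-NetFirewallPortFilter).LocalPort -join ',')
        }
    }
}

function Test-WmiFirewallRules {
    param(
        # Rule names used by the separate netsh "add rule" commands above.
        [string[]]$RuleNames = @('DCOM', 'WMI', 'UnsecApp', 'WMI_OUT')
    )

    # 1. The built-in group toggled by "set rule group=... new enable=yes|no".
    Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -ErrorAction SilentlyContinue |
        ConvertTo-RuleReport -Source 'WMI rule group'

    # 2. The separately added rules; a missing rule is reported rather than skipped.
    foreach ($name in $RuleNames) {
        $rules = @(Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)
        if ($rules.Count -eq 0) {
            [pscustomobject]@{
                Source = 'separate rule'; Name = $name; Direction = $null; Enabled = 'Missing'
                Profile = $null; Program = $null; Service = $null; LocalPort = $null
            }
            continue
        }
        $rules | ConvertTo-RuleReport -Source 'separate rule'
    }
}

# Usage: run on the target computer (inbound rules) and on the client (UnsecApp sink and WMI_OUT).
Test-WmiFirewallRules | Format-Table -AutoSize
```

Read the Profile column with care: a rule created by netsh without a profile qualifier applies to every profile, so an exception meant for the domain network is also active when the machine is on a public one.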
User Account Control Settings
User Account Control (UAC) access-token filtering can affect which operations are allowed in WMI namespaces or what data is returned. Under UAC, all accounts in the local Administrators group run with a standard user access token, also known as UAC access-token filtering. An administrator account can run a script with an elevated privilege ("Run as Administrator").
When you are not connecting to the built-in Administrator account, UAC affects connections to a remote computer differently depending on whether the two computers are in a domain or a workgroup. For more information about UAC and remote connections, see User Account Control and WMI.
DCOM Settings
For more information on DCOM settings, see Securing a Remote WMI Connection. However, UAC affects connections for nondomain user accounts. If you connect to a remote computer using a nondomain user account included in the local Administrators group of the remote computer, then you must explicitly grant remote DCOM access, activation, and launch rights to the account.
CIMOM Settings
The CIMOM settings need to be updated if the remote connection is between computers that do not have a trust relationship; otherwise, an asynchronous connection will fail. This setting should not be modified for computers in the same domain or in trusted domains.
The following registry entry needs to be modified to allow anonymous callbacks:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\AllowAnonymousCallback
Data type: REG_DWORD
If the AllowAnonymousCallback value is set to 0, the WMI service prevents anonymous callbacks to the client. If the value is set to 1, th
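Because the text says this value should be changed only between computers with no trust relationship, the useful check is not just the value itself but the value together with whether the computer is domain-joined. The following PowerShell function is an added example (not part of the MSDN text or this KB) that reads AllowAnonymousCallback on one or more client computers, pairs it with the machine's domain membership from Win32_ComputerSystem, and produces a finding for each. Remote computers are read through PowerShell remoting (Invoke-Command), which is an assumption of this example; the function name, the ComputerName parameter and the finding wording are its own.

```powershell
# Added example: report the CIMOM AllowAnonymousCallback setting alongside domain membership,
# so that a value of 1 on a domain-joined client (where a trust relationship already exists)
# stands out. Assumes WinRM is enabled for any remote names passed in.
function Test-WmiAnonymousCallback {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Everything that must run on the computer being examined lives in this script block.
    $probe = {
        $key   = 'HKLM:\SOFTWARE\Microsoft\WBEM\CIMOM'
        $value = (Get-ItemProperty -Path $key -Name AllowAnonymousCallback -ErrorAction SilentlyContinue).AllowAnonymousCallback
        $cs    = Get-CimInstance -ClassName Win32_ComputerSystem
        [pscustomobject]@{
            Computer               = $env:COMPUTERNAME
            AllowAnonymousCallback = $value          # $null when the value has never been created
            PartOfDomain           = $cs.PartOfDomain
            Domain                 = $cs.Domain
        }
    }

    foreach ($c in $ComputerName) {
        # Read locally when possible; otherwise go through PowerShell remoting.
        $state = if ($c -eq $env:COMPUTERNAME -or $c -eq 'localhost') {
            & $probe
        } else {
            Invoke-Command -ComputerName $c -ScriptBlock $probe
        }

        # Map the (value, domain membership) pair to a finding, most specific case first.
        $finding = switch ($state) {
            { $_.AllowAnonymousCallback -eq 1 -and $_.PartOfDomain } {
                'Anonymous callbacks enabled on a domain-joined computer; the text says not to change this where a trust relationship exists.'
                break
            }
            { $_.AllowAnonymousCallback -eq 1 } {
                'Anonymous callbacks enabled (intended only for peers with no trust relationship).'
                break
            }
            { $_.AllowAnonymousCallback -eq 0 } {
                'Anonymous callbacks refused; asynchronous callbacks from untrusted computers will fail.'
                break
            }
            default { 'Value not configured.' }
        }

        $state | Add-Member -NotePropertyName Finding -NotePropertyValue $finding -PassThru
    }
}

# Usage: check the local client, or pass the clients whose sinks receive callbacks.
Test-WmiAnonymousCallback | Format-Table -AutoSize
```

Run it on the client side of the connection, since the setting governs callbacks delivered to the client's sink, not on the computer that raises the events.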