Decrypt my World : WMI

WMI Diag won't work well in non-English Windows

alejacma — Tue, 10 Jun 2008 13:40:00 GMT

Hi all,

If you ever use WMI Diag script (The WMI Diagnosis Utility -- Version 2.0) on a non-English version of Windows (i.e. Spanish, French, Italian, German...), you will get tons of errors when the script checks out default permissions on WMI namespaces or DCOM components related to WMI, for instance.

The cause is simple: the script checks permissions for groups of users which name is language-dependant.

If we use WMI Diag in i.e. a Spanish Windows, we will have to edit the script and replace:

- "BUILTIN\Administrators" with "BUILTIN\Administradores",

- "Everyone" with "Todos",

- "NT AUTHORITY\NETWORK SERVICE" with "NT AUTHORITY\Servicio de red",

- "NT AUTHORITY\LOCAL SERVICE" with "NT AUTHORITY\SERVICIO LOCAL",

- "NT AUTHORITY\Authenticated Users" with "NT AUTHORITY\Usuarios autentificados",

Now you can run the script and find out if your WMI is really broken.

I hope this helps.

Cheers,

Alex (Alejandro Campos Magencio)

How to get Antivirus information with WMI (VBScript)

alejacma — Mon, 12 May 2008 12:23:00 GMT

Hi all, welcome back,

As we read in Windows Security Center – Managing the State of Security, the vast majority of antivirus Independent Software Vendors (ISVs) support WMI integration. Windows Security Center uses it to detect antivirus and firewall solutions.

The following script shows how to get some information from those solutions:

strComputer = "."
    
Set oWMI = GetObject( _
  "winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\SecurityCenter")
  
Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")

For Each objItem in colItems
  With objItem
    WScript.Echo .companyName
    WScript.Echo .displayName
    WScript.Echo .instanceGuid
    WScript.Echo .onAccessScanningEnabled
    WScript.Echo .pathToSignedProductExe
    WScript.Echo .productHasNotifiedUser
    WScript.Echo .productState
    WScript.Echo .productUptoDate
    WScript.Echo .productWantsWscNotifications
    WScript.Echo .versionNumber  
  End With
Next

Cheers,

Alex (Alejandro Campos Magencio)

Win32_Process.Create fails if user profile is not loaded

alejacma — Wed, 09 Apr 2008 14:03:00 GMT

Hi all, welcome back,

The other day I worked on an issue which happened when using WMI method Win32_Process.Create to spawn a process from an ASP.NET application. This method was returning an ERROR_NOT_ENOUGH_MEMORY (8) and the new process wasn't created. The application was running as Network Service and WMI was impersonating a special user when launching the new process.

We could also reproduce the issue with a VBScript that we launched as the special user with runas command and its /noprofile option. When we used /profile option instead, the script worked fine, and so did the ASP.NET app! So it seems that this WMI method is dependant of the user profile being loaded.

After some tests and some debugging, I confirmed this:

Win32_Process.Create always tries to access the registry of the user which will launch the process (the one we are impersonating). This behavior is by design and can't be modified.

If the user profile is loaded, there is no problem as Create can access the registry keys it needs. But if the profile is not loaded, it will try to load the registry hive of the user (NTUSER.DAT file) into the registry. For doing that it uses RegLoadKey API, which in our case is failing with ERROR_PRIVILEGE_NOT_HELD error. This internal error will cause the misleading ERROR_NOT_ENOUGH_MEMORY that we get from Create method.
I verified the privileges this API requires in its documentation: "The calling process must have the SE_RESTORE_NAME and SE_BACKUP_NAME privileges on the computer in which the registry resides."

Summing up, Win32_Process.Create will work if the user we are impersonating has SE_RESTORE_NAME (a.k.a. SeRestorePrivilege a.k.a. "Restore files and directories") and SE_BACKUP_NAME (a.k.a. SeBackupPrivilege a.k.a."Backup files and directories") privileges in the local machine where the WMI code is running. This way it can load the registry hive if the profile for that user is not loaded.

An alternate solution may be to load the profile before calling Create. IIS won’t load it automatically, and WMI neither. We may load it by calling LoadUserProfile API, for instance. But the user calling this API needs high privileges. So if we know the user we are impersonating, we may have an easier way to load the profile: Service Control Manager (SCM) automatically loads the user profile of the user running a Windows service. We may create a dummy service which does nothing but always stay alive and which runs as our special user, so its profile gets loaded. Once the profile of the user gets loaded by SCM, every other app which requires it will have access to it, like a web app or a web service.

I hope this helps.

Cheers,

Alex (Alejandro Campos Magencio)

How to change the Security Descriptor of WMI objects

alejacma — Fri, 14 Mar 2008 05:51:00 GMT

Hi all, welcome back,

You may want to give users or groups access to perform read/modify WMI operations on WMI objects, and for that you need to change the Security Descriptor (SD) for WMI objects. There are several ways to achieve this:

1) Manually with wmimgmt.msc: 325353 HOW TO: Set WMI Namespace Security in Windows Server 2003.

2) Using third-party tools like WMI Namespace Security.

3) Programmatically, the easy way:

We could manually set the SD on one box, then save it to a text file with GetSD method of the __SystemSecurity class, read the SD from the text file and reapply it to new boxes with SetSD method.

The following VBScript shows how to use GetSD to obtain the current SD for the Root\Cimv2 namespace and change it to the byte array shown in strDisplaySD.

' Connect to WMI and the root namespace.
'
Set objWMI = GetObject("winmgmts:root\cimv2")

' Get the single __SystemSecurity object in this namespace.
'
Set objSecurity = objWMI.Get("__SystemSecurity=@")

' Get the namespace security.
'
nReturn = objSecurity.GetSD(arrSD)
If Err <> 0 Then
    WScript.Echo "Return value =  " & nReturn
Else
    ' Show it
    '
    strDisplaySD = "SD = {"
    For I = Lbound(arrSD) To Ubound(arrSD)
        strDisplaySD = strDisplaySD & arrSD(I)
        If I <> Ubound(arrSD) Then    
            strDisplaySD = DisplaySD & ","
        End If
    Next
    strDisplaySD = strDisplaySD & "}"
    WScript.Echo strDisplaySD
End If

The following script shows how to use SetSD to set the namespace SD for the root namespace and change it to the byte array shown in arrSD.

' Hard-coded security descriptor
'
arrSD = array( 1, 0, 4,129,72, 0, 0, 0, _ 
    88, 0, 0, 0, 0, 0, 0, 0, _
    20, 0, 0, 0, 2, 0,52, 0, _
    2, 0, 0, 0, 0, 2,24, 0, _
    63, 0, 6, 0, 1, 2, 0, 0, _
    0, 0, 0, 5,32, 0, 0, 0, _
    32, 2, 0, 0, 0, 2,20, 0, _
    63, 0, 6, 0, 1, 1, 0, 0, _
    0, 0, 0, 1, 0, 0, 0, 0, _
    1, 2, 0, 0, 0, 0, 0, 5, _
    32, 0, 0, 0,32, 2, 0, 0, _
    1, 2, 0, 0, 0, 0, 0, 5, _
    32, 0, 0, 0,32, 2, 0, 0)

' Connect to WMI and the root namespace.
'
Set objWMI = GetObject("winmgmts:root\cimv2")

' Get the single __SystemSecurity object in this namespace.
'
Set objSecurity = objWMI.Get("__SystemSecurity=@")

' Change the namespace security.
'
nReturn = objSecurity.SetSD(arrSD)
WScript.Echo "Return value = " & nReturn

4) Programmatically, the hard way:

We can write our own WMI script using the following sample found at http://www.lissware.net/:

vol 2, Sample 4.02 to 4.13 - WMIManageSD.Wsf, using a series of subfunctions:

Sample 4.02 to 4.13 - WMIManageSD.Wsf
Sample 4.14 to 4.24 - GetSDFunction.vbs
Sample 4.25 - CreateDefaultSDFunction.vbs
Sample 4.26 to 4.27 - ADSIHelper.exp
Sample 4.28 - DecipherWMISDFunction.vbs
Sample 4.29 - DecipherADSISDFunction.vbs
Sample 4.30 - DecipherSDControlFlagsFunction.vbs
Sample 4.31 - CalculateSDControlFlagsFunction.vbs
Sample 4.32 to 4.40 - ActiveDirectory.CMD
Sample 4.41 - SetSDOwnerFunction.vbs
Sample 4.42 - CreateTrusteeFunction.vbs
Sample 4.43 - SetSDGroupFunction.vbs
Sample 4.44 - SetSDControlFlagsFunction.vbs
Sample 4.45 to 4.46 - AddACEFunction.vbs
Sample 4.47 to 4.48 - DelACEFunction.vbs
Sample 4.49 to 4.50 - ReOrderACEFunction.vbs
Sample 4.51 to 4.61 - SetSDFunction.vbs

The script actually reads the binary SD with __SystemSecurity class and converts it with Sample 4.14 to 4.24 - GetSDFunction.vbs at line 283.
The object used to convert the SD is defined at line 189 in Sample 4.02 to 4.13 - WMIManageSD.Wsf.
Under XP and 2003, it uses the IADsSecurityUtility::ConvertSecurityDescriptor.
Before XP, it uses a COM component especially written for the purpose of the bin array conversion to an ADSI SD representation (located in the resources folder coming with the ZIP that must be REGSVR32).

The sample given there manages the security not only on WMI namespaces, but also on Files, Folders, Shares, AD objects, Exchange Mailboxes and Registry keys.

Everything is explained in greater details in the book related to this sample as the full coverage of the details for the management of all SD supported above required 220 pages of texts and tables.
This is not a trivial task even if it is fairly achievable.

I hope this helps.

Cheers,

Alex (Alejandro Campos Magencio)