WMI: can't run Notification Query to read Event logs with non-admin user from wbemtest tool - 0x80041003 access denied

  • Thread starter PRAKASH KUMAR TIWARY
I'm testing various Event log queries against a remote Windows Server 2016 with wbemtest.exe.

The user connected to the server is a non-admin domain user, but it has all the permissions
according to "Securing a Remote WMI Connection - Win32 apps":

1) It is a member of "Distributed COM Users" and "Event Log Readers" groups
2) It was granted "Remote Enable" for WMI root\cimv2 namespace.

When I run the following Notification Query to Event logs:

SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent'
AND TargetInstance.Logfile = 'Security' AND (TargetInstance.EventIdentifier = 672
OR TargetInstance.EventIdentifier = 673 OR TargetInstance.EventIdentifier = 680 OR
TargetInstance.EventIdentifier = 4768 OR TargetInstance.EventIdentifier = 4769 OR
TargetInstance.EventIdentifier = 4776)


the query fails with 0x80041003 access denied error.

A regular query (identical to the previous one) to Event logs succeeds:
SELECT * FROM Win32_PerfRawData_PerfOS_Processor WHERE Name="_Total"



Other Notification queries (not to Event logs), like:
SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'
succeed too.

Please advise.
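
Added example, not part of the original post: Microsoft's Win32_NTLogEvent documentation states that an application must have SeSecurityPrivilege to receive events from the Security log and otherwise gets "Access Denied", so this Windows PowerShell 5.1 script runs the same subscription with privileges enabled on the connection (the counterpart of the "Enable all privileges" box in wbemtest). The server name is a placeholder, and the script assumes the account has been assigned the "Manage auditing and security log" user right on the target, which the post does not mention.

```powershell
# Added example (Windows PowerShell 5.1); not from the original post.
Add-Type -AssemblyName System.Management

$server = 'SERVER01.example.test'      # placeholder host name
$cred   = Get-Credential               # the non-admin domain account

$options = New-Object System.Management.ConnectionOptions
$options.Username         = $cred.UserName
$options.SecurePassword   = $cred.Password
$options.EnablePrivileges = $true      # enable the privileges the account holds for this call
$options.Impersonation    = [System.Management.ImpersonationLevel]::Impersonate
$options.Authentication   = [System.Management.AuthenticationLevel]::PacketPrivacy
$scope = New-Object System.Management.ManagementScope("\\$server\root\cimv2", $options)

# Same filter as the notification query in the post, built from the event ID list.
$ids      = 672, 673, 680, 4768, 4769, 4776
$idFilter = ($ids | ForEach-Object { "TargetInstance.EventIdentifier = $_" }) -join ' OR '
$wql = "SELECT * FROM __InstanceCreationEvent " +
       "WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
       "AND TargetInstance.Logfile = 'Security' AND ($idFilter)"

$query   = New-Object System.Management.WqlEventQuery($wql)
$watcher = New-Object System.Management.ManagementEventWatcher($scope, $query)
$watcher.Options.Timeout = [TimeSpan]::FromSeconds(60)

try {
    $scope.Connect()
    # The subscription is created inside WaitForNextEvent, so a denial surfaces here.
    $log = $watcher.WaitForNextEvent().TargetInstance
    '{0}  id={1}  source={2}' -f $log.TimeGenerated, $log.EventIdentifier, $log.SourceName
}
catch {
    $ex = $_.Exception.GetBaseException()
    if ($ex -isnot [System.Management.ManagementException]) { throw }
    if ($ex.ErrorCode -eq [System.Management.ManagementStatus]::AccessDenied) {
        # 0x80041003: the privilege is not held by the account, or was not enabled.
        Write-Warning 'Access denied: check the account for SeSecurityPrivilege on the target.'
    }
    elseif ($ex.ErrorCode -eq [System.Management.ManagementStatus]::Timedout) {
        Write-Warning 'Subscription accepted, but no matching event arrived within 60 seconds.'
    }
    else { throw }
}
finally {
    $watcher.Stop()    # cancel the subscription on the server
}
```

A timeout warning rather than an access-denied warning means the subscription itself was accepted, which separates the privilege question from the namespace and DCOM permissions listed in the post.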
