RE: VB.net WMI Win32_NtlogEvent problem, please help

From: MarkD VIT_at_UK (VIT_at_UK)
Date: 09/11/04


Date: Sat, 11 Sep 2004 04:57:04 -0700

Hello Jason,

I am not an expert on this but I have written some vb.net code to do
something similar. My understanding is that even if you run this with an
administrative level account some security permissions are not enabled
unless you explicitly do so.

The line "watcher.Scope.Options.EnablePrivileges = True" allows me to do the
same type of thing.

I have been running this code on Win XP SP1, Win XP SP2, Win2003, Win2000
Server under .Net 1.1 without any problems. I have upgraded a few test
machines for .Net 1.1 SP1 and I now have security related problems (access
denied on the watcher start command).

The access denied is driven by trying to access the "security" logfile.
This may be the case for you. I have used the command

 Dim q As New WqlEventQuery( _
                    "__InstanceCreationEvent", _
                    New TimeSpan(0, 0, 10), _
                    "TargetInstance ISA ""Win32_NTLogEvent"" " & _
                    "and (" & _
                    "TargetInstance.LogFile = ""Audit Success"" or " & _
                    "TargetInstance.LogFile = ""Audit Failure"" or " & _
                    "TargetInstance.LogFile = ""Application"" or " & _
                    "TargetInstance.LogFile = ""System"" " & _
                    ")")

which explicitly identifies the logfiles of interest (and does not require
EnablePrivileges to be set to true).

I hope this helps,
Mark

"Jason80" wrote:

> First I wrote some VBScript to get info from OS, and now I wrote some code
> in VB.Net, and I have a problem now.
>
>
>
> Look at this script in vbs
>
> List1.vbs:
>
> strComputer = "."
>
> Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
>
> strWQL = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE " & _
>     "TargetInstance ISA ""Win32_NTLogEvent"" "
>
> Set colMonitoredEvents = objWMIService.ExecNotificationQuery(strWQL)
>
> Do
>     Set objLatestEvent = colMonitoredEvents.NextEvent
>     Wscript.Echo "OK"
> Loop
>
>
>
> I use it to register for Win32_NTLogEvent, so that I can get some info
> when a new log is written into the logfiles. List1 works very well on Windows
> 2003 Server, but when I try it on Windows 2000 Server, it echoed the
> connection was refused.
>
>
>
> So I edited it into List2,
>
>
>
> strComputer = "."
>
> Set objWMIService = GetObject("winmgmts:" & _
>     "{impersonationLevel=impersonate, (Security)}!\\" & strComputer & "\root\cimv2")
>
> Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
>     ("Select * from __instancecreationevent WITHIN 5 where TargetInstance isa 'Win32_NTLogEvent' ")
>
> Do
>     Set objLatestEvent = colMonitoredEvents.NextEvent
>     Wscript.Echo "OK"
> Loop
>
>
>
> and List2 works well on Windows 2000. I noticed the security setting so when I
> wrote the code (List3) in vb.net, I added
>
> " watcher.Scope.Options.Impersonation = ImpersonationLevel.Impersonate
>
> watcher.Scope.Options.Authentication = AuthenticationLevel.Default
>
> " options in the vb.net code, but the bin still can not run on windows2000,
> while it works well on Server2003.
>
>
>
> I am puzzled! :(
>
>
>
> List3:
>
>
> Imports System.Management
>
> Module Module1
>
>     Sub Main()
>         Dim eventQuery As New EventQuery( _
>             "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' ")
>
>         'Initialize an event watcher object with this query
>         Dim watcher As New ManagementEventWatcher
>         watcher.Scope.Path.Server = "."
>         watcher.Scope.Path.Path = "\\.\root\CIMV2"
>         watcher.Scope.Path.NamespacePath = "root\CIMV2"
>         watcher.Scope.Options.Impersonation = ImpersonationLevel.Impersonate
>         watcher.Scope.Options.Authentication = AuthenticationLevel.Default
>         watcher.Scope.Options.EnablePrivileges = False
>         watcher.Query = eventQuery
>
>         'Attach the handler before starting so that no event is missed
>         Dim handler As New EventHandler
>         AddHandler watcher.EventArrived, AddressOf handler.HandleEvent
>
>         watcher.Start()
>         MsgBox("Listening started!")
>
>         System.Threading.Thread.Sleep(-1)
>     End Sub
>
> End Module
>
> Public Class EventHandler
>
>     Public Sub HandleEvent(ByVal sender As Object, ByVal e As EventArrivedEventArgs)
>         Console.Write("OK")
>     End Sub
>
> End Class
>
>
>
> but after I changed the Query String to :
>
> 'Dim eventQuery As New EventQuery("SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' and TargetInstance ='Application' ")
>
>
>
> The bin could run well under windows2000 too, but if you change the
> targetinstance to Security, you get the access denied message again.
>
>
>
> So finally I have two questions:
>
> Why can I not register to the Win32_NtlogEvent, but I can register to the
> application part in Win32_ntlogevent?
>
> Is that a security problem?
>
> Thank you for your time.
>
>
>
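
Added example, not part of the original thread or either poster's code: a VB.NET watcher that combines the two approaches discussed above. It scopes the WQL condition to named logs and turns on EnablePrivileges only when the Security log is among them, since WMI requires the caller's security privilege to be enabled before it delivers Security log events. The module name, the BuildCondition and OnEvent helpers and the sample log list are assumptions made for illustration.

```vb
Imports System
Imports System.Management

Module LogWatcherExample

    ' Build a WQL condition restricted to the named event logs (hypothetical helper).
    Function BuildCondition(ByVal logFiles As String()) As String
        Dim parts(logFiles.Length - 1) As String
        For i As Integer = 0 To logFiles.Length - 1
            parts(i) = "TargetInstance.LogFile = """ & logFiles(i) & """"
        Next
        Return "TargetInstance ISA ""Win32_NTLogEvent"" and (" & _
               String.Join(" or ", parts) & ")"
    End Function

    ' Print a few properties of each newly written log record.
    Sub OnEvent(ByVal sender As Object, ByVal e As EventArrivedEventArgs)
        Dim entry As ManagementBaseObject = _
            CType(e.NewEvent("TargetInstance"), ManagementBaseObject)
        Console.WriteLine("{0}: event {1} from {2}", _
            entry("LogFile"), entry("EventCode"), entry("SourceName"))
    End Sub

    Sub Main()
        ' Constructed sample input: the logs this run should watch.
        Dim logs As String() = {"Application", "System"}

        ' Least privilege: ask for privileges only if Security is requested.
        Dim needsSecurity As Boolean = False
        For Each name As String In logs
            If String.Compare(name, "Security", True) = 0 Then needsSecurity = True
        Next

        Dim options As New ConnectionOptions()
        options.Impersonation = ImpersonationLevel.Impersonate
        options.EnablePrivileges = needsSecurity

        Dim scope As New ManagementScope("\\.\root\cimv2", options)
        Dim query As New WqlEventQuery("__InstanceCreationEvent", _
            New TimeSpan(0, 0, 10), BuildCondition(logs))
        Dim watcher As New ManagementEventWatcher(scope, query)

        ' Attach the handler before Start so no event is dropped.
        AddHandler watcher.EventArrived, AddressOf OnEvent
        watcher.Start()
        Console.WriteLine("Listening; press Enter to stop.")
        Console.ReadLine()
        watcher.Stop()
    End Sub

End Module
```

Adding "Security" to the sample list switches EnablePrivileges on; the account running the program must still hold the right to manage the auditing and security log for the subscription to succeed.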


