Granting remote user (non admin) the ability to enumerate services in Win32_Service in namespace cimv2 using WMI & C#

Problem description

I'm creating a watch dog service that will be monitoring other services on various remote servers (all in the same domain). The user that I'm using to connect to the remote servers is not an admin. When I try to enumerate the services in the Win32_Service class, I get an access denied error.

I've given the user 'Remote Enable' & 'Enable Account' permissions to the Root\CIMV2 namespace in the WMI Control.

I am able to connect to the server with the following code. The object ServiceListItem is just a simple class that contains the server name and the service name:

using System.Diagnostics;
using System.Management;
using System.Security;

// Build the password as a SecureString (placeholder credentials).
SecureString secureString = new SecureString();

foreach ( char c in "password" )
{
    secureString.AppendChar( c );
}

ConnectionOptions connectionOptions = new ConnectionOptions();

connectionOptions.Username = "domain\\user";
connectionOptions.SecurePassword = secureString;

foreach ( ServiceListItem service in _serviceList )
{
     // Connect to root\cimv2 on the remote server with the non-admin account.
     ManagementScope managementScope = new ManagementScope( String.Format( @"\\{0}\root\cimv2", service.ServerName ), connectionOptions );
     managementScope.Connect();

     //RelatedObjectQuery relatedObjectQuery = new RelatedObjectQuery( String.Format( "Win32_Service.Name='{0}'", service.ServiceName ) );
     //ManagementObjectSearcher objectSearcher = new ManagementObjectSearcher( managementScope, relatedObjectQuery );

     ObjectQuery objectQuery = new ObjectQuery( "SELECT * FROM Win32_Service WHERE Name = '" + service.ServiceName + "'" );
     ManagementObjectSearcher objectSearcher = new ManagementObjectSearcher( managementScope, objectQuery );

     ManagementObjectCollection objectCollection = objectSearcher.Get();

     // Enumerating the collection is where the 'Access Denied' exception is thrown.
     foreach ( ManagementObject managementObject in objectCollection )
     {
          string serviceStatus = managementObject.Properties["State"].Value.ToString();
          Debug.Print(service.ServiceName + " - " + serviceStatus);
          //break;
     }
}

The managementScope.Connect() runs fine, which means the wmi security on cimv2 is set up correctly. However, when I try to enumerate the objectCollection, I get the 'Access Denied' exception. This tells me (I think) that the user doesn't have permissions to enumerate the Win32_Service class (SC_MANAGER_ENUMERATE_SERVICE).

I just haven't been able to find any good examples on how to enable that permission for a remote user. I'm not very experienced when it comes to coding with Windows APIs, so please be as detailed as possible in your answers :)

Recommended answer

Trying to find the same answer myself today, I've been doing a lot of googling. After a good half hour of incantations, I found this MSDN article (907460) which uses sc sdset. It seems to work so far, even though the security descriptor is for Windows Server 2003. I've found you can do sc sdshow SCMANAGER to get the current value, so when back in the office tomorrow I'll be comparing and contrasting to make sure I've not locked something out I shouldn't have :-)

For completeness, the notes in KB907460 (in case it moves/goes away):

Symptoms: After you install Microsoft Windows Server 2003 Service Pack 1 (SP1), non-administrators cannot remotely access the Service Control Manager.

Cause: Windows Server 2003 SP1 changes the Service Control Manager default security settings.

Resolution: To resolve this issue, use version 5.2.3790.1830 of the Sc.exe tool. This tool is located in the %windir%\System32 folder. To do this, follow these steps:

  • Click Start, click Run, type cmd, and then click OK.
  • Type the following command at the command prompt, and then press ENTER:

sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
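
The compare-and-contrast step the answer mentions, as an added PowerShell example (not part of the original answer or of KB907460): it backs up the current SCM descriptor, decodes each DACL entry into Service Control Manager rights, and shows which entries `sdset` would drop or add. It assumes an elevated prompt on the target server; the backup file name is hypothetical.

```powershell
# Added example. SCM-specific access bits from winsvc.h, keyed by mask value.
$ScmRights = @{
    0x00001 = 'SC_MANAGER_CONNECT'              # SDDL: CC
    0x00002 = 'SC_MANAGER_CREATE_SERVICE'       # SDDL: DC
    0x00004 = 'SC_MANAGER_ENUMERATE_SERVICE'    # SDDL: LC
    0x00008 = 'SC_MANAGER_LOCK'                 # SDDL: SW
    0x00010 = 'SC_MANAGER_QUERY_LOCK_STATUS'    # SDDL: RP
    0x00020 = 'SC_MANAGER_MODIFY_BOOT_CONFIG'   # SDDL: WP
    0x10000 = 'DELETE'                          # SDDL: SD
    0x20000 = 'READ_CONTROL'                    # SDDL: RC
    0x40000 = 'WRITE_DAC'                       # SDDL: WD
    0x80000 = 'WRITE_OWNER'                     # SDDL: WO
}

function Get-ScmDacl {
    param([Parameter(Mandatory)][string]$Sddl)
    # Parse the SDDL string and emit one object per DACL entry.
    $sd = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        $mask = $ace.AccessMask
        $names = $ScmRights.Keys | Sort-Object |
            Where-Object { $mask -band $_ } |
            ForEach-Object { $ScmRights[$_] }
        [pscustomobject]@{
            Trustee = $ace.SecurityIdentifier.Value
            AceType = $ace.AceType
            Mask    = '0x{0:X}' -f $mask
            Rights  = $names -join ', '
        }
    }
}

# Use sc.exe explicitly: in Windows PowerShell, "sc" is an alias for Set-Content.
$current  = ((sc.exe sdshow scmanager) | Where-Object { $_.Trim() }) -join ''
# Descriptor from KB907460 as quoted in the answer.
$proposed = 'D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)'

# Keep the original descriptor so it can be restored later with sc.exe sdset.
Set-Content -Path .\scmanager-sddl.bak -Value $current   # hypothetical file name

# "<=" rows exist only in the current DACL (sdset would drop them);
# "=>" rows exist only in the KB descriptor (sdset would add them).
Compare-Object @(Get-ScmDacl $current) @(Get-ScmDacl $proposed) -Property Trustee, AceType, Mask, Rights |
    Sort-Object Trustee, SideIndicator | Format-Table -AutoSize
```

In the KB descriptor, the `LC` right on the `AU` (Authenticated Users, S-1-5-11) entry is `SC_MANAGER_ENUMERATE_SERVICE`, the permission the question identifies as missing.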
