Wednesday, November 19, 2014

HOW TO FIX THE WMI OR REGISTRY ACCESS DENIED ERROR

Starting with Windows Vista, Microsoft introduced User Account Control (UAC). For domain accounts, ensuring the service account is added to the local administrators group on the remote machine should still be sufficient. For machines that are not on a domain (Workgroup machines) or other situations requiring the use of pass-through security, additional configuration may be necessary.

The problem that arises now is with UAC. When a remote connection is made using pass-through security the machine is unable to resolve elevated permissions under UAC, and for WMI and registry purposes the account is treated as a regular (non-admin) user even if the account exists in the local administrators group.

More information can be found at the following URL under the section entitled “Handling Remote Connections Under UAC”: http://msdn.microsoft.com/en-us/library/aa826699(VS.85).aspx

Make the following configuration changes to support

1.) Change the authentication level for WMI in DCOM (using DCOMCNFG.exe) to 'Packet' from 'Connect'.

As with any registry modification and/or change to security there are associated risks. These are outlined in the Microsoft article, and it should be reviewed prior to making any changes.

Finally, because of these security issues and the risks associated with the changes needed to support this configuration, make sure you evaluate the changes for your environment.




Here is an additional link listing the DCOM impersonation and authentication setting requirements: http://msdn.microsoft.com/en-us/library/aa389284(v=VS.85).aspx

If the connection is remote, you also need to make the following registry change:

2.) Disable remote UAC as specified in the URL mentioned above: “Disabling Remote UAC by changing the registry entry that controls Remote UAC is not recommended, but may be necessary in a workgroup.

The registry entry: HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Policies/system/LocalAccountTokenFilterPolicy.

When the value of this entry is zero (0), Remote UAC access token filtering is enabled. When the value is 1, remote UAC is disabled.”

This is a REG_DWORD value, and you will likely need to create the new value as it is not there by default.

Reboot the machine, and both local and remote WMI queries should start to work.
If it still does not work in the remote connection scenario, check your Windows Firewall settings.
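The registry check and change from step 2 as a PowerShell sketch. This is an added example, not part of the original post; the function names and parameters are hypothetical. It reads the current state first so the previous value is recorded and the change can be reverted by setting 0.

```powershell
# Added example: audit and (optionally) change Remote UAC token filtering.
# Function names are hypothetical; run the Set- function from an elevated prompt.
$Key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Name = 'LocalAccountTokenFilterPolicy'

function Get-RemoteUacFilterState {
    # Read-only: report whether the value exists, its type, and what it means.
    $item = Get-Item -Path $Key -ErrorAction Stop
    if ($item.GetValueNames() -notcontains $Name) {
        # The value is not there by default, so token filtering is in effect.
        return [pscustomobject]@{ Present = $false; Kind = $null; Value = $null
                                  State = 'Filtering enabled (value absent)' }
    }
    $value = $item.GetValue($Name)
    $state = switch ($value) {
        0       { 'Filtering enabled' }
        1       { 'Filtering disabled (Remote UAC off)' }
        default { 'Unexpected value, review manually' }
    }
    [pscustomobject]@{
        Present = $true
        Kind    = $item.GetValueKind($Name)   # should be DWord
        Value   = $value
        State   = $state
    }
}

function Set-RemoteUacFilterState {
    # 1 disables Remote UAC filtering (the workgroup workaround); 0 restores it.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)

    $before = Get-RemoteUacFilterState
    if ($PSCmdlet.ShouldProcess("$Key\$Name", "Set REG_DWORD to $Value")) {
        # -Force creates the value if missing and overwrites it if present.
        New-ItemProperty -Path $Key -Name $Name -PropertyType DWord `
                         -Value $Value -Force | Out-Null
    }
    [pscustomobject]@{ Before = $before; After = Get-RemoteUacFilterState }
}

# Audit only; nothing is changed by this call.
Get-RemoteUacFilterState
```

Running `Set-RemoteUacFilterState -Value 1 -WhatIf` previews the change without writing it, and the `Before` object in the output is the state to restore once the workaround is no longer needed.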


Some other useful tools to debug WMI issues:

wbemtest
wmidiag.exe - WMI Diagnosis Utility

Monday, November 10, 2014

If Task Scheduler does not wake your computer

I had to waste half an hour to make this simple scheduled task work. I thought I should document this here.

Step 1: Make sure your power settings are set to allow sleep timer.

Go to power options -> plan settings -> change advanced power settings -> sleep -> allow sleep timers. (Do this for all power options.)



Set the task to run with highest privileges and, under Conditions, to wake the computer to run this task.


"Run whether user is logged on or not": "If this radio button is selected, tasks will not run interactively. To make a task run interactively, select the Run only when user is logged on radio button." I guess the concept here is that a task requiring a user interface is simply not going to be allowed to present that user interface to a different user (or to someone passing by the computer when no user is logged on).

See below screen snapshots: