Access Denied - get-wmiobject win32_service (Powershell)

    Question

  • Getting this error when doing get-wmiobject win32_service on the local computer, but not on a remote computer.
    This happens only when running under Windows Task Scheduler and a domain account; works fine when I run it interactively.

    11/13/2013 11:35:37 TRCW1 using local computer
    11/13/2013 11:35:37 TRCE1 System.Management.ManagementException: Access denied
       at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
       at System.Management.ManagementObjectCollection.ManagementObjectEnumerator.MoveNext()
       at Microsoft.PowerShell.Commands.GetWmiObjectCommand.BeginProcessing()

    In PowerShell code (the following is looping through a collection of servers and service names):


    $error.clear()  #clear any prior errors, otherwise same error may repeat over-and-over in trace 
    if ($LocalServerName -eq $line.ServerName)
        {
           # see if not using -ComputerName on local computer avoids the "service not found" error 
           Add-Content $TraceFilename "$myDate TRCW1 using local computer " 
           $Service = (get-wmiobject win32_service -filter "name = '$($line.ServiceName)'")
        }
    else 
        {
           Add-Content $TraceFilename "$myDate TRCW2 using remote computer $($line.ServerName) not eq $LocalServerName" 
           $Service = (get-wmiobject win32_service -ComputerName $line.ServerName -filter "name = '$($line.ServiceName)'")
        }
    
    if ($error.Count -gt 0)   # $error is a collection; test its count rather than comparing it to $null
    {
        Write-Host "----> $($error[0].Exception) " 
        Add-Content $TraceFilename "$myDate TRCE1 $($error[0].Exception)" 
    }

    I'm reading a CSV of server names. I finally added the exception logic, to find I'm getting an "Access Denied". This was only happening on the local server. Seems almost backwards, the local server fails, whereas the remote servers work fine. I even changed logic to test to see if it was the local server, then tried leaving off the -ComputerName parms on the WMI (as shown in code above), and still getting error.

    So far, my research shows the answer may lie with

    set-item trustedhosts

    But my main question is whether trustedhosts is applicable to local servers, or only remote servers. Wouldn't a computer always trust itself? Does it still use remoting to talk to itself?

    This server apparently was part of a cluster a long time before I got here, and now it's not.

    I'm also suspicious of that.

    When I run interactively the script works fine, it's only when I schedule it and run it under a service account that it fails with the access denied. The Service Account is local Admin on that box.

    I'm using get-wmiobject win32_service instead of get-service because it returns extra info I need to lookup the process, and date/time the service was started using another WMI call.

    Running on Win 2008/R2. I have just verified that the problem happens on more than one server. [I took the scripts and ran them on another server.] My CSV input includes a list of servers to monitor. The ones outside of my own server always return results. The ones to my own server, that omit the -ComputerName fail. (I have tried with and without the -ComputerName parm for the local server).


    Thanks,
    Neal Walters



    • Edited by Neal Walters Thursday, November 14, 2013 4:19 PM
    Thursday, November 14, 2013 4:18 PM

Answers

All replies

  • Hi,

    Based on my understanding, this issue should be caused by the account that is used to run the scheduled task. I would like to suggest you choose another admin account and then check the result. If the issue persists, then how about choosing "Run with highest privileges" under Security options for the scheduled task?

    Regards,

    Yan Li

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.



    Friday, November 15, 2013 2:29 AM
    Moderator
  • You can use the WMIDiag utility to troubleshoot the issue further.

    http://www.microsoft.com/en-us/download/details.aspx?id=7684

    Hope this helps


    Knowledge is Power{Shell}.

    Friday, November 15, 2013 8:42 AM
  • Hi,

    Any update about the issue? Please let us know if you would like further assistance.



    Regards, Yan Li

    Monday, November 18, 2013 6:58 AM
    Moderator
  • I am running with "Highest Privileges" box checked.

    What access do I need to grant to this userid (service account) to get it to work?

    Thanks,
    Neal

    Wednesday, November 20, 2013 5:40 PM
  • Hi,

    Since the issue is related to permissions, please try performing the steps below:

    1. Check running PowerShell with elevated privileges

    2. EnableAllPrivileges

    3. Add the permission to the corresponding registries

    http://msmvps.com/blogs/richardsiddaway/archive/2011/08/04/authentication-impersonation-and-privileges.aspx

    Thanks,

    Steven Song


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.


    Thursday, November 28, 2013 4:54 PM
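
A diagnostic sketch for the checks suggested in this reply, added here as an example; it is not code from the thread or from any poster. It is meant to be run as the scheduled task's action under the same service account, so the log shows the identity, elevation state and token privileges the task actually gets, and whether the local `Win32_Service` query behaves differently with `-EnableAllPrivileges`. `$TraceFile`, `$ServiceName` and the `Write-Trace` helper are assumptions made for the example.

```powershell
# Added diagnostic sketch (not from the thread). Run it as the scheduled task's action
# under the same service account that gets "Access denied".
$TraceFile   = "$env:TEMP\wmi-task-diag.log"   # assumption: any path the account can write to
$ServiceName = 'Spooler'                        # assumption: a service that exists locally

# Hypothetical helper: timestamped line appended to the trace file.
function Write-Trace([string]$Message) {
    Add-Content -Path $TraceFile -Value ("{0:s} {1}" -f (Get-Date), $Message)
}

# 1. Which identity is the task really running as, and is the token elevated?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Trace "User=$($identity.Name) ImpersonationLevel=$($identity.ImpersonationLevel) Elevated=$isAdmin"

# 2. Privileges present in the token (whoami.exe ships with Windows).
whoami /priv | ForEach-Object { Write-Trace "PRIV $_" }

# 3. Run the local query without and with -EnableAllPrivileges and record each outcome.
$attempts = @(
    @{ Label = 'default';             Params = @{} },
    @{ Label = 'EnableAllPrivileges'; Params = @{ EnableAllPrivileges = $true } }
)
foreach ($attempt in $attempts) {
    $params = $attempt.Params
    try {
        # -ErrorAction Stop makes the failure catchable per call instead of reading global $error.
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name = '$ServiceName'" -ErrorAction Stop @params
        Write-Trace "$($attempt.Label): OK State=$($svc.State) ProcessId=$($svc.ProcessId)"
    }
    catch {
        # ErrorCode is populated for System.Management.ManagementException; blank otherwise.
        $ex = $_.Exception
        Write-Trace "$($attempt.Label): $($ex.GetType().Name) ErrorCode=$($ex.ErrorCode) $($ex.Message)"
    }
}
```

Comparing the log from a scheduled run with the log from an interactive run of the same script shows which of the three items differs between the two contexts.
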
  • Hi,

    It has been some days, would you please let me know how it is going on your side?

    Thank you.

    Best regards,

    Steven Song



    Friday, December 13, 2013 5:32 AM