locked
Powershell in windows service not able to get results from WMI objects RRS feed

  • Question

  • We have a windows service which is running under a account that is not part of local admin. With in the service we call a powershell file using processstartinfo. With in powershell file we call the WMI class

    "$AVGCPU = Get-WmiObject  win32_processor | Measure-Object -property LoadPercentage -Average | Select-object -expand Average"

    The above code always returns 0. When i make the user as local admin then the cpu usage value is returned. Also when i run the same code in powershell launched under the same user account (without giving local admin privileges), i am able to get the value for CPU usage. Its only when the cmdlets is called from windows service i am getting this problem. Due to security restriction, i cannot make the user as local administrator. Any idea what rights should be given to the user that WMI class return value when called from windows service. Service is running in windows 2008 R2 server 

    Friday, October 12, 2018 7:41 AM

Answers

  • Close but not the best.  Add user to the "Performance Monitor Users" group.  The WMI call also makes a call to the perf subsystem to read the performance values.  By default interactive users can read perf stats but non-interactive users must be granted this privilege. 

    Yes - debug will also grant this but it also allows an account to manage other processes and is a security risk.

    I had to test this to figure it out so my answer has been tested.  Without this group the results are always zero.


    \_(ツ)_/

    Friday, October 12, 2018 7:17 PM

All replies

  • In addition, if i run the windows service as system user, i am getting the CPU usage value. This has to be something related to access rights. Does any have any idea on this
    Friday, October 12, 2018 6:10 PM
  • Certainly not the best way, but try giving the account "debug programs" permission in the local security policy. The downside of this is that it gives that account the ability to invade other processes.

    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    Friday, October 12, 2018 7:00 PM
  • Close but not the best.  Add user to the "Performance Monitor Users" group.  The WMI call also makes a call to the perf subsystem to read the performance values.  By default interactive users can read perf stats but non-interactive users must be granted this privilege. 

    Yes - debug will also grant this but it also allows an account to manage other processes and is a security risk.

    I had to test this to figure it out so my answer has been tested.  Without this group the results are always zero.


    \_(ツ)_/

    Friday, October 12, 2018 7:17 PM
  • Thanks a lot and you have saved my day. 
    Monday, October 15, 2018 2:52 PM