Querying CCM_Application as LocalSystem RRS feed

  • Question

  • If I run the following query against WMI:

    Select * from CCM_Application where InstallState = "Installed"

    when run as a local account (elevated) I get back, say 26 results, when run as the LocalSystem account (from a Windows Service), I get back less.

    On some PCs it's just 1 less, on others it's say 10 results less, but no error or failure, just a different number of results. And it's always SYSTEM which has less, never the user query which has less.

    How can I resolve this so that running as SYSTEM gives me back all the data? Or is there another way to get this data which will give me all results as system?

    • Edited by adurrans Tuesday, November 10, 2020 1:58 PM
    Tuesday, November 10, 2020 1:35 PM


  • This was caused by some applications being targeted to the user instead of the machine.

    The only way I found to resolve this issue was to impersonate the currently logged in user in order to make this WMI call. I did this with a the following native windows APIs:
    in order to get a token to the currently logged in user (the user with the open console session on the machine). Then assuming these return okay then a call to :
    to impersonate that user token, then we call the WMI query under that impersonation. Once the WMI call comes back, we then call:
    So the service could continue and do other actions. Seems to work fine and give the same results as running as elevated user.
    • Marked as answer by adurrans Monday, November 23, 2020 11:31 AM
    Monday, November 23, 2020 11:31 AM