local WMI "Access Denied"

  • Question

  • I'm trying to query MSFT classes under a non-admin user

    Windows PowerShell
    Copyright (C) 2014 Microsoft Corporation. All rights reserved.

    PS C:\Users\john.doe> Get-WmiObject -Query "SELECT * FROM MSFT_Disk" -Namespace Root/Microsoft/Windows/Storage
    Get-WmiObject : Access denied
    At line:1 char:1
    + Get-WmiObject -Query "SELECT * FROM MSFT_Disk"  -Namespace Root/Microsoft/Window ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
        + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

    PS C:\Users\john.doe>

    1. I did all the steps mentioned in https://social.technet.microsoft.com/Forums/lync/en-US/4f33837b-1cb1-4648-85b1-3ba87cbfe93e/wmi-remote-quotaccess-deniedquot?forum=winserverManagement answer.

    2. I can query other namespaces like CIMv2

    3. I verified that 'Root/Microsoft/Windows/Storage' namespace security has all the checkboxes set for john.doe user (domain user)

    It looks like the Root/Microsoft/Windows/* namespace requires some additional permissions (I get access denied for MSFT_SmbConnection too, for example), but I cannot figure out what permissions.

    Friday, August 16, 2019 2:04 PM

All replies

  • Discovered that querying MSFT_Volume works fine, but MSFT_Disk causes Access Denied


    Tuesday, August 20, 2019 2:23 PM
  • Hi Igor,

    I've been working on a similar topic for a few weeks.

    I've encountered the same issue on the MSFT_SMBConnection class under Root/Microsoft/Windows/SMB.

    1. Check using compmgmt > WMI panel if your account is allowed on the Microsoft WMI namespace (you can choose to allow the account on the Root/Microsoft/Windows/Storage namespace or, more generally, the Root/Microsoft namespace & subnamespaces).

    2. Sometimes, a WMI class will require SeTcbPrivilege (Act as part of operating system). You can check in your security event log if any SeTcbPrivilege was required by your non-admin account. This can be set by local GPO.

    3. More funny: in some cases, the SDDL is just not present in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\SecuredHostProviders. To check if the operating system is looking for any security descriptor without success, download Sysinternals Process Explorer (available on the Microsoft website), and trace system events during command line execution (keep in mind it will be really verbose).

    Tuesday, August 27, 2019 4:41 PM
  • I tried to use Process Monitor to trace what happens when I execute

    Get-WmiObject -Query "SELECT * FROM MSFT_Disk"

    I found only 1 access denied. I have granted access and am still getting access denied. No Denies in Process Monitor.

    Friday, September 6, 2019 3:16 PM
    1. From the Start Menu, choose "Run"
    2. Enter wmimgmt.msc
    3. Right-click "WMI-Control (Local)" and choose Properties
    4. Go to "Security" tab.
    5. Navigate to: root/microsoft/windows/storage/
    6. Check permissions at this level by clicking to highlight "Storage", and then click "Security" button in the lower right. Dig deeper if needed. I didn't find a sub-item for MSFT_Disk on the machine I'm working on at the moment.
    Monday, September 9, 2019 3:22 AM
  • That is what I did as first step. 
    Monday, September 9, 2019 7:58 AM
  • Ok. I see. Do you get the same error with this command/query?
    Get-WmiObject -Namespace root/Microsoft/Windows/Storage -Class MSFT_Disk

    Monday, September 9, 2019 12:43 PM
  • Same error, as expected.

    Setting the SeTcbPrivilege privilege for the user solves the problem in Windows 2016, but not in 2012

    Monday, September 9, 2019 1:54 PM
  • This post may be helpful: https://helpdesk.kaseya.com/hc/en-gb/articles/229043428-Configuring-a-regular-non-admin-user-account-for-WMI-monitoring
    Tuesday, September 10, 2019 3:43 AM
  • Unfortunately it didn't help (and all the steps except the last one were done by me already). 

    So far I found that the following classes are not accessible in Windows 2012 for some reason

    MSFT_Disk
    MSFT_DiskToPartition
    MSFT_Partition
    MSFT_PartitionToVolume
    MSFT_SmbConnection

    Tuesday, September 10, 2019 2:03 PM
  • Have you tried the same changes with a different, non-admin, account?
    Wednesday, September 11, 2019 1:09 AM
  • Yes, I tried to recreate non-admin account several times.
    Wednesday, September 11, 2019 1:32 PM
  • Running the first command below on my machine revealed that MSFT_DISK is accessible in two locations; see 1 & 2 below.

    Get-WmiObject -Namespace root\microsoft\windows\storage -List -Recurse | Sort-Object Name
    
    1. root\microsoft\windows\storage\providers_v2
    2. root\microsoft\windows\storage

    Try this command instead with your non-admin account:

    Get-WmiObject -Namespace root\microsoft\windows\storage\providers_v2 -Query "SELECT * FROM MSFT_Disk"
    Thursday, September 12, 2019 2:53 AM
  • the result is 

    Get-WmiObject : Invalid class "MSFT_Disk"

    here is the result of first command execution https://pastebin.com/Nr2Gck1U

    Thursday, September 12, 2019 6:26 AM
  • Ok. Thanks for the update. Try adding the -EnableAllPrivileges switch parameter to the query:

    Get-WmiObject -Namespace root\microsoft\windows\storage -Query "SELECT * FROM MSFT_Disk" -EnableAllPrivileges

    '

    -EnableAllPrivileges

    Enables all the privileges of the current user before the command makes the WMI call.

    ' (source:  https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1)

    Thursday, September 12, 2019 12:38 PM
  • Thursday, September 12, 2019 12:48 PM
  • Hmmm... This is quite a mystery... Although the cimv2 queries are working, I'm wondering if there are additional permissions required at that level that affect the .../storage queries. Do the root/cimv2 permissions match for both admin and non-admin accounts?

    I've been searching for a way to query all wmi permissions via PowerShell to make this comparison quicker & easier, but it does not look like there is a straightforward way to do that :(

    Thursday, September 12, 2019 12:57 PM
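One way to dump WMI namespace permissions from PowerShell for the admin/non-admin comparison wished for above. This is an added example, not code from the thread; the function name Get-WmiNamespaceAcl and its output column names are made up here, and it assumes an elevated session, because reading a namespace security descriptor requires the Read Security right on that namespace. It reports namespace-level ACEs only, including whether each ACE applies to sub-namespaces.

```powershell
# Added example: list the DACL of a WMI namespace (and optionally its children).
function Get-WmiNamespaceAcl {
    param(
        [string]$Namespace = 'root\Microsoft\Windows\Storage',
        [switch]$Recurse
    )
    # WMI namespace access-mask bits, labelled as in the wmimgmt.msc Security dialog.
    $rightsMap = @{
        0x1 = 'EnableAccount'; 0x2 = 'ExecuteMethods'; 0x4 = 'FullWrite'
        0x8 = 'PartialWrite';  0x10 = 'ProviderWrite'; 0x20 = 'RemoteEnable'
        0x20000 = 'ReadSecurity'; 0x40000 = 'EditSecurity'
    }
    # __SystemSecurity is the per-namespace singleton that holds the descriptor.
    $sd = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' `
        -Name GetSecurityDescriptor -ErrorAction Stop
    if ($sd.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor failed on $Namespace (code $($sd.ReturnValue))"
    }
    foreach ($ace in $sd.Descriptor.DACL) {
        $rights = $rightsMap.Keys | Sort-Object |
            Where-Object { $ace.AccessMask -band $_ } |
            ForEach-Object { $rightsMap[$_] }
        [pscustomobject]@{
            Namespace  = $Namespace
            Trustee    = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
            Type       = if ($ace.AceType -eq 1) { 'Deny' } else { 'Allow' }
            Rights     = $rights -join ','
            Inherited  = [bool]($ace.AceFlags -band 0x10)  # INHERITED_ACE
            AppliesSub = [bool]($ace.AceFlags -band 0x2)   # CONTAINER_INHERIT_ACE
        }
    }
    if ($Recurse) {
        # Child namespaces are instances of __NAMESPACE in the parent.
        Get-WmiObject -Namespace $Namespace -Class __NAMESPACE | ForEach-Object {
            Get-WmiNamespaceAcl -Namespace "$Namespace\$($_.Name)" -Recurse
        }
    }
}

# Compare what the non-admin account from the question holds at each level
# against the Administrators group.
Get-WmiNamespaceAcl -Namespace 'root\Microsoft\Windows\Storage' -Recurse |
    Where-Object { $_.Trustee -like '*john.doe' -or $_.Trustee -like '*Administrators' } |
    Sort-Object Namespace, Trustee |
    Format-Table -AutoSize
```

A Deny row, or an Allow row with AppliesSub set to False on a parent namespace, is the kind of difference this comparison is meant to surface.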
  • Some classes from the same namespaces are accessible 

    Thursday, September 12, 2019 1:02 PM
  • Maybe we need the access denied response to provide more information to guide our investigation... Wrap the command in a try block, and catch the exception. 

    try {
        Get-WmiObject -Namespace root\microsoft\windows\storage -Query "SELECT * from msft_disk" -ErrorAction Stop
    }
    catch {
        Write-Host $_.Exception.Message
    }


    • Edited by PremiumSource Thursday, September 12, 2019 1:22 PM Formatting
    Thursday, September 12, 2019 1:19 PM
  • System.Management.ManagementException: Access denied 
       at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
       at System.Management.ManagementObjectCollection.ManagementObjectEnumerator.MoveNext()
       at Microsoft.PowerShell.Commands.GetWmiObjectCommand.BeginProcessing()
    Thursday, September 12, 2019 1:31 PM
  • Thank you. Unfortunately, it didn't provide more info, but we can make a minor adjustment to force more details. Modify the catch block to this:

    catch [Exception] {
        Write-Output $_.Exception | Format-List -Force
    }

    This will print out all of the $_.Exception object's properties.

    Thursday, September 12, 2019 2:18 PM
  • ErrorInformation : System.Management.ManagementBaseObject
    ErrorCode        : AccessDenied
    Message          : Access denied 
    Data             : {}
    InnerException   : 
    TargetSite       : Void ThrowWithExtendedInfo(System.Management.ManagementStatus)
    StackTrace       :    at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
                          at System.Management.ManagementObjectCollection.ManagementObjectEnumerator.MoveNext()
                          at Microsoft.PowerShell.Commands.GetWmiObjectCommand.BeginProcessing()
    HelpLink         : 
    Source           : System.Management
    HResult          : -2146233087

    -2146233087 is 0x80131501

    Thursday, September 12, 2019 2:29 PM
  • I'm not at my computer, but when configuring security on the 'storage' namespace in the advanced settings, is there an option to recurse the permissions to sub-namespaces?
    Sunday, September 29, 2019 6:46 PM