WMI Permissions Troubleshooting

Tish post covers some common issues and ways that you can troubleshoot and recover from them - specifically rights and permissions.  We're not going to get into troubleshooting scripts - what we're looking at is troubleshooting WMI itself.  So without further ado, let's dive right in ... The first thing we're going to look at is […]

Tish post covers some common issues and ways that you can troubleshoot and recover from them - specifically rights and permissions.  We're not going to get into troubleshooting scripts - what we're looking at is troubleshooting WMI itself.  So without further ado, let's dive right in ...

The first thing we're going to look at is ensuring that the COM Security settings are configured correctly.  Oftentimes the default COM permissions may have been modified by application installations or GPO settings.  We covered the security aspects of COM / DCOM in an earlier post, titled COM and DCOM for Administrators.  Incorrectly configured permissions can cause WMI to fail.  We can use the built-in DCOMCNFG utility to verify the permissions as shown below:

W2K-DCOMCNFG-01 WXP-DCOMCNFG-01

Under the Default Launch Permissions you need to make sure that the following users / groups have the Allow Launch permission:  INTERACTIVE, SYSTEM and Administrators.  Under the Default Access Permissions ensure only the following accounts are listed:

Windows 2000Windows XP, Windows 2003
  1. Click Start, click Run, type dcomcnfg then click OK.
  2. Click the Default Security tab (shown below):

 

  1. Click Start, click Run, type dcomcnfg then click OK.
  2. Expand the Component Services node
  3. Expand the Computers node
  4. Right-click the My Computer node and then click Properties
  5. Click the COM Security tab (shown below:)

 

OSAccount
Windows 2000none
Windows XP RTM & SP1SYSTEM
Windows XP SP2 & Windows Server 2003SELF
SYSTEM

If these Access Permissions settings have been modified, then you need to ensure that the following users / groups have been explicitly granted Access Permission: INTERACTIVE, SYSTEM and Administrators.  As a shortcut, you can export the following registry key (so that you have a backup), and then delete the key & reboot, so that you restore the original default values:  HKLM\SOFTWARE\Microsoft\Ole\DefaultAccessPermission.  On Windows XP and Windows Server 2003, you can also export the following keys (again, so you have backups) and then delete the key & reboot so that the original default limits are restored: HKLM\SOFTWARE\Microsoft\Ole\MachineAccessRestriction & HKLM\SOFTWARE\Microsoft\Ole\MachineLaunchRestriction.

In addition, the WMI DCOM settings should also be checked - again, using the DCOMCNFG utility as before:

W2K-DCOMCNFG-02 WXP-DCOMCNFG-02

Verify the settings below against what is configured on the system:

Windows 2000Windows XP, Windows 2003
  1. Within DCOMCNFG, click the Applications tab. 
  2. Double-click the Windows Management Instrumentation tab (shown below):

 

  1. Within DCOMCNFG, expand the Computers node
  2. Expand the My Computer node
  3. Expand the DCOM Config node
  4. Right-click the Windows Management and Instrumentation object, and select Properties (shown below:)
SettingWindows 2000Windows XP / Windows Server 2003
Authentication LevelDefaultDefault
Launch PermissionsUse DefaultEveryone
Access PermissionsUse DefaultUse Default
Microsoft, Windows, Windows XP, Windows 2000, Windows 2003, WMI, Troubleshooting, Knowledgebase

Source:→ Performance Team Blog