I'm running into this issue wrt enabling WMI to query Service status on a remote server for a non-admin user (domain account). Event Type: Failure Audit Event Source: Security Event Category: Object Access Event ID: 560 Date: 2/19/2008 Time: 1:23:20 PM User: <domain\user> Computer: <machine> Description: Object Open: Object Server: SC Manager Object Type: SC_MANAGER OBJECT Object Name: ServicesActive Handle ID: - Operation ID: {0,740776537} Process ID: 460 Image File Name: C:\WINDOWS\system32\services.exe Primary User Name: <machine> Primary Domain: <domain> Primary Logon ID: (0x0,0x3E7) Client User Name: <user> Client Domain: <domain> Client Logon ID: (0x0,0x2C275796) Accesses: READ_CONTROL Connect to service controller Enumerate services Query service database lock state Privileges: - Restricted Sid Count: 0 Access Mask: 0x20015 The problem i'm trying to solve is to determine when a particular service deployed on a server goes down. The client app (.Net 2.0) is running in the context of a regular non-admin domain user & is using WMI to query the service status. Configuration: Server: Windows Server 2003 SP2 (SP1 exhibits similar behavior as well) Client: Windows XP SP2 [Btw, http://www.poweradmin.com/help/enableWMI.aspx lists the steps required on how to enable WMI for non-admin users] Specifically, this query fails: SELECT * FROM __InstanceModificationEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Service\" and TargetInstance.Name = \"FooService\""); But this one succeeds: SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" and TargetInstance.Name = \"FooService.exe\""); What permissions/privileges are required to enumerate and/or query service status for a non-admin user? While i can work around the issue by listening for __InstanceCreationEvent & __InstanceDeletionEvent events, it doesn't sound right especially if the process hosts more than one svc. Can anyone shed more light on this? TIA. chen
