I am trying to use WMI to query system information on some clients on our network. We have successfully used administrator users to accomplish this in C# but now we want to switch to users without admin permissions (just enough permissions to run wmi queries accross the network) due to security reasons.
I can successfully run wmi queries using powershell as a user without elevated admin permissions on a remote host using Get-WmiObject Win32_ComputerSystem -ComputerName pcname
I have an application trying to accomplish the same thing using C#:
The following snippet should use the user which runs the application without further authentication required:
CimSession session = CimSession.Create(hostname);
// A method called GetWMI(string query, string namespace) will then execute the wmi query on the remote machine
session.QueryInstances(namespace, "WQL", query)
I also tried using in-code authentication with dcomsettings (of course using the same user credentials which can perform the same request using powershell as seen above):
DComSessionOptions dComOptions = new DComSessionOptions();
dComOptions.Impersonation = ImpersonationType.Impersonate;
var password = new SecureString();
settings.WMIPassword.ToList().ForEach(x => password.AppendChar(x));
dComOptions.AddDestinationCredentials(new CimCredential(PasswordAuthenticationMechanism.Default, settings.WMIDomain, settings.WMIUsername, password));
CimSession session = CimSession.Create(hostname, dComOptions);
// A method called GetWMI(string query, string namespace) will then execute the wmi query on the remote machine
session.QueryInstances(namespace, "WQL", query)
Both of these ways end up throwing a CimException: Access Denied error.
Is there maybe another way to do this in C#? My research could not come up with anything that would work - maybe there is some way I don't know about yet.
We have sunk countless hours into research and debugging but nothing seems to work.
For future reference I have found some older posts regarding some similar issues (most information on the internet about wmi is over a decade old):
- WMI - Using a non admin account to query server
- The following is actually my own post regarding the same issue - it was resolved as we tried using administrator permissions on the remote machine which would work but we now need it to work with as little permissions as possible eg. no administrator Access Denied trying to gather WMI information using C# ASP.NET but works in powershell
- https://serverfault.com/questions/28520/which-permissions-rights-does-a-user-need-to-have-wmi-access-on-remote-machines/1105113#1105113
- WMI access denied error when query remote computer from ASP.NET
- "get-wmiobject win32_process -computername" gets error "Access denied , code 0x80070005"
- Delphi Wmi Query on a Remote Machine
I have tried all the suggestions from these posts - some of them seemed promising but turned out to not be the solution of my problem.
Here is a summary of what we tried:
- We granted all permissions in "wmimgmt.msc" to the root namespace and applied them to "This namespace and subnamespaces"
- We added the user to the Local "Distributed COM Users" group
- We added the user to the "Performance Monitor Users" and the "Remote Management Users" groups
- We checked for any firewall issues and can assure that that should not be the problem
- We also granted remote launch and activation permissions
Here is our configuration in "wmimgmt.mcs" which should apply to the root namespace and all namespaces below (it's in German but shows that all permissions should apply to all namespaces):
Furthermore I found an old post in the microsoft docs stating that this is actually impossible (which is hard to believe as I already got it to work using powershell): https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771551(v=ws.11)?redirectedfrom=MSDN
To perform this task on the local computer, you must be logged on as a member of the local Administrators group.
To perform this task on a remote computer, the account with which you are logged on must be a member of the Administrators group of that computer.
If there is anything more I can provide to clear things up please let me know.
Any leads would be highly appreciated - if any of my points in this post help other people in the future it was at least worth the research.