WMIWin32_Process.Create失败，权限不足-WMIWin32_Process.CreatefailswithInsufficientPrivs

I'm trying to run a simple cmd utility on a remote Windows server from within a Vbscript by invoking the Win32_Process class, like so:

我试图通过调用Win32_Process类在Vbscript中的远程Windows服务器上运行一个简单的cmd实用程序,如下所示:

serverIP = "10.0.0.3"
Set oWMI = GetObject("winmgmts:{impersOnationLevel=impersonate}!\\" & serverIP & "\root\cimv2:Win32_Process")
RunCommand = "cmd.exe /c echo hello >c:\hello.txt"
wscript.echo RunCommand
intReturn = oWMI.Create(RunCommand, Null, Null, intProcessID)  
wscript.echo intReturn
Select Case intReturn
        Case 0 Wscript.Echo "Successful"
        Case 2 Wscript.Echo "Access denied"
        Case 3 Wscript.Echo "Insufficient privilege"
        Case 8 Wscript.Echo "Unknown failure"
        Case 9 Wscript.Echo "Path not found"
        Case 21 Wscript.Echo "Invalid parameter"
        Case Else Wscript.Echo "Unable to execute for unknown reason"
End Select

This always fails with insufficient privs (return code 3).

这总是因为privs不足而失败(返回码3)。

Can anyone see what I'm doing wrong? The script is running from a cmd session invoked as a domain admin, so it should work fine, unless there's something about WMI security that I don't fully understand.

谁能看到我做错了什么?该脚本是从作为域管理员调用的cmd会话运行的,因此它应该可以正常工作,除非有一些我不完全理解的WMI安全性。

There will probably be people who suggest PSEXEC. I am aware of it and may fall back to it. But this seems like a solvable problem as is, and I'd rather not create dependencies on outside executables for this script.

可能会有人建议PSEXEC。我知道它,可能会回到它。但这似乎是一个可解决的问题,我宁愿不为此脚本创建外部可执行文件的依赖项。

I'll mention a few things I've tried.

我会提到一些我尝试过的东西。

• This fellow says there can be an issue if the profile is not loaded. I have the same problem even if the calling user (a domain admin) is logged into both systems.

这位研究员表示如果未加载配置文件可能会出现问题。即使主叫用户(域管理员)登录到两个系统,我也有同样的问题。

• In this thread, Richard Mueller notes that one should specify both impersOnationlevel=impersonate and authenticatiOnlevel=Pkt. I tried that. Still no go.

在这个主题中,Richard Mueller指出应该指定impersOnationlevel= impersonate和authenticatiOnlevel= Pkt。我试过了。仍然没有去。

• On this page it seems that one should specify the NT rights needed within the moniker. I have tried specifying SeInteractiveLogonRight, SeNetworkLogonRight, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, and SeChangeNotifyPrivilege. Nothing worked.

在这个页面上,似乎应该指定名字对象中所需的NT权限。我已经尝试指定SeInteractiveLogonRight,SeNetworkLogonRight,SeBackupPrivilege,SeRestorePrivilege,SeDebugPrivilege和SeChangeNotifyPrivilege。没有任何效果。

A common thread I have noticed in googling this, is that people are seeing this issue with some target computers but not others. So it seems to me that what's fundamentally missing is a full breakdown of the security privs one would need to accomplish this task. A lollipop will be gratefully sent to whomever can provide such a breakdown definitively!

我在谷歌搜索中注意到的一个共同点是人们看到这个问题与一些目标计算机而不是其他人。因此,在我看来,根本上缺少的是完成此任务所需的安全权限的完全分解。棒棒糖将被感激地发送给任何能够明确提供此类故障的人!

In vain hopes it will increase viewership, I'm going to add the .net tag here, since .net folks often deal with the same WMI issues and may have insight.

徒劳地希望它会增加收视率,我将在这里添加.net标签,因为.net人经常处理相同的WMI问题并且可能有洞察力。

Awww. Bump, this isn't going to become a tumbleweed is it?

噢。凹凸不平,这不会成为风滚草吗?

4 个解决方案

(Mon Jun 01 16:57:19 2009.2x) : ***************************************
(Mon Jun 01 16:57:19 2009.2x) : Could not get pointer to binary resource for file:
(Mon Jun 01 16:57:19 2009.2x) : C:\WINNT\system32\DRIVERS\wmiacpi.sys[MofResource](Mon Jun 01 16:57:19 2009.2x) : 
(Mon Jun 01 16:57:19 2009.2x) : ***************************************