Q
Quintin Willison
Guest
This is starting to get very frustrating. I first tried a manual update
after several months of not updating on 14th October. Since that day I've
not been able to update with a WMI error coming up. Initially it seemed that
Microsoft would allow all the high priority updates to install together. Now
it inists on the first entry being installed solo [Microsoft .NET Framework
3.5 Service Pack 1 and .NET Framework 3.5 Family Update for .NET versions 2.0
through 3.5 (KB951847) x86] but still fails!!
Screen shot here: http://www.twitpic.com/lh94t/full
Another here: http://www.twitpic.com/lh9g5/full
After reading a suggestion elsewhere I tried running WMIDiag v2.0 as
downloaded from Microsoft. It seems to spot 'problems' with WMI but offers
no suggestion as to how to fix them:
26290 06:43:32 (0)
----------------------------------------------------------------------------------------------------------------------------------
26291 06:43:32 (0) DCOM security for 'Microsoft WBEM UnSecured Apartment'
(Launch & Activation Permissions): ........................... MODIFIED.
26292 06:43:32 (1) !! ERROR: Default trustee 'BUILTIN\ADMINISTRATORS' has
been REMOVED!
26293 06:43:32 (0) - REMOVED ACE:
26294 06:43:32 (0) ACEType: &h0
26295 06:43:32 (0) ACCESS_ALLOWED_ACE_TYPE
26296 06:43:32 (0) ACEFlags: &h0
26297 06:43:32 (0) ACEMask: &h1
26298 06:43:32 (0) DCOM_RIGHT_EXECUTE
26299 06:43:32 (0)
26300 06:43:32 (0) => The REMOVED ACE was part of the DEFAULT setup for
the trustee.
26301 06:43:32 (0) Removing default security will cause some
operations to fail!
26302 06:43:32 (0) It is possible to fix this issue by editing the
security descriptor and adding the ACE.
26303 06:43:32 (0) For DCOM objects, this can be done with
'DCOMCNFG.EXE'.
26304 06:43:32 (0)
26305 06:43:32 (0) DCOM security for 'Microsoft WBEM UnSecured Apartment'
(Launch & Activation Permissions): ........................... MODIFIED.
26306 06:43:32 (1) !! ERROR: Default trustee 'NT AUTHORITY\INTERACTIVE' has
been REMOVED!
26307 06:43:32 (0) - REMOVED ACE:
26308 06:43:32 (0) ACEType: &h0
26309 06:43:32 (0) ACCESS_ALLOWED_ACE_TYPE
26310 06:43:32 (0) ACEFlags: &h0
26311 06:43:32 (0) ACEMask: &h1
26312 06:43:32 (0) DCOM_RIGHT_EXECUTE
26313 06:43:32 (0)
26314 06:43:32 (0) => The REMOVED ACE was part of the DEFAULT setup for
the trustee.
26315 06:43:32 (0) Removing default security will cause some
operations to fail!
26316 06:43:32 (0) It is possible to fix this issue by editing the
security descriptor and adding the ACE.
26317 06:43:32 (0) For DCOM objects, this can be done with
'DCOMCNFG.EXE'.
26318 06:43:32 (0)
26319 06:43:32 (0) DCOM security for 'Microsoft WBEM UnSecured Apartment'
(Launch & Activation Permissions): ........................... MODIFIED.
26320 06:43:32 (1) !! ERROR: Default trustee 'NT AUTHORITY\SYSTEM' has been
REMOVED!
26321 06:43:32 (0) - REMOVED ACE:
26322 06:43:32 (0) ACEType: &h0
26323 06:43:32 (0) ACCESS_ALLOWED_ACE_TYPE
26324 06:43:32 (0) ACEFlags: &h0
26325 06:43:32 (0) ACEMask: &h1
26326 06:43:32 (0) DCOM_RIGHT_EXECUTE
26327 06:43:32 (0)
26328 06:43:32 (0) => The REMOVED ACE was part of the DEFAULT setup for
the trustee.
26329 06:43:32 (0) Removing default security will cause some
operations to fail!
26330 06:43:32 (0) It is possible to fix this issue by editing the
security descriptor and adding the ACE.
26331 06:43:32 (0) For DCOM objects, this can be done with
'DCOMCNFG.EXE'.
26332 06:43:32 (0)
26333 06:43:32 (0) WMI namespace security for 'ROOT/SERVICEMODEL':
......................................................................
MODIFIED.
26334 06:43:32 (1) !! ERROR: Actual trustee 'NT AUTHORITY\NETWORK SERVICE'
DOES NOT match corresponding expected trustee rights (Actual->Default)
26335 06:43:32 (0) - ACTUAL ACE:
26336 06:43:32 (0) ACEType: &h0
26337 06:43:32 (0) ACCESS_ALLOWED_ACE_TYPE
26338 06:43:32 (0) ACEFlags: &h2
26339 06:43:32 (0) CONTAINER_INHERIT_ACE
26340 06:43:32 (0) ACEMask: &h1
26341 06:43:32 (0) WBEM_ENABLE
26342 06:43:32 (0) - EXPECTED ACE:
26343 06:43:32 (0) ACEType: &h0
26344 06:43:32 (0) ACCESS_ALLOWED_ACE_TYPE
26345 06:43:32 (0) ACEFlags: &h12
26346 06:43:32 (0) CONTAINER_INHERIT_ACE
26347 06:43:32 (0) INHERITED_ACE
26348 06:43:32 (0) ACEMask: &h13
26349 06:43:32 (0) WBEM_ENABLE
26350 06:43:32 (0) WBEM_METHOD_EXECUTE
26351 06:43:32 (0) WBEM_WRITE_PROVIDER
26352 06:43:32 (0)
26353 06:43:32 (0) => The actual ACE has the right(s) '&h12
WBEM_METHOD_EXECUTE WBEM_WRITE_PROVIDER' removed!
26354 06:43:32 (0) This will cause some operations to fail!
26355 06:43:32 (0) It is possible to fix this issue by editing the
security descriptor and adding the removed right.
26356 06:43:32 (0) For WMI namespaces, this can be done with
'WMIMGMT.MSC'.
26357 06:43:32 (0) Note: WMIDiag has no specific knowledge of this WMI
namespace.
26358 06:43:32 (0) The security diagnostic is based on the WMI
namespace expected defaults.
26359 06:43:32 (0) A specific WMI application can always require a
security setup different
26360 06:43:32 (0) than the WMI security defaults.
26361 06:43:32 (0)
26362 06:43:32 (0) WMI namespace security for 'ROOT/SERVICEMODEL':
......................................................................
MODIFIED.
26363 06:43:32 (1) !! ERROR: Actual trustee 'NT AUTHORITY\LOCAL SERVICE'
DOES NOT match corresponding expected trustee rights (Actual->Default)
26364 06:43:32 (0) - ACTUAL ACE:
26365 06:43:32 (0) ACEType: &h0
26366 06:43:32 (0) ACCESS_ALLOWED_ACE_TYPE
26367 06:43:32 (0) ACEFlags: &h2
26368 06:43:32 (0) CONTAINER_INHERIT_ACE
26369 06:43:32 (0) ACEMask: &h1
26370 06:43:32 (0) WBEM_ENABLE
26371 06:43:32 (0) - EXPECTED ACE:
26372 06:43:32 (0) ACEType: &h0
26373 06:43:32 (0) ACCESS_ALLOWED_ACE_TYPE
26374 06:43:32 (0) ACEFlags: &h12
26375 06:43:32 (0) CONTAINER_INHERIT_ACE
26376 06:43:32 (0) INHERITED_ACE
26377 06:43:32 (0) ACEMask: &h13
26378 06:43:32 (0) WBEM_ENABLE
26379 06:43:32 (0) WBEM_METHOD_EXECUTE
26380 06:43:32 (0) WBEM_WRITE_PROVIDER
26381 06:43:32 (0)
26382 06:43:32 (0) => The actual ACE has the right(s) '&h12
WBEM_METHOD_EXECUTE WBEM_WRITE_PROVIDER' removed!
26383 06:43:32 (0) This will cause some operations to fail!
26384 06:43:32 (0) It is possible to fix this issue by editing the
security descriptor and adding the removed right.
26385 06:43:32 (0) For WMI namespaces, this can be done with
'WMIMGMT.MSC'.
26386 06:43:32 (0) Note: WMIDiag has no specific knowledge of this WMI
namespace.
26387 06:43:32 (0) The security diagnostic is based on the WMI
namespace expected defaults.
26388 06:43:32 (0) A specific WMI application can always require a
security setup different
26389 06:43:32 (0) than the WMI security defaults.
26390 06:43:32 (0)
26391 06:43:32 (0) WMI namespace security for 'ROOT/SERVICEMODEL':
......................................................................
MODIFIED.
26392 06:43:32 (1) !! ERROR: Default trustee 'EVERYONE' has been REMOVED!
26393 06:43:32 (0) - REMOVED ACE:
26394 06:43:32 (0) ACEType: &h0
26395 06:43:32 (0) ACCESS_ALLOWED_ACE_TYPE
26396 06:43:32 (0) ACEFlags: &h12
26397 06:43:32 (0) CONTAINER_INHERIT_ACE
26398 06:43:32 (0) INHERITED_ACE
26399 06:43:32 (0) ACEMask: &h13
26400 06:43:32 (0) WBEM_ENABLE
26401 06:43:32 (0) WBEM_METHOD_EXECUTE
26402 06:43:32 (0) WBEM_WRITE_PROVIDER
26403 06:43:32 (0)
26404 06:43:32 (0) => The REMOVED ACE was part of the DEFAULT setup for
the trustee.
26405 06:43:32 (0) Removing default security will cause some
operations to fail!
26406 06:43:32 (0) It is possible to fix this issue by editing the
security descriptor and adding the ACE.
26407 06:43:32 (0) For WMI namespaces, this can be done with
'WMIMGMT.MSC'.
26408 06:43:32 (0) Note: WMIDiag has no specific knowledge of this WMI
namespace.
26409 06:43:32 (0) The security diagnostic is based on the WMI
namespace expected defaults.
26410 06:43:32 (0) A specific WMI application can always require a
security setup different
26411 06:43:32 (0) than the WMI security defaults.
26412 06:43:32 (0)
26413 06:43:32 (0)
26414 06:43:32 (0) DCOM security warning(s) detected:
................................................................................... 0.
26415 06:43:32 (0) DCOM security error(s) detected:
..................................................................................... 3.
26416 06:43:32 (0) WMI security warning(s) detected:
.................................................................................... 0.
26417 06:43:32 (0) WMI security error(s) detected:
...................................................................................... 3.
26418 06:43:32 (0)
26419 06:43:32 (1) !! ERROR: Overall DCOM security status:
................................................................................. ERROR!
26420 06:43:32 (1) !! ERROR: Overall WMI security status:
.................................................................................. ERROR!
26421 06:43:32 (0) - Started at 'Root'
--------------------------------------------------------------------------------------------------------------
It's obviously not well! Is there a tool out there to 'fix' WMI security
settings? My current option seems to be OS reinstall.
Any ideas appreciated.
Thanks.
after several months of not updating on 14th October. Since that day I've
not been able to update with a WMI error coming up. Initially it seemed that
Microsoft would allow all the high priority updates to install together. Now
it inists on the first entry being installed solo [Microsoft .NET Framework
3.5 Service Pack 1 and .NET Framework 3.5 Family Update for .NET versions 2.0
through 3.5 (KB951847) x86] but still fails!!
Screen shot here: http://www.twitpic.com/lh94t/full
Another here: http://www.twitpic.com/lh9g5/full
After reading a suggestion elsewhere I tried running WMIDiag v2.0 as
downloaded from Microsoft. It seems to spot 'problems' with WMI but offers
no suggestion as to how to fix them:
26290 06:43:32 (0)
----------------------------------------------------------------------------------------------------------------------------------
26291 06:43:32 (0) DCOM security for 'Microsoft WBEM UnSecured Apartment'
(Launch & Activation Permissions): ........................... MODIFIED.
26292 06:43:32 (1) !! ERROR: Default trustee 'BUILTIN\ADMINISTRATORS' has
been REMOVED!
26293 06:43:32 (0) - REMOVED ACE:
26294 06:43:32 (0) ACEType: &h0
26295 06:43:32 (0) ACCESS_ALLOWED_ACE_TYPE
26296 06:43:32 (0) ACEFlags: &h0
26297 06:43:32 (0) ACEMask: &h1
26298 06:43:32 (0) DCOM_RIGHT_EXECUTE
26299 06:43:32 (0)
26300 06:43:32 (0) => The REMOVED ACE was part of the DEFAULT setup for
the trustee.
26301 06:43:32 (0) Removing default security will cause some
operations to fail!
26302 06:43:32 (0) It is possible to fix this issue by editing the
security descriptor and adding the ACE.
26303 06:43:32 (0) For DCOM objects, this can be done with
'DCOMCNFG.EXE'.
26304 06:43:32 (0)
26305 06:43:32 (0) DCOM security for 'Microsoft WBEM UnSecured Apartment'
(Launch & Activation Permissions): ........................... MODIFIED.
26306 06:43:32 (1) !! ERROR: Default trustee 'NT AUTHORITY\INTERACTIVE' has
been REMOVED!
26307 06:43:32 (0) - REMOVED ACE:
26308 06:43:32 (0) ACEType: &h0
26309 06:43:32 (0) ACCESS_ALLOWED_ACE_TYPE
26310 06:43:32 (0) ACEFlags: &h0
26311 06:43:32 (0) ACEMask: &h1
26312 06:43:32 (0) DCOM_RIGHT_EXECUTE
26313 06:43:32 (0)
26314 06:43:32 (0) => The REMOVED ACE was part of the DEFAULT setup for
the trustee.
26315 06:43:32 (0) Removing default security will cause some
operations to fail!
26316 06:43:32 (0) It is possible to fix this issue by editing the
security descriptor and adding the ACE.
26317 06:43:32 (0) For DCOM objects, this can be done with
'DCOMCNFG.EXE'.
26318 06:43:32 (0)
26319 06:43:32 (0) DCOM security for 'Microsoft WBEM UnSecured Apartment'
(Launch & Activation Permissions): ........................... MODIFIED.
26320 06:43:32 (1) !! ERROR: Default trustee 'NT AUTHORITY\SYSTEM' has been
REMOVED!
26321 06:43:32 (0) - REMOVED ACE:
26322 06:43:32 (0) ACEType: &h0
26323 06:43:32 (0) ACCESS_ALLOWED_ACE_TYPE
26324 06:43:32 (0) ACEFlags: &h0
26325 06:43:32 (0) ACEMask: &h1
26326 06:43:32 (0) DCOM_RIGHT_EXECUTE
26327 06:43:32 (0)
26328 06:43:32 (0) => The REMOVED ACE was part of the DEFAULT setup for
the trustee.
26329 06:43:32 (0) Removing default security will cause some
operations to fail!
26330 06:43:32 (0) It is possible to fix this issue by editing the
security descriptor and adding the ACE.
26331 06:43:32 (0) For DCOM objects, this can be done with
'DCOMCNFG.EXE'.
26332 06:43:32 (0)
26333 06:43:32 (0) WMI namespace security for 'ROOT/SERVICEMODEL':
......................................................................
MODIFIED.
26334 06:43:32 (1) !! ERROR: Actual trustee 'NT AUTHORITY\NETWORK SERVICE'
DOES NOT match corresponding expected trustee rights (Actual->Default)
26335 06:43:32 (0) - ACTUAL ACE:
26336 06:43:32 (0) ACEType: &h0
26337 06:43:32 (0) ACCESS_ALLOWED_ACE_TYPE
26338 06:43:32 (0) ACEFlags: &h2
26339 06:43:32 (0) CONTAINER_INHERIT_ACE
26340 06:43:32 (0) ACEMask: &h1
26341 06:43:32 (0) WBEM_ENABLE
26342 06:43:32 (0) - EXPECTED ACE:
26343 06:43:32 (0) ACEType: &h0
26344 06:43:32 (0) ACCESS_ALLOWED_ACE_TYPE
26345 06:43:32 (0) ACEFlags: &h12
26346 06:43:32 (0) CONTAINER_INHERIT_ACE
26347 06:43:32 (0) INHERITED_ACE
26348 06:43:32 (0) ACEMask: &h13
26349 06:43:32 (0) WBEM_ENABLE
26350 06:43:32 (0) WBEM_METHOD_EXECUTE
26351 06:43:32 (0) WBEM_WRITE_PROVIDER
26352 06:43:32 (0)
26353 06:43:32 (0) => The actual ACE has the right(s) '&h12
WBEM_METHOD_EXECUTE WBEM_WRITE_PROVIDER' removed!
26354 06:43:32 (0) This will cause some operations to fail!
26355 06:43:32 (0) It is possible to fix this issue by editing the
security descriptor and adding the removed right.
26356 06:43:32 (0) For WMI namespaces, this can be done with
'WMIMGMT.MSC'.
26357 06:43:32 (0) Note: WMIDiag has no specific knowledge of this WMI
namespace.
26358 06:43:32 (0) The security diagnostic is based on the WMI
namespace expected defaults.
26359 06:43:32 (0) A specific WMI application can always require a
security setup different
26360 06:43:32 (0) than the WMI security defaults.
26361 06:43:32 (0)
26362 06:43:32 (0) WMI namespace security for 'ROOT/SERVICEMODEL':
......................................................................
MODIFIED.
26363 06:43:32 (1) !! ERROR: Actual trustee 'NT AUTHORITY\LOCAL SERVICE'
DOES NOT match corresponding expected trustee rights (Actual->Default)
26364 06:43:32 (0) - ACTUAL ACE:
26365 06:43:32 (0) ACEType: &h0
26366 06:43:32 (0) ACCESS_ALLOWED_ACE_TYPE
26367 06:43:32 (0) ACEFlags: &h2
26368 06:43:32 (0) CONTAINER_INHERIT_ACE
26369 06:43:32 (0) ACEMask: &h1
26370 06:43:32 (0) WBEM_ENABLE
26371 06:43:32 (0) - EXPECTED ACE:
26372 06:43:32 (0) ACEType: &h0
26373 06:43:32 (0) ACCESS_ALLOWED_ACE_TYPE
26374 06:43:32 (0) ACEFlags: &h12
26375 06:43:32 (0) CONTAINER_INHERIT_ACE
26376 06:43:32 (0) INHERITED_ACE
26377 06:43:32 (0) ACEMask: &h13
26378 06:43:32 (0) WBEM_ENABLE
26379 06:43:32 (0) WBEM_METHOD_EXECUTE
26380 06:43:32 (0) WBEM_WRITE_PROVIDER
26381 06:43:32 (0)
26382 06:43:32 (0) => The actual ACE has the right(s) '&h12
WBEM_METHOD_EXECUTE WBEM_WRITE_PROVIDER' removed!
26383 06:43:32 (0) This will cause some operations to fail!
26384 06:43:32 (0) It is possible to fix this issue by editing the
security descriptor and adding the removed right.
26385 06:43:32 (0) For WMI namespaces, this can be done with
'WMIMGMT.MSC'.
26386 06:43:32 (0) Note: WMIDiag has no specific knowledge of this WMI
namespace.
26387 06:43:32 (0) The security diagnostic is based on the WMI
namespace expected defaults.
26388 06:43:32 (0) A specific WMI application can always require a
security setup different
26389 06:43:32 (0) than the WMI security defaults.
26390 06:43:32 (0)
26391 06:43:32 (0) WMI namespace security for 'ROOT/SERVICEMODEL':
......................................................................
MODIFIED.
26392 06:43:32 (1) !! ERROR: Default trustee 'EVERYONE' has been REMOVED!
26393 06:43:32 (0) - REMOVED ACE:
26394 06:43:32 (0) ACEType: &h0
26395 06:43:32 (0) ACCESS_ALLOWED_ACE_TYPE
26396 06:43:32 (0) ACEFlags: &h12
26397 06:43:32 (0) CONTAINER_INHERIT_ACE
26398 06:43:32 (0) INHERITED_ACE
26399 06:43:32 (0) ACEMask: &h13
26400 06:43:32 (0) WBEM_ENABLE
26401 06:43:32 (0) WBEM_METHOD_EXECUTE
26402 06:43:32 (0) WBEM_WRITE_PROVIDER
26403 06:43:32 (0)
26404 06:43:32 (0) => The REMOVED ACE was part of the DEFAULT setup for
the trustee.
26405 06:43:32 (0) Removing default security will cause some
operations to fail!
26406 06:43:32 (0) It is possible to fix this issue by editing the
security descriptor and adding the ACE.
26407 06:43:32 (0) For WMI namespaces, this can be done with
'WMIMGMT.MSC'.
26408 06:43:32 (0) Note: WMIDiag has no specific knowledge of this WMI
namespace.
26409 06:43:32 (0) The security diagnostic is based on the WMI
namespace expected defaults.
26410 06:43:32 (0) A specific WMI application can always require a
security setup different
26411 06:43:32 (0) than the WMI security defaults.
26412 06:43:32 (0)
26413 06:43:32 (0)
26414 06:43:32 (0) DCOM security warning(s) detected:
................................................................................... 0.
26415 06:43:32 (0) DCOM security error(s) detected:
..................................................................................... 3.
26416 06:43:32 (0) WMI security warning(s) detected:
.................................................................................... 0.
26417 06:43:32 (0) WMI security error(s) detected:
...................................................................................... 3.
26418 06:43:32 (0)
26419 06:43:32 (1) !! ERROR: Overall DCOM security status:
................................................................................. ERROR!
26420 06:43:32 (1) !! ERROR: Overall WMI security status:
.................................................................................. ERROR!
26421 06:43:32 (0) - Started at 'Root'
--------------------------------------------------------------------------------------------------------------
It's obviously not well! Is there a tool out there to 'fix' WMI security
settings? My current option seems to be OS reinstall.
Any ideas appreciated.
Thanks.