WMI Service: Access Denied
There are times that the WMI Service within Microsoft Windows may become corrupt, or the permissions are incorrect, leading to access denied errors to occur when performing updates, or other maintenance. This guide will show you how to check and repair the WMI Permissions on directories, as well as the WMI Service to ensure that it is configurable and workable.
Symptoms:
1. When installing software such as Microsoft Exchange Service Pack Upgrades, you may be greeted with an Access Denied message
2. When attempting to stop, start or restart the Winmgmt service, the options are greyed out (GUI) or you receive Access Denied (Command line)
Troubleshooting:
You will be making changes to permissions and registry entries, as well as some system permissions. Please make sure you have a good backup of the server or computer before continuing. If you are not comfortable making the changes, there is a good chance you can corrupt your Windows Installation.
1. Log into Windows as an Administrative User
2. Check permissions on C:\:
Administrators: Full Control System: Full Control Users: Read Authenticated Users: Read Everyone: Read
3. Check permissions on C:\Windows\System32
Administrators: Full Control System: Full Control Users: Read Authenticated Users: Read Everyone: Read
4. Check permissions on C:\Windows\Registration
Administrators: Full Control System: Full Control Users: Read Authenticated Users: Read Everyone: Read
5. Check permissions on C:\Windows\Registration\*.clb (any file with the file extension .clb)
Administrators: Full Control System: Full Control Users: Read Authenticated Users: Read Everyone: Read
6. Open the Registry Editor, regedit
7. Navigate to HKEY_Classes_Root\CLSID
8. Check permissions on CLSID
Administrators: Full Control System: Full Control Users: Read Authenticated Users: Read Everyone: Read Computer: Read
9. Open an elevated command prompt
10. Check the security descriptors for WinMGMT by using the command sc sdshow winmgmt
The security descriptors are different based on Operating System version and service pack. Below are some suggested descriptors. They should match what you see in the command above, if not the command to change them is below.
Security Descriptors by Operating System Version
Windows Server 2012: D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) Windows Server 2008 R2 SP1: D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) Windows Server 2008 SP2 x64: D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU) Windows 8.1 x64: D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU) Windows 7 SP1 x86: D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU) Windows 7 SP1 x64: D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) Windows XP SP3 x86: D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
11. If the security descriptors are not correct for you operating system version, then run the command sc sdset winmgmt *DESCRIPTORS* where *DESCRIPTORS* is the appropriate set for your Operating System Version. (See above)
12. Restart the Server/Computer and check the WMI Service to see if the issue is resolved.
