WMI Error in event log every boot: EventID 5605

windows-event-logwmi

I have a few servers that I keep getting the EventID error 5605

The root\cimv2\TerminalServices namespace is marked with the
RequiresEncryption flag. Access to this namespace might be denied if
the script or application does not have the appropriate authentication
level. Change the authentication level to Pkt_Privacy and run the
script or application again.

The issue is I have no clue where this script is being run from so I can't update the script to solve the issue like every other post I have found on Event 5605. I checked the GPO for startup scripts, I checked all of my domain's SYSVOL share for a VBScript or Powershell script. I can't find this script anywhere. How can I track down this script and fix it so it stops throwing this error?

Best Answer

Use WMI Event Tracing in the Event Viewer, this will allow you to link WMI queries to a specific process.

Open Event Viewer.
On the View menu, click Show Analytic and Debug Logs.
Locate the Trace channel log for WMI under Applications and Service Logs | Microsoft | Windows | WMI Activity.
Right-click the Trace log and select Log Properties.
Click the Enable Logging check box to start the WMI event tracing.

WMI events appear in the event window for WMI-Activity.

This event log is sometimes painful to use, so you can use a script like this to start tracing and view events, with process name attached to the WMI queries:

$wmiLog = "Microsoft-Windows-WMI-Activity/Trace"
echo y | Wevtutil.exe sl $wmiLog /e:true
Read-Host -Prompt "Tracing WMI Started. Press [ENTER] to stop"
echo y | Wevtutil.exe sl $wmiLog /e:false
$events = Get-WinEvent -LogName $wmiLog -Oldest | Where-Object {$_.message.Contains("Operation = Start") -or $_.message.Contains("Operation = Provider") }

if ($events -eq $null)
{
    Write-Host "No WMI events in trace!"
    return
}

$table = New-Object System.Data.DataTable
[void]$table.Columns.Add("Computer")
[void]$table.Columns.Add("Namespace")
[void]$table.Columns.Add("Type")
[void]$table.Columns.Add("Query")
[void]$table.Columns.Add("UserName")
[void]$table.Columns.Add("Process")

ForEach ($event in $events)
{
    switch ($event.Properties.Count)
    {
        6 {
            $typeStart = $event.Properties[1].Value.IndexOf("::")+2
            $typeEnd = $event.Properties[1].Value.IndexOf(" ",$typeStart) 
            $type = $event.Properties[1].Value.Substring($typestart,$typeEnd-$typeStart)
            $query = $event.Properties[1].Value.Substring($event.Properties[1].Value.IndexOf(":",$typeEnd)+2)
            $process = Get-Process -Id ($event.Properties[2].Value) -ErrorAction SilentlyContinue
            if ($process -eq $null) 
            { 
                $process = "($($event.Properties[2].Value))"
            }
            else
            {
                $process = "$($process.Name) ($($process.Id))"
            }      

            [void]$table.Rows.Add(`
                $env:COMPUTERNAME,`
                "\\.\root\cimv2",`
                $type,`
                $query,`
                "N/A",
                $process)
        }
        8 {
            $typeStart = $event.Properties[3].Value.IndexOf("::")+2
            $typeEnd = $event.Properties[3].Value.IndexOf(" ",$typeStart) 
            $type = $event.Properties[3].Value.Substring($typestart,$typeEnd-$typeStart)
            $query = $event.Properties[3].Value.Substring($event.Properties[3].Value.IndexOf(":",$typeEnd)+2)
            $process = Get-Process -Id ($event.Properties[6].Value) -ErrorAction SilentlyContinue
            if ($process -eq $null) 
            { 
                $process = "($($event.Properties[6].Value))"
            }
            else
            {
                $process = "$($process.Name) ($($process.Id))"
            }

            [void]$table.Rows.Add(`
                $event.Properties[4].Value,`
                $event.Properties[7].Value,`
                $type,`
                $query,`
                $event.Properties[5].Value,
                $process)
        }
        default
        {
            Write-Error "Unexpected number of event properties."
            Write-Host $event
            Write-Host $event.Properties
        }
    }
}

$table | Out-GridView

Tracelog.exe and tracefmt.exe from Windows Driver Kit (WDK) can also be used for WMI tracing.

Related Solutions

Fix SELECT * from Win32_Process Query Hanging Indefinitely

WMI might have gotten corrupt on that machine. Try reinstalling it.

COPY ALL LINES BELOW INTO A BATCH FILE AND RUN IT:

net stop winmgmt

pause

c:

cd c:\windows\system32\wbem

rd /S /Q repository

regsvr32 /s %systemroot%\system32\scecli.dll

regsvr32 /s %systemroot%\system32\userenv.dll

mofcomp cimwin32.mof

mofcomp cimwin32.mfl

mofcomp rsop.mof

mofcomp rsop.mfl

for /f %%s in ('dir /b /s *.dll') do regsvr32 /s %%s

for /f %%s in ('dir /b *.mof') do mofcomp %%s

for /f %%s in ('dir /b *.mfl') do mofcomp %%s

mofcomp exwmi.mof

mofcomp -n:root\cimv2\applications\exchange wbemcons.mof

mofcomp -n:root\cimv2\applications\exchange smtpcons.mof

mofcomp exmgmt.mof

WMI Rights required to read root\MicrosoftIISv2 in IIS7 with IIS6 compatibility mode

Resolved.

The WMI and IIS Metabase rights have to be set as you would do on an IIS 6. So they were correct for me.

The specifity is on the IIS Metabase. First of all, in IIS 7 the W3SVC rights are completely inherited from the root while you have to set the W3SVC/AppPools rights on IIS 6 if you want to handle the application pools.

Since there's a 'compatiblity', the main difference resides in IIS 7 metabase file system. On IIS 6, the read rights on the inetsrv folder (which is the default for Users) and the Metabase ACLs are sufficient.

On IIS 7, the rights have to be set on the IIS Metabase AND the IIS 7 configuration folder : %SYSTEMROOT%/system32/inetsrv/config (and .config files then). By default, only Administrators (thats why it is perfectly working with the Administrator right) and some other reserved groups can access this folder.

Another point, if you need to execute methods like a Stop on an application pool, this feature require the Write rights on the configuration folder.

Best Answer

Related Solutions

Fix SELECT * from Win32_Process Query Hanging Indefinitely

WMI Rights required to read root\MicrosoftIISv2 in IIS7 with IIS6 compatibility mode

Related Topic