Script Tips

First Person Impersonate

Welcome to a new column on scripting!

• By Don Jones
• 12/06/2004

This time out, I'd like to briefly discuss Windows Management Instrumentation (WMI) and security. You've doubtless seen WMI scripts that start off something like this:

Set objWMIService = GetObject("winmgmts:" _
   & "{impersonationLevel=impersonate}!\\" & strComputer & _
   "\root\cimv2")

Set colItems = objWMIService.ExecQuery("Select * from " & _
   "Win32_OperatingSystem")

This code uses the winmgmts moniker to connect to WMI on the computer specified in the variable strComputer; it connects to the computer's \root\cimv2 WMI namespace (which is where all the core Windows WMI classes hang out), and then query the instances of the Win32_OperatingSystem class. Straightforward and common, this is probably the most-used way of connecting to WMI.

But it is lacking in one way: While you can specify an impersonation level (WMI works best with the impersonate level used in the snippet above), you can't specify alternate credentials. That is to say, this script will take your current user account and pass it to the remote machine's WMI service, and that service will impersonate your credentials to execute the query. What if, however, the account used to run the script doesn't have permissions on the remote machine to execute the WMI query? Well, then, your script will fail.

There is another way. Check this out:

Set objLocator = CreateObject("WbemScripting.SWbemLocator")
Set objService = objLocator.ConnectServer(strComputer, _
   "root\cimv2", strUser, strPassword)
Set colItems = objService.ExecQuery("Select * from " & _
   "Win32_OperatingSystem")

This approach performs the same function as the first snippet—querying all instances of Win32_OperatingSystem from the computer specified in strComputer—but it allows you to specify alternate credentials by plugging a username into strUser and a password into strPassword. Note that this technique only works for remote scripting; you can't specify alternate credentials when connecting to the local computer's WMI service, and if you try, you'll get an error.

Also notice that I didn't specify the impersonation level. These days, you don't generally have to; earlier versions of WMI defaulted to the identify level of impersonation, which isn't really impersonation at all and wouldn't allow the WMI query to execute. The current version of WMI, however, defaults to impersonate, so you're okay.

Use this technique to write more flexible WMI scripts. Be sure, however, to always prompt for the alternate user account password! Never ever ever hard-code the password into the script, because it'll be too easy for someone else to get the password simply by reading the script file.