Setting Security on an Asynchronous Call in VBScript
The performance of semisynchronous calls is usually adequate for most situations. Asynchronous calls are generally not a recommended practice for scripts. However, if asynchronous calls must be made, a registry value can be set to force WMI to perform access checks on asynchronous calls.
The HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\UnsecAppAccessControlDefault registry value controls whether WMI checks for an acceptable authentication level when returning data for an asynchronous call. The callback can be returned at a lower authentication level than that of the original asynchronous call. By default, this value is set to zero so that callbacks are not checked. To secure asynchronous calls in scripting, you must set the registry key to 1 (one).
Windows XP and Windows 2000: The HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\UnsecAppAccessControlDefault registry value is not available.
Scripts can use the GetStringValue and SetStringValue methods of the registry object StdRegProv to change the setting of the UnsecAppAccessControlDefault registry value. For more information about authentication and impersonation levels required for remote access, see Connecting to WMI on a Remote Computer.
To set asynchronous call security in VBScript
The following VBScript code example shows you how to change the registry value to control WMI authentication of callbacks.
The script changes the value of UnsecAppAccessControlDefault from zero to one, or if the value is already set, from one to zero. Zero is the default on a newly installed system. Once the flag is set, the setting persists across reboot or WMI restart. This script requires Windows Server 2003.
The script uses a SWbemMethod.InParameters object and SWbemObject.ExecMethod to call StdRegProv.GetStringValue and StdRegProv.SetStringValue. For more information about setting the values in an InParameters object, see Constructing InParameters Objects and Parsing OutParameters Objects. For an example of a registry call using GetObject, see StdRegProv.SetStringValue.
' Registry key value in hex Const hklm = &h800000002 ' Subkey string Const Subkey = "software\\microsoft\\wbem\\cimom" ' Asynchronous access control Const sValueName = "UnsecAppAccessControlDefault" ' Obtain registry object Set objReg = GetObject("winmgmts:root\default:StdRegProv") ' Get the initial value of the asynchronous ' access control registry key ' Use an InParameters object to set up the ' parameters for the ExecMethod call ' For more information see Constructing InParameters Objects ' topic and SWbemObject.ExecMethod_ topic Set InParams = objReg.methods_("GetStringValue").InParameters.SpawnInstance_ InParams.hDefKey = hklm InParams.sSubKeyName = Subkey InParams.sValueName = sValueName ' Get return value from OutParameters object returned by ExecMethod. ' For more information see Parsing OutParameters Objects topic Set OutParams = objReg.Execmethod_("GetStringValue",InParams) If (OutParams.ReturnValue <> 0) then Wscript.Echo "GetStringValue returned " & OutParams.ReturnValue Wscript.Quit 1 End If Svalue = OutParams.sValue If (sValue = 0) Then AccessControl = "WMI not performing asynch access control" Else AccessControl = "WMI performing asynch access control" End If Wscript.Echo sValueName & " = " _ & sValue & VBNewLine & AccessControl ' Change asynchronous access control registry key value Set InParams = objReg.methods_("SetStringValue").InParameters.SpawnInstance_ InParams.hDefKey = hklm InParams.sSubKeyName = Subkey InParams.sValueName = sValueName InParams.sValue = sValue XOR 1 Set OutParams = objReg.ExecMethod_("SetStringValue",InParams) If (OutParams.Returnvalue <> 0) Then Wscript.Echo "SetStringValue returned " & OutParams.Returnvalue Wscript.Quit 1 End If Wscript.Echo SValueName & " changed to " & (sValue XOR 1)
Send comments about this topic to Microsoft
Build date: 11/19/2012
