Setting Security on an Asynchronous Call in VBScript

Setting Security on an Asynchronous Call in VBScript

The performance of semisynchronous calls is usually adequate for most situations. Asynchronous calls are generally not a recommended practice for scripts. However, if asynchronous calls must be made, a registry value can be set to force WMI to perform access checks on asynchronous calls.

The HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\UnsecAppAccessControlDefault registry value controls whether WMI checks for an acceptable authentication level when returning data for an asynchronous call. The callback can be returned at a lower authentication level than that of the original asynchronous call. By default, this value is set to zero so that callbacks are not checked. To secure asynchronous calls in scripting, you must set the registry key to 1 (one).

Scripts can use the GetStringValue and SetStringValue methods of the registry object StdRegProv to change the setting of the UnsecAppAccessControlDefault registry value. For more information about authentication and impersonation levels required for remote access, see Connecting to WMI on a Remote Computer.

To set asynchronous call security in VBScript

The following VBScript code example shows you how to change the registry value to control WMI authentication of callbacks.

The script changes the value of UnsecAppAccessControlDefault from zero to one, or if the value is already set, from one to zero. Zero is the default on a newly installed system. Once the flag is set, the setting persists across reboot or WMI restart.

The script uses a SWbemMethod.InParameters object and SWbemObject.ExecMethod to call StdRegProv.GetStringValue and StdRegProv.SetStringValue. For more information about setting the values in an InParameters object, see Constructing InParameters Objects and Parsing OutParameters Objects. For an example of a registry call using GetObject, see StdRegProv.SetStringValue.

' Registry key value in hex
Const hklm = &h800000002  
' Subkey string 
Const Subkey = "software\\microsoft\\wbem\\cimom" 
' Asynchronous access control
Const sValueName = "UnsecAppAccessControlDefault" 

' Obtain registry object
Set objReg = GetObject("winmgmts:root\default:StdRegProv") 

' Get the initial value of the asynchronous 
'   access control registry key
' Use an InParameters object to set up the 
'   parameters for the ExecMethod call
' For more information see Constructing InParameters Objects 
'   topic and SWbemObject.ExecMethod_ topic

Set InParams = objReg.methods_("GetStringValue").InParameters.SpawnInstance_
InParams.hDefKey = hklm
InParams.sSubKeyName = Subkey
InParams.sValueName = sValueName

' Get return value from OutParameters object returned by ExecMethod. 
' For more information see Parsing OutParameters Objects topic

Set OutParams = objReg.Execmethod_("GetStringValue",InParams)

If (OutParams.ReturnValue <> 0) then
   Wscript.Echo "GetStringValue returned " & OutParams.ReturnValue
   Wscript.Quit 1
End If

Svalue = OutParams.sValue
If (sValue = 0) Then
   AccessControl = "WMI not performing asynch access control"
   AccessControl = "WMI performing asynch access control"  
End If
Wscript.Echo sValueName & " = " _
    & sValue & VBNewLine & AccessControl

' Change asynchronous access control registry key value
Set InParams = objReg.methods_("SetStringValue").InParameters.SpawnInstance_

InParams.hDefKey = hklm
InParams.sSubKeyName = Subkey
InParams.sValueName = sValueName
InParams.sValue = sValue XOR 1

Set OutParams = objReg.ExecMethod_("SetStringValue",InParams)

If (OutParams.Returnvalue <> 0) Then
    Wscript.Echo "SetStringValue returned " & OutParams.Returnvalue
    Wscript.Quit 1
End If

Wscript.Echo SValueName & " changed to " & (sValue XOR 1)



© 2016 Microsoft