WMI Error: 80041003

Votes:

1

Greetings everyone,

I am trying to monitor my Hyper-V clusters via WMI with PRTG. I used this MS KB article to elevate the authentication level of the PRTG Probe and Server.exe services: http://support.microsoft.com/kb/268884/en-us.

I have only recently discovered PRTG. Until now, I've been relying on IP Network Host Monitor. I have successfully applied the steps in the above KB article, and was able to query root\MSCluster with IPNHM. However, the same fix does not seem to have worked either for PRTG or Paessler's WMITool.exe. Both return the following error, even though I am using the Domain Admin account in both cases:

"80041003: The current user does not have permission to perform the action."

Again, on the same server, using the same credentials, I have no problems using other programs to query the cluster. Also, the server and Hyper-V Cluster are both on the same network in the same domain.

Is there any other executable whose authentication level I have to elevate (doubt this will fix it, as WMITest.exe fails)? Any other suggestions?

authentication clustering hyper-v prtg wmi

Created on May 2, 2012 9:29:13 PM



Best Answer

Accepted Answer

Votes:

2

One more thing we have found:

  • UAC blocks some (not all) WMI counters, resulting in error 80041003: The current user does not have permission to perform the action. You can add the following registry key to disable this feature of UAC.
    Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    Add a new DWORD value:
    Name: LocalAccountTokenFilterPolicy
    Value: 1
    • Note: This disables some of the protection provided by UAC. Specifically, any remote access to the server using an administrator security token is automatically elevated with full administrator rights, including access to the root folder. More information can be found here: http://support.microsoft.com/kb/951016

Created on Jun 13, 2012 11:57:12 AM by  Volker Uffelmann [Paessler Support]
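
Because the value in the answer above weakens remote UAC, it is worth being able to audit it and put it back after troubleshooting. The following is an added example, not part of the original answer or Paessler's code; the function names are hypothetical and it must run elevated on the monitored host.

```powershell
# Added example: audit and restore the value named in the answer above.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName  = 'LocalAccountTokenFilterPolicy'

# Hypothetical helper: report whether remote UAC token filtering is in effect.
function Get-RemoteUacFilterState {
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    $raw  = if ($item) { $item.$ValueName } else { $null }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RawValue     = $raw
        # Value absent or 0 is the Windows default: remote admin tokens are filtered.
        FilterActive = ($raw -ne 1)
    }
}

# Hypothetical helper: set the value back to 0 once troubleshooting is finished.
# Supports -WhatIf / -Confirm so the change can be previewed first.
function Restore-RemoteUacFilter {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ((Get-RemoteUacFilterState).FilterActive) { return }   # nothing to undo
    if ($PSCmdlet.ShouldProcess($ValueName, 'Set to 0 (re-enable remote UAC filtering)')) {
        Set-ItemProperty -Path $PolicyPath -Name $ValueName -Value 0 -Type DWord
    }
}

Get-RemoteUacFilterState
Restore-RemoteUacFilter -WhatIf
```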



8 Replies

Votes:

0

Hello,

do other WMI Sensors (for example simply WMI CPU Load or WMI Uptime) work on the same hosts (and only the Hyper-V WMIs do not)?

best regards.

Created on May 4, 2012 12:52:10 PM by  Torsten Lindner [Paessler Support]



Votes:

1

Correct. I have dozens of WMI sensors for the Hyper-V Hosts, most of which work flawlessly. Those that do not work return a different error; haven't taken the time to troubleshoot them yet.

However, please note, I am not directly querying a node in the cluster, I am querying the cluster IP address itself. Possibly a distinction without a difference, but I thought it was worth mentioning.

Created on May 4, 2012 2:20:49 PM



Votes:

0

So, what happens if you query the nodes directly?

Created on May 4, 2012 3:42:48 PM by  Torsten Lindner [Paessler Support]



Votes:

0

Sorry for the delay. Makes no difference; identical error message.

My boss happens to be an experienced VB developer. He was able to compile the example program in the KB article I linked in under a couple minutes:

http://www.filedropper.com/setclientauthenticationlevel

Please give it a try and let me know how it works for you. As I have said, it works for everything I've tried it with except PRTG.

Created on May 4, 2012 9:47:31 PM




Votes:

1

Hi Mitch,

We ran into the same problem trying to monitor a W2K8R2 Failover Cluster using the PRTG WMI Custom sensor.

On the cluster member server the following warning was logged into the Application log:

Log Name:      Application
Source:        Microsoft-Windows-WMI
Date:          6/29/2012 4:12:01 PM
Event ID:      5605
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      XXX.xxx.com
Description:
The root\MSCluster namespace is marked with the RequiresEncryption flag. Access to this namespace might be denied if the script or application does not have the appropriate authentication level. Change the authentication level to Pkt_Privacy and run the script or application again

So it's quite obvious that PRTG uses the default authentication level when querying the WMI namespace. And if a namespace requires encryption like in the case of 'MSCluster', then we are in trouble.

Did you find a solution?

Instance of __NameSpace
{
  Name = "MSCluster";
};
#pragma namespace("\\\\.\\Root\\MSCluster")

[RequiresEncryption] 

Created on Jun 29, 2012 3:27:06 PM

Last change on Jul 2, 2012 1:50:22 PM by  Torsten Lindner [Paessler Support]
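
The authentication-level issue described in the post above can be confirmed from any Windows PowerShell 5.1 session by querying the namespace once at the default level and once with Pkt_Privacy, then looking for event 5605 on the target. This is an added example, not part of the original post; the function names and the host name NODE01 are placeholders, and MSCluster_Cluster is used as the test class.

```powershell
# Added example for Windows PowerShell 5.1 (Get-WmiObject is not available in PowerShell 7).
# Hypothetical helper: query the same class at two DCOM authentication levels.
function Test-WmiAuthLevel {
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # cluster node or cluster name
        [string]$Namespace = 'root\MSCluster',
        [string]$Class     = 'MSCluster_Cluster',
        [pscredential]$Credential
    )
    foreach ($level in 'Default', 'PacketPrivacy') {
        $q = @{
            ComputerName   = $ComputerName
            Namespace      = $Namespace
            Class          = $Class
            Authentication = $level
            ErrorAction    = 'Stop'
        }
        if ($Credential) { $q.Credential = $Credential }
        try {
            $rows    = @(Get-WmiObject @q)
            $outcome = "OK ($($rows.Count) instance(s))"
        } catch {
            # Keep the exception type: access denied and RPC failures look different.
            $outcome = '{0}: {1}' -f $_.Exception.GetType().Name, $_.Exception.Message.Trim()
        }
        [pscustomobject]@{ Authentication = $level; Outcome = $outcome }
    }
}

# Hypothetical helper: fetch recent RequiresEncryption warnings (event 5605) from the target.
function Get-WmiEncryptionWarning {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$MaxEvents = 5)
    Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Microsoft-Windows-WMI'; Id = 5605
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

# 'NODE01' is a placeholder host name.
Test-WmiAuthLevel -ComputerName 'NODE01' | Format-List
Get-WmiEncryptionWarning -ComputerName 'NODE01'
```

If the default-level query fails and the PacketPrivacy query succeeds, the account's permissions are fine and the client's authentication level is the cause.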



Votes:

2

I kept getting the 80041003 error when trying to connect to a machine not in my domain, and I figured out a fix. This might not fix your problem, but I thought I would mention it. What I did was go onto the target machine, right click on the computer icon, and select manage. I then found the "WMI Control", right-clicked on Properties, then went to the Security tab. I clicked on the namespace I was interested in (in my case, root/CIMV2, but you would select root/MSCluster) and then hit the Security button. I added the user I was trying to access with and gave it the following Permissions: Execute Methods, Provider Write, Enable Account, and most importantly, Remote Enable. This last permission is key.

Once I did that, I had no problem adding sensors.

Created on Apr 1, 2014 7:12:08 AM
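
The permissions set through the WMI Control dialog in the post above can also be read back from the namespace security descriptor, which makes it possible to review who holds Remote Enable. This is an added example, not part of the original post; the function name is hypothetical, and it needs an elevated Windows PowerShell 5.1 session.

```powershell
# Added example: list the ACEs on a WMI namespace and flag Remote Enable.
# Access-mask bits for WMI namespace rights.
$WmiRights = [ordered]@{
    'Enable Account'  = 0x1
    'Execute Methods' = 0x2
    'Full Write'      = 0x4
    'Partial Write'   = 0x8
    'Provider Write'  = 0x10
    'Remote Enable'   = 0x20
    'Read Security'   = 0x20000
    'Edit Security'   = 0x40000
}

# Hypothetical helper: decode the DACL returned by __SystemSecurity.GetSecurityDescriptor.
function Get-WmiNamespaceAce {
    param(
        [string]$Namespace    = 'root\CIMV2',
        [string]$ComputerName = '.'
    )
    $sd = (Invoke-WmiMethod -ComputerName $ComputerName -Namespace $Namespace `
            -Path '__SystemSecurity=@' -Name GetSecurityDescriptor -ErrorAction Stop).Descriptor
    foreach ($ace in $sd.DACL) {
        $granted = $WmiRights.Keys | Where-Object { $ace.AccessMask -band $WmiRights[$_] }
        [pscustomobject]@{
            Trustee      = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
            AceType      = switch ($ace.AceType) { 0 { 'Allow' } 1 { 'Deny' } default { $_ } }
            Inherited    = [bool]($ace.AceFlags -band 0x10)      # INHERITED_ACE
            RemoteEnable = [bool]($ace.AccessMask -band 0x20)
            Rights       = $granted -join ', '
        }
    }
}

# Show only the principals that can connect to the namespace remotely.
Get-WmiNamespaceAce -Namespace 'root\CIMV2' |
    Where-Object RemoteEnable |
    Format-Table -AutoSize
```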



Votes:

0

I received this error using WMI to monitor Windows Domain Controllers. The account was a member of Domain Admins. Adding the account to the Builtin\Administrators group allowed WMI monitoring on the DCs to work (even though Domain Admins are already a member of Builtin\Administrators by default).

Created on May 28, 2014 6:15:10 PM



