WMI Namespace-Level Security

Microsoft® Windows® 2000 Scripting Guide

Before a user is allowed to connect to WMI, on either the local computer or a remote computer, the access token for the user account is validated against permissions applied to and stored in the CIM repository.

By default, the built-in Administrators security group is granted full control of WMI and the entire CIM repository on both local and remote computers. All other users, by way of the Everyone group, are granted Enable Account, Execute Methods, and Provider Write on the local computer only. Table 6.2 lists the available WMI permissions, which are configured on the Security tab in the WMI Control MMC Snap-in, systemroot\System32\Wmimgmt.msc.


  • On computers running Windows NT 4.0 SP4, Windows 98, and Windows 95 OSR 2.5, the WMI Control application is named Wbemcntl.exe. Wbemcntl.exe is located in the systemroot\System32\Wbem directory on Windows NT 4.0 SP4.

Table 6.2 WMI Namespace Permissions





Execute Methods

Lets a user call methods in the specific namespace. However, the provider checks to ensure that the user has the right to perform these tasks. For example, a user cannot run a script that stops a service unless the user has the right to stop that service.


Table Bullet


Table Bullet

Full Write

Lets users create or modify a namespace, a system class, or an instance.


Table Bullet


Partial Write

Lets users create or modify any static class or any instance of non-system classes.


Table Bullet


Provider Write

Lets users write classes and instances to WMI providers.


Table Bullet


Table Bullet

Enable Account

Grants read permissions to a WMI namespace. This allows users to run scripts that retrieve data, but only on the local computer.


Table Bullet


Table Bullet

Remote Enable

Lets a user access a WMI namespace from a remote computer. By default, this right is granted only to administrators; regular users cannot retrieve any WMI-related information from a remote computer.


Table Bullet


Read Security

Lets the user read (but not modify) the security descriptor for a WMI namespace.


Table Bullet


Edit Security

Lets the user modify the security descriptor for a WMI namespace.


Table Bullet


WMI permissions are applied at the namespace level and apply to all classes within the namespace. These permissions also apply - potentially - to child namespaces based on inheritance. By default, permissions are explicitly applied to the root namespace only and inherited by all other child namespaces.

Security is checked only when a user connects to the CIMOM. As a result, any changes made to the WMI permissions while a user is connected will not affect that user until he or she establishes a new connection. If you have the Full Write permission when you begin running a script, you (in the context of that script) will continue to have that permission until the script completes. However, if you start a new script, any new permissions will be applied to that particular script.

By default, WMI scripts run in the security context of the user running the script.