I'm testing various Event log queries to a remote Windows Server 2008 R2 with wbemtest.exe.
The user connected to the server is a non-admin domain user, but it has all the permissions
according to http://msdn.microsoft.com/en-us/library/aa393266.aspx :
1) It is a member of "Distributed COM Users" and "Event Log Readers" groups
2) It was granted "Remote Enable" for WMI root\cimv2 namespace.
When I run the following Notification Query to Event logs:
SELECT * from __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'WIN32_NTLogEvent' AND (TargetInstance.SourceName='Security' or TargetInstance.LogFile='Security')
the query fails with a 0x80041003 access denied error.
A regular query (identical to the previous one) to Event logs succeeds:
Select * from Win32_NTLogEvent Where (Logfile = 'Security' or SourceName = 'Security')
Other Notification queries (not to Event logs), like:
SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'
succeed too.
Please advise.