Powershell WMI Permissions issue

I posted this over at the MS Powershell forum but it is quickly falling off the front page so I thought that I would try here since Jeff probably has some valid insights.
 
If I run this:
gwmi win32_process -computer "COMPUTER" -credential "DOMAIN\USER"
And provide the proper password then I get a permission denied error.
However if I do essentially the exact same thing in VBScript:
On Error Resume Next
Dim strComputer
Dim objWMIService
Dim propValue
Dim objItem
Dim SWBemlocator
Dim UserName
Dim Password
Dim colItems
strComputer = "COMPUTER"
UserName = "DOMAIN\USER"
Password = "PASSWORD"
Set SWBemlocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService =
SWBemlocator.ConnectServer(strComputer,"root\CIMV2",UserName,Password)
Set colItems = objWMIService.ExecQuery("Select * from Win32_Process",,48)
For Each objItem in colItems
 WScript.Echo "Caption: " & objItem.Caption
 WScript.Echo "CommandLine: " & objItem.CommandLine
 WScript.Echo "CreationClassName: " & objItem.CreationClassName
 WScript.Echo "CreationDate: " & objItem.CreationDate
 WScript.Echo "CSCreationClassName: " & objItem.CSCreationClassName
 WScript.Echo "CSName: " & objItem.CSName
 WScript.Echo "Description: " & objItem.Description
 WScript.Echo "ExecutablePath: " & objItem.ExecutablePath
 WScript.Echo "ExecutionState: " & objItem.ExecutionState
 WScript.Echo "Handle: " & objItem.Handle
 WScript.Echo "HandleCount: " & objItem.HandleCount
 WScript.Echo "InstallDate: " & objItem.InstallDate
 WScript.Echo "KernelModeTime: " & objItem.KernelModeTime
 WScript.Echo "MaximumWorkingSetSize: " & objItem.MaximumWorkingSetSize
 WScript.Echo "MinimumWorkingSetSize: " & objItem.MinimumWorkingSetSize
 WScript.Echo "Name: " & objItem.Name
 WScript.Echo "OSCreationClassName: " & objItem.OSCreationClassName
 WScript.Echo "OSName: " & objItem.OSName
 WScript.Echo "OtherOperationCount: " & objItem.OtherOperationCount
 WScript.Echo "OtherTransferCount: " & objItem.OtherTransferCount
 WScript.Echo "PageFaults: " & objItem.PageFaults
 WScript.Echo "PageFileUsage: " & objItem.PageFileUsage
 WScript.Echo "ParentProcessId: " & objItem.ParentProcessId
 WScript.Echo "PeakPageFileUsage: " & objItem.PeakPageFileUsage
 WScript.Echo "PeakVirtualSize: " & objItem.PeakVirtualSize
 WScript.Echo "PeakWorkingSetSize: " & objItem.PeakWorkingSetSize
 WScript.Echo "Priority: " & objItem.Priority
 WScript.Echo "PrivatePageCount: " & objItem.PrivatePageCount
 WScript.Echo "ProcessId: " & objItem.ProcessId
 WScript.Echo "QuotaNonPagedPoolUsage: " & objItem.QuotaNonPagedPoolUsage
 WScript.Echo "QuotaPagedPoolUsage: " & objItem.QuotaPagedPoolUsage
 WScript.Echo "QuotaPeakNonPagedPoolUsage: " &
objItem.QuotaPeakNonPagedPoolUsage
 WScript.Echo "QuotaPeakPagedPoolUsage: " & objItem.QuotaPeakPagedPoolUsage
 WScript.Echo "ReadOperationCount: " & objItem.ReadOperationCount
 WScript.Echo "ReadTransferCount: " & objItem.ReadTransferCount
 WScript.Echo "SessionId: " & objItem.SessionId
 WScript.Echo "Status: " & objItem.Status
 WScript.Echo "TerminationDate: " & objItem.TerminationDate
 WScript.Echo "ThreadCount: " & objItem.ThreadCount
 WScript.Echo "UserModeTime: " & objItem.UserModeTime
 WScript.Echo "VirtualSize: " & objItem.VirtualSize
 WScript.Echo "WindowsVersion: " & objItem.WindowsVersion
 WScript.Echo "WorkingSetSize: " & objItem.WorkingSetSize
 WScript.Echo "WriteOperationCount: " & objItem.WriteOperationCount
 WScript.Echo "WriteTransferCount: " & objItem.WriteTransferCount
Next
 
Then it works just fine. Is this a known issue with powershell? Is there
some Powershell setting that is preventing this?
 

I think you would need to use the Get-Credential cmdlet

$credentials = Get-Credential
gwmi win32_process -computer "COMPUTER" -credential $credentials

Yeah, I should have posted that I had tried it with that method as well. Although you can do it the way I posted too.

Ok, some more info. I can run the powershell as an admin then get the remote processes fine. It is just when I run as a regular user and try to pass credentials that I have a problem.

The first thing to remember is that PowerShell is abstracting the .NET classes that work with WMI and those are very different than the COM object we use in VBScript. So I wouldn't be totally surprised if there are differences.  Now I have run into issues with WMI when the computer I'm querying FROM is not in a trusted domain.

You also mention running as adminstrator. Does this mean you are running your script FROM a Vista desktop?  What is the OS on the remote machine?  Vista, UAC and PowerShell add yet another hurdle.

The remote and local machine are both XP. I am 90% certain it is a permissions issue in component permissions I just can't figure out what needs to change.

This does seem odd. If both machines are in the domain, then

gwmi win32_process -computer "COMPUTER" -credential "DOMAIN\USER"

assuming domain\user is an administrator on the remote computer, then this should work. I just tested it between two laptops that are in workgroups, not even domains. I specified the local administrator account on the remote computer and it worked.  Wait one...check that.  I ran


gwmi win32_process -computer "COMPUTER" -credential "DOMAIN\USER"  | select name

and it worked.  I just tried it without piping results to Select and I get:

format-default : Exception retrieving members: "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))"

I'll keep digging.

In looking at my event log on the remote computer, I can see the authentication for the passed credentials.  But I also see failed authentication attempts using the credential of the current logged on user on my computer which of course will fail since the machines are in workgroups. I'm assuming the same thing is happening here. There is some secondary .NET process that PowerShell is calling that doesn't pass the alternate credential. I'm assuming when you get the error, you are using an account that doesn't have admin rights on the remote machine. So PowerShell/.NET is starting a new thread that doesn't inherit the alternate credentials. It inherits the security context of the parent thread, ie PowerShell which is why this all works when you try this from a PowerShell session running under admin credentials.

Do you need to see every single process property? PowerShell doesn't seem to object when you pipe GWMI to Select. There's something about the formatting process where PowerShell/.NET is trying to access something else on the remote system but with invalid credentials.

Thanks for looking into this for me. I will try using the Select trick. I have a function that will start a new process with a specified user's context so for the time beign I can just run powershell with the admin account when I need to access the remote machine. I just wish it worked the way that I expected it to.