OK, I’m probably not the best person to blog about this. But anyway I will write this short note, so that it may save someone else the time I wasted trying to figure this out. Here is the story.
The machine is a member of an Active Directory domain. So far – so good. Pretty common scenario these days. You work on it offline. Also not so uncommon if you are the lucky owner of a laptop. You plan to implement some persistent WMI event handling. So you use the best tool possible to get there (PowerEvents), which you’ve already tested in the office. It went smoothly there. And that’s when the ‘fun’ starts:
I know, I know, the query does not give me any hope of recording any events, but that’s not the point. The original one made more sense, trust me on this one. I wanted to write an article about WMI persistent events, so I needed that to work. Rebooted. No success. Changed the query to something basic (Win32_ProcessStartTrace). No success. Then I decided to use a virtual machine (the DC for my ‘test’ domain) – everything went smoothly. I started to think that this is related to the AD connection: obviously I had one on my virtual DC, but not in my offline lab. Luckily the dark age of dial-up connections is long gone and forgotten; VPN to the rescue! Once I was connected I pressed arrow up. It worked:
I contacted Trevor Sullivan, author of the PowerEvents module and WMI expert. I asked him about this issue and he was able to reproduce it in a more isolated environment. He recorded this strange behaviour, so now it’s saved for future generations 😉
Anyway: the issue is there, so if you want to create persistent event handling in WMI and your computer is a member of a domain, make sure you have a connection to a DC before you proceed. Otherwise you will get an error message that gives you no real clue about what is going on. Trevor’s bet is that the CreatorSID that is added to the record in WMI (I’ve highlighted it on the second screenshot) is to blame. Sounds reasonable enough (if anything in this behaviour can be considered ‘reasonable’, of course). If anybody has another suggestion or can fix it in v-Next, please do so. It’s really confusing for admins like me. 😉
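As an added example (not from the original post and not part of the PowerEvents module), here is a PowerShell pre-flight check for exactly the situation described above: before touching persistent WMI subscriptions on a domain-joined machine, confirm that a domain controller actually answers, and then list the permanent subscriptions already registered in root\subscription with their CreatorSID decoded into a readable SID, so the property Trevor points at can be reviewed directly. The function names are my own; the WMI classes, the Win32_ComputerSystem properties and the .NET DirectoryServices/SecurityIdentifier calls are standard Windows APIs.

```powershell
# Added example, not code from the original post or from the PowerEvents module.
# Pre-flight check before creating a permanent WMI event subscription on a
# domain-joined machine: verify a DC is reachable, then review what is already
# registered (with CreatorSID decoded) in the root\subscription namespace.

function Test-DomainControllerReachable {
    # Returns $true when the machine is not domain-joined (nothing to check)
    # or when a domain controller for the computer's domain answers.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        Write-Verbose 'Machine is not domain-joined; no DC lookup needed.'
        return $true
    }
    try {
        # FindDomainController() throws when no DC can be located/contacted,
        # which is the offline-laptop case from the post.
        $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController()
        Write-Verbose "Domain controller reachable: $($dc.Name)"
        return $true
    } catch {
        Write-Warning "No domain controller reachable for $($cs.Domain): $($_.Exception.Message)"
        return $false
    }
}

function Get-PermanentWmiSubscription {
    # Enumerates event filters, consumers (all derived consumer classes are
    # returned when querying the abstract base) and filter-to-consumer bindings,
    # decoding the CreatorSID byte array into an S-1-5-... string.
    $ns = 'root\subscription'
    foreach ($class in '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding') {
        Get-CimInstance -Namespace $ns -ClassName $class | ForEach-Object {
            $sidText = $null
            if ($_.CreatorSID) {
                $sidText = (New-Object System.Security.Principal.SecurityIdentifier([byte[]]$_.CreatorSID, 0)).Value
            }
            [pscustomobject]@{
                Class      = $_.CimClass.CimClassName
                Name       = if ($_.Name) { $_.Name } else { "$($_.Filter)" }
                Query      = $_.Query          # only __EventFilter carries a query
                CreatorSID = $sidText
            }
        }
    }
}

# Usage: refuse to go further without a DC, otherwise show the current state.
if (-not (Test-DomainControllerReachable)) {
    throw 'No domain controller reachable; connect (e.g. via VPN) before creating persistent WMI event subscriptions.'
}
Get-PermanentWmiSubscription | Format-Table -AutoSize
```

Run it elevated, since reading root\subscription requires administrative rights. The same enumeration is useful after the fact as well: a subscription whose CreatorSID does not resolve to an account you expect is worth a second look, regardless of the DC-connectivity issue.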