Skip to content

Instantly share code, notes, and snippets.

@EvanMcBroom

EvanMcBroom/exec_remote_process.cpp

Last active October 16, 2024 19:25
Show Gist options
  • Save EvanMcBroom/99ea88304faec38d3ed1deefd1aba6f9 to your computer and use it in GitHub Desktop.
Save EvanMcBroom/99ea88304faec38d3ed1deefd1aba6f9 to your computer and use it in GitHub Desktop.
Download ZIP
Examples of using an impersonation token instead of explicit credentials to create a process on a remote host via DCOM and MS-WMI.
Raw
exec_remote_process.cpp
// Copyright (C) 2024 Evan McBroom
#include <Windows.h>
#include <iostream>
#include <vector>
#include <WbemCli.h>
#include <atlbase.h>
#include <iomanip>
// The modified, compiled IDL file from:
// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wmi/
#include "ms_wmi_h.h"
#include "ms_wmi_i.c"
#pragma comment(lib, "WbemUuid.lib")
WCHAR domainName[] = L"DOMAIN NAME";
WCHAR userName[] = L"USER NAME";
WCHAR password[] = L"PASSWORD";
WCHAR address[] = L"IP ADDRESS OR HOST NAME";
WCHAR process[] = L"calc.exe";
// An alternative option to set EOAC_STATIC_CLOAKING or EOAC_DYNAMIC_CLOAKING on an individual
// interface instead of on the entire process (e.g., CoInitializeSecurity) if desired.
bool SetProxyBlanket(IUnknown* iunknown) {
return SUCCEEDED(CoSetProxyBlanket(iunknown, RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHZ_NONE, nullptr, RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_IMP_LEVEL_IMPERSONATE, nullptr, EOAC_STATIC_CLOAKING));
}
int main() {
// Set an impersonation token that will use explicit credentials
// when doing NTLM authentication to a remote host. Kerberos
// tickets may also be added to the logon session via PTT while
// the token is being impersonated.
HANDLE token;
size_t result = LogonUserW(userName, domainName, password, LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, &token);
(void)ImpersonateLoggedOnUser(token);
// Start COM and set it to always use the current impersonation token (e.g., EOAC_STATIC_CLOAKING),
// and for COM to choose how to authenticate (e.g., authentication service = -1). NTLM and/or kerberos
// can be explicitly set via the authentication list parameter if desired.
(void)CoInitialize(nullptr);
result = CoInitializeSecurity(nullptr, -1, nullptr, nullptr, RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_IMP_LEVEL_IMPERSONATE, nullptr, EOAC_STATIC_CLOAKING, nullptr);
// Create an object on a remote host.
// For the CLSID_WbemLevel1Login object, this requires you to use Administrative credentials.
// CLSID_WbemLevel1Login does not allow you to immediately query IWbemLevel1Login so you
// must query for IUnknown first.
COSERVERINFO serverInfo = { 0 };
serverInfo.pwszName = address;
MULTI_QI interfaces = { 0 };
interfaces.pIID = &IID_IUnknown;
if (SUCCEEDED(result = CoCreateInstanceEx(CLSID_WbemLevel1Login, nullptr, CLSCTX_REMOTE_SERVER, &serverInfo, 1, &interfaces))) {
// Convert IUnknown to IWbemLevel1Login.
// This takes a few seconds to complete the first time you do it on the host,
// or if you have not called it in a while and the previous instance has been
// destroyed (e.g., due to a timeout).
CComPtr<IUnknown> iUnknown{ interfaces.pItf };
CComPtr<IWbemLevel1Login> wbemLevel1Login;
if (SUCCEEDED(result = iUnknown.QueryInterface(&wbemLevel1Login))) {
WCHAR address[] = L"ROOT\\CIMV2";
CComPtr<IWbemServices> wbemServices;
if (SUCCEEDED(result = wbemLevel1Login->NTLMLogin(address, nullptr, 0, nullptr, &wbemServices))) {
// Get the WMI object
CComPtr<IWbemClassObject> win32Process;
wbemServices->GetObjectW(CComBSTR{ L"Win32_Process" }, 0, nullptr, &win32Process, nullptr);
// Get the signature (e.g., the definition) of the input parameters.
CComPtr<IWbemClassObject> inSignature;
win32Process->GetMethod(L"Create", 0, &inSignature, nullptr);
CComPtr<IWbemClassObject> inParameters;
// Create an instance of the input parameters for use to set them to
// actual values.
inSignature->SpawnInstance(0, &inParameters);
CComVariant variant(process);
inParameters->Put(L"CommandLine", 0, &variant, 0);
// Execute the Win32_Process:Create and show its output parameters.
CComPtr<IWbemClassObject> outParameters;
wbemServices->ExecMethod(CComBSTR{ "Win32_Process" }, CComBSTR{ "Create" }, 0, nullptr, inParameters, &outParameters, nullptr);
outParameters->Get(L"ProcessId", 0, &variant, nullptr, nullptr);
std::cout << "ProcessId: " << variant.uintVal << std::endl;
outParameters->Get(L"ReturnValue", 0, &variant, nullptr, nullptr);
std::cout << "ReturnValue: " << variant.uintVal << std::endl;
}
std::cout << result;
}
}
if (result) {
std::cout << "Result: " << std::hex << result << std::endl;
}
}
Raw
exec_remote_process.cs
// Copyright (C) 2024 Evan McBroom
// The use of CoInitializeSecurity was previously used to instruct COM to use the executing thread's
// current impersonation token when creating COM objects or interacting with their interfaces. That
// caused an issue when the code was injected into another process which had already called that API
// but with incompatible arguments for this technique. In such cases the code would fail on object
// creation with an access denied error due to COM attempting to create the object with the process's
// primary token.
//
// The code has been updated to remove the use of CoInitializeSecurity to avoid this issue. Now
// CoCreateInstanceEx and CoSetProxyBlanket are used as needed to instruct COM to use the current
// executing thread's current impersonation token when creating COM objects or interacting with their
// interfaces. This same approach can be applied to the C++ version of the proof of concept.
//
// The OleViewDotNet namespaces include modified types from James Forshaw's OleViewDotNet project:
// https://github.com/tyranid/oleviewdotnet
using OleViewDotNet.Interop;
using OleViewDotNet.Marshaling;
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
namespace OleViewDotNet.Interop
{
[Flags]
public enum CLSCTX : uint
{
REMOTE_SERVER = 0x10,
ENABLE_CLOAKING = 0x100000
}
[Flags]
public enum EOLE_AUTHENTICATION_CAPABILITIES
{
STATIC_CLOAKING = 0x20,
DYNAMIC_CLOAKING = 0x40
}
[Flags]
public enum RPC_AUTHN_LEVEL
{
PKT_PRIVACY = 6
}
[Flags]
public enum RPC_IMP_LEVEL
{
IMPERSONATE = 3
}
[Flags]
public enum RPC_C_QOS_CAPABILITIES
{
None = 0
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
internal struct COAUTHINFO
{
public RpcAuthnService dwAuthnSvc;
public int dwAuthzSvc;
[MarshalAs(UnmanagedType.LPWStr)]
public string pwszServerPrincName;
public RPC_AUTHN_LEVEL dwAuthnLevel;
public RPC_IMP_LEVEL dwImpersonationLevel;
public IntPtr pAuthIdentityData;
public RPC_C_QOS_CAPABILITIES dwCapabilities;
}
[StructLayout(LayoutKind.Sequential)]
public struct MULTI_QI : IDisposable
{
private IntPtr pIID;
public IntPtr pItf;
public int hr;
void IDisposable.Dispose()
{
Marshal.FreeCoTaskMem(pIID);
if (pItf != IntPtr.Zero)
{
Marshal.Release(pItf);
pItf = IntPtr.Zero;
}
}
public MULTI_QI(Guid iid)
{
pIID = Marshal.AllocCoTaskMem(16);
Marshal.Copy(iid.ToByteArray(), 0, pIID, 16);
pItf = IntPtr.Zero;
hr = 0;
}
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public sealed class COSERVERINFO
{
private readonly int dwReserved1;
[MarshalAs(UnmanagedType.LPWStr)]
public string pwszName;
public IntPtr pAuthInfo;
private readonly int dwReserved2;
}
internal static class NativeMethods
{
[DllImport("ole32.dll")]
public static extern int CoCreateInstanceEx(in Guid rclsid, IntPtr punkOuter, CLSCTX dwClsCtx, IntPtr pServerInfo, int dwCount, [In, Out] MULTI_QI[] pResults);
}
}
namespace OleViewDotNet.Marshaling
{
public enum RpcAuthnService : int
{
None = 0,
Default = -1,
GSS_Negotiate = 9,
}
}
namespace ExecRemoteProcess
{
class Program
{
// Argument marshaling taking from:
// https://learn.microsoft.com/en-us/dotnet/framework/interop/default-marshalling-for-objects
[ComImport]
[Guid("F309AD18-D86A-11d0-A075-00C04FB68820")]
[InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
public interface IWbemLevel1Login
{
[return: MarshalAs(UnmanagedType.Interface)]
int EstablishPosition(/* ... */);
int RequestChallenge(/* ... */);
int WBEMLogin(/* ... */);
int NTLMLogin([In, MarshalAs(UnmanagedType.LPWStr)] string wszNetworkResource, [In, MarshalAs(UnmanagedType.LPWStr)] string wszPreferredLocale, [In] long lFlags, [In, MarshalAs(UnmanagedType.IUnknown)] Object pCtx, [MarshalAs(UnmanagedType.IUnknown)] ref Object ppNamespace);
}
[ComImport]
[Guid("9556dc99-828c-11cf-a37e-00aa003240c7")]
[InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
public interface IWbemServices
{
[return: MarshalAs(UnmanagedType.Interface)]
int OpenNamespace(/* ... */);
int CancelAsyncCall(/* ... */);
int QueryObjectSink(/* ... */);
int GetObject([MarshalAs(UnmanagedType.BStr)] string strObjectPath, [In] long lFlags, [In, Optional, MarshalAs(UnmanagedType.IUnknown)] Object pCtx, [In, Out, Optional, MarshalAs(UnmanagedType.IUnknown)] ref Object ppObject, [In, Out, Optional, MarshalAs(UnmanagedType.IUnknown)] ref Object ppCallResult);
int GetObjectAsync(/* ... */);
int PutClass(/* ... */);
int PutClassAsync(/* ... */);
int DeleteClass(/* ... */);
int DeleteClassAsync(/* ... */);
int CreateClassEnum(/* ... */);
int CreateClassEnumAsync(/* ... */);
int PutInstance(/* ... */);
int PutInstanceAsync(/* ... */);
int DeleteInstance(/* ... */);
int DeleteInstanceAsync(/* ... */);
int CreateInstanceEnum(/* ... */);
int CreateInstanceEnumAsync(/* ... */);
int ExecQuery(/* ... */);
int ExecQueryAsync(/* ... */);
int ExecNotificationQuery(/* ... */);
int ExecNotificationQueryAsync(/* ... */);
int ExecMethod([MarshalAs(UnmanagedType.BStr)] string strObjectPath, [MarshalAs(UnmanagedType.BStr)] string strMethodName, [In] long lFlags, [In, Optional, MarshalAs(UnmanagedType.IUnknown)] Object pCtx, [In, Optional, MarshalAs(UnmanagedType.IUnknown)] Object pInParams, [In, Out, Optional, MarshalAs(UnmanagedType.IUnknown)] ref Object ppOutParams, [In, Out, Optional, MarshalAs(UnmanagedType.IUnknown)] ref Object ppCallResult);
int ExecMethodAsync(/* ... */);
}
[ComImport]
[Guid("dc12a681-737f-11cf-884d-00aa004b2e24")]
[InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
public interface IWbemClassObject
{
[return: MarshalAs(UnmanagedType.Interface)]
int GetQualifierSet(/* ... */);
int Get([In, MarshalAs(UnmanagedType.LPWStr)] string wszName, [In] long lFlags, [In, Out] ref Object pVal, [In, Out, Optional] ref int pType, [In, Out, Optional] ref int plFlavor);
int Put([In, MarshalAs(UnmanagedType.LPWStr)] string wszName, [In] long lFlags, [In] ref Object pVal, [In, Optional] int Type);
int Delete(/* ... */);
int GetNames(/* ... */);
int BeginEnumeration(/* ... */);
int Next(/* ... */);
int EndEnumeration(/* ... */);
int GetPropertyQualifierSet(/* ... */);
int Clone(/* ... */);
int GetObjectText(/* ... */);
int SpawnDerivedClass(/* ... */);
int SpawnInstance([In] long lFlags, [MarshalAs(UnmanagedType.IUnknown)] ref Object ppNewInstance);
int CompareTo(/* ... */);
int GetPropertyOrigin(/* ... */);
int InheritsFrom(/* ... */);
int GetMethod([In, MarshalAs(UnmanagedType.LPWStr)] string wszName, [In] long lFlags, [MarshalAs(UnmanagedType.IUnknown)] ref Object ppInSignature, [MarshalAs(UnmanagedType.IUnknown)] ref Object ppOutSignature);
int PutMethod(/* ... */);
int DeleteMethod(/* ... */);
int BeginMethodEnumeration(/* ... */);
int NextMethod(/* ... */);
int EndMethodEnumeration(/* ... */);
int GetMethodQualifierSet(/* ... */);
int GetMethodOrigin(/* ... */);
}
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
internal static extern bool LogonUser(String username, String domain, String password, int logonType, int logonProvider, ref IntPtr token);
[DllImport("ole32.dll", CharSet = CharSet.Unicode)]
public static extern int CoSetProxyBlanket(IntPtr pProxy, RpcAuthnService dwAuthnSvc, RpcAuthnService dwAuthzSvc, IntPtr pServerPrincName, RPC_AUTHN_LEVEL dwAuthLevel, RPC_IMP_LEVEL dwImpLevel, IntPtr pAuthInfo, EOLE_AUTHENTICATION_CAPABILITIES dwCapabilities);
static public string domainName = "DOMAIN NAME";
static public string userName = "USER NAME";
static public string password = "PASSWORD";
static public string address = "IP ADDRESS OR HOST NAME";
static public string process = "calc.exe";
static public string cwd = "C:\\Windows\\System32";
static bool SetProxyBlanket(IntPtr comObject)
{
return CoSetProxyBlanket(comObject, RpcAuthnService.Default, RpcAuthnService.Default, IntPtr.Zero, RPC_AUTHN_LEVEL.PKT_PRIVACY, RPC_IMP_LEVEL.IMPERSONATE, IntPtr.Zero, EOLE_AUTHENTICATION_CAPABILITIES.STATIC_CLOAKING) >= 0;
}
static bool SetProxyBlanket(object comObject, Type interfaceType)
{
return SetProxyBlanket(Marshal.GetComInterfaceForObject(comObject, interfaceType));
}
static void Main()
{
// Set an impersonation token that will use explicit credentials
// when doing NTLM authentication to a remote host. Kerberos
// tickets may also be added to the logon session via PTT while
// the token is being impersonated.
var LOGON32_LOGON_NEW_CREDENTIALS = 9;
var LOGON32_PROVIDER_WINNT50 = 3;
IntPtr token = IntPtr.Zero;
LogonUser(userName, domainName, password, LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, ref token);
var context = WindowsIdentity.Impersonate(token);
// Create an object on a remote host.
// For the CLSID_WbemLevel1Login object, this requires you to use Administrative credentials.
// CLSID_WbemLevel1Login does not allow you to immediately query IWbemLevel1Login so you
// must query for IUnknown first.
var CLSID_WbemLevel1Login = new Guid("8BC3F05E-D86B-11D0-A075-00C04FB68820");
var classContext = CLSCTX.REMOTE_SERVER | CLSCTX.ENABLE_CLOAKING; // ENABLE_CLOAKING makes object creation use our impersonation token
var authInfoPtr = Marshal.AllocCoTaskMem(0x100); // Buffer is larger than what is needed
var authInfo = new COAUTHINFO()
{
dwAuthnSvc = RpcAuthnService.Default,
dwAuthzSvc = 0,
pwszServerPrincName = null,
dwAuthnLevel = RPC_AUTHN_LEVEL.PKT_PRIVACY,
dwImpersonationLevel = RPC_IMP_LEVEL.IMPERSONATE,
pAuthIdentityData = IntPtr.Zero,
dwCapabilities = RPC_C_QOS_CAPABILITIES.None
};
Marshal.StructureToPtr(authInfo, authInfoPtr, false);
var serverInfoPtr = Marshal.AllocCoTaskMem(0x100); // Buffer is larger than what is needed
var serverInfo = new COSERVERINFO()
{
pwszName = address,
pAuthInfo = authInfoPtr
};
Marshal.StructureToPtr(serverInfo, serverInfoPtr, false);
var IID_IUnknown = new Guid("00000000-0000-0000-C000-000000000046"); // CLSID_WbemLevel1Login requires IUnknown to be the first interface queried
var multiQi = new MULTI_QI[1];
multiQi[0] = new MULTI_QI(IID_IUnknown);
if (NativeMethods.CoCreateInstanceEx(CLSID_WbemLevel1Login, IntPtr.Zero, classContext, serverInfoPtr, 1, multiQi) >= 0 && multiQi[0].hr == 0)
{
// We need to set the proxy blanket with either STATIC_CLOAKING or DYNAMIC_CLOAKING on
// every interface we acquire to instruct COM to use our current impersonation token
SetProxyBlanket(multiQi[0].pItf);
var wbemLevel1Login = (IWbemLevel1Login)Marshal.GetObjectForIUnknown(multiQi[0].pItf);
SetProxyBlanket(wbemLevel1Login, typeof(IWbemLevel1Login));
// Connect to the required WMI namespace
object output = null;
var result = wbemLevel1Login.NTLMLogin("ROOT\\CIMV2", null, 0, null, ref output);
var wbemServices = (IWbemServices)output;
SetProxyBlanket(wbemServices, typeof(IWbemServices));
// Get an instance of Win32_Process
result = wbemServices.GetObject("Win32_Process", 0, null, ref output, null);
var win32Process = (IWbemClassObject)output;
SetProxyBlanket(win32Process, typeof(IWbemClassObject));
// Get the signature (e.g., the definition) of the input parameters.
result = win32Process.GetMethod("Create", 0, ref output, null);
var inSignature = (IWbemClassObject)output;
SetProxyBlanket(inSignature, typeof(IWbemClassObject));
inSignature.SpawnInstance(0, ref output);
var inParameters = (IWbemClassObject)output;
SetProxyBlanket(inParameters, typeof(IWbemClassObject));
// Get an instance of Win32_ProcessStartup and use it to set the ProcessStartupInformation
// input parameter.
result = wbemServices.GetObject("Win32_ProcessStartup", 0, null, ref output, null);
inSignature = (IWbemClassObject)output;
SetProxyBlanket(inSignature, typeof(IWbemClassObject));
inSignature.SpawnInstance(0, ref output);
var win32ProcessStartupInstance = (IWbemClassObject)output;
SetProxyBlanket(win32ProcessStartupInstance, typeof(IWbemClassObject));
var input = (object)5; // SW_HIDE
result = win32ProcessStartupInstance.Put("ShowWindow", 0, ref input);
input = 0x01000000; // CREATE_BREAKAWAY_FROM_JOB
result = win32ProcessStartupInstance.Put("CreateFlags", 0, ref input);
input = (object)win32ProcessStartupInstance;
result = inParameters.Put("ProcessStartupInformation", 0, ref input);
// Set the CommandLine input parameter
input = (object)process;
result = inParameters.Put("CommandLine", 0, ref input);
input = (object)cwd;
result = inParameters.Put("CurrentDirectory", 0, ref input);
// Execute the Win32_Process:Create and show its output parameters.
result = wbemServices.ExecMethod("Win32_Process", "Create", 0, null, inParameters, ref output, null);
Object value = null;
var outParameters = (IWbemClassObject)output;
SetProxyBlanket(outParameters, typeof(IWbemClassObject));
outParameters.Get("ProcessId", 0, ref value);
Console.Out.WriteLine("ProcessId: " + value.ToString());
outParameters.Get("ReturnValue", 0, ref value);
Console.Out.WriteLine("ReturnValue: " + value.ToString());
Console.In.ReadLine();
}
Marshal.FreeCoTaskMem(authInfoPtr);
Marshal.FreeCoTaskMem(serverInfoPtr);
}
}
}
Raw
ms_wmi.idl
// The IDL from the following link, modified to compile cleanly.
// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wmi/c2ea576a-0a62-4da8-a472-bafde9541f0f
import "oaidl.idl";
import "ocidl.idl";
interface IWbemClassObject;
interface IWbemServices;
interface IWbemObjectSink;
interface IEnumWbemClassObject;
interface IWbemCallResult;
interface IWbemContext;
interface IWbemBackupRestore;
interface IWbemBackupRestoreEx;
interface IWbemLoginClientID;
interface IWbemLevel1Login;
interface IWbemLoginHelper;
[
restricted,
uuid(8BC3F05E-D86B-11d0-A075-00C04FB68820)
]
coclass WbemLevel1Login {
interface IWbemLevel1Login;
};
[
restricted,
uuid(674B6698-EE92-11d0-AD71-00C04FD8FDFF)
]
coclass WbemContext
{
interface IWbemContext;
};
[
uuid(9A653086-174F-11d2-B5F9-00104B703EFD)
]
coclass WbemClassObject
{
interface IWbemClassObject;
};
[
uuid(C49E32C6-BC8B-11d2-85D4-00105A1F8304)
]
coclass WbemBackupRestore
{
interface IWbemBackupRestoreEx;
};
#define OPTIONAL in, unique
interface IWbemQualifierSet;
[
local,
restricted,
object,
uuid(dc12a681-737f-11cf-884d-00aa004b2e24)
]
interface IWbemClassObject : IUnknown
{
};
interface IWbemServices;
[
object,
restricted,
uuid(7c857801-7381-11cf-884d-00aa004b2e24)
]
interface IWbemObjectSink : IUnknown
{
HRESULT Indicate(
[in] long lObjectCount,
[in, size_is(lObjectCount)]
IWbemClassObject** apObjArray
);
HRESULT SetStatus(
[in] long lFlags,
[in] HRESULT hResult,
[in] BSTR strParam,
[in] IWbemClassObject* pObjParam
);
};
[
object,
restricted,
uuid(027947e1-d731-11ce-a357-000000000001)
]
interface IEnumWbemClassObject : IUnknown
{
HRESULT Reset();
HRESULT Next(
[in] long lTimeout,
[in] ULONG uCount,
[out, size_is(uCount), length_is(*puReturned)]
IWbemClassObject** apObjects,
[out] ULONG* puReturned
);
HRESULT NextAsync(
[in] ULONG uCount,
[in] IWbemObjectSink* pSink
);
HRESULT Clone(
[out] IEnumWbemClassObject** ppEnum
);
HRESULT Skip(
[in] long lTimeout,
[in] ULONG nCount
);
};
[
object,
restricted,
local,
uuid(44aca674-e8fc-11d0-a07c-00c04fb68820)
]
interface IWbemContext : IUnknown
{
};
[
object,
restricted,
uuid(44aca675-e8fc-11d0-a07c-00c04fb68820)
]
interface IWbemCallResult : IUnknown
{
HRESULT GetResultObject(
[in] long lTimeout,
[out] IWbemClassObject** ppResultObject
);
HRESULT GetResultString(
[in] long lTimeout,
[out] BSTR* pstrResultString
);
HRESULT GetResultServices(
[in] long lTimeout,
[out] IWbemServices** ppServices
);
HRESULT GetCallStatus(
[in] long lTimeout,
[out] long* plStatus
);
};
[
object,
restricted,
uuid(9556dc99-828c-11cf-a37e-00aa003240c7),
pointer_default(unique)
]
interface IWbemServices : IUnknown
{
HRESULT OpenNamespace(
[in] const BSTR strNamespace,
[in] long lFlags,
[in] IWbemContext* pCtx,
[out, in, unique] IWbemServices** ppWorkingNamespace,
[out, in, unique] IWbemCallResult** ppResult
);
HRESULT CancelAsyncCall(
[in] IWbemObjectSink* pSink
);
HRESULT QueryObjectSink(
[in] long lFlags,
[out] IWbemObjectSink** ppResponseHandler
);
HRESULT GetObject(
[in] const BSTR strObjectPath,
[in] long lFlags,
[in] IWbemContext* pCtx,
[out, in, unique] IWbemClassObject** ppObject,
[out, in, unique] IWbemCallResult** ppCallResult
);
HRESULT GetObjectAsync(
[in] const BSTR strObjectPath,
[in] long lFlags,
[in] IWbemContext* pCtx,
[in] IWbemObjectSink* pResponseHandler
);
HRESULT PutClass(
[in] IWbemClassObject* pObject,
[in] long lFlags,
[in] IWbemContext* pCtx,
[out, in, unique] IWbemCallResult** ppCallResult
);
HRESULT PutClassAsync(
[in] IWbemClassObject* pObject,
[in] long lFlags,
[in] IWbemContext* pCtx,
[in] IWbemObjectSink* pResponseHandler
);
HRESULT DeleteClass(
[in] const BSTR strClass,
[in] long lFlags,
[in] IWbemContext* pCtx,
[out, in, unique] IWbemCallResult** ppCallResult
);
HRESULT DeleteClassAsync(
[in] const BSTR strClass,
[in] long lFlags,
[in] IWbemContext* pCtx,
[in] IWbemObjectSink* pResponseHandler
);
HRESULT CreateClassEnum(
[in] const BSTR strSuperclass,
[in] long lFlags,
[in] IWbemContext* pCtx,
[out] IEnumWbemClassObject** ppEnum
);
HRESULT CreateClassEnumAsync(
[in] const BSTR strSuperclass,
[in] long lFlags,
[in] IWbemContext* pCtx,
[in] IWbemObjectSink* pResponseHandler
);
HRESULT PutInstance(
[in] IWbemClassObject* pInst,
[in] long lFlags,
[in] IWbemContext* pCtx,
[out, in, unique] IWbemCallResult** ppCallResult
);
HRESULT PutInstanceAsync(
[in] IWbemClassObject* pInst,
[in] long lFlags,
[in] IWbemContext* pCtx,
[in] IWbemObjectSink* pResponseHandler
);
HRESULT DeleteInstance(
[in] const BSTR strObjectPath,
[in] long lFlags,
[in] IWbemContext* pCtx,
[out, in, unique] IWbemCallResult** ppCallResult
);
HRESULT DeleteInstanceAsync(
[in] const BSTR strObjectPath,
[in] long lFlags,
[in] IWbemContext* pCtx,
[in] IWbemObjectSink* pResponseHandler
);
HRESULT CreateInstanceEnum(
[in] const BSTR strSuperClass,
[in] long lFlags,
[in] IWbemContext* pCtx,
[out] IEnumWbemClassObject** ppEnum
);
HRESULT CreateInstanceEnumAsync(
[in] const BSTR strSuperClass,
[in] long lFlags,
[in] IWbemContext* pCtx,
[in] IWbemObjectSink* pResponseHandler
);
HRESULT ExecQuery(
[in] const BSTR strQueryLanguage,
[in] const BSTR strQuery,
[in] long lFlags,
[in] IWbemContext* pCtx,
[out] IEnumWbemClassObject** ppEnum
);
HRESULT ExecQueryAsync(
[in] const BSTR strQueryLanguage,
[in] const BSTR strQuery,
[in] long lFlags,
[in] IWbemContext* pCtx,
[in] IWbemObjectSink* pResponseHandler
);
HRESULT ExecNotificationQuery(
[in] const BSTR strQueryLanguage,
[in] const BSTR strQuery,
[in] long lFlags,
[in] IWbemContext* pCtx,
[out] IEnumWbemClassObject** ppEnum
);
HRESULT ExecNotificationQueryAsync(
[in] const BSTR strQueryLanguage,
[in] const BSTR strQuery,
[in] long lFlags,
[in] IWbemContext* pCtx,
[in] IWbemObjectSink* pResponseHandler
);
HRESULT ExecMethod(
[in] const BSTR strObjectPath,
[in] const BSTR strMethodName,
[in] long lFlags,
[in] IWbemContext* pCtx,
[in] IWbemClassObject* pInParams,
[out, in, unique] IWbemClassObject** ppOutParams,
[out, in, unique] IWbemCallResult** ppCallResult
);
HRESULT ExecMethodAsync(
[in] const BSTR strObjectPath,
[in] const BSTR strMethodName,
[in] long lFlags,
[in] IWbemContext* pCtx,
[in] IWbemClassObject* pInParams,
[in] IWbemObjectSink* pResponseHandler
);
};
[
object,
restricted,
uuid(C49E32C7-BC8B-11d2-85D4-00105A1F8304)
]
interface IWbemBackupRestore : IUnknown
{
HRESULT Backup(
[in, string] LPCWSTR strBackupToFile,
[in] long lFlags
);
HRESULT Restore(
[in, string] LPCWSTR strRestoreFromFile,
[in] long lFlags
);
};
[
object,
restricted,
uuid(A359DEC5-E813-4834-8A2A-BA7F1D777D76)
]
interface IWbemBackupRestoreEx : IWbemBackupRestore
{
HRESULT Pause();
HRESULT Resume();
};
typedef enum _WBEM_REFR_VERSION_NUMBER {
WBEM_REFRESHER_VERSION = 2
} WBEM_REFR_VERSION_NUMBER;
typedef [v1_enum] enum _WBEM_INSTANCE_BLOB_TYPE {
WBEM_BLOB_TYPE_ALL = 2,
WBEM_BLOB_TYPE_ERROR = 3,
WBEM_BLOB_TYPE_ENUM = 4
} WBEM_INSTANCE_BLOB_TYPE;
typedef struct _WBEM_REFRESHED_OBJECT {
long m_lRequestId;
WBEM_INSTANCE_BLOB_TYPE m_lBlobType;
long m_lBlobLength;
[size_is(m_lBlobLength)] byte* m_pbBlob;
} WBEM_REFRESHED_OBJECT;
[
restricted,
uuid(F1E9C5B2-F59B-11d2-B362-00105A1F8177)
]
interface IWbemRemoteRefresher : IUnknown {
HRESULT RemoteRefresh(
[in] long lFlags,
[out] long* plNumObjects,
[out, size_is(, *plNumObjects)]
WBEM_REFRESHED_OBJECT** paObjects
);
HRESULT StopRefreshing(
[in] long lNumIds,
[in, size_is(lNumIds)] long* aplIds,
[in] long lFlags
);
HRESULT Opnum5NotUsedOnWire(
[in] long lFlags,
[out] GUID* pGuid
);
};
typedef struct {
IWbemRemoteRefresher* m_pRefresher;
IWbemClassObject* m_pTemplate;
GUID m_Guid;
} _WBEM_REFRESH_INFO_REMOTE;
typedef struct {
[string] wchar_t* m_wszNamespace;
IWbemClassObject* m_pTemplate;
} _WBEM_REFRESH_INFO_NON_HIPERF;
typedef enum
{
WBEM_REFRESH_TYPE_INVALID = 0,
WBEM_REFRESH_TYPE_REMOTE = 3,
WBEM_REFRESH_TYPE_NON_HIPERF = 6
}WBEM_REFRESH_TYPE;
typedef [switch_type(long)] union {
[case (WBEM_REFRESH_TYPE_REMOTE)]
_WBEM_REFRESH_INFO_REMOTE m_Remote;
[case (WBEM_REFRESH_TYPE_NON_HIPERF)]
_WBEM_REFRESH_INFO_NON_HIPERF m_NonHiPerf;
[case (WBEM_REFRESH_TYPE_INVALID)]
HRESULT m_hres;
} WBEM_REFRESH_INFO_UNION;
typedef struct {
long m_lType;
[switch_is(m_lType)] WBEM_REFRESH_INFO_UNION m_Info;
long m_lCancelId;
} _WBEM_REFRESH_INFO;
typedef struct {
[string] LPSTR m_szMachineName;
DWORD m_dwProcessId;
GUID m_guidRefresherId;
} _WBEM_REFRESHER_ID;
typedef enum {
WBEM_RECONNECT_TYPE_OBJECT = 0,
WBEM_RECONNECT_TYPE_ENUM = 1,
WBEM_RECONNECT_TYPE_LAST = 2
}WBEM_RECONNECT_TYPE;
typedef struct {
long m_lType;
[string] LPCWSTR m_pwcsPath;
} _WBEM_RECONNECT_INFO;
typedef struct {
long m_lId;
HRESULT m_hr;
} _WBEM_RECONNECT_RESULTS;
[
restricted,
uuid(2C9273E0-1DC3-11d3-B364-00105A1F8177)
]
interface IWbemRefreshingServices : IUnknown
{
HRESULT AddObjectToRefresher(
[in] _WBEM_REFRESHER_ID* pRefresherId,
[in, string] LPCWSTR wszPath,
[in] long lFlags,
[in] IWbemContext* pContext,
[in] DWORD dwClientRefrVersion,
[out] _WBEM_REFRESH_INFO* pInfo,
[out] DWORD* pdwSvrRefrVersion
);
HRESULT AddObjectToRefresherByTemplate(
[in] _WBEM_REFRESHER_ID* pRefresherId,
[in] IWbemClassObject* pTemplate,
[in] long lFlags,
[in] IWbemContext* pContext,
[in] DWORD dwClientRefrVersion,
[out] _WBEM_REFRESH_INFO* pInfo,
[out] DWORD* pdwSvrRefrVersion
);
HRESULT AddEnumToRefresher(
[in] _WBEM_REFRESHER_ID* pRefresherId,
[in, string] LPCWSTR wszClass,
[in] long lFlags,
[in] IWbemContext* pContext,
[in] DWORD dwClientRefrVersion,
[out] _WBEM_REFRESH_INFO* pInfo,
[out] DWORD* pdwSvrRefrVersion
);
HRESULT RemoveObjectFromRefresher(
[in] _WBEM_REFRESHER_ID* pRefresherId,
[in] long lId,
[in] long lFlags,
[in] DWORD dwClientRefrVersion,
[out] DWORD* pdwSvrRefrVersion
);
HRESULT GetRemoteRefresher(
[in] _WBEM_REFRESHER_ID* pRefresherId,
[in] long lFlags,
[in] DWORD dwClientRefrVersion,
[out] IWbemRemoteRefresher** ppRemRefresher,
[out] GUID* pGuid,
[out] DWORD* pdwSvrRefrVersion
);
HRESULT ReconnectRemoteRefresher(
[in] _WBEM_REFRESHER_ID* pRefresherId,
[in] long lFlags,
[in] long lNumObjects,
[in] DWORD dwClientRefrVersion,
[in, size_is(lNumObjects)]
_WBEM_RECONNECT_INFO* apReconnectInfo,
[in, out, size_is(lNumObjects)]
_WBEM_RECONNECT_RESULTS* apReconnectResults,
[out] DWORD* pdwSvrRefrVersion
);
};
[
restricted,
object,
uuid(423EC01E-2E35-11d2-B604-00104B703EFD)
]
interface IWbemWCOSmartEnum : IUnknown
{
HRESULT Next(
[in] REFGUID proxyGUID,
[in] long lTimeout,
[in] ULONG uCount,
[out] ULONG* puReturned,
[out] ULONG* pdwBuffSize,
[out, size_is(, *pdwBuffSize)] byte** pBuffer
);
};
[
restricted,
object,
uuid(1C1C45EE-4395-11d2-B60B-00104B703EFD)
]
interface IWbemFetchSmartEnum : IUnknown
{
HRESULT GetSmartEnum(
[out] IWbemWCOSmartEnum** ppSmartEnum
);
};
[
restricted,
object,
uuid(d4781cd6-e5d3-44df-ad94-930efe48a887)
]
interface IWbemLoginClientID : IUnknown
{
HRESULT SetClientInfo(
[in, unique, string] LPWSTR wszClientMachine,
[in] long lClientProcId,
[in] long lReserved
);
};
[
object,
restricted,
uuid(F309AD18-D86A-11d0-A075-00C04FB68820),
pointer_default(unique)
]
interface IWbemLevel1Login : IUnknown
{
HRESULT EstablishPosition(
[in, unique, string] wchar_t* reserved1,
[in] DWORD reserved2,
[out] DWORD* LocaleVersion
);
HRESULT RequestChallenge(
[in, unique, string] wchar_t* reserved1,
[in, unique, string] wchar_t* reserved2,
[out, size_is(16), length_is(16)] unsigned char* reserved3
);
HRESULT WBEMLogin(
[in, unique, string] wchar_t* reserved1,
[in, size_is(16), length_is(16), unique]
unsigned char* reserved2,
[in] long reserved3,
[in] IWbemContext* reserved4,
[out] IWbemServices** reserved5
);
HRESULT NTLMLogin(
[in, unique, string] LPWSTR wszNetworkResource,
[in, unique, string] LPWSTR wszPreferredLocale,
[in] long lFlags,
[in] IWbemContext* pCtx,
[out] IWbemServices** ppNamespace
);
};
[
restricted,
object,
uuid(541679AB-2E5F-11d3-B34E-00104BCC4B4A)
]
interface IWbemLoginHelper : IUnknown
{
HRESULT SetEvent(
[in] LPCSTR sEventToSet
);
};
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment