aj
2009-04-28 07:05:01 UTC
Hi,
I write a small program to do local account auditing by WMI event
notification. The prog runs as a Win32 service with local system privilege in
a workstation connected to a domain controller. The workstation sends many
SMB/RPC packets to the DC due to this WMI async query and cause very high cpu
usage of DC. I just want to audit local users, not domain users. How to
prevent this? Thanks.
The WQL statement is "SELECT * FROM __InstanceOperationEvent WITHIN 10 WHERE
TargetInstance ISA 'Win32_UserAccount'".
I write a small program to do local account auditing by WMI event
notification. The prog runs as a Win32 service with local system privilege in
a workstation connected to a domain controller. The workstation sends many
SMB/RPC packets to the DC due to this WMI async query and cause very high cpu
usage of DC. I just want to audit local users, not domain users. How to
prevent this? Thanks.
The WQL statement is "SELECT * FROM __InstanceOperationEvent WITHIN 10 WHERE
TargetInstance ISA 'Win32_UserAccount'".