Support of Windows Vista / Windows 7

  • Anonymous - 2011-05-31


    First of all I will say that I don’t know if this will ever work, but that’s why I will discuss this ;-).

    The problem is that on Windows Vista / Windows 7 and Windows 2008 you have to change the owner of registry entries from TrustedInstaller to Administrator(s) to make changes to them (see the post from csturtz), and this could not be changed by an MSI package, so you have to do this manually (or does someone have a solution for this?).

    The question is: why does j-interop need these changes and a vbs script does not?

    In Wireshark I could see that j-Interop does a first authentication and then it does a RemoteActivation; the vbs script does nearly the same authentication but then it does an ISystemActivator RemoteCreateInstance.

    So I tried to change this in the JIComServer class by replacing in the init method:

                syntax = "4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0";
                getEndpoint().getSyntax().setUuid(new rpc.core.UUID("4d9f4ab8-7d1c-11cf-861e-0020af6e7c57"));
                remoteActivation = new JIRemActivation(clsid);


                //setup syntax for ISystemActivator
                syntax = "000001A0-0000-0000-C000-000000000046:0.0";
                getEndpoint().getSyntax().setUuid(new rpc.core.UUID("000001A0-0000-0000-C000-000000000046"));
                sysActivator = new JISystemActivator(clsid);
                call(Endpoint.IDEMPOTENT, sysActivator);

    I wrote a class for JISystemActivator (based on JIRemActivation); this class does not work correctly at the moment! Most of the request is hard-coded:

    package org.jinterop.dcom.core;
    import java.util.ArrayList;
    import java.util.HashMap;
    import org.jinterop.dcom.common.JIComVersion;
    import org.jinterop.dcom.common.JIRuntimeException;
    import org.jinterop.dcom.common.JISystem;
    import rpc.core.UUID;
    import ndr.NdrException;
    import ndr.NdrObject;
    import ndr.NetworkDataRepresentation;
    public class JISystemActivator extends NdrObject {
        public static final int RPC_C_IMP_LEVEL_IDENTIFY = 2;
        public static final int RPC_C_IMP_LEVEL_IMPERSONATE = 3;
        private int impersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE;
        private int mode = 0;
        private String monikerName = null;
        private UUID clsid = null;
        private boolean activationSuccessful = false;
        private JIOrpcThat orpcthat = null;
        private byte[] oxid = null;
        private JIDualStringArray dualStringArrayForOxid = null;
        private String ipid = null;
        private String clsidStr = null;
        private int authenticationHint = -1;
        private JIComVersion comVersion = null;
        private int hresult = -1;
        private JIInterfacePointer mInterfacePointer = null;
        boolean isDual = false;
        String dispIpid = null;
        int dispRefs = 5;
        byte[] dispOid = null;
        private JIInterfacePointer iidPtr = null;   
        public JISystemActivator(String clsid)
        {
            this.clsid = new UUID(clsid);
        }
        public void setMode (int mode)
        {
            this.mode = mode;
        }
        public void setClientImpersonationLevel(int implLevel)
        {
            impersonationLevel = implLevel;
        }
        public void setfileMonikerAtServer(String name)
        {
            if (name != null  && !name.equalsIgnoreCase(""))
                monikerName = name;
        }
        public int getOpnum() {
            return 4; // Operation RemoteCreateInstance
        }
        public void write(NetworkDataRepresentation ndr) {
            // OrpcThis
            JIOrpcThis orpcThis = new JIOrpcThis();
            ndr.writeUnsignedLong(0); // Reserved?
            ndr.writeUnsignedLong(0x00020000); // PointVal
            ndr.writeUnsignedLong(744); // CntData: This should be set automatically
            ndr.writeUnsignedLong(744);// ArraySize: This should be set automatically
            // ObjectRef
            ndr.writeUnsignedLong(0x574f454d); // Signature MEWO
            ndr.writeUnsignedLong(4); // OBJREF_CUSTOM
            // IID_IActivationPropertiesIn see
            UUID uuid = new UUID();
            try {
            } catch (NdrException e) {
            }
            // CLSID
            // CLSID_ActivationPropertiesIn see
            try {
            } catch (NdrException e) {
            }
            ndr.writeUnsignedLong(0); // CBExtension        
            ndr.writeUnsignedLong(696); // Size: This should be set automatically
            // TODO: Find out what in that String!
            String str = "b0:02:00:00:00:00:00:00:01:10:08:00:cc:cc:cc:cc:b0:00:00:00:00:00:00:00:b0:02:00:00:c0:00:00:00:00:00:00:00:02:00:00:00:06:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:02:00:04:00:02:00:00:00:00:00:06:00:00:00:b9:01:00:00:00:00:00:00:c0:00:00:00:00:00:00:46:ab:01:00:00:00:00:00:00:c0:00:00:00:00:00:00:46:a5:01:00:00:00:00:00:00:c0:00:00:00:00:00:00:46:a6:01:00:00:00:00:00:00:c0:00:00:00:00:00:00:46:a4:01:00:00:00:00:00:00:c0:00:00:00:00:00:00:46:aa:01:00:00:00:00:00:00:c0:00:00:00:00:00:00:46:06:00:00:00:68:00:00:00:58:00:00:00:90:00:00:00:50:00:00:00:20:00:00:00:30:00:00:00:01:10:08:00:cc:cc:cc:cc:58:00:00:00:00:00:00:00:ff:ff:ff:ff:00:00:00:00:00:00:00:00:00:00:00:00:02:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:14:00:00:00:02:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:01:10:08:00:cc:cc:cc:cc:48:00:00:00:00:00:00:00:5e:f0:c3:8b:6b:d8:d0:11:a0:75:00:c0:4f:b6:88:20:14:00:00:00:00:00:00:00:00:00:00:00:01:00:00:00:00:00:00:00:00:00:02:00:58:00:00:00:05:00:07:00:01:00:00:00:18:ad:09:f3:6a:d8:d0:11:a0:75:00:c0:4f:b6:88:20:00:00:00:00:01:10:08:00:cc:cc:cc:cc:80:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:02:00:00:00:00:00:60:00:00:00:60:00:00:00:4d:45:4f:57:04:00:00:00:c0:01:00:00:00:00:00:00:c0:00:00:00:00:00:00:46:3b:03:00:00:00:00:00:00:c0:00:00:00:00:00:00:46:00:00:00:00:30:00:00:00:01:00:01:00:c1:b9:7b:6f:98:5b:ce:43:86:79:2d:a3:55:ac:72:58:02:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:01:00:00:00:01:10:08:00:cc:cc:cc:cc:40:00:00:00:00:00:00:00:00:00:00:00:00:00:02:00:00:00:00:00:00:00:00:00:04:00:02:00:00:00:00:00:00:00:00:00:0c:00:00:00:00:00:00:00:0c:00:00:00:31:00:30:00:2e:00:31:00:30:00:2e:00:31:00:30:00:2e:00:35:00:39:00:00:00:01:10:08:00:cc:cc:cc:cc:10:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:01:10:08:00:cc:cc:cc:cc:20:00:
00:00:00:00:00:00:00:00:00:00:00:00:02:00:02:00:00:00:01:00:00:00:04:00:02:00:01:00:00:00:07:00:00:00:00:00:00:00";
            String[] strB = str.split(":");
            for (String s : strB) {
            }
        }
        public void read(NetworkDataRepresentation ndr) {
            // TODO: The decoding does not work at the moment
            orpcthat = JIOrpcThat.decode(ndr);
            //now fill the oxid
            // oxid = JIMarshalUnMarshalHelper.readOctetArrayLE(ndr,8);
            long lng = ndr.readUnsignedLong(); //size will be one
            //array length
            lng = ndr.readUnsignedLong();
            //array length
            lng = ndr.readUnsignedLong();
            /// OBJREF
            // Signature MEWO
            lng = ndr.readUnsignedLong();
            // OBJREF_CUSTOM
            lng = ndr.readUnsignedLong();
            // IID
            try {
                UUID ipid2 = new UUID();
                ipid = (ipid2.toString());
            } catch (NdrException e) {
            }
            try {
                UUID ipid2 = new UUID();
                clsidStr = (ipid2.toString());
            } catch (NdrException e) {
            }
            // CBExtension
            lng = ndr.readUnsignedLong();
            // Size
            lng = ndr.readUnsignedLong();
            // Activation Properties out
            lng = ndr.readUnsignedLong();
            lng = ndr.readUnsignedLong();
            // MInterfacePointer
            mInterfacePointer = JIInterfacePointer.decode(ndr, new ArrayList(), JIFlags.FLAG_NULL, new HashMap());
            // pObjectData?
            // IID?
            //final hresult
            int hresult1 = ndr.readUnsignedLong();
            if (hresult1 != 0)
            {
                //something happened.
                throw new JIRuntimeException(hresult1);
            }
        }
        public JIInterfacePointer getInterfacePointer()
        {
            return iidPtr;
        }
        public boolean isActivationSuccessful()
        {
            return activationSuccessful;
        }
        public JIOrpcThat getORPCThat()
        {
            return orpcthat;
        }
        public byte[] getOxid()
        {
            return oxid;
        }
        public JIDualStringArray getDualStringArrayForOxid()
        {
            return dualStringArrayForOxid;
        }
        public int getAuthenticationHint()
        {
            return authenticationHint;
        }
        public JIComVersion getComVersion()
        {
            return comVersion;
        }
        public int getHresult()
        {
            return hresult;
        }
        public JIInterfacePointer getMInterfacePointer()
        {
            return iidPtr;
        }
        public String getIPID()
        {
            return ipid;
        }
    }

    The hard coded request works, but I could not decode the response.

    Do you think this could work once we find out the correct encoding/decoding of the ISystemActivator interface? (I found some documentation but I am not so familiar with C and the network protocols.) If someone has an idea about this, please let me know.

    Kind regards
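
An added example, not part of the original post or of j-interop, that addresses the "Find out what in that String" TODO and the hard-coded 744/696 sizes: it splits a colon-separated dump like `str` into its length-prefixed sections and cross-checks every size field. The layout (an 8-byte size prefix, then sections that each start with `01:10:08:00:cc:cc:cc:cc` plus a length word, the first one opening with totalSize/headerSize) is read off the bytes in the post and is an assumption, as are all function names; the sample input is constructed.

```python
import struct

# Serialization header as it recurs in the post's dump: version 1,
# little-endian (0x10), header length 8, filler 0xcccccccc.
COMMON_HEADER = bytes.fromhex("01100800cccccccc")
# Bytes write() emits before the blob: signature, flags, IID, CLSID,
# CBExtension, Size = 4 + 4 + 16 + 16 + 4 + 4.
OBJREF_CUSTOM_PREFIX = 48


def parse_hex_dump(text):
    """Convert 'b0:02:00:...' (the format of `str` in the post) to bytes."""
    return bytes(int(tok, 16) for tok in "".join(text.split()).split(":") if tok)


def split_activation_blob(blob):
    """Walk the blob section by section and cross-check every length field."""
    if len(blob) < 8:
        raise ValueError("blob is shorter than its 8-byte size prefix")
    dw_size, _reserved = struct.unpack_from("<II", blob, 0)
    if dw_size != len(blob) - 8:
        raise ValueError(f"dwSize says {dw_size}, blob carries {len(blob) - 8}")
    sections, pos = [], 8
    while pos < len(blob):
        if blob[pos:pos + 8] != COMMON_HEADER:
            raise ValueError(f"no serialization header at offset {pos}")
        if pos + 16 > len(blob):
            raise ValueError(f"truncated length header at offset {pos}")
        length, _filler = struct.unpack_from("<II", blob, pos + 8)
        end = pos + 16 + length
        if end > len(blob):
            raise ValueError(f"section at offset {pos} overruns the blob")
        sections.append({"offset": pos, "length": length, "body": blob[pos + 16:end]})
        pos = end
    if not sections or sections[0]["length"] < 8:
        raise ValueError("missing or too-short header section")
    # Assumption from the post's bytes: the first section opens with
    # totalSize and headerSize (0x2b0 and 0xc0 in the post).
    total_size, header_size = struct.unpack_from("<II", sections[0]["body"], 0)
    if total_size != dw_size or header_size != 16 + sections[0]["length"]:
        raise ValueError("totalSize/headerSize disagree with the framing")
    return {"dw_size": dw_size, "header_size": header_size, "sections": sections}


def framing_sizes(blob):
    """Values for the fields the post hard-codes as 696 (Size) and 744 (CntData)."""
    size = len(blob)
    return {"size": size, "cnt_data": size + OBJREF_CUSTOM_PREFIX}


def build_sample_dump():
    """Constructed sample (not the post's bytes): a header and two properties."""
    def section(body):
        return COMMON_HEADER + struct.pack("<II", len(body), 0) + body

    props = [section(bytes(16)),
             section("192.0.2.100\0".encode("utf-16-le"))]
    header_size = 16 + 16
    total = header_size + sum(len(p) for p in props)
    header = section(struct.pack("<IIII", total, header_size, 0, 2))
    blob = struct.pack("<II", total, 0) + header + b"".join(props)
    return ":".join(f"{b:02x}" for b in blob)


if __name__ == "__main__":
    blob = parse_hex_dump(build_sample_dump())
    info = split_activation_blob(blob)
    for sec in info["sections"]:
        print(f"offset {sec['offset']:4d}  length {sec['length']:4d}  "
              f"{sec['body'][:12].hex(':')}")
    print(framing_sizes(blob))
```

Pasting the post's own string into `parse_hex_dump` and passing the result to `split_activation_blob` shows where each property starts, and `framing_sizes` gives the two values the class currently hard-codes.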

  • Vikram Roopchand

        j-Interop only uses the registry when you provide the ProgID (for getting the corresponding CLSID) or if the server returns "Class not registered" exception (and j-Interop is running with AutoRegistration set to "true") in which case it tries to register the COM server.

    SystemActivator is supported by newer versions of DCOM. For all purposes the older version with RemActivation will suffice but if you want you can implement it fully and then submit a patch.

    best regards,

  • Vikram Roopchand

    This means that your handshake is not correct and APIs might have been called out of order. Can you read up on the specs and check?

    best regards,

  • Anonymous - 2011-06-15

    Hi Vikram,

    Yes, the API seems to be called out of order. When I compare the Wireshark capture of the vbs script and the one from j-interop, the order is different and the call IDs are also different.

    Order of vbs script:

    18  3.161.039 TCP 50803 > epmap [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2
    19  3.162.972 TCP epmap > 50803 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 WS=0
    20  3.163.034 TCP 50803 > epmap [ACK] Seq=1 Ack=1 Win=65700 Len=0
    21  3.163.304 DCERPC  Bind: call_id: 2, 2 context items, 1st IOXIDResolver V0.0
    22  3.167.968 DCERPC  Bind_ack: call_id: 2 Unknown result (3), reason: Abstract syntax not supported
    23  3.168.108 IOXIDResolver   ServerAlive2 request
    24  3.170.612 IOXIDResolver   ServerAlive2 response[Long frame (2 bytes)]
    25  3.244.251 TCP 50804 > epmap [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2
    26  3.247.987 TCP epmap > 50804 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 WS=0
    27  3.248.060 TCP 50804 > epmap [ACK] Seq=1 Ack=1 Win=65700 Len=0
    28  3.297.429 DCERPC  Bind: call_id: 3 ISystemActivator V0.0, NTLMSSP_NEGOTIATE
    29  3.300.074 DCERPC  Bind_ack: call_id: 3, NTLMSSP_CHALLENGE accept max_xmit: 5840 max_recv: 5840
    30  3.300.464 DCERPC  AUTH3: call_id: 3, NTLMSSP_AUTH, User: Duderstadt\Administrator
    31  3.300.517 ISystemActivator    RemoteCreateInstance request
    32  3.303.337 TCP epmap > 50804 [ACK] Seq=279 Ack=1479 Win=64240 Len=0
    33  3.350.613 ISystemActivator    RemoteCreateInstance response
    34  3.364.536 TCP 50805 > 35427 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2
    35  3.367.957 TCP 35427 > 50805 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 WS=0
    36  3.368.032 TCP 50805 > 35427 [ACK] Seq=1 Ack=1 Win=65700 Len=0
    37  3.373.741 TCP 50803 > epmap [ACK] Seq=141 Ack=221 Win=65480 Len=0
    38  3.418.488 DCERPC  Bind: call_id: 2, 2 context items, 1st IRemUnknown2 V0.0, NTLMSSP_NEGOTIATE
    39  3.423.305 DCERPC  Bind_ack: call_id: 2, NTLMSSP_CHALLENGE Unknown result (3), reason: Abstract syntax not supported
    40  3.423.693 DCERPC  AUTH3: call_id: 2, NTLMSSP_AUTH, User: Duderstadt\Administrator
    41  3.423.765 IRemUnknown2    RemQueryInterface request IID[1]=IWbemLoginClientID
    42  3.426.302 TCP 35427 > 50805 [ACK] Seq=303 Ack=849 Win=63392 Len=0
    43  3.443.368 IRemUnknown2    RemQueryInterface response S_OK[1] -> S_OK
    44  3.444.071 DCERPC  Alter_context: call_id: 3 IWbemLoginClientID V0.0
    45  3.446.337 DCERPC  Alter_context_resp: call_id: 3 accept max_xmit: 5840 max_recv: 5840
    46  3.446.457 DCERPC  Request: call_id: 3 opnum: 3 ctx_id: 1 IWbemLoginClientID V0
    47  3.447.966 DCERPC  Response: call_id: 3 ctx_id: 1 IWbemLoginClientID V0
    48  3.465.477 DCERPC  Alter_context: call_id: 4 IWbemLevel1Login V0.0
    49  3.467.326 DCERPC  Alter_context_resp: call_id: 4 accept max_xmit: 5840 max_recv: 5840
    50  3.467.551 DCERPC  Request: call_id: 4 opnum: 3 ctx_id: 2 IWbemLevel1Login V0
    51  3.469.465 DCERPC  Response: call_id: 4 ctx_id: 2 IWbemLevel1Login V0
    52  3.469.670 DCERPC  Request: call_id: 5 opnum: 6 ctx_id: 2 IWbemLevel1Login V0
    53  3.477.127 DCERPC  Response: call_id: 5 ctx_id: 2 IWbemLevel1Login V0
    54  3.504.633 IRemUnknown2    RemRelease request Cnt=2 Refs=5-0,5-0
    55  3.515.723 IRemUnknown2    RemRelease response -> S_OK
    56  3.553.771 TCP 50804 > epmap [ACK] Seq=1479 Ack=1423 Win=64276 Len=0
    57  3.636.456 DCERPC  Alter_context: call_id: 7 IWbemServices V0.0, NTLMSSP_NEGOTIATE
    58  3.640.042 DCERPC  Alter_context_resp: call_id: 7, NTLMSSP_CHALLENGE accept max_xmit: 5840 max_recv: 5840
    59  3.640.396 DCERPC  AUTH3: call_id: 7, NTLMSSP_AUTH, User: Duderstadt\Administrator
    60  3.642.103 DCERPC  Request: call_id: 7 opnum: 20 ctx_id: 3 IWbemServices V0
    61  3.643.333 TCP 35427 > 50805 [ACK] Seq=1249 Ack=2491 Win=63366 Len=0
    62  3.657.976 DCERPC  Response: call_id: 7 ctx_id: 3 IWbemServices V0
    63  3.659.653 IRemUnknown2    RemQueryInterface request IID[1]=IWbemFetchSmartEnum
    64  3.662.353 IRemUnknown2    RemQueryInterface response S_OK[1] -> S_OK

    The j-interop wireshark capture is:

    28  5.568.261 TCP 49735 > epmap [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2
    29  5.569.999 TCP epmap > 49735 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 WS=0
    30  5.570.052 TCP 49735 > epmap [ACK] Seq=1 Ack=1 Win=65700 Len=0
    31  5.608.591 DCERPC  Bind: call_id: 0 IOXIDResolver V0.0, NTLMSSP_NEGOTIATE
    32  5.611.773 DCERPC  Bind_ack: call_id: 0, NTLMSSP_CHALLENGE accept max_xmit: 4280 max_recv: 4280
    33  5.634.394 DCERPC  AUTH3: call_id: 0, NTLMSSP_AUTH, User:\Administrator
    34  5.785.329 TCP epmap > 49735 [ACK] Seq=279 Ack=517 Win=63724 Len=0
    35  5.785.392 IOXIDResolver   ServerAlive2 request
    36  5.787.342 IOXIDResolver   ServerAlive2 response[Long frame (2 bytes)]
    37  5.791.124 DCERPC  Alter_context: call_id: 2 ISystemActivator V0.0
    38  5.793.329 DCERPC  Alter_context_resp: call_id: 2 accept max_xmit: 4280 max_recv: 4280
    39  5.816.762 ISystemActivator    RemoteCreateInstance request
    40  5.838.770 ISystemActivator    RemoteCreateInstance response
    41  5.857.361 TCP 49735 > epmap [FIN, ACK] Seq=1439 Ack=1615 Win=65700 Len=0
    42  5.859.147 TCP epmap > 49735 [ACK] Seq=1615 Ack=1440 Win=62802 Len=0
    43  5.859.340 TCP epmap > 49735 [FIN, ACK] Seq=1615 Ack=1440 Win=62802 Len=0
    44  5.859.393 TCP 49735 > epmap [ACK] Seq=1440 Ack=1616 Win=65700 Len=0
    45  5.864.182 TCP 49738 > 35427 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2
    46  5.865.084 TCP 35427 > 49738 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 WS=0
    47  5.865.138 TCP 49738 > 35427 [ACK] Seq=1 Ack=1 Win=65700 Len=0
    48  5.866.737 DCERPC  Bind: call_id: 0 IRemUnknown2 V0.0, NTLMSSP_NEGOTIATE
    49  5.869.685 DCERPC  Bind_ack: call_id: 0, NTLMSSP_CHALLENGE accept max_xmit: 4280 max_recv: 4280
    50  5.879.119 DCERPC  AUTH3: call_id: 0, NTLMSSP_AUTH, User:\Administrator
    52  6.087.123 TCP 35427 > 49738 [ACK] Seq=279 Ack=533 Win=63708 Len=0
    53  6.087.186 IRemUnknown2    RemQueryInterface request IID[1]=IWbemLoginClientID[Long frame (2 bytes)]
    54  6.092.389 DCERPC  Fault: call_id: 1 ctx_id: 0 status: nca_proto_error
    55  6.095.777 TCP 35427 > 49738 [FIN, ACK] Seq=311 Ack=677 Win=63564 Len=0
    56  6.095.856 TCP 49738 > 35427 [ACK] Seq=677 Ack=312 Win=65388 Len=0
    57  6.110.895 IRemUnknown2    RemRelease request Cnt=1 Refs=10-0[Long frame (16 bytes)]
    58  6.111.136 TCP 49738 > 35427 [FIN, ACK] Seq=805 Ack=312 Win=65388 Len=0
    59  6.112.378 TCP 35427 > 49738 [RST, ACK] Seq=312 Ack=805 Win=0 Len=0
    60  6.112.573 TCP 35427 > 49738 [RST] Seq=312 Win=0 Len=0

    How could I influence the order and the call IDs? (If this is a problem.)

    Do you have a good specification document or some keywords for me? I find mostly Wireshark package descriptions, hacks etc. and the .pdf. In the pdf are the descriptions of the calls RemoteCreateInstance and RemQueryInterface, but not the correct call order (maybe I missed something).


    Kind regards

  • Anonymous - 2011-06-15


    OK, it seems that the problem is that I commented out the properties session security (but not all). This violates the protocol.

    Now I get a new exception:

    org.jinterop.dcom.common.JIException: The object invoked has disconnected from its clients. [0x80010108]
        at org.jinterop.dcom.core.JIRemUnknownServer.addRef_ReleaseRef(
        at org.jinterop.dcom.core.JIComObjectImpl2.addRef(
        at org.jinterop.dcom.core.JIComServer.createInstance(
        at org.jinterop.dcom.test.MSWMI2.<init>(
        at org.jinterop.dcom.test.MSWMI2.main(
    Caused by: rpc.FaultException: Received fault. (unknown)
        ... 5 more

    I will do some more testing, but if someone has an idea how I can fix this or any other hint, please post it.


  • Anonymous - 2011-06-17


    this error was caused by connecting to the wrong Object UUID, because it will be overwritten in the JIRemUnknownServer class method addRef_ReleaseRef with remunknownIPID.

    Now I get an “Access is denied” it seems that the RemQueryInterface request needs authentication in this request.

    161 8.999151 IRemUnknown2    RemQueryInterface request IID[1]=IWbemLoginClientID

    Is it possible to add the needed authentication information to the request with the j-interop framework? (Auth type: NTLMSSP, Auth level: Packet (4))


  • Anonymous - 2011-07-04

    Hello Björn.

    Did you make any progress in authenticating with the ISystemActivator?

    We need to query win7 hosts without making any changes to the target host (like creating regKeys) and your approach looks promising.

    Kind regards,

  • Vikram Roopchand

    These (creating keys) and Authentication are two separate things. You might still need to create entries if the COM object is not registered on Target host.

    best regards,

  • Danny Tylman - 2011-07-11

    I am trying to solve the same problem, but I would like to suggest a different approach:
    1. I noted that tools like WMIC (, based on samba4, work against Vista/7/2008 machines.
    2. I checked the code and also sniffed; it uses IWbemLevel1Login::NTLMLogin ( which gives a ptr to IWbemServices.
    This is what wmic does:

        struct com_context *ctx = NULL;
        com_init_ctx(&ctx, NULL, lp_ctx);
        dcom_client_init(ctx, cmdline_credentials);
        if (!args.ns)
            args.ns = "root\\cimv2";
        result = WBEM_ConnectServer(ctx, args.hostname, args.ns, 0, 0, 0, 0, 0, 0, &pWS);
        WERR_CHECK("Login to remote object.");
        struct IEnumWbemClassObject *pEnum = NULL;
        result = IWbemServices_ExecQuery(pWS, ctx, "WQL", args.query, WBEM_FLAG_RETURN_IMMEDIATELY | WBEM_FLAG_ENSURE_LOCATABLE, NULL, &pEnum);
        WERR_CHECK("WMI query execute.");

    And this is what I am trying to do:

        public static final String IID_IWbemLevel1Login = "F309AD18-D86A-11d0-A075-00C04FB68820";
        public static final String CLSID_IWbemLevel1Login = "8BC3F05E-D86B-11d0-A075-00C04FB68820";

        session = JISession.createSession(domain, user, password);
        int timeout = 50000;
        JIComServer winmgmtClass =
                new JIComServer(JIClsid.valueOf(CLSID_IWbemLevel1Login), hostName, session);
        IJIComObject winmgmt = winmgmtClass.createInstance();
        IJIComObject wbemLevel1Login = winmgmt.queryInterface(IID_IWbemLevel1Login);
        JICallBuilder ntlmLoginCall = new JICallBuilder(!wbemLevel1Login.isDispatchSupported());
        ntlmLoginCall.addInParamAsString("root\\CIMV2", JIFlags.FLAG_REPRESENTATION_STRING_LPWSTR);
        ntlmLoginCall.addInParamAsString("", JIFlags.FLAG_REPRESENTATION_STRING_LPWSTR);
        ntlmLoginCall.addInParamAsInt(0, JIFlags.FLAG_REPRESENTATION_VT_INT);
        Object services = new Object();

    (I was playing with the in/out parameters quite a lot, but I guess I am not figuring this right. I also have sniffs of both methods - wmic and jinterop, but it seems jinterop generates an encrypted buffer so I can't compare what I am doing wrong.)

    Any ideas?

  • Danny Tylman - 2011-07-11

    Oh - I forgot an important issue: the wmic implementation for WBEM_ConnectServer

        GUID_from_string(CLSID_WBEMLEVEL1LOGIN, &clsid);
        GUID_from_string(COM_IWBEMLEVEL1LOGIN_UUID, &iid);
        result = dcom_create_object(ctx, &clsid, server, 1, &iid, &mqi, &coresult);
        result = coresult;
        WERR_CHECK("Create remote WMI object.");
        pL = (struct IWbemLevel1Login *)mqi[0];
        result = IWbemLevel1Login_NTLMLogin(pL, ctx, nspace, locale, flags, wbem_ctx, services);
        WERR_CHECK("Login to remote object.");

    And the error I am getting on the j-interop side is:
    Recieved FAULT
    org.jinterop.dcom.common.JIException: The stub received bad data. Please check whether the API has been called in the right way, with correct parameter formation.

  • Anonymous - 2011-07-11


    First you should turn off the encryption by setting:


    After this you could compare the packages. But I am not sure if this will have success, because it seems that you are using the normal j-interop activation, which requires the registry keys. Maybe they are already set for the IWbemLevel1Login.

    If I have time I will have a closer look, but this could take a while … sorry.

    Kind regards

  • Danny Tylman - 2011-07-13


    Thanks for the reply.  seems that

    For the problem of accessing 'out-of-the-box' Vista/7/2008 it seems that IWbemLevel1Login is already registered. So accessing WMI is possible. I got the sense many users need this.

    Strangely, when I try to set encryption to false, the

    IJIComObject winmgmt = winmgmtClass.createInstance();

    fails with the following stack:

     org.jinterop.dcom.common.JIException: Access is denied.  [0x80070005]
        at org.jinterop.dcom.core.JIRemUnknownServer.addRef_ReleaseRef(
        at org.jinterop.dcom.core.JISession.addRef_ReleaseRef(
        at org.jinterop.dcom.core.JIComObjectImpl.addRef(
        at org.jinterop.dcom.core.JIComServer.createInstance(
        at org.jinterop.dcom.test.WMIC.login(
        at org.jinterop.dcom.test.WMIC.main(
    Caused by: org.jinterop.dcom.common.JIRuntimeException: Access is denied.  [0x80070005]
        at org.jinterop.dcom.core.JICallBuilder.readResult(
        at ndr.NdrObject.decode(
        ... 6 more

    Regards, Danny.

  • Vikram Roopchand

    Encryption needs to be set; if I am not mistaken it operates at PCKT_PRIVACY level. I hope you are aware that IWbemXXX has a different marshalling scheme (it is another specification altogether). So we would need to add those structures from the top (something like ITypeLib, ITypeInfo classes in j-Interop).

    best regards,

  • Ron Zeidman - 2012-08-29

    Did your approach succeed? Do you have working code? Should I try to further investigate your lead?

  • Danny Tylman - 2012-08-29

    I continued this some, until reaching the point at which WMI queries are more or less working.

    I have submitted a patch for this, I think; but can't find it now.  This was about 6 months ago, so I don't really remember what is going on over there.

    I can send you the patch if you'd like. Send me your e-mail.


  • Danny Tylman - 2012-08-29
    • Richard - 2012-11-30

      Hi Danny !

      I tried the patch and ran your test case. Fantastic job ! It works well with Windows Server 2003. However, with Windows Server 2008 it works only for the query Win32_OperatingSystem.

      For example, I tried Win32_PerfFormattedData_PerfOS_Memory and Win32_PerfFormattedData_PerfOS_Processor and it throws an Exception at this line :


      java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 0
      at org.jinterop.dcom.impls.wmi.CIMBuffer.getByte(
      at org.jinterop.dcom.impls.wmi.structures.JICIMString.init(
      at org.jinterop.dcom.impls.wmi.structures.JICIMString.readFrom(
      at org.jinterop.dcom.impls.wmi.structures.JICIMHeap.getString(
      at org.jinterop.dcom.impls.wmi.structures.JICIMInstanceType.getName(
      at org.jinterop.dcom.test.WMICTest.executeQuery(
      at org.jinterop.dcom.test.WMICTest.test(
      at org.jinterop.dcom.test.WMICTest.main(

      Any thoughts ?



  • Ron Zeidman - 2012-08-29

    Thanks! I'll test that.

  • Ron Zeidman - 2012-09-11

    Thanks for the patch, works like a charm for queries.
    I've been trying to make methods work.
    I tried to get the class object like this:

    public JIWbemClassObject getObject(String path) throws JIException {
        final int OPNUM_GET_OBJECT = 3;
        JICallBuilder cb = new JICallBuilder(true);
        cb.addInParamAsString(path, JIFlags.FLAG_REPRESENTATION_STRING_BSTR);
        cb.addInParamAsInt(0x00000000, JIFlags.FLAG_NULL); //I also tried cb.addInParamAsInt(0x00000010, JIFlags.FLAG_NULL); and getting the IWbemCallResult
        cb.addInParamAsPointer(new JIPointer(null), JIFlags.FLAG_NULL);
        cb.addOutParamAsType(IJIComObject.class, JIFlags.FLAG_NULL); // IWbemClassObject
        cb.addInParamAsPointer(new JIPointer(null), JIFlags.FLAG_NULL); //
        Object[] res =;
        return new JIWbemClassObject((IJIComObject) res[0]);
    }

    The problem is that I'm getting an empty COM object as a result, and if I'm using your decode function instead of trying to get a COM object, the buffer consists of zeros.
    Do you have any idea what I'm doing wrong here?

  • Danny Tylman - 2012-09-11

    I was also trying to create objects for method invocation. If I remember correctly, the problem is that there is a completely different protocol for methods and objects which has a different encoding. But it has been a long time and I don't remember anymore.. sorry..

    I did it a long time ago, and I was learning from the IDL and sniffing. My starting point was the WMIC implementation of samba4.  Maybe there is some progress on samba4 that can give you a clue to how objects are encoded.


  • Anonymous - 2012-09-11

    Danny is correct.  IWBemClassObject's are encoded per the  specification.  It is a very challenging specification to implement.  If you google for  you will see it.

  • Ron Zeidman - 2012-09-11

    Thanks for the fast response!
    I will try to implement it, but I can't seem to get any response. the


    that should contain the buffer contains 20 zeros. I'm missing something more fundamental here…

