
I'm using WMI (Windows Management Instrumentation) to try to collect some information from a lot of remote computers. The issue is that every time I try to initiate a connection to a remote computer/resource using:

//IWbemLocator::ConnectServer method (wbemcli.h)
m_pLoc->ConnectServer ....

where

IWbemLocator *m_pLoc;

(You can assume m_pLoc is correctly initialized), if the remote resource is unavailable, Windows generates a log event in the Windows Event Viewer:

DCOM was unable to communicate with the computer ....using any of the configured protocols; requested by PID .....

The problem is that given a huge number of remotes that at some point are not accessible the logs get flooded.

Is there any way to control or to prevent Windows from pushing an event in the Event Viewer every time I try to initiate a connection? Seems that arguments for:

IWbemLocator::ConnectServer method (wbemcli.h)

or CoCreateInstance used to initialize an IWbemLocator do not permit this sort of very custom configuration I'm looking for. Any suggestion or alternatives? Thank you!

  • I'm sure malware writers would *love* an easy way to suppress Windows Event Log messages, so I hope doing so is not possible. – Jesper Juhl Jul 22 '22 at 16:43
  • Flooded how? Event Viewer has various filtering options. – Paul Sanders Jul 22 '22 at 17:59
  • Or maybe you can find a way of deleting them after the, erm, event. – Paul Sanders Jul 22 '22 at 18:00
  • Change the size of the logs (right click properties) so you don't lose events and then use custom filters to hide the events you are not interested in, or just to show the events you are interested in. – Richard Critten Jul 22 '22 at 18:28
  • @RichardCritten the idea is that, ideally, I want to not modify Event Viewer at all. There are situations of course where I would want to make sure those events (related to connection issues) appear, but usually in situations where I don't have tens of thousands of entries. – Gabriel Grigoras Jul 22 '22 at 18:55
  • @PaulSanders I did not find an easy/elegant solution to clear them up sadly. As far as I have seen you can only remove all but not individual event entries in C++. – Gabriel Grigoras Jul 22 '22 at 18:56

1 Answer


Looking at the message logged in Event Viewer more closely, I can see that this is a DCOM thing, and it looks like you can turn DCOM error logging off by (as usual) tweaking the registry.

The key you want is:

HKEY_LOCAL_MACHINE
    SOFTWARE
        Microsoft
            Ole

And then create a DWORD value in there called ActivationFailureLoggingLevel and set it to 2.

Info gleaned from here. I haven't tested this myself but it looks like it should work.

Paul Sanders
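
Because this value silences a host-wide event source, it is worth auditing where it has been set. The PowerShell below is an added example, not part of the answer above: it reads the value from the key named in the answer and reports whether DCOM activation-failure logging is suppressed. The function name `Get-DcomActivationLoggingPolicy` is hypothetical, and the meanings of levels 0 to 2 follow Microsoft's documentation for this value rather than anything stated on this page.

```powershell
# Added example: audit the DCOM activation-failure logging policy on the local host.
# Level meanings follow Microsoft's documentation for ActivationFailureLoggingLevel.
function Get-DcomActivationLoggingPolicy {
    [CmdletBinding()]
    param(
        # Key named in the answer above.
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Ole'
    )

    $name = 'ActivationFailureLoggingLevel'
    $meaning = @{
        0 = 'Log by default; a client can opt out per call (CLSCTX_NO_FAILURE_LOG)'
        1 = 'Always log activation failures'
        2 = 'Never log activation failures'
    }

    $level    = 0        # documented default when the value is absent
    $explicit = $false
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -ne $key -and $key.GetValueNames() -contains $name) {
        # A value of the wrong type is itself worth flagging, so fail loudly.
        $kind = $key.GetValueKind($name)
        if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
            throw "$name has unexpected type $kind (expected DWord)"
        }
        $level    = [int]$key.GetValue($name)
        $explicit = $true
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Level         = $level
        ExplicitlySet = $explicit
        Meaning       = if ($meaning.ContainsKey($level)) { $meaning[$level] } else { 'Undocumented value' }
        Suppressed    = ($level -eq 2)
    }
}

$policy = Get-DcomActivationLoggingPolicy
$policy | Format-List
if ($policy.Suppressed) {
    Write-Warning 'DCOM activation failures are not being written to the event log on this host.'
}
```

The setting applies to every DCOM client on the machine, not only the process making the WMI connections, so a host reporting `Suppressed = True` has lost this signal for all activation failures.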