Security Issues If you are collecting data using the registry, monitoring a remote computer requires the use of the Remote Registry Service. If the service stops due to failure, the system restarts it automatically only once. Therefore, if the service stops more than once, you must restart the service manually on the second and any subsequent failures. To change this default behavior, modify the properties for Remote Registry Service. You can access service properties using Services under Services and Applications in Computer Management or under Administrative Tools. Also check the application and system logs in Event Viewer for events that might explain why the service stopped. In addition, remote data collection requires access to certain registry subkeys and system files. Users need a minimum of Read access to the Winreg subkey in HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Control \SecurePipeServers to provide remote access to the registry for the purpose of collecting data on remote systems. By default, members of the Administrators group have Full Control access and members of the Backup Operators group have Read access. Users also need Read access to the registry subkey that stores counter names and descriptions used by System Monitor. This subkey is HKEY_LOCAL_MACHINE \SOFTWARE \Microsoft \Windows NT\CurrentVersion\Perflib\LanguageID, where LanguageID is the numeric code for the spoken language for the operating system installation. (For the English language, the subkey is Perflib\009.) By default, members of the Administrators and Creator Owners groups, and the System account, have Full Control access. Therefore, a local user on a server who isn't logged on as an administrator will not be able to see performance counters. Users might also require Read access to the files that supply counter names and descriptions to the registry, Perfc*.dat and Perfh*.dat. (The asterisk is a wildcard character representing the specific language code; for English, these are Perfc009.dat and Perfh009.dat.) If these files reside on an NTFS file system volume, then, in order to have access to them, the access control lists (ACLs) on these files must specify that the user has such access. By default, members of the Administrators and Interactive groups have sufficient access. The remote computer allows access only to user accounts that have permission to access it. In order to monitor remote computers, the Performance Logs and Alerts service must be started in an account that has permission to access the remote computers you are attempting to monitor. By default, the service is started under the local computer's system account, which generally has permission to access only services and resources on the local computer. To start this under a different account, start Computer Management, double-click Services and Applications, and then click Services. Click Performance Logs and Alerts, and update the properties under the Log On tab. To monitor using counter logs or alerts, you must also have permission to read the HKEY_CURRENT_MACHINE \SYSTEM \CurrentControlSet \Services \SysmonLog \LogQueries registry subkey.) In general, administrators have this access by default. In each case, attempting to use the tools without appropriate permissions will generate an error message. If you are collecting data remotely by means of WMI, the user must be a member of the Administrators group.
If you are collecting data using the registry, monitoring a remote computer requires the use of the Remote Registry Service. If the service stops due to failure, the system restarts it automatically only once. Therefore, if the service stops more than once, you must restart the service manually on the second and any subsequent failures. To change this default behavior, modify the properties for Remote Registry Service. You can access service properties using Services under Services and Applications in Computer Management or under Administrative Tools. Also check the application and system logs in Event Viewer for events that might explain why the service stopped. In addition, remote data collection requires access to certain registry subkeys and system files. Users need a minimum of Read access to the Winreg subkey in HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Control \SecurePipeServers to provide remote access to the registry for the purpose of collecting data on remote systems. By default, members of the Administrators group have Full Control access and members of the Backup Operators group have Read access. Users also need Read access to the registry subkey that stores counter names and descriptions used by System Monitor. This subkey is HKEY_LOCAL_MACHINE \SOFTWARE \Microsoft \Windows NT\CurrentVersion\Perflib\LanguageID, where LanguageID is the numeric code for the spoken language for the operating system installation. (For the English language, the subkey is Perflib\009.) By default, members of the Administrators and Creator Owners groups, and the System account, have Full Control access. Therefore, a local user on a server who isn't logged on as an administrator will not be able to see performance counters. Users might also require Read access to the files that supply counter names and descriptions to the registry, Perfc*.dat and Perfh*.dat. (The asterisk is a wildcard character representing the specific language code; for English, these are Perfc009.dat and Perfh009.dat.) If these files reside on an NTFS file system volume, then, in order to have access to them, the access control lists (ACLs) on these files must specify that the user has such access. By default, members of the Administrators and Interactive groups have sufficient access. The remote computer allows access only to user accounts that have permission to access it. In order to monitor remote computers, the Performance Logs and Alerts service must be started in an account that has permission to access the remote computers you are attempting to monitor. By default, the service is started under the local computer's system account, which generally has permission to access only services and resources on the local computer. To start this under a different account, start Computer Management, double-click Services and Applications, and then click Services. Click Performance Logs and Alerts, and update the properties under the Log On tab. To monitor using counter logs or alerts, you must also have permission to read the HKEY_CURRENT_MACHINE \SYSTEM \CurrentControlSet \Services \SysmonLog \LogQueries registry subkey.) In general, administrators have this access by default. In each case, attempting to use the tools without appropriate permissions will generate an error message. If you are collecting data remotely by means of WMI, the user must be a member of the Administrators group.