Least privilege DCOM access for windows_exporter (Grafana Alloy)
I'm using the bundled windows_exporter inside Grafana's Alloy service to monitor my Windows VMs.
I do not wish to run this as local admin, so I am running the service as a gMSA.
This works perfectly with membership of the following groups:
- Event Log Readers
- Performance Log Readers
However, the 'update' collector for windows_exporter makes a call to `GetTotalHistoryCount` against wuauserv that fails for the gMSA but succeeds for all regular users (including users not in the local Administrators group).
This PowerShell script, tested as a non-admin user, runs perfectly; however, for the gMSA I receive the error:
```
FAILED at last step above: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
Exception type: System.UnauthorizedAccessException
HResult: 0x80070005
```
The script I'm using:
```powershell
# Minimal Log helper; the original script assumed one was defined elsewhere.
function Log([string]$Message) {
    Write-Output ("{0:HH:mm:ss} {1}" -f (Get-Date), $Message)
}

try {
    Log "Creating Microsoft.Update.Session COM object..."
    $session = New-Object -ComObject Microsoft.Update.Session
    Log "OK: Created session"
    Log "Setting UserLocale..."
    $session.UserLocale = 1033
    Log "OK: Set UserLocale"
    Log "Setting ClientApplicationID..."
    $session.ClientApplicationID = "windows_exporter"
    Log "OK: Set ClientApplicationID"
    Log "Creating update searcher..."
    $searcher = $session.CreateUpdateSearcher()
    Log "OK: Created searcher"
    Log "Setting Online = false..."
    $searcher.Online = $false
    Log "OK: Set Online"
    Log "Calling GetTotalHistoryCount..."
    # This is the call that fails with E_ACCESSDENIED for the gMSA.
    $count = $searcher.GetTotalHistoryCount()
    Log "OK: GetTotalHistoryCount returned $count"
    Log "All checks passed - gMSA has sufficient permissions"
} catch {
    Log "FAILED at last step above: $($_.Exception.Message)"
    Log "Exception type: $($_.Exception.GetType().FullName)"
    Log "HResult: 0x$($_.Exception.HResult.ToString('X8'))"
}
```
As soon as I add the gMSA to Local Admins this succeeds; however, that's far too much privilege for read-only access to a couple of metrics.
Does anyone have insight into what could be going wrong?
I ran Procmon to catch ACCESS DENIED errors, but nothing was caught; it seems the restriction is somehow happening in the RPC handler of wuauserv.
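A diagnostic variant of the check above, added here as an example (not part of the original post or of windows_exporter): it records the identity, admin status and group SIDs of the process before making the same `Microsoft.Update.Session` call, and returns the outcome as objects rather than log lines, so a run under the gMSA can be diffed against a run as a normal user to see exactly which group memberships differ. The `Get-RunContext` and `Test-WuaHistoryAccess` function names are my own.

```powershell
# Added diagnostic example; function names are assumptions, not windows_exporter code.
function Get-RunContext {
    # Capture who we actually are when the COM call is made.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]$id
    $groups = foreach ($sid in $id.Groups) {
        # Translate SIDs to names where possible; keep the raw SID otherwise.
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
    }
    [pscustomobject]@{
        User    = $id.Name
        IsAdmin = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
        Groups  = $groups | Sort-Object
    }
}

function Test-WuaHistoryAccess {
    # Same offline history-count query the 'update' collector performs.
    try {
        $session = New-Object -ComObject Microsoft.Update.Session
        $session.ClientApplicationID = "windows_exporter"
        $searcher = $session.CreateUpdateSearcher()
        $searcher.Online = $false
        $count = $searcher.GetTotalHistoryCount()
        [pscustomobject]@{ Success = $true;  HistoryCount = $count; HResult = '0x00000000'; Error = $null }
    } catch {
        # HResult is a signed Int32; X8 formatting renders it as the familiar 0x8007xxxx form.
        $hr = $_.Exception.HResult
        [pscustomobject]@{ Success = $false; HistoryCount = $null; HResult = ('0x{0:X8}' -f $hr); Error = $_.Exception.Message }
    }
}

# Usage: run once as a normal user and once as the gMSA, then compare the two JSON files.
$report = [pscustomobject]@{
    Context = Get-RunContext
    Result  = Test-WuaHistoryAccess
}
$report | ConvertTo-Json -Depth 4 | Set-Content -Path "$env:TEMP\wua-access-check.json"
$report.Result
```

Comparing the `Groups` lists of the two reports narrows the problem to the token the gMSA receives (the gMSA is a computer-style account, so its group list and logon session differ from an interactive user's), which is where the wuauserv-side access check is most likely being decided; Procmon cannot see that because the denial is returned by the RPC server rather than by a file or registry ACL.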