A provider, %1, has been registered in the WMI namespace, %2, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Details
Product: Windows Operating System
Event ID: 63
Source: WinMgmt
Version: 5.2
Symbolic Name: WBEM_MC_PROVIDER_SUBSYSTEM_LOCALSYSTEM_PROVIDER_LOAD
Message: A provider, %1, has been registered in the WMI namespace, %2, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
   
Explanation

The Windows Management Instrumentation (WMI) provider subsystem runs individual providers within specific COM servers based on their required security level. Only administrators are allowed to register providers and configure their required security level, and only trusted providers should be configured to use LocalSystem. This warning message is an audit record indicating that the provider is running with the privileges of the LocalSystem account.

   
User Action

Verify that the provider is trusted and requires the privileges of the LocalSystem account.

If the provider is not trusted, change the hosting model to either LocalServiceHost or NetworkServiceHost by changing the HostingModel property of the __Win32Provider instance for the specific provider. To do this, use Cscript to run the following script after modifying the namespace and provider variables to match those reported in the message.

' Change the hosting model for a WMI provider

computer = "."
namespace = "root\cimv2"
provider = "ProviderName"

const wbemNotFound = &h80041002

Set objWMIService = GetObject("winmgmts:\\" & computer & "\" & namespace)
Set colSWbemObjectSet = objWMIService.ExecQuery("select * from __Win32Provider where name = '" & provider & "'")

count = 0
for each providerObj in colSWbemObjectSet
    wscript.echo "Changing hosting model for provider " & provider & " in " & namespace & " namespace"
    wscript.echo "Old value: " & providerObj.HostingModel

    ' Use NetworkServiceHost for providers that need remote access to other machines
    ' Use LocalServiceHost for providers that do not need remote access
    providerObj.HostingModel = "LocalServiceHost"
    providerObj.Put_

    wscript.echo "New value: " & providerObj.HostingModel
    count = count + 1
next

if (count = 0) then
    wscript.echo "Provider " & provider & " not found in " & namespace & " namespace."
end if

If the provider depends upon the higher privileges of the LocalSystem account, it might not function correctly with the lower privilege. Note that some providers included with Windows require LocalSystem to operate correctly.
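
To support the verification step above, the following PowerShell sketch lists every provider whose HostingModel starts with LocalSystem and checks the Authenticode signature of the binary behind it. It is an added example, not part of the original Microsoft guidance; the function names Get-WmiNamespace and Get-LocalSystemProvider are hypothetical, and it assumes in-process providers registered under HKEY_CLASSES_ROOT\CLSID\<clsid>\InprocServer32.

```powershell
# Added example: audit WMI providers registered to run as LocalSystem.
# Run from an elevated PowerShell prompt on the machine that logged Event ID 63.

function Get-WmiNamespace {
    param([string]$Root = 'root')
    $Root   # emit this namespace, then recurse into its children
    Get-CimInstance -Namespace $Root -ClassName __NAMESPACE -ErrorAction SilentlyContinue |
        ForEach-Object { Get-WmiNamespace -Root "$Root\$($_.Name)" }
}

function Get-LocalSystemProvider {
    param([string]$Root = 'root')
    foreach ($ns in Get-WmiNamespace -Root $Root) {
        Get-CimInstance -Namespace $ns -ClassName __Win32Provider -ErrorAction SilentlyContinue |
            Where-Object { $_.HostingModel -like 'LocalSystem*' } |
            ForEach-Object {
                # Resolve the provider's COM class to the binary that implements it.
                $binary = $null
                $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$($_.CLSID)\InprocServer32"
                if ($_.CLSID -and (Test-Path -LiteralPath $key)) {
                    $raw = (Get-Item -LiteralPath $key).GetValue('')   # default value = server path
                    if ($raw) { $binary = [Environment]::ExpandEnvironmentVariables($raw).Trim('"') }
                }
                # Check the signature only when the binary was found on disk.
                $sig = $null
                if ($binary -and (Test-Path -LiteralPath $binary)) {
                    $sig = Get-AuthenticodeSignature -LiteralPath $binary
                }
                [pscustomobject]@{
                    Namespace    = $ns
                    Provider     = $_.Name
                    HostingModel = $_.HostingModel
                    Binary       = $binary
                    Signature    = if ($sig) { $sig.Status } else { 'NotResolved' }
                    Signer       = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                }
            }
    }
}

# Unsigned, invalid or unresolved entries are the ones to review first.
Get-LocalSystemProvider | Sort-Object Signature, Namespace | Format-Table -AutoSize
```

Rows marked NotResolved have no in-process server registration that this sketch could find and need manual review. A valid signature shows who published the binary, not that the provider impersonates callers correctly.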

For more information about provider hosting and security, see the MSDN article Provider Hosting and Security.
