|Product:||Windows Operating System|
|Message:||A provider, %1, has been registered in the WMI namespace, %2, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.|
The Windows Management Instrumentation (WMI) provider subsystem runs individual providers within specific COM servers based on their required security level. Only administrators are allowed to register providers and configure their required security level, and only trusted providers should be configured to use LocalSystem. This warning message is an audit record indicating that the provider is running with the privileges of the LocalSystem account.
Verify that the provider is trusted and requires the privileges of the LocalSystem account.
If the provider is not trusted, change the hosting model to either LocalServiceHost or NetworkServiceHost by changing the HostingModel property of the _Win32Provider instance for the specific provider. To do this, use Cscript to run the following script after modifying the namespace and provider variables to match those reported in the message.
‘ Change the hosting model for a WMI provider
computer = .
const wbemNotFound = &h80041002
Set objWMIService = GetObject(winmgmts:\\ & computer & \ & namespace)
count = 0
‘ Use NetworkServiceHost for providers that need remote access to other machines
wscript.echo New value: & providerObj.HostingModel
if (count = 0) then
If the provider depends upon the higher privileges of the LocalSystem account, it might not function correctly with the lower privilege. Note that some providers included with Windows require LocalSystem to operate correctly.
For more information about provider hosting and security, see the MSDN article Provider Hosting and Security.