FAQ for security enhancements posted on 05/19

This post covers some FAQs on the WMI changes detailed here on 5/19 and is intended to address common questions about the two new running modes for the WMI provider host process.

Question: How do I identify whether the WMI provider used by our product is launched in secure mode?

Answer: Check the registry values under the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders.

If your provider is present under this registry key, it will be launched in secure mode.

Question: How do I control these registry keys when deploying across an enterprise?

Answer: Review the following MSDN topic on setting the registry keys through Group Policy (GP): Registry Keys for Controlling Provider Security


Question: How do I control the behavior of a single provider that my product uses? I want to move it to secure mode.

Answer: Check the registry values under the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders.

Then add your provider to that registry key as a value in the following format:

<Namespace>:__Win32Provider.Name="<ProviderName>" REG_SZ 0

(Use either __Win32Provider or the provider class derived from __Win32Provider.)

Example provider names:


Question: After I move my provider to secure mode, my application/product quits working. What should I do?

Answer: Move your provider back to compatibility mode, then contact the company that wrote the WMI provider for you. As a workaround, you can add your provider to the following registry key:

HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\CompatibleHostProviders

Question: How do I verify the WMI provider used by our product is launched in secure mode?

Answer: Use the following steps to verify if your provider is launched in secure mode:

1) Log on as an Administrator to a computer that has your product installed.

2) Download and install the ProcExplorer tool.

3) Run ProcExplorer as administrator.

4) Open the Lower Pane view by selecting View -> Lower Pane View -> Handles (or use CTRL + H).

5) Using Task Manager, identify and kill all 'wmiprvse.exe' processes running under the context of Network Service or Local Service.

6) Execute a test case for your application that exercises a WMI Query using a specific WMI Provider.

7) This will create a new WMIPrvSE.exe process to service the new WMI Query that you just executed.

8) On the process explorer toolbar, ensure that you have selected View DLLs as shown in the figure below.

9) Look in the lower pane to see whether your DLL has been loaded in the newly created WMIPrvSE.exe.

10) Double-click the WMIPrvSE.exe process to open its Properties dialog box.

11) Select the 'Security' tab and verify the following:

a. The logon SID is of the form S-1-5-5-****

b. The logon SID is also marked as the owner


12) Click the Permissions button and verify that neither Network Service nor Local Service appears in the list. This confirms that your provider is now being launched in secure mode.
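As an added example that is not part of the original post, the following PowerShell script checks which of the two registry keys a provider is listed under (using the value-name format shown earlier) and lists the running WmiPrvSE.exe hosts together with the account each runs as, which helps pick the right processes in steps 5 and 10. The namespace and provider name it takes are placeholders, not values from the post.

```powershell
# Added example (not from the original post). Reports whether a WMI provider
# is configured for secure or compatibility mode and lists WmiPrvSE.exe hosts.
param(
    [string]$Namespace    = 'root\cimv2',    # placeholder, replace with yours
    [string]$ProviderName = 'MyProvider'     # placeholder, replace with yours
)

$CimomKey = 'HKLM:\SOFTWARE\Microsoft\WBEM\CIMOM'

# Value name format from the FAQ: <Namespace>:__Win32Provider.Name="<ProviderName>"
$ValueName = '{0}:__Win32Provider.Name="{1}"' -f $Namespace, $ProviderName

function Test-ProviderListed {
    param([string]$SubKey)
    $key = Get-Item -Path (Join-Path $CimomKey $SubKey) -ErrorAction SilentlyContinue
    if (-not $key) { return $false }          # key absent on this machine
    # Registry value names are case-insensitive, so compare with -ieq.
    return [bool]($key.GetValueNames() | Where-Object { $_ -ieq $ValueName })
}

function Get-ProviderHostMode {
    $secured    = Test-ProviderListed 'SecuredHostProviders'
    $compatible = Test-ProviderListed 'CompatibleHostProviders'
    if ($secured -and $compatible) {
        # The FAQ moves an entry from one key to the other; both set is ambiguous.
        return 'Listed under both keys; check which mode is intended'
    }
    if ($secured)    { return 'Configured for secure mode' }
    if ($compatible) { return 'Configured for compatibility mode' }
    return 'Not listed under either key'
}

"Provider '$ValueName': $(Get-ProviderHostMode)"

# Steps 5 and 10: show each WmiPrvSE.exe host with its PID and account so you
# can tell the Network Service / Local Service hosts from the new one.
Get-CimInstance -ClassName Win32_Process -Filter "Name = 'WmiPrvSE.exe'" |
    ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        [pscustomobject]@{
            PID     = $_.ProcessId
            Account = '{0}\{1}' -f $owner.Domain, $owner.User
        }
    } | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; the process listing needs administrator rights to resolve the owner of service-account processes.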

Question: I’m having compatibility issues with my provider in secure mode. I want to move the provider from secure mode to compatible mode. What should I do?

Answer: You should delete the provider entry that is listed under the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\SecuredHostProviders.

Then add your provider to the following registry key:

HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\CompatibleHostProviders