Event ID 63 — WMI Provider Hosting

Applies To: Windows Server 2008 R2

WMI resides in a shared service host with several other services. To avoid stopping all of the services when a provider fails, providers are loaded into a separate host process named "Wmiprvse.exe." More than one process with this name can be running. Each can run under a different account with different security. For computers running on the Vista operating system, use the winmgmt command to run WMI in a separate process, by itself, using a fixed port.

The shared host can run under one of the following system accounts in a Wmiprvse.exe host process:

  • LocalSystem
  • NetworkService
  • LocalService

A provider can also be a local COM server (.exe), or self-hosted, which does not require a WMI provider host.

Event Details

Product: Windows Operating System
ID: 63
Source: Microsoft-Windows-WMI
Version: 6.1
Symbolic Name: WBEM_MC_PROVIDER_SUBSYSTEM_LOCALSYSTEM_PROVIDER_LOAD
Message: The %1 provider has been registered in the WMI namespace, %2, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Resolve

Obtain a version of the provider that does not run under the LocalSystem security context.

WMI logs a warning event log message when a WMI provider running in the LocalSystem security hosting context is loaded. This is done to inform system administrators about the risk of elevation of privilege attacks. Such attacks are possible if the provider code is not properly implemented.

To correct this situation, work with the vendor of the provider to obtain a version that does not run in the LocalSystem security context. Providers are not required to run with LocalSystem security context if they correctly impersonate caller security context.

Verify

The LocalSystem account is highly privileged. A WMI provider running in this security context exposes the operating system to a risk of elevation of privileges depending on the provider code quality and testing. In most cases, LocalSystem security context is unnecessary and the NetworkServiceHost security context is more appropriate. This is especially true because most WMI Providers must impersonate the client security context to perform the requested operations on behalf of the WMI client.

WMI Provider Hosting

Management Infrastructure