WinMgmt Errors: A provider, has been registered in the WMI namespace Event ID: 5603 Event ID: 63

    Question

  • I have searched everywhere and I can't find any KB on how to fix the event warnings listed below. From what I have found on other blogs, warning events 5603 and 63 are by-design behavior. Can anybody elaborate on why this occurs multiple times through the day? Is it because the SMS service is constantly checking the system status?

    Event Type: Warning
    Event Source: WinMgmt
    Event Category: None
    Event ID: 5603
    Date:  2/27/2009
    Time:  7:00:02 AM
    User:  NT AUTHORITY\SYSTEM
    Computer: XXX
    Description:
    A provider, RegProv, has been registered in the WMI namespace, root\cimv2, but did not specify the HostingModel property.  This provider will be run using the LocalSystem account.  This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.  Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.  

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Event Type: Warning
    Event Source: WinMgmt
    Event Category: None
    Event ID: 5603
    Date:  2/27/2009
    Time:  7:00:02 AM
    User:  NT AUTHORITY\SYSTEM
    Computer: XXX
    Description:
    A provider, SMS_CIMP, has been registered in the WMI namespace, root\cimv2\SMS, but did not specify the HostingModel property.  This provider will be run using the LocalSystem account.  This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.  Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.  

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Event Type: Warning
    Event Source: WinMgmt
    Event Category: None
    Event ID: 63
    Date:  2/27/2009
    Time:  7:00:02 AM
    User:  NT AUTHORITY\SYSTEM
    Computer: XXX
    Description:
    A provider, SMS_CIMV2_EX, has been registered in the WMI namespace, root\cimv2\SMS, to use the LocalSystem account.  This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    Tiesto
    Monday, March 02, 2009 1:42 PM

Answers

  • WMI Providers: Default Security Hosting Model

    Brief Description

    The default HostingModel value for WMI providers has changed from LocalSystem to NetworkServiceHost.

    Under previous versions of Windows (prior to Windows Vista® and Windows Server® 2008), if the HostingModel value of a WMI provider (__Win32Provider.HostingModel property) was unspecified, it was defaulted to LocalSystem. Because LocalSystem is a highly privileged account, the WMI provider running in this security context exposes the operating system to a risk of elevation of privileges depending on the provider code quality and testing.

    For most cases LocalSystem is unnecessary, and the NetworkServiceHost context is more appropriate. This case is especially true because most WMI Providers must impersonate (ImpersonationLevel=1) the client security context to perform the requested operations on behalf of the WMI client.

    Manifestation

    If a WMI provider lacks a definition for hosting model and executes as if it is running under the LocalSystem level, it will not run properly.

    Remedies

    The expected hosting model must be changed to ensure that the WMI provider code performs the operations in the client security context by impersonating the WMI client. Cases that require the LocalSystem security context are extremely rare; however, if LocalSystem is an absolute requirement, specify the hosting model explicitly with the HostingModel=LocalSystemHost statement in the provider MOF file.


    http://msdn.microsoft.com/en-us/library/bb757016.aspx


    Additionally, this link explains the changes to SMS_DEF.MOF in Systems Management Server 2003 SP3:

    http://download.microsoft.com/download/d/c/3/dc3f3ce3-d218-47bd-8d37-b46052eb9174/ChangestoSMSDEFMOFinSMS2003SP3.htm

    • Proposed as answer by David Shen Tuesday, March 03, 2009 4:01 AM
    • Marked as answer by David Shen Thursday, March 05, 2009 2:14 AM
    Monday, March 02, 2009 8:50 PM
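
To see which registered providers fall into the two cases the events describe (HostingModel unspecified, as in event 5603, or set to LocalSystem, as in event 63), the read-only audit below walks every WMI namespace and reports each `__Win32Provider` registration. It is an added example, not part of the original thread or the linked Microsoft documentation; the function names `Get-WmiNamespace` and `Get-HostingModelRisk` and the risk labels are this example's own, and it assumes PowerShell 3.0 or later for the CIM cmdlets.

```powershell
# Added example: audit WMI provider registrations for the hosting model
# that events 5603 and 63 warn about. Read-only; run from an elevated prompt.

function Get-WmiNamespace {
    param([string]$Root = 'root')
    # Emit this namespace, then recurse into its children (__NAMESPACE instances).
    $Root
    Get-CimInstance -Namespace $Root -ClassName __NAMESPACE -ErrorAction SilentlyContinue |
        ForEach-Object { Get-WmiNamespace -Root "$Root\$($_.Name)" }
}

function Get-HostingModelRisk {
    param([string]$HostingModel)
    # Labels are this example's own classification, not a Microsoft scheme.
    if ([string]::IsNullOrWhiteSpace($HostingModel)) { return 'Unspecified' }  # event 5603 case
    if ($HostingModel -like 'LocalSystem*')           { return 'LocalSystem' }  # event 63 case
    return 'Other'
}

$report = foreach ($ns in Get-WmiNamespace) {
    Get-CimInstance -Namespace $ns -ClassName __Win32Provider -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Namespace    = $ns
                Provider     = $_.Name
                HostingModel = $_.HostingModel
                Risk         = Get-HostingModelRisk $_.HostingModel
                CLSID        = $_.CLSID
            }
        }
}

# Show only providers that specify LocalSystem or specify nothing at all,
# e.g. RegProv in root\cimv2 or SMS_CIMP in root\cimv2\SMS from the events above.
$report | Where-Object Risk -ne 'Other' |
    Sort-Object Namespace, Provider |
    Format-Table -AutoSize Namespace, Provider, HostingModel, Risk
```

Rows marked `Unspecified` or `LocalSystem` are the registrations to review against the vendor's MOF, where the remedy quoted above applies.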

All replies

  • Thanks for the info!! You definitely pointed me in the right direction. Thanks ;)


    Tiesto
    Thursday, March 05, 2009 3:17 AM