Solved

Can WMI information provided by Win32 classes be modified by any means?

Posted on 2010-08-20
Last Modified: 2013-12-04
Hi,

I will use some hardware information from WMI to get an ID for the PC, and I want to know if someone can change, in some way, some of the information that I will rely on.

I.e., is it possible for someone to change (without changing the hardware, just by software) the following:
- Win32_physicalmedia
- Win32_BaseBoard
- Win32_Processor
- Win32_NetworkAdapter

etc.? My question is not a code request showing how I can change WMI; it is more about whether the information I am pointing out is secure or not.
Question by:Weigher
3 Comments
 
LVL 20

Expert Comment

by:marsilies
ID: 33485481
I imagine WMI grabs this information from the Windows Registry. Thus, if someone has altered the registry values WMI reads, what WMI returns will have been changed.

For example, in the registry, the key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 contains info on the processor (or at least the first core of the processor).

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS has some keys relating to the BaseBoard.

You could try altering some of these registry keys on a test system and see if WMI returns different info. Note that altering the registry could potentially make the system unusable.

Found reference to one of these keys here:
http://www.windowsforum.com/windows-7/804-tricks-spoof-your-processor-speed.html


Windows initially gets some of this info from the BIOS, and could alter it on boot if new hardware is detected. Someone could potentially "spoof" info provided by the BIOS by using a bootstrapper. I haven't heard of anyone using this type of spoof except for circumventing Windows activation by spoofing an OEM BIOS SLIC table for SLP.
http://www.computerworld.com/s/article/9016382/OEM_BIOS_emulators_spoof_Vista_make_pirated_copies_look_legit
http://blog.hishamrana.com/2009/07/30/windows-7-activation-spoofed-not-cracked-via-slic-2-1-and-oem-master-key
0
 
LVL 41

Expert Comment

by:graye
ID: 33503575
The Win32_NetworkAdapter does have one field that is read/write... plus it has two methods.
To answer your question, just look up the documentation and see which fields (if any) have "Access type: Read/write".  For example, the following shows:
  • Property: NetConnectionID (read/write)
  • Method: Enable
  • Method: Disable
http://msdn.microsoft.com/en-us/library/aa394216(VS.85).aspx
0
 
LVL 12

Accepted Solution

by:
Rant32 earned 1000 total points
ID: 33519714
Whether the source of WMI data can be modified or not depends on the type of WMI class and the provider.

Some providers (e.g. the Registry provider) indeed query the registry, and the source can be adapted.

Other providers, like performance adapters and hardware information, could be queried directly (on the fly) from drivers/hardware and could be regarded as more reliable/trustworthy. Theoretically, still not really secure, but not as easy to modify as the registry.

I found the following article on WMI sources and MOF files a pretty interesting read.
http://msdn.microsoft.com/en-us/library/ms974554.aspx

Regards
0
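An added example, not code from any poster in this thread: for the four classes in the question, this PowerShell audit lists the properties the WMI schema marks writable and the methods each class exposes, then compares the two registry keys named in the first comment with what WMI reports. The registry value names (ProcessorNameString, BaseBoardProduct, BaseBoardManufacturer) and the helper name Compare-Source are not from the page, and Get-CimClass requires PowerShell 3.0 or later.

```powershell
# Classes the question proposes to build a machine ID from.
$classes = 'Win32_PhysicalMedia', 'Win32_BaseBoard', 'Win32_Processor', 'Win32_NetworkAdapter'

# Part 1: schema audit. A property can be set through WMI only if its
# declaration carries the "write" qualifier; methods are listed alongside.
$schema = foreach ($name in $classes) {
    $class = Get-CimClass -Namespace 'root/cimv2' -ClassName $name
    $writable = $class.CimClassProperties |
        Where-Object { $_.Qualifiers.Name -contains 'write' } |
        ForEach-Object { $_.Name }
    [pscustomobject]@{
        Class              = $name
        WritableProperties = ($writable -join ', ')
        Methods            = ($class.CimClassMethods.Name -join ', ')
    }
}
$schema | Format-Table -AutoSize -Wrap

# Part 2: compare registry values with the WMI view of the same field.
# Compare-Source is a hypothetical helper defined here for this example.
function Compare-Source {
    param($Field, $Key, $ValueName, $Wmi)
    # Missing keys or values yield $null rather than an error.
    $reg = (Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    [pscustomobject]@{
        Field    = $Field
        Registry = "$reg".Trim()
        Wmi      = "$Wmi".Trim()
        Match    = ("$reg".Trim() -eq "$Wmi".Trim())
    }
}

# Registry keys quoted in the thread; value names are assumptions not on the page.
$cpuKey  = 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
$biosKey = 'HKLM:\HARDWARE\DESCRIPTION\System\BIOS'
$cpu     = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
$board   = Get-CimInstance -ClassName Win32_BaseBoard | Select-Object -First 1

$comparison = @(
    Compare-Source 'CPU name'           $cpuKey  'ProcessorNameString'   $cpu.Name
    Compare-Source 'Board product'      $biosKey 'BaseBoardProduct'      $board.Product
    Compare-Source 'Board manufacturer' $biosKey 'BaseBoardManufacturer' $board.Manufacturer
)
$comparison | Format-Table -AutoSize
```

A match does not prove a value is genuine, and a mismatch only shows that the two sources differ; as the accepted answer says, how far a value can be trusted depends on the provider behind each class.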


Question has a verified solution.
