Solved

Can WMI information provided by Win32 classes be modified by any means?

Posted on 2010-08-20
Last Modified: 2013-12-04
Hi,

I will use some hardware information from WMI to get an ID for the PC, and I want to know if someone can change, in some way, some of the information that I will rely on.

i.e. is it possible for someone to change (without changing the hardware, just by software) the following:
- Win32_PhysicalMedia
- Win32_BaseBoard
- Win32_Processor
- Win32_NetworkAdapter

etc.? My question is not a code request showing how I can change WMI; it is more about whether the information I am pointing out is secure or not.
0
Question by:Weigher
3 Comments
 
LVL 20

Expert Comment

by:marsilies
ID: 33485481
I imagine WMI grabs this information from the Windows Registry. Thus, if someone has altered the registry values WMI reads, what WMI returns will have been changed.

For example, in the registry, the key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 contains info on the processor (or at least the first core of the processor).

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS has some keys relating to the BaseBoard.

You could try altering some of these registry keys on a test system and see if WMI returns different info. Note that altering the registry could potentially make the system unusable.

Found reference to one of these keys here:
http://www.windowsforum.com/windows-7/804-tricks-spoof-your-processor-speed.html


Windows initially gets some of this info from the BIOS, and could alter it on boot if new hardware is detected. Someone could potentially "spoof" info provided by the BIOS by using a bootstrapper. I haven't heard of anyone using this type of spoof except for circumventing Windows activation by spoofing an OEM BIOS SLIC table for SLP.
http://www.computerworld.com/s/article/9016382/OEM_BIOS_emulators_spoof_Vista_make_pirated_copies_look_legit
http://blog.hishamrana.com/2009/07/30/windows-7-activation-spoofed-not-cracked-via-slic-2-1-and-oem-master-key
0
 
LVL 41

Expert Comment

by:graye
ID: 33503575
The Win32_NetworkAdapter does have one field that is read/write... plus it has two methods.
To answer your question, just look up the documentation and see which fields (if any) have "Access type: Read/write".  For example, the following shows:
  • Property: NetConnectionID (read/write)
  • Method: Enable
  • Method: Disable
http://msdn.microsoft.com/en-us/library/aa394216(VS.85).aspx
0
 
LVL 12

Accepted Solution

by:
Rant32 earned 1000 total points
ID: 33519714
Whether the source of WMI data can be modified or not depends on the type of WMI class and the provider.

Some providers (e.g. the Registry provider) indeed query the registry, and the source can be adapted.

Other providers, like performance adapters and hardware information, could be queried directly (on the fly) from drivers/hardware and could be regarded as more reliable/trustworthy. Theoretically, still not really secure, but not as easy to modify as the registry.

I found the following article on WMI sources and MOF files a pretty interesting read.
http://msdn.microsoft.com/en-us/library/ms974554.aspx

Regards
0
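The two checks suggested in the answers above (which properties the schema marks read/write, and which provider backs each class) can be read from the class definitions themselves. This is an added example, not code from the thread; it only reads schema metadata for the four classes named in the question, and a property being read-only in the schema says nothing about whether the provider's underlying source can be altered.

```powershell
# Added example: inspect WMI schema metadata for the classes named in the question.
# It queries class definitions only (no instances) and changes nothing on the system.
$classes = 'Win32_PhysicalMedia', 'Win32_BaseBoard', 'Win32_Processor', 'Win32_NetworkAdapter'

$report = foreach ($name in $classes) {
    try {
        $class = Get-CimClass -Namespace 'root/cimv2' -ClassName $name -ErrorAction Stop
    }
    catch {
        Write-Warning "Could not read class ${name}: $($_.Exception.Message)"
        continue
    }

    # Properties whose definition carries a 'write' qualifier set to true
    # (what the documentation shows as "Access type: Read/write").
    $writable = $class.CimClassProperties |
        Where-Object {
            @($_.Qualifiers | Where-Object { $_.Name -eq 'write' -and $_.Value }).Count -gt 0
        } |
        ForEach-Object { $_.Name }

    # The class-level 'provider' qualifier names the WMI provider that supplies the data.
    $provider = $class.CimClassQualifiers | Where-Object { $_.Name -eq 'provider' }

    [pscustomobject]@{
        Class              = $class.CimClassName
        Provider           = if ($provider) { $provider.Value } else { '(none declared)' }
        WritableProperties = ($writable -join ', ')
        Methods            = ($class.CimClassMethods.Name -join ', ')
    }
}

$report | Format-List
```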
