Solved

Can WMI information provided by Win32 classes be modified by any means?

Posted on 2010-08-20
3
1,546 Views
Last Modified: 2013-12-04
Hi,

I will use some hardware information from WMI to get an ID for the PC and I want to know if someone can change some information in some way that I will rely on;

i.e. is it possible for someone to change (without changing the hardware, just by software) followings;
- Win32_physicalmedia
- Win32_BaseBoard
- Win32_Processor
- Win32_NetworkAdapter

etc? My question is not a code request showing how I can change WMI, more related with if the information I am pointing out is secure or not.
0
Comment
Question by:Weigher
3 Comments
 
LVL 20

Expert Comment

by:marsilies
ID: 33485481
I imagine WMI grabs this information from the Windows Registry. Thus, if someone has altered the registry values WMI reads, what WMI returns will have been changed.

For example, in the registry, the key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 contains info on the processor (or at least the first core of the processor).

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS has some keys relating to the BaseBoard.

You could try altering some of these registry keys on a test system and see if WMI returns different info. Note that altering the registry could potentially make the system unusable.

Found reference to one of these keys here:
http://www.windowsforum.com/windows-7/804-tricks-spoof-your-processor-speed.html


Windows initially gets some of this info from the BIOS, and could alter it on boot if new hardware is detected. Someone could potentially "spoof" info provided by the BIOS by using a bootstrapper. I haven't heard of anyone using this type of spoof except for circumventing Windows activation by spoofing an OEM BIOS SLIC table for SLP.
http://www.computerworld.com/s/article/9016382/OEM_BIOS_emulators_spoof_Vista_make_pirated_copies_look_legit
http://blog.hishamrana.com/2009/07/30/windows-7-activation-spoofed-not-cracked-via-slic-2-1-and-oem-master-key
0
 
LVL 41

Expert Comment

by:graye
ID: 33503575
The Win32_NetworkAdapter does have one field that is read/write... plus it has two methods.
To answer your question, just look up the documentation and see which fields (if any) have "Access type: Read/write".  For example, the following shows:
  • Property: NetConnectionID (read/write)
  • Method: Enable
  • Method: Disable
http://msdn.microsoft.com/en-us/library/aa394216(VS.85).aspx
0
 
LVL 12

Accepted Solution

by:
Rant32 earned 250 total points
ID: 33519714
Whether the source of WMI data can be modified or not depends on the type of WMI class and the provider.

Some providers (eg Registry provider) indeed queries the registry and the source can be adapted.

Other providers, like performance adapters and hardware information could be queried directly (on the fly) from drivers/hardware and could be regarded as more reliable/trustworthy. Theoretically, still not really secure, but not as easily to modify as the registry.

I found the following article on WMI sources and MOF files a pretty interesting read.
http://msdn.microsoft.com/en-us/library/ms974554.aspx

Regards
0

Featured Post

MIM Survival Guide for Service Desk Managers

Major incidents can send mastered service desk processes into disorder. Systems and tools produce the data needed to resolve these incidents, but your challenge is getting that information to the right people fast. Check out the Survival Guide and begin bringing order to chaos.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
In this article, I will show you HOW TO: Install VMware Tools for Windows on a VMware Windows virtual machine on a VMware vSphere Hypervisor 6.5 (ESXi 6.5) Host Server, using the VMware Host Client. The virtual machine has Windows Server 2016 instal…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question