Solved

Can WMI information provided by Win32 classes be modified by any means?

Posted on 2010-08-20
Last Modified: 2013-12-04
Hi,

I will use some hardware information from WMI to get an ID for the PC and I want to know if someone can change some information in some way that I will rely on;

i.e. is it possible for someone to change (without changing the hardware, just by software) the following:
- Win32_PhysicalMedia
- Win32_BaseBoard
- Win32_Processor
- Win32_NetworkAdapter

etc.? My question is not a code request showing how I can change WMI; it is more related to whether the information I am pointing out is secure or not.
Question by:Weigher
3 Comments
 
LVL 19

Expert Comment

by:marsilies
ID: 33485481
I imagine WMI grabs this information from the Windows Registry. Thus, if someone has altered the registry values WMI reads, what WMI returns will have been changed.

For example, in the registry, the key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 contains info on the processor (or at least the first core of the processor).

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS has some keys relating to the BaseBoard.

You could try altering some of these registry keys on a test system and see if WMI returns different info. Note that altering the registry could potentially make the system unusable.

Found reference to one of these keys here:
http://www.windowsforum.com/windows-7/804-tricks-spoof-your-processor-speed.html


Windows initially gets some of this info from the BIOS, and could alter it on boot if new hardware is detected. Someone could potentially "spoof" info provided by the BIOS by using a bootstrapper. I haven't heard of anyone using this type of spoof except for circumventing Windows activation by spoofing an OEM BIOS SLIC table for SLP.
http://www.computerworld.com/s/article/9016382/OEM_BIOS_emulators_spoof_Vista_make_pirated_copies_look_legit
http://blog.hishamrana.com/2009/07/30/windows-7-activation-spoofed-not-cracked-via-slic-2-1-and-oem-master-key
0
 
LVL 41

Expert Comment

by:graye
ID: 33503575
The Win32_NetworkAdapter does have one field that is read/write... plus it has two methods.
To answer your question, just look up the documentation and see which fields (if any) have "Access type: Read/write".  For example, the following shows:
  • Property: NetConnectionID (read/write)
  • Method: Enable
  • Method: Disable
http://msdn.microsoft.com/en-us/library/aa394216(VS.85).aspx
0
 
LVL 12

Accepted Solution

by:
Rant32 earned 250 total points
ID: 33519714
Whether the source of WMI data can be modified or not depends on the type of WMI class and the provider.

Some providers (e.g. the Registry provider) indeed query the registry, and the source can be adapted.

Other providers, like performance adapters and hardware information, could be queried directly (on the fly) from drivers/hardware and could be regarded as more reliable/trustworthy. Theoretically, still not really secure, but not as easy to modify as the registry.

I found the following article on WMI sources and MOF files a pretty interesting read.
http://msdn.microsoft.com/en-us/library/ms974554.aspx

Regards
0
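
The two checks suggested in the answers above (which fields are documented as read/write, and which provider backs each class) can be read from the class metadata itself. This is an added example, not part of the original thread; it assumes PowerShell 3.0 or later with the CIM cmdlets and the default root/cimv2 namespace.

```powershell
# Added example: report provider, writable properties and methods for the
# classes named in the question. Read-only; nothing on the system is changed.
$classes = 'Win32_PhysicalMedia', 'Win32_BaseBoard', 'Win32_Processor', 'Win32_NetworkAdapter'

$report = foreach ($name in $classes) {
    # Fetch the class definition (schema), not its instances.
    $class = Get-CimClass -Namespace 'root/cimv2' -ClassName $name -ErrorAction SilentlyContinue
    if (-not $class) {
        Write-Warning "$name is not registered in root/cimv2 on this machine"
        continue
    }

    # Class-level 'provider' qualifier: which WMI provider supplies the data.
    $provider = ($class.CimClassQualifiers | Where-Object Name -eq 'provider').Value

    # Property-level 'write' qualifier: the "Access type: Read/write" fields.
    $writable = $class.CimClassProperties |
        Where-Object { ($_.Qualifiers | Where-Object Name -eq 'write').Value -eq $true } |
        ForEach-Object Name

    # Methods can also change state (e.g. Enable/Disable on a network adapter).
    $methods = $class.CimClassMethods | ForEach-Object Name

    [pscustomobject]@{
        Class              = $name
        Provider           = $provider
        WritableProperties = ($writable -join ', ')
        Methods            = ($methods -join ', ')
    }
}

$report | Format-Table -AutoSize -Wrap
```

The `write` qualifier only describes what the WMI interface exposes; it says nothing about whether the provider's underlying source (registry, firmware tables, drivers) can be altered, which is the distinction the accepted answer draws.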
