Solved

Can WMI information provided by Win32 classes be modified by any means?

Posted on 2010-08-20
Last Modified: 2013-12-04
Hi,

I will use some hardware information from WMI to get an ID for the PC, and I want to know if someone can change, in some way, some of the information that I will rely on.

I.e., is it possible for someone to change (without changing the hardware, just by software) the following:
- Win32_PhysicalMedia
- Win32_BaseBoard
- Win32_Processor
- Win32_NetworkAdapter

etc.? My question is not a request for code showing how I can change WMI; it is more about whether the information I am pointing out is secure or not.
0
Question by:Weigher
3 Comments
 
LVL 19

Expert Comment

by:marsilies
ID: 33485481
I imagine WMI grabs this information from the Windows Registry. Thus, if someone has altered the registry values WMI reads, what WMI returns will have been changed.

For example, in the registry, the key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 contains info on the processor (or at least the first core of the processor).

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS has some keys relating to the BaseBoard.

You could try altering some of these registry keys on a test system and see if WMI returns different info. Note that altering the registry could potentially make the system unusable.

Found reference to one of these keys here:
http://www.windowsforum.com/windows-7/804-tricks-spoof-your-processor-speed.html


Windows initially gets some of this info from the BIOS, and could alter it on boot if new hardware is detected. Someone could potentially "spoof" info provided by the BIOS by using a bootstrapper. I haven't heard of anyone using this type of spoof except for circumventing Windows activation by spoofing an OEM BIOS SLIC table for SLP.
http://www.computerworld.com/s/article/9016382/OEM_BIOS_emulators_spoof_Vista_make_pirated_copies_look_legit
http://blog.hishamrana.com/2009/07/30/windows-7-activation-spoofed-not-cracked-via-slic-2-1-and-oem-master-key
0
 
LVL 41

Expert Comment

by:graye
ID: 33503575
The Win32_NetworkAdapter does have one field that is read/write... plus it has two methods.
To answer your question, just look up the documentation and see which fields (if any) have "Access type: Read/write".  For example, the following shows:
  • Property: NetConnectionID (read/write)
  • Method: Enable
  • Method: Disable
http://msdn.microsoft.com/en-us/library/aa394216(VS.85).aspx
0
 
LVL 12

Accepted Solution

by:Rant32 (earned 250 total points)
ID: 33519714
Whether the source of WMI data can be modified or not depends on the type of WMI class and the provider.

Some providers (e.g. the Registry provider) indeed query the registry, and the source can be adapted.

Other providers, like performance adapters and hardware information, could be queried directly (on the fly) from drivers/hardware and could be regarded as more reliable/trustworthy. Theoretically, still not really secure, but not as easy to modify as the registry.

I found the following article on WMI sources and MOF files a pretty interesting read.
http://msdn.microsoft.com/en-us/library/ms974554.aspx

Regards
0
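The two checks suggested in the answers above (which fields the schema marks read/write, and which provider backs each class) can be read straight from the WMI schema. The following is an added example, not code from any poster in this thread; it assumes Windows PowerShell 3.0 or later and the default `root\cimv2` namespace, and the function name `Get-WmiClassTrustSummary` is hypothetical.

```powershell
# Added example: inspect the WMI schema for the classes named in the question.
# Assumes PowerShell 3.0+ (Get-CimClass) and the default root\cimv2 namespace.
$classes = 'Win32_PhysicalMedia', 'Win32_BaseBoard', 'Win32_Processor', 'Win32_NetworkAdapter'

# Hypothetical helper name; it only reads schema metadata and changes nothing.
function Get-WmiClassTrustSummary {
    param(
        [string[]]$ClassName,
        [string]$Namespace = 'root\cimv2'
    )

    foreach ($name in $ClassName) {
        $class = Get-CimClass -Namespace $Namespace -ClassName $name -ErrorAction Stop

        # The "provider" class qualifier names the provider that supplies instances.
        $provider = $class.CimClassQualifiers['provider']

        # A property can be set through WMI only if the schema carries write = true.
        $writable = $class.CimClassProperties |
            Where-Object { $q = $_.Qualifiers['write']; $q -and $q.Value } |
            ForEach-Object { $_.Name }

        # Methods can change state too (e.g. Enable/Disable on Win32_NetworkAdapter).
        $methods = $class.CimClassMethods | ForEach-Object { $_.Name }

        [pscustomobject]@{
            Class              = $name
            Provider           = if ($provider) { $provider.Value } else { '(none declared)' }
            WritableProperties = @($writable) -join ', '
            Methods            = @($methods) -join ', '
        }
    }
}

Get-WmiClassTrustSummary -ClassName $classes | Format-List
```

This reports only what WMI itself lets a caller write. A property the schema marks read-only can still return altered data if the source the provider reads from has been changed, as the answers above discuss.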
