| Field | Value |
|---|---|
| Event Id | 63 |
| Source | Microsoft-Windows-WMI |
| Description | The %1 provider has been registered in the WMI namespace, %2, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. |

Event Information (according to Microsoft)

Cause: This event is logged when the provider has been registered in the WMI namespace to use the LocalSystem account.

Resolution: Obtain a version of the provider that does not run under the LocalSystem security context. WMI logs a warning event log message when a WMI provider running in the LocalSystem security hosting context is loaded. This is done to inform system administrators about the risk of elevation of privilege attacks. Such attacks are possible if the provider code is not properly implemented. To correct this situation, work with the vendor of the provider to obtain a version that does not run in the LocalSystem security context. Providers are not required to run with LocalSystem security context if they correctly impersonate the caller security context.

Verify: The LocalSystem account is highly privileged. A WMI provider running in this security context exposes the operating system to a risk of elevation of privileges depending on the provider code quality and testing. In most cases, the LocalSystem security context is unnecessary and the NetworkServiceHost security context is more appropriate. This is especially true because most WMI providers must impersonate the client security context to perform the requested operations on behalf of the WMI client.

Reference Links: Event ID 63 from Source Microsoft-Windows-WMI
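To act on the "Verify" guidance above, an administrator needs to know which providers on a host are actually registered with the LocalSystem hosting model and which ones WMI has already warned about. The following PowerShell is an added example, not code from the page or from Microsoft: it walks every WMI namespace, lists `__Win32Provider` registrations whose `HostingModel` starts with `LocalSystemHost`, and then pulls any Event ID 63 entries from the Application log. It assumes the event's two insertion strings (%1 provider, %2 namespace) are exposed as `Properties[0]` and `Properties[1]` on the event record, and it should be run from an elevated session so that all namespaces are readable.

```powershell
# Added example (not from the page): find WMI providers hosted as LocalSystem,
# the condition that Event ID 63 (Microsoft-Windows-WMI) warns about, and list
# the Event 63 records already written to the Application log.

function Get-WmiNamespace {
    # Recursively enumerate namespaces by following __NAMESPACE instances from 'root'.
    param([string]$Root = 'root')
    $Root
    Get-CimInstance -Namespace $Root -ClassName __NAMESPACE -ErrorAction SilentlyContinue |
        ForEach-Object { Get-WmiNamespace -Root "$Root\$($_.Name)" }
}

function Get-LocalSystemWmiProvider {
    # Provider registrations whose hosting model runs the provider as LocalSystem.
    # Values such as 'LocalSystemHost' and 'LocalSystemHostOrSelfHost' both match.
    foreach ($ns in Get-WmiNamespace) {
        Get-CimInstance -Namespace $ns -ClassName __Win32Provider -ErrorAction SilentlyContinue |
            Where-Object { $_.HostingModel -like 'LocalSystemHost*' } |
            Select-Object @{ n = 'Namespace'; e = { $ns } }, Name, CLSID, HostingModel
    }
}

function Get-WmiLocalSystemWarning {
    # Event ID 63 records from the WMI service. Assumption: the %1 and %2 message
    # insertion strings are carried as Properties[0] (provider) and Properties[1] (namespace).
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-WMI'; Id = 63 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
            @{ n = 'Provider';  e = { $_.Properties[0].Value } },
            @{ n = 'Namespace'; e = { $_.Properties[1].Value } }
}

"== Providers currently registered with a LocalSystem hosting model =="
Get-LocalSystemWmiProvider | Sort-Object Namespace, Name | Format-Table -AutoSize

"== Event ID 63 warnings already logged =="
Get-WmiLocalSystemWarning | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

The first listing shows every provider that would trigger this warning when loaded, including providers shipped with Windows, so compare it against the second listing and against your software inventory to identify the third-party providers whose vendor should supply a build that uses the NetworkServiceHost hosting model and impersonates the caller instead.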