Event Id | 63 |
Source | WinMgmt |
Description | A provider, Provider_Name, has been registered in the WMI namespace, ROOT\CIMV2\MicrosoftHealthMonitor\PerfMon, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. |
Event Information | CAUSE:
Health Monitor registers several Windows Management Instrumentation (WMI) providers to run under the local system account to access the information that the providers supply. Because providers that run under the local system account pose a greater risk if they are compromised, Microsoft Windows 2003 generates warnings when these providers are registered. Warnings are generated for the following providers:
PerfProv
HealthMonPingProvider
PortConnectProvider
MicrosoftComPlus_AppStats
MicrosoftComPlus_AppName
HTTPProvider
MicrosoftHM_MethProvider
MicrosoftHM_InstProvider

STATUS:
Microsoft has confirmed that this is a problem in Microsoft Application Center 2000 SP2.

-------------------------

Following information from a newsgroup post may help:

WMI (Windows Management Instrumentation) is a core Windows Management Technology. It is used to manage local and remote systems by accessing or modifying relevant management data. Various WMI providers exist to achieve this management. Windows XP provides greater flexibility for the security context providers can be made to run under. Providers written for Windows 2000 do not take advantage of this flexibility and so they run in the most privileged account. Windows XP writes these warnings when such providers are registered so that administrators know that a greater risk is posed by these providers and can encourage the provider maker to update it to run in a lower privileged account.

-------------------------

This message is just a warning to the user, sent at the time of WDM provider registration, saying that it will be running under LocalSystem (a very high privilege account on a local box), which has all the privileges on your box. Whenever any provider (say a third party) is registered to run under this account, WMI will send out this warning so that the user is aware that this provider can |
Reference Links | PRB: WinMgmt Warning Message When You Install and Run Application Center SP2
Event ID 63 occurs when you run the Microsoft System Information program from Office 2003 |
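
To see which providers on a host are registered for LocalSystem hosting (the condition this warning reports), the following added PowerShell example, which is not from the original page or from Microsoft, walks every WMI namespace and lists the __Win32Provider registrations whose HostingModel starts with LocalSystemHost. The function names are hypothetical; the __Win32Provider class and its HostingModel property are standard WMI but are not mentioned on the page. It assumes PowerShell 3.0 or later and an elevated session.

```powershell
# Added example: audit WMI provider registrations that request LocalSystem hosting.
# Assumptions: PowerShell 3.0+ (CIM cmdlets); run elevated so every namespace is readable.

function Get-WmiNamespace {
    # Hypothetical helper: emit $Root, then recurse into each child namespace.
    param([string]$Root = 'ROOT')
    $Root
    Get-CimInstance -Namespace $Root -ClassName __NAMESPACE -ErrorAction SilentlyContinue |
        ForEach-Object { Get-WmiNamespace -Root "$Root\$($_.Name)" }
}

function Get-LocalSystemWmiProvider {
    # Hypothetical helper: return one object per provider hosted as LocalSystem.
    param([string]$Root = 'ROOT')
    foreach ($ns in (Get-WmiNamespace -Root $Root)) {
        Get-CimInstance -Namespace $ns -ClassName __Win32Provider -ErrorAction SilentlyContinue |
            # Matches both LocalSystemHost and LocalSystemHostOrSelfHost.
            # Providers with an empty HostingModel use the OS default and are not listed.
            Where-Object { $_.HostingModel -like 'LocalSystemHost*' } |
            ForEach-Object {
                [pscustomobject]@{
                    Namespace    = $ns
                    Provider     = $_.Name
                    HostingModel = $_.HostingModel
                    CLSID        = $_.CLSID
                }
            }
    }
}

# Review the result against the providers you expect, such as the Health Monitor list above.
Get-LocalSystemWmiProvider |
    Sort-Object Namespace, Provider |
    Format-Table -AutoSize
```

Any provider in the output that is not expected on the host is worth tracing back to the software that registered it.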