WMI

  • WMI allows an administrator to create and manage objects: create a process, manage services, and so on.
  • The WMI provider host process, WmiPrvSE.exe, is the executable responsible for carrying out WMI activity.

Components:

  1. WMI Providers: COM servers that monitor managed objects. A WMI provider normally consists of a MOF file, which defines the data and event classes for which the provider returns data, and a DLL file which contains the code that supplies data. These providers are typically DLLs and can be found in C:\Windows\System32\wbem\*.
  2. Managed objects: processes, services, operating system
  3. WMI infrastructure: the WMI service (winmgmt):
    3.1. The CIM Object Manager (CIMOM): this component handles the connection between the management application and the provider.
    3.2. The WMI/CIMOM object repository is organized by WMI namespaces and holds the registered provider and class definitions at C:\Windows\System32\wbem\Repository\
  4. Management application (WMI consumer): the client application (an executable, a VBScript, a PowerShell script, ...) that interacts with the WMI infrastructure.
  • The WMI service (winmgmt) is implemented in wmisvc.dll, which is loaded into and runs inside svchost.exe. Look at the WinMgmt service configuration in the registry.
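As an added example (not from the original note), the following PowerShell reads the Winmgmt service configuration from its registry key and confirms that the service DLL is the wmisvc.dll under System32\wbem that the note describes, that the ImagePath points at svchost.exe, and that the DLL carries a valid Authenticode signature. The function name and the "expected" DLL path used for the comparison are baseline assumptions made here.

```powershell
# Added example, not part of the original note: inspect how the Winmgmt
# service is hosted by reading its registry key. The expected DLL path is a
# baseline assumption made in this example.
function Get-WinmgmtHostingConfig {
    $svcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Winmgmt'
    $paramKey = Join-Path $svcKey 'Parameters'

    # ImagePath is the svchost host command; ServiceDll is the DLL it loads
    $imagePath  = (Get-ItemProperty -Path $svcKey   -Name ImagePath).ImagePath
    $serviceDll = (Get-ItemProperty -Path $paramKey -Name ServiceDll).ServiceDll

    # ServiceDll is stored with %SystemRoot%; expand it before comparing
    $dllPath     = [Environment]::ExpandEnvironmentVariables($serviceDll)
    $expectedDll = Join-Path $env:SystemRoot 'System32\wbem\wmisvc.dll'

    $signature = if (Test-Path -LiteralPath $dllPath) {
        (Get-AuthenticodeSignature -FilePath $dllPath).Status
    } else { 'FileMissing' }

    [pscustomobject]@{
        ImagePath       = $imagePath
        ServiceDll      = $dllPath
        HostedInSvchost = [bool]($imagePath -match '(?i)svchost\.exe')
        MatchesExpected = ($dllPath -ieq $expectedDll)
        SignatureStatus = $signature
    }
}

Get-WinmgmtHostingConfig | Format-List
```

A result with MatchesExpected set to False or a SignatureStatus other than Valid does not prove anything by itself, but it is the first place to look when the WMI service is not behaving as described in this note.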

  • Another WMI binary on disk, WmiPrvSE.exe (WMI Provider Host), is used to load the correct COM server (WMI provider). Its parent is the svchost.exe process with the command line C:\Windows\system32\svchost.exe -k DcomLaunch -p, and that svchost is itself launched under services.exe.

WMI call flow at a high level:

  1. The WMI service (wmisvc.dll) is launched within an svchost process via C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt.
  2. A management application (for example powershell.exe) executes a WMI method.
  3. WmiPrvSE is launched via C:\Windows\system32\wbem\wmiprvse.exe -Secured -Embedding, under the DcomLaunch svchost process.
  4. The WMI service loads the appropriate WMI provider into WmiPrvSE.
  5. WmiPrvSE executes the function expressed by the method.
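The process chain in steps 1 to 5 can be checked from PowerShell. The block below is an added example (not from the original note): it enumerates Win32_Process with the CIM cmdlets, finds every WmiPrvSE.exe instance and walks up to its parent and grandparent so the expected chain services.exe -> svchost.exe -k DcomLaunch -> WmiPrvSE.exe can be verified. The function name and the ChainAsExpected baseline are assumptions made here; a mismatch is a cue to investigate, not proof of anything.

```powershell
# Added example, not part of the original note: verify the WmiPrvSE.exe
# process chain described in the note using Win32_Process.
function Get-WmiPrvSeChain {
    $all = Get-CimInstance -ClassName Win32_Process

    # Index processes by PID for cheap parent lookups
    $byPid = @{}
    foreach ($p in $all) { $byPid[[uint32]$p.ProcessId] = $p }

    foreach ($prv in ($all | Where-Object { $_.Name -ieq 'WmiPrvSE.exe' })) {
        $parent      = $byPid[[uint32]$prv.ParentProcessId]
        $grandparent = if ($parent) { $byPid[[uint32]$parent.ParentProcessId] } else { $null }

        # Expected: parent is svchost.exe with -k DcomLaunch, its parent is services.exe
        $parentOk = $parent -and
                    ($parent.Name -ieq 'svchost.exe') -and
                    ($parent.CommandLine -match '(?i)-k\s+DcomLaunch')
        $gpOk     = $grandparent -and ($grandparent.Name -ieq 'services.exe')

        [pscustomobject]@{
            ProcessId         = $prv.ProcessId
            CommandLine       = $prv.CommandLine
            ParentPid         = $prv.ParentProcessId
            ParentName        = $parent.Name
            ParentCommandLine = $parent.CommandLine
            GrandparentName   = $grandparent.Name
            ChainAsExpected   = [bool]($parentOk -and $gpOk)
        }
    }
}

Get-WmiPrvSeChain | Format-List
```

Parent PIDs can be reused after a process exits, so on a busy host compare CreationDate of child and parent before trusting a surprising result.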

Practice:

  • PowerShell offers two families of cmdlets for WMI: the WMI cmdlets and the CIM cmdlets.

Find the WMI class that allows us to create a process:

    PS C:\Users\v13td0x> Get-CimClass -MethodName *Create*

       NameSpace: ROOT/cimv2

    CimClassName          CimClassMethods       CimClassProperties
    ------------          ---------------       ------------------
    Win32_ShadowStorage   {Create}              {AllocatedSpace, DiffVolume, MaxSpace, UsedSpace...}
    StdRegProv            {CreateKey, Delet...  {}
    Win32_ScheduledJob    {Create, Delete}      {Caption, Description, InstallDate, Name...}
    Win32_DfsNode         {Create}              {Caption, Description, InstallDate, Name...}
    Win32_BaseService     {StartService, St...  {Caption, Description, InstallDate, Name...}
    Win32_SystemDriver    {StartService, St...  {Caption, Description, InstallDate, Name...}
    Win32_Service         {StartService, St...  {Caption, Description, InstallDate, Name...}
    Win32_Share           {Create, SetShare...  {Caption, Description, InstallDate, Name...}
    Win32_ClusterShare    {Create, SetShare...  {Caption, Description, InstallDate, Name...}
    Win32_ShadowCopy      {Create, Revert}      {Caption, Description, InstallDate, Name...}
    Win32_Process         {Create, Terminat...  {Caption, Description, InstallDate, Name...}   ## <<<------

    PS C:\Users\v13td0x> (Get-CimClass -ClassName Win32_Process).CimClassMethods['Create'].Parameters

    Name                      CimType  Qualifiers                                  ReferenceClassName
    ----                      -------  ----------                                  ------------------
    CommandLine               String   {ID, In, MappingStrings}
    CurrentDirectory          String   {ID, In, MappingStrings}
    ProcessStartupInformation Instance {EmbeddedInstance, ID, In, MappingStrings}
    ProcessId                 UInt32   {ID, MappingStrings, Out}
  • You can see the WMI class Win32_Process holds a method called Create, and the second command lists the parameters the Win32_Process.Create method takes.
  • Next, let's find out which WMI provider backs it. As mentioned before, providers are essentially COM servers, which means they are registered in the registry behind a CLSID.
    PS C:\Users\v13td0x> (Get-CimInstance __Provider -Filter "Name = '$(([WmiClass] 'Win32_Process').Qualifiers['provider'].Value)'").CLSID
    {d63a5850-8f16-11cf-9f47-00aa00bf345c}

    # use that CLSID to find the provider DLL
    PS C:\Users\v13td0x> Get-ItemPropertyValue -Path "Registry::HKEY_CLASSES_ROOT\CLSID\{d63a5850-8f16-11cf-9f47-00aa00bf345c}\InprocServer32\" -Name '(default)'
    C:\Windows\system32\wbem\cimwin32.dll

So, what do we have?

WMI Class: Win32_Process
Method: Create(CommandLine, CurrentDirectory, ProcessStartupInformation, ProcessId)
Provider: cimwin32.dll
Namespace: ROOT/cimv2
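The two provider-lookup commands in the Practice section can be generalized to any class. The block below is an added example (not from the original note): it resolves the class's provider qualifier, the matching __Provider instance's CLSID and the COM server DLL registered under InprocServer32, then records whether that DLL lives under System32\wbem and whether it is signed. It uses Get-CimClass (the CIM-cmdlet equivalent of the note's [WmiClass] accelerator). The function name and the InWbemDir baseline check are assumptions made here.

```powershell
# Added example, not part of the original note: generalize the class ->
# provider -> CLSID -> DLL walk shown in the note to any WMI class.
function Resolve-WmiProvider {
    param(
        [Parameter(Mandatory)] [string] $ClassName,
        [string] $Namespace = 'ROOT/cimv2'
    )

    # Step 1: the class-level 'provider' qualifier names the provider
    $class        = Get-CimClass -Namespace $Namespace -ClassName $ClassName
    $providerName = $class.CimClassQualifiers['provider'].Value
    if (-not $providerName) {
        throw "Class $ClassName has no 'provider' qualifier (abstract or repository-only class)"
    }

    # Step 2: the __Provider instance of that name carries the COM CLSID
    $provider = Get-CimInstance -Namespace $Namespace -ClassName __Provider -Filter "Name = '$providerName'"
    $clsid    = $provider.CLSID

    # Step 3: the CLSID's InprocServer32 default value is the provider DLL
    $inproc  = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    $rawPath = Get-ItemPropertyValue -Path $inproc -Name '(default)'
    $dllPath = [Environment]::ExpandEnvironmentVariables($rawPath)

    # Baseline checks (assumption made here): in-box providers live under
    # System32\wbem and are signed
    $wbemDir   = Join-Path $env:SystemRoot 'System32\wbem'
    $signature = if (Test-Path -LiteralPath $dllPath) {
        (Get-AuthenticodeSignature -FilePath $dllPath).Status
    } else { 'FileMissing' }

    [pscustomobject]@{
        Namespace       = $Namespace
        ClassName       = $ClassName
        ProviderName    = $providerName
        CLSID           = $clsid
        ProviderDll     = $dllPath
        InWbemDir       = $dllPath.StartsWith($wbemDir, [StringComparison]::OrdinalIgnoreCase)
        SignatureStatus = $signature
    }
}

# The note's own case, plus another class from the same namespace
Resolve-WmiProvider -ClassName Win32_Process | Format-List
Resolve-WmiProvider -ClassName Win32_Service | Format-List
```

Running this over every class in a namespace (Get-CimClass -Namespace ROOT/cimv2 | ForEach-Object CimClassName) gives an inventory of which DLLs WmiPrvSE may load, which is a useful baseline to diff against later.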

References:

https://jsecurity101.medium.com/wmi-internals-part-1-41bb97e7f5eb