event viewer warnings - HiPerfCooker CmdTriggerConsumer, Rsop use LocalSystem account

Discussion in 'malware problems & news' started by Steven Avery, Apr 17, 2009.

Thread Status:
Not open for further replies.
    Steven Avery, Registered Member (Joined: Nov 13, 2007; Posts: 110)
    Hi Folks,

    Recently I did a clean XP install with the Dell CDs - XP SP2 which I brought up to SP3 - on my Precision 380. At one point a few days later I had a temporary problem with permissions (which cleared after a reboot or two, and I do not know why it occurred, although I have a couple of theories .. guesses .. about the Service Pack and updates which may have not taken perfectly .. another about a startup manager program with configurations).

    While I had the permissions problem .. I tried to let Event Viewer be my friend, and I found something a little strange. Early on in the install, after a bunch of Performance Counters installed, and the installation of MSDTC (Microsoft Distributed Transaction Coordinator), there were some warning messages, basically these three, although two had immediate repetition, making five.

    ===========================================

    THREE EVENT VIEWER NOTIFICATIONS

    Source: WinMgmt

    A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

    A provider, CmdTriggerConsumer, has been registered in the WMI namespace, Root\cimv2 (continues the same)

    A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

    ============================================================

    After that things looked pretty normal .. a setup_security.inf backup, the Windows Security Center Service started up, the Dell Resource CD was installed (drivers), the Broadcom controller. Then came the Internet, the AntiVir started up and other stuff. I got a new appreciation of the event viewer and I am looking to see if event viewer software should be used more frequently.

    There is a fair amount of discussion of these types of messages on the net. A lot of the talk revolves around MBR and rootkit and router possibilities with conspiracy theories floating about. And it is unclear whether malware in such areas would actually activate so early, grabbing permissions. Or if they would be sitting quietly waiting for an .exe or BHO or something to activate them in later operations. Putting aside the possibility of something getting into a manufacturers CD, which is quite unlikely with a company like Dell.

    However, I do wonder if those warning messages could be related to more normal Dell activities. They have a special partition on the disk for diagnostics.

    Or, more significantly, they could be related to simple overrides, activities, clashes in service pack and updates in bringing an OS up to speed. After quite a bit of searching the following webpage was pointed out, which indicates that at least one of the messages is "normal" per Microsoft.

    ======================================

    MICROSOFT ON the RSoP DATA WARNING

    http://support.microsoft.com/kb/915148
    Event ID: 5603 occurs when you install Windows Server 2003 Service Pack 1, Windows XP Service Pack 2, or Windows XP Service Pack 3

    After you install Windows Server 2003 Service Pack 1, Windows XP Service Pack 2, or Windows XP Service Pack 3, the following Windows Management Warning event may be logged .... RSoP data is used only for monitoring and diagnostic purposes. "No known security implications exist when the RSoP provider runs under the Local System account."

    ============================================

    Here is the Microsoft Forum thread.

    http://www.microsoft.com/communitie...6-ba1a8875c1a7&lang=en&cr=&sloc=en-us&m=1&p=1
    Package Installer looks fishy in General Security Discussion

    So do any of our readers have an idea about these? Is it sensible that a group of such events can all be simply from an internal Microsoft "update - WGA - Service Pack" type of cause?

    Thanks for your thoughts.

    Shalom,
    Steven Avery
    Queens, NY

    SOME OTHER THREADS HERE AND THERE

    There are many threads, I will put a few here. However they tend to not address whether this can be simply Microsoft mildly messing up, in terms of giving alarmist warnings where they really are an overstatement. The threads tend to focus on the more sinister possibilities.

    http://www.pcreview.co.uk/forums/thread-3520830.php
    "and these things show up before--BEFORE--the machine is connected to the net."

    http://www.malwarebytes.org/forums/index.php?showtopic=6302
    'Flatten and Rebuild', A *really* clean start required!

    http://tinyurl.com/chmx8z
    I've done both of these 'silly things'!

    http://www.eggheadcafe.com/conversation.aspx?messageid=33332742&threadid=33305565
    Package Installer looks fishy - FromTheRafters

    http://forum.piriform.com/index.php?showtopic=18226
    HiPerfCooker, Rsop Planning Mode Provider, CmdTriggerConsumer..., Impersonate?
    "I have had a total of five different computers develop this problem, and I have no confidence that any new machine would solve this problem for me. My left-leaning sister says she thinks it's probably my own government surveilling me. I don't know about that, but it makes as much sense as anything Microsoft has offered."

    http://forum.piriform.com/lofiversion/index.php/t4382.html
    What does this mean? (discussion of "security privileges in WMI Management" with instructions)

    And more. Many threads were begun by one poster, and the answers vary widely.
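The warnings quoted above come from WMI provider registrations (the __Win32Provider instances in each namespace) whose HostingModel is LocalSystemHost or is not set at all. The following added script, not part of the original post, enumerates those registrations in the three namespaces the warnings name and cross-checks them against the WinMgmt warnings in the System log; it assumes PowerShell 2.0 or later on the XP-era event source name "WinMgmt" quoted in the post, and the provider names it prints depend on the machine.

```powershell
# Added example, not from the original post: list every WMI provider registered
# in the three namespaces the warnings name and show the account it runs under.
# Assumes PowerShell 2.0 or later; provider names in the output are machine-specific.
$namespaces = 'root\WMI', 'root\cimv2', 'root\RSOP'
$rows = @()

foreach ($ns in $namespaces) {
    # __Win32Provider holds one instance per provider registered in the namespace
    $providers = Get-WmiObject -Namespace $ns -Class __Win32Provider -ErrorAction SilentlyContinue
    foreach ($p in $providers) {
        $model = $p.HostingModel
        # An empty HostingModel is exactly what event 5603 warns about:
        # WMI then hosts the provider as LocalSystem by default.
        if ([string]::IsNullOrEmpty($model)) { $model = '(not set, defaults to LocalSystem)' }
        $rows += New-Object PSObject -Property @{
            Namespace    = $ns
            Provider     = $p.Name
            HostingModel = $model
            # ImpersonationLevel 1 means the provider impersonates the caller,
            # which is the condition the warning text says must hold.
            Impersonates = ($p.ImpersonationLevel -eq 1)
        }
    }
}

# Show only the registrations that match the warnings' description
$rows | Where-Object { $_.HostingModel -match 'LocalSystem' } |
    Sort-Object Namespace, Provider |
    Format-Table Namespace, Provider, HostingModel, Impersonates -AutoSize

# Cross-check against the System log: the WinMgmt warnings the post quotes
# (the second comma-separated field of the message is the provider name)
Get-EventLog -LogName System -Source WinMgmt -EntryType Warning -Newest 50 |
    Where-Object { $_.Message -match 'LocalSystem' } |
    Select-Object TimeGenerated, EventID,
        @{ n = 'Provider'; e = { ($_.Message -split ',')[1].Trim() } } |
    Format-Table -AutoSize
```

A provider that appears in the first table with Impersonates set to False, or whose registration is not accounted for by the OS, service pack or installed software, is the one worth reviewing; the RSoP entry is the documented SP3 case from the KB article above.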