WMIADAP.EXE is "ignoring" its own PG settings

Discussion in 'ProcessGuard' started by nameless, Feb 2, 2004.

Thread Status:
Not open for further replies.
  1. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    I'm running PG 1.200 on WinXP. The screen shot says it best: I have "C:\WINDOWS\system32\wbem\wmiadap.exe" in PG's list (actually, I think it was there by default), and it has every possible "Allow" privilege.

    Still, however, I see log entries that tell me that WMIADAP.EXE "tried to gain WRITE, TERMINATE, SET INFO, SUSPEND access on" every entry in the PG list. This happens pretty frequently. It's as if the "Allow" settings for WMIADAP.EXE are being ignored.

    Screen shot (JPG, 127 KB)
     
  2. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Seems to be a bug somewhere. Indeed, if you look at your SS carefully, you will notice that

    c:\windows\system32\wbem\wmiadap.exe

    is protected and allowed, while

    \\?\c:\windows\system32\wbem\wmiadap.exe

    is blocked. The path is different, and "\\?\" doesn't mean anything to my eyes.

    I'm sure you will have news from DCS tomorrow.
     
  3. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    The screenshot is not available, at least when I just tried to click on it, so I cannot see it. :)

    -Jason-
     
  4. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Does this one work:
    http://home.rochester.rr.com/bootitng/images/00004658.JPG
     
  5. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Sorry, the image is pretty large, so I didn't want to embed it. I also forgot that I have the ASCII log enabled, and that I could get the output from there as well. So here is an excerpt from it:

    \\?\c:\windows\system32\wbem\wmiadap.exe [PID] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\windows\system32\smss.exe [384]
    \\?\c:\windows\system32\wbem\wmiadap.exe [PID] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\windows\system32\csrss.exe [460]
    \\?\c:\windows\system32\wbem\wmiadap.exe [PID] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\windows\system32\winlogon.exe [484]
    \\?\c:\windows\system32\wbem\wmiadap.exe [PID] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\windows\system32\services.exe [528]
    \\?\c:\windows\system32\wbem\wmiadap.exe [PID] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\windows\system32\lsass.exe [540]
    \\?\c:\windows\system32\wbem\wmiadap.exe [PID] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\windows\system32\svchost.exe [704]
    \\?\c:\windows\system32\wbem\wmiadap.exe [PID] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\windows\system32\svchost.exe [784]
    \\?\c:\windows\system32\wbem\wmiadap.exe [PID] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\windows\system32\svchost.exe [828]
    \\?\c:\windows\system32\wbem\wmiadap.exe [PID] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\windows\explorer.exe [976]
    \\?\c:\windows\system32\wbem\wmiadap.exe [PID] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\windows\system32\spoolsv.exe [980]


    There are a ton of these entries; this is only a portion of them. There is one entry for every instance of every program I have in PG's list at the time WMIADAP.EXE runs (for example, APACHE.EXE is in PG's list, and when WMIADAP.EXE runs, it creates a log entry like the above twice for APACHE.EXE--because Apache uses two instances when it runs).
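
The mismatch discussed in this thread is between a rule stored under the plain path and a log entry that carries the `\\?\` form (the Win32 extended-length path prefix) of the same file. The following is an added example, not part of the thread and not ProcessGuard code, that scans log text in the excerpt's format for rules missed only because of such a prefix; the allow list, the helper names `normalize` and `alias_mismatches`, and the third sample line are assumptions.

```python
import re

# Rule as described in the thread: the plain path carries every "Allow" privilege.
ALLOW_LIST = {r"c:\windows\system32\wbem\wmiadap.exe"}

# Constructed sample: two lines in the excerpt's format, plus one invented
# program (c:\temp\example.exe) that has no rule at all.
SAMPLE_LOG = r"""
\\?\c:\windows\system32\wbem\wmiadap.exe [PID] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\windows\system32\smss.exe [384]
\\?\c:\windows\system32\wbem\wmiadap.exe [PID] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\windows\explorer.exe [976]
c:\temp\example.exe [PID] tried to gain WRITE access on c:\windows\explorer.exe [976]
"""

LINE_RE = re.compile(r"^(?P<src>.+?) \[[^\]]+\] tried to gain (?P<access>.+?) "
                     r"access on (?P<dst>.+?) \[\d+\]$")

def normalize(path):
    # Lowercase, then strip the Win32 (\\?\) or NT (\??\) namespace prefix.
    low = path.strip().lower()
    for prefix in ("\\\\?\\unc\\", "\\??\\unc\\"):
        if low.startswith(prefix):
            return "\\\\" + low[len(prefix):]  # \\?\UNC\srv\share -> \\srv\share
    for prefix in ("\\\\?\\", "\\??\\"):
        if low.startswith(prefix):
            return low[len(prefix):]
    return low

def alias_mismatches(log_text, allow_list):
    """Logged source paths that miss a literal rule lookup but match once normalized."""
    literal = {a.lower() for a in allow_list}
    canonical = {normalize(a) for a in allow_list}
    hits = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src = m.group("src")
        if src.lower() not in literal and normalize(src) in canonical:
            hits.add(src)
    return sorted(hits)

if __name__ == "__main__":
    for src in alias_mismatches(SAMPLE_LOG, ALLOW_LIST):
        print("rule exists, but this path alias did not match it:", src)
```

Any rule engine keyed on image paths needs the same canonical form applied both when a rule is stored and when a process path is looked up; otherwise a prefixed alias is treated as a different, unlisted program.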
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Well, let's put it on this server ;)
     

    Attached Files:

    • shot.gif (94.9 KB)
  7. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Thanks. I'm such a moron when it comes to handling images. :doubt: If I'd just used a PNG like I usually do, there would have been no problem.
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    No problem ;)

    regards.

    paul
     
  9. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Thanks, this has been fixed for PG1.250 :)

    -Jason-
     