
On one of our servers, registry keys keep disappearing. These keys contain certificate keys for our Sophos AV management console, and parts of the Enterprise Console stop working after each reboot (the message router, to be specific). After enabling auditing of the registry, we found that

C:\Windows\System32\wbem\WmiPrvSE.exe

edits the registry.

Here is the complete event log entry:

    Protokollname: Security
    Quelle:        Microsoft-Windows-Security-Auditing
    Datum:         19.03.2015 15:24:37
    Ereignis-ID:   4657
    Aufgabenkategorie:Registrierung
    Ebene:         Informationen
    Schlüsselwörter:Überwachung erfolgreich
    Benutzer:      Nicht zutreffend
    Computer:      SERVER.domain.com
    Beschreibung:
    Ein Registrierungswert wurde geändert.

    Antragsteller:
        Sicherheits-ID:     SYSTEM
        Kontoname:      SERVER$
        Kontodomäne:        DOMAIN
        Anmelde-ID:     0x3e7

    Objekt:
        Objektname:     \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private
        Name des Objektwerts:   pkp
        Handle-ID:      0x1d8
        Vorgangstyp:        Der Registrierungswert wurde gelöscht.

    Prozessinformationen:
        Prozess-ID:     0x1ba4
        Prozessname:        C:\Windows\System32\wbem\WmiPrvSE.exe

    Informationen zur Änderung:
        Typ des alten Werts:        REG_BINARY
        Alter Wert:     <Wertänderungsüberwachung wird für diesen Registrierungstyp nicht unterstützt.>
        Typ des neuen Werts:        -
        Neuer Wert:     -
    Ereignis-XML:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4657</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12801</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2015-03-19T14:24:37.744545900Z" />
        <EventRecordID>11004886</EventRecordID>
        <Correlation />
        <Execution ProcessID="4" ThreadID="80" />
        <Channel>Security</Channel>
        <Computer>SERVER.domain.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-5-18</Data>
        <Data Name="SubjectUserName">SERVER$</Data>
        <Data Name="SubjectDomainName">DOMAIN</Data>
        <Data Name="SubjectLogonId">0x3e7</Data>
        <Data Name="ObjectName">\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private</Data>
        <Data Name="ObjectValueName">pkp</Data>
        <Data Name="HandleId">0x1d8</Data>
        <Data Name="OperationType">%%1906</Data>
        <Data Name="OldValueType">%%1875</Data>
        <Data Name="OldValue">%%1800</Data>
        <Data Name="NewValueType">-</Data>
        <Data Name="NewValue">-</Data>
        <Data Name="ProcessId">0x1ba4</Data>
        <Data Name="ProcessName">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
      </EventData>
    </Event>

Is there any way to see what causes WMI to delete these keys on every boot?

chewbakka

1 Answer


WmiPrvSE.exe is not WMI, but rather, it is the WMI provider hosting process. So WmiPrvSE is a part of the overall WMI implementation, but it is not WMI itself. WmiPrvSE hosts WMI providers, both those supplied by Microsoft and also WMI providers provided by third parties. You can easily view the WMI providers being hosted by any instance of the WmiPrvSE process by using Process Explorer and hovering over the WmiPrvSE instance. Very similar to hovering your mouse over svchost.exe in Process Explorer to see the services hosted within.

I can't think of any reason why an out-of-the-box Microsoft WMI provider would mess specifically with registry keys belonging to Sophos software that you have installed. What seems way more likely is that the Sophos software that you installed comes with its own WMI provider, and that Sophos WMI provider is acting funky. (Actions taken by this WMI provider would be charged against a WmiPrvSE process.) This would not surprise me at all, as integrating with WMI is a very common thing for anti-virus vendors to do.

I would take it up with Sophos support.

Ryan Ries
  • Thanks for your answer. Sophos support was already involved because this caused the Enterprise Console to work only partially. After we found out that registry keys disappear, they closed the case: "We found why it is not working, the rest is your problem." After that I turned on auditing and got the event log entries. – chewbakka Mar 19 '15 at 19:05
  • And is there a way to log which provider is using WmiPrvSE to delete the keys? – chewbakka Mar 19 '15 at 19:21
  • 1
    @chewbakka Grab Sysinternals Process Monitor (procmon). Enable boot logging. Reboot. Stop the trace. Find the event where the registry entry is deleted. Observe the instance of WmiPrvSE that is responsible. Look at its properties and go to the Process tab. Look at the loaded modules. I bet the WmiPrvSE that deleted the keys just so happens to have a DLL that Sophos authored loaded into it. – Ryan Ries Mar 22 '15 at 16:50
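A scripted version of the check described in the answer and the last comment, added here as an example and not part of the original post or of any Sophos or Microsoft tooling: it resolves every registered WMI provider to its DLL through the CLSID registry entries, then lists the non-Microsoft modules loaded in each running WmiPrvSE.exe host and which provider owns them, so the host PID can be compared with the Process-ID from a 4657 event. It assumes Windows PowerShell 3 or later, run elevated on the affected server; the namespace walk is single-level (root\*) on purpose to stay short.

```powershell
# Added example (not from the original post): attribute third-party DLLs inside
# WmiPrvSE.exe hosts to the WMI provider that registered them. Assumes an
# elevated Windows PowerShell 3+ session on the server that logs the 4657 events.

# 1. Registered providers (__Win32Provider) in each top-level namespace, with the
#    in-process DLL resolved from HKLM\SOFTWARE\Classes\CLSID (64-bit) or the
#    Wow6432Node hive (32-bit providers, such as one living under Wow6432Node\Sophos).
$providers = foreach ($ns in (Get-WmiObject -Namespace root -Class __Namespace).Name) {
    try {
        Get-WmiObject -Namespace "root\$ns" -Class __Win32Provider -ErrorAction Stop |
        ForEach-Object {
            $clsid = $_.CLSID
            $dll = $null
            foreach ($hive in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
                $key = Join-Path $hive "$clsid\InprocServer32"
                if (Test-Path $key) {
                    $raw = (Get-ItemProperty $key).'(default)'
                    # Paths may be quoted or use %SystemRoot%-style variables; normalise for matching.
                    $dll = [Environment]::ExpandEnvironmentVariables(($raw -replace '"', ''))
                    break
                }
            }
            [pscustomobject]@{ Namespace = "root\$ns"; Provider = $_.Name; CLSID = $clsid; Dll = $dll }
        }
    } catch { }   # namespaces without a __Win32Provider class or with access denied are skipped
}

# 2. For every WmiPrvSE.exe host, list loaded modules not authored by Microsoft and
#    the provider (if any) whose registered DLL that is. The PID column is compared with the
#    decimal value of the event's Process-ID (the post's 0x1ba4 is 7076).
foreach ($proc in Get-Process -Name WmiPrvSE -ErrorAction SilentlyContinue) {
    $modules = try { $proc.Modules } catch { @() }   # module enumeration can fail across bitness
    foreach ($m in $modules) {
        $company = $m.FileVersionInfo.CompanyName
        if ($company -match 'Microsoft') { continue }
        $owner = $providers | Where-Object { $_.Dll -and ($_.Dll -eq $m.FileName) }
        [pscustomobject]@{
            PID      = $proc.Id
            Module   = $m.FileName
            Company  = $company
            Provider = ($owner | ForEach-Object { "$($_.Namespace):$($_.Provider)" }) -join ', '
        }
    }
}
```

WmiPrvSE hosts are transient and PIDs change across reboots, so run this soon after boot while the host that produced the event is still alive, or fall back to the procmon boot-log approach from the comment to capture the deletion itself.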