A provider, <provider name>, has been registered in the WMI namespace, <namespace>, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Concepts to understand:
What is WMI?
What is a WMI provider?
What is a WMI namespace?
According to TD315566, in order to fix this problem you need to obtain a version of the provider that does not run under the LocalSystem security context.
From a newsgroup post: "Typically occurring when a Service Pack is applied, these messages are completely normal. This happens when the Windows Management Instrumentation (WMI) Provider is doing its business."
From a newsgroup post: "This warning is by design. The reasoning behind the warning is that we are letting the users know that any WMI provider that runs under the LocalSystem context is not optimal. Therefore, we just provide the warning anytime the WMI service starts up. We will be writing a KB article to keep administrators and users informed on this issue".
As per Microsoft: "Health Monitor registers several Windows Management Instrumentation (WMI) providers to run under the local system account to access the information that the providers supply. Because providers that run under the local system account pose a greater risk if they are compromised, Microsoft Windows 2003 generates warnings when these providers are registered". See ME820460 to find out for what providers this event is generated.
See ME891642 for more information on this issue.
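One way to see which providers are registered to run as LocalSystem, and in which namespace, is to read the provider registrations from the WMI repository. The script below is an added example, not part of the original page or of any Microsoft article it cites. It assumes PowerShell 3.0 or later (for `Get-CimInstance`) and an elevated session, and the function names `Get-WmiNamespace` and `Get-LocalSystemWmiProvider` are hypothetical.

```powershell
# Added example: inventory WMI providers whose registration requests a
# LocalSystem hosting model, with the namespace and the COM server behind each.

function Get-WmiNamespace {
    # Walk the namespace tree recursively, starting at 'root'.
    param([string]$Root = 'root')
    $Root
    Get-CimInstance -Namespace $Root -ClassName __NAMESPACE -ErrorAction SilentlyContinue |
        ForEach-Object { Get-WmiNamespace -Root "$Root\$($_.Name)" }
}

function Get-LocalSystemWmiProvider {
    param([string]$Root = 'root')
    foreach ($ns in Get-WmiNamespace -Root $Root) {
        # __Win32Provider holds one instance per provider registered in the namespace.
        Get-CimInstance -Namespace $ns -ClassName __Win32Provider -ErrorAction SilentlyContinue |
            Where-Object { $_.HostingModel -like 'LocalSystemHost*' } |
            ForEach-Object {
                # Resolve the provider CLSID to the in-process server DLL, if one is registered.
                $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$($_.CLSID)\InprocServer32"
                $dll = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
                [pscustomobject]@{
                    Namespace    = $ns
                    Provider     = $_.Name
                    HostingModel = $_.HostingModel
                    CLSID        = $_.CLSID
                    Binary       = $dll
                }
            }
    }
}

Get-LocalSystemWmiProvider |
    Sort-Object Namespace, Provider |
    Format-Table -AutoSize -Wrap
```

Compare the `Binary` column against the software you expect on the host. A provider that runs as LocalSystem from a DLL you cannot attribute to installed software deserves a closer look.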