Provider Hosting and Security
The HostingModel property in the __Win32Provider instance that represents your provider specifies the provider hosting model. Setting this property causes the provider to be loaded into a shared host process that has a specified level of privilege.
Shared Provider Host Process
WMI resides in a shared service host with several other services. To avoid stopping all the services when a provider fails, providers are loaded into a separate host process named "Wmiprvse.exe". More than one process with this name can be running. Each can run under a different account with varying security. Be aware that, starting with Windows Vista, use the winmgmt command to run WMI in a separate process by itself using a fixed port. For more information, see Connecting to WMI Remotely Starting with Vista.
The shared host can run under one of the following system accounts in a Wmiprvse.exe host process:
A provider can also be a local COM server (.exe), or self-hosted, which does not require a WMI provider host.
Setting the Hosting Model
Because LocalSystem is a privileged account, it is recommended that you set HostingModel to NetworkServiceHost when a provider is running in a Wmiprvse.exe process. NetworkServiceHost account is for services that do not require extensive privileges, but do need to communicate remotely with other systems.
If you do not set a value for the HostingModel property, WMI will set a default value of NetworkServiceHostOrSelfHost. If the HostingModel value is set to LocalSystemHost, WMI uses tracing to generate events 5603 and 5604 in the Windows Event Log. Because the local LocalSystem account is highly privileged, this setting is not recommended. You can view these events in the Event Viewer. For more information, see Tracing WMI Activity.
Set the HostingModel property for decoupled providers as "Decoupled:Com". Providers created by adding instrumentation classes from Microsoft.Management.Infrastructure in the .NET Framework are decoupled providers. (System.Management.Instrumentation is no longer supported.) For more information about creating a decoupled provider, see Incorporating a Provider in an Application.
The hosting model is specified in the HostingModel property in the __Win32Provider instance that represents your provider.
To set the hosting model for a provider
In the MOF file that defines your provider, create an instance of __Win32Provider.
Assign a name to the provider in the Name property and assign the class identifier (CLSID) of the provider COM object to the Clsid property.
The following code example assigns a name to the Name property and the CSLID of the provider COM object to the Clsid property.
Instance of __Win32Provider as $NewProvider { Name = "MyProvider"; Clsid = "{.......}"; }Assign the appropriate shared host value to the HostingModel property. Shared host values such as "NetworkServiceHost" are defined in the HostingSpecification property of MSFT_Providers class.
The following code example assigns a shared host value to the HostingModel property.
HostingModel = "NetworkServiceHost";
The following code example shows how to register a provider in NetworkServiceHost.
Instance of __Win32Provider as $NewProvider
{
Name = "MyProvider";
Clsid = "{.......}";
HostingModel = "NetworkServiceHost";
}
If you have multiple providers, you can group them into a specific service host by registering your provider so that it resides in the specific instance.
The following code example also registers a provider in NetworkServiceHost. The MSFT_Providers class defines values for the two values that combine to create the __Win32Provider HostingModel property. In the example, "NetworkServiceHost" value comes from the HostingSpecification property of MSFT_Providers and "LocalServiceHost" comes from the HostingGroup property.
Instance of __Win32Provider as $NewProvider
{
Name = "MyProvider";
Clsid = "{.......}";
HostingModel = "NetworkServiceHost:MySharedHost";
}
Special development issues exist for providers that are not decoupled and are hosted in the Wmiprvse process. For more information, see Debugging Providers.
If you are writing a provider that contains property or class provider registration, not all threading models work. For more information, see Choosing Correct Registration.
HostingModel Values for In-Process Providers
The following list lists the provider hosting model values to use in the __Win32Provider instance for providers that run in a Wmiprvse.exe process.
| Value in __Win32Provider.HostingModel | Description |
|---|---|
| SelfHost | The provider starts using the local server implementation instead of in-process. The security context of the process in which the provider runs determines the provider security context. |
| LocalSystemHost | The provider, if implemented as in-process, is loaded into a shared provider host running under LocalSystem context. Starting with Windows Vista, LocalSystemHost is no longer the default hosting model if the HostingModel of a WMI provider (__Win32Provider.HostingModel property) is unspecified. For more information, see Security of Hosting Models. |
| LocalSystemHostOrSelfHost | The provider is self-hosted or loaded into the Wmiprvse.exe process running under the LocalSystem account. Because LocalSystem is a highly privileged account, an entry is generated in the Security NT Event Log to notify administrators of a provider running in this trusted status. |
| NetworkServiceHost | The provider, if implemented as in-process, is loaded into the Wmiprvse.exe process running under NetworkService account. Starting with Windows Vista, this is the default hosting model if the HostingModel of a WMI provider (__Win32Provider.HostingModel property) is unspecified. For more information, see Security of Hosting Models. NetworkServiceHost has limited privileges and therefore reduces the possibility of an elevation of privilege attack. If the provider only operates within the local computer, then set the HostingModel property to LocalServiceHost. |
| NetworkServiceHostOrSelfHost | The provider is self-hosted or loaded into the WmiPrvse.exe process running under the NetworkService account. NetworkServiceHostOrSelfHost is the default configuration when the HostingModel property in __Win32Provider is NULL. Because NetworkServiceHostOrSelfHost is the default, providers from earlier operating systems can continue to work in Windows Vista, Windows Server 2008, and later operating systems. |
| LocalServiceHost | The provider, if implemented as in-process, is loaded into the Wmiprvse.exe process running under the LocalService account. This is the recommended hosting model for services because LocalService has limited privileges. |
HostingModel Values for Decoupled Providers
The following list lists the provider hosting model values for decoupled providers.
-
Decoupled:Com
-
The provider is a decoupled provider hosted in a separate process that is a client to WMI.
The following example shows the FoldIdentity specifier for the HostingModel property set to FALSE, which allows the provider to impersonate the client.
Decoupled:Com:FoldIdentity(FALSE)If FoldIdentity is not specified, the FoldIdentity value is set to TRUE by default. For security reasons, it is recommended that you not specify FoldIdentity(FALSE) since a rogue application with impersonation of Delegate can affect an entire domain.
The following example shows the HostingModel property set in the recommended manner that is equivalent to setting FoldIdentity(TRUE).
Decoupled:Com -
Decoupled:Noncom
-
For internal use only. Not supported.
Security of Hosting Models
For most situations, LocalSystem is unnecessary and the NetworkServiceHost context is more appropriate. Most WMI Providers must impersonate the client security context to perform requested operations on behalf of the WMI client. Starting with Windows Vista, a WMI provider that lacks a hosting model definition and executes as if it is running under LocalSystem will not run properly. To correct this situation, change the expected hosting model and ensure that the WMI provider code performs the operations in the client security context by impersonating the WMI client. LocalSystem is rarely an requirement. If your provider must have that level of privilege, specify the hosting model with the following statement in the MOF file.
HostingModel=LocalSystemHost