WinMgt event - WMI namespace registration

Discussion in 'Security and Privacy' started by Newt, 2004/06/29.

Thread Status:
Not open for further replies.
  1. 2004/06/29
    Newt

    Newt Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    XP-pro SP2-RC2 loaded yesterday AM.

    Found these in my event log. Certainly nothing I allowed and information on exactly what it is and how to fix it is scarce. As usual the link at the bottom to get more information leads to a dead end and the only MSDN article I found wasn't very helpful.

    Any ideas would be greatly appreciated.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Event Type: Warning
    Event Source: WinMgmt
    Event Category: None
    Event ID: 5603
    Date: 6/28/2004
    Time: 1:44:57 PM
    User: NT AUTHORITY\SYSTEM
    Computer: NEWTVAIL
    Description:
    A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Event Type: Warning
    Event Source: WinMgmt
    Event Category: None
    Event ID: 63
    Date: 6/28/2004
    Time: 1:33:24 PM
    User: NEWTVAIL\Newt
    Computer: NEWTVAIL
    Description:
    A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
     
    Newt,
    #1
  2. 2004/06/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Found several new posts and 1 from 2002 in MS newsgroup about the second one, but no info given on any of them. Did you see this? Maybe the update re-registered it. :confused:
     

  4. 2004/06/29
    Newt

    Newt Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Thanks Dave. Looked through that one. Got a little confused. Then looked through This one and things got worse.

    The event log warning tells me to fix the problem but danged if I can even tell what the problem is, much less how to fix it.
     
    Newt,
    #3
  5. 2004/06/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I'll say! Maybe Joe can shed some light. :rolleyes: I do think it was possibly a change created by the update though. I came across the MS Newsgroup links googling HiPerfCooker_v1. They are new posts and no info other than someone questioning the same, but you might keep an eye on them for a few days.
     
  6. 2004/06/29
    JoeHobart

    JoeHobart Inactive Alumni

    Joined:
    2004/05/19
    Messages:
    919
    Likes Received:
    1
    Oiy. That's not good. All that gobbledygook means that Microsoft has 2 services that are registering with WMI incorrectly. I'd guess that was a couple of big fat bugs.

    The cooked counter provider is quite a contraption. I wonder if it's by design to have to run as LocalSystem, it does some odd shenanigans... That error is just a warning: "Uhm, this guy's just opened the barn doors, make sure that he's supposed to have the keys to the kingdom". My guess is that's supposed to work that way, but shouldn't be throwing an event, so as not to upset anybody.

    I'd guess the other one just has a bad registration a la HostingModel not being specified in the MOF. Sniff.. smells like a bug to me.

    You should tell your friends at Microsoft about that one. I'm sure one of those guys would want to file a bug on it.
     
  7. 2004/06/30
    JoeHobart

    JoeHobart Inactive Alumni

    Joined:
    2004/05/19
    Messages:
    919
    Likes Received:
    1
    I was thinking about this this morning at work. I'll bet your MSFT buddies will find a bug's already filed on that. This will rethrow the error on every reboot. That's never a good thing, would just be confusing. Neither of those errors are true errors. XPSP1's MOF for RSOP doesn't have the new style format either. That must be a new error message.
     
  8. 2004/06/30
    Newt

    Newt Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Thanks Joe. I'm betting that you are correct about both the non-event status of the warning and that there is already a bug report floating around Microsoft somewhere.
     
    Newt,
    #7
  9. 2004/06/30
    Newt

    Newt Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    [RANT]
    I particularly loved the following from the first warning event.

    "Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality."

    which made it sound fairly trivial to "update the HostingModel property". Shoot, I can't even figure out what it is, much less how to update it.

    And probably my all-time least favorite thing they do with the event log entries, the
    For more information, see Help and Support Center at ......
    at the end that may, at some time for some person and some event, have pointed at more information but for me (several PCs and 70+ servers whose event logs I monitor) it always points to nothing.

    Yo!! - Microsoft - if anybody happens to be looking in here from time to time, you really ought to do something about that 'link to nothing' thing.
    [/RANT]


    :D :D
     
    Newt,
    #8
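Added example, not part of the original thread: a read-only PowerShell audit of the provider registrations that the two WinMgmt warnings refer to. It lists every `__Win32Provider` instance and flags those whose `HostingModel` is empty (the event 5603 wording) or set to a LocalSystem host (the event 63 wording). The function name `Get-WmiProviderHosting` is hypothetical, and mapping event 63 to the `LocalSystemHost*` values is an assumption based on the event text quoted above.

```powershell
# Added example (not from the thread). Read-only: nothing is modified.
# Run from an elevated session so that every namespace can be read.

function Get-WmiProviderHosting {          # hypothetical helper name
    param([string]$Namespace = 'root')

    # A provider registration is an instance of __Win32Provider stored in
    # the namespace the provider serves (e.g. root\RSOP, root\WMI).
    Get-CimInstance -Namespace $Namespace -ClassName __Win32Provider `
                    -ErrorAction SilentlyContinue |
        ForEach-Object {
            $model = $_.HostingModel

            $finding = if ([string]::IsNullOrEmpty($model)) {
                # Condition described by event 5603: no HostingModel given,
                # so the provider is run using the LocalSystem account.
                'HostingModel not specified (defaults to LocalSystem)'
            } elseif ($model -like 'LocalSystemHost*') {
                # Assumed to be the condition behind event 63.
                'Explicitly registered to run as LocalSystem'
            } else {
                'OK'
            }

            [pscustomobject]@{
                Namespace    = $Namespace
                Provider     = $_.Name
                CLSID        = $_.CLSID
                HostingModel = $model
                Finding      = $finding
            }
        }

    # Child namespaces are __NAMESPACE instances; walk them recursively.
    Get-CimInstance -Namespace $Namespace -ClassName __NAMESPACE `
                    -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-WmiProviderHosting -Namespace "$Namespace\$($_.Name)"
        }
}

# Show only the registrations a reviewer should look at.
Get-WmiProviderHosting |
    Where-Object Finding -ne 'OK' |
    Sort-Object Namespace, Provider |
    Format-Table Namespace, Provider, HostingModel, Finding -AutoSize
```

Providers that ship with Windows and appear in this list are expected on many systems; the output is most useful for spotting third-party registrations running with more privilege than they need.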