Windows Management Instrumentation (WMI) in the Windows family of operating systems enables system firmware and kernel-mode device drivers to expose WMI objects, called kernel WMI objects, for configuration and instrumentation. To expose kernel WMI objects, system firmware includes ACPI objects that are exposed to WMI through the ACPI WMI mapping driver. A kernel-mode driver defines WMI classes as described in the Windows Driver Kit (WDK).
Kernel WMI objects, especially objects that are exposed by system firmware, are more likely than other WMI objects to expose critical system functionality, such as the ability to change the behavior of a device driver or to change configuration information stored in the system firmware. To help enhance the security of kernel WMI objects, the default security descriptor on Windows Server 2003 and later versions of Windows allows only users who belong to the Local Administrators group to access kernel WMI objects. This security descriptor is more restrictive than the default security descriptor on Windows XP and earlier versions of Windows, which allows any user to read, write, and execute methods on kernel WMI objects.
This paper describes the default security permissions for kernel WMI objects on Windows Server 2003 and Windows Vista and how system manufacturers, device driver vendors, and BIOS developers can change the security permissions during device installation.
This information applies to the following operating systems:
Windows Server 2008
Windows Vista
Microsoft Windows Server 2003
Included in this paper:
• Kernel WMI Architecture
• Levels of WMI Object Security
• Retrieving Instrumentation Data from a Kernel WMI Object
• Specifying Kernel WMI Object Security in an INF File
• INF File Directives for Kernel WMI Object Security
• Example INF File That Specifies Security Descriptors
• Installing the INF File
• Best Practices for Kernel WMI Object Security