nt authority system offprov

AMPLIFRIER
Posts: 1641
Joined: Fri Jun 22, 2001 12:20 am
Location: 127.0.0.1

Post by AMPLIFRIER »

I posted this in security and didn't have any luck....not really sure if it should go here or there.....

but anyhow this is WinXP Pro. I got this message one time....I've scanned my system with my updated virus scanner and online at HouseCall....both came back clean

I also looked in the registry and I found like 4 or 5 occurrences of offprov

it seems to be associated with the Magistr virus....but I scanned clean.

Event Type: Warning
Event Source: WinMgmt
Event Category: None
Event ID: 63
Date: 5/24/2002
Time: 7:17:06 PM
User: NT AUTHORITY\SYSTEM
Computer: AMP4XP
Description:
A provider, OffProv, has been registered in the WMI namespace, Root\MSAPPS, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


any additional info is appreciated

TIA

AMP
Gigabyte ga-7n400 pro nForce2 mobo, Athlon XP3200, thermalright slk900, 1 gig corsair pc3200 cas2, radeon 9800pro, SB Audigy 2 ZS
case= yeong yang YY-B0221 server cube,550 watt Antec true power,1 wd raptor 74 gig,1 34gig raptor (page) 2 wd 120gig se's raid 1, 1 120gig se. WIN xp Pro, Dual display samsung syncmaster 1100df 21in(Primary) Samsung syncmaster 955df 19in (secondary)".
Norm
SG VIP
Posts: 14195
Joined: Tue Mar 27, 2001 12:00 pm

Post by Norm »

"C:\Program Files\Common Files\Microsoft Shared\MSINFO","OFFPROV.EXE",44032,22.01.1999,00:29:12,"Microsoft Corporation","Office Data Provider for WBEM","9.00.2521","Office Data Provider for WBEM"

WBEM = Web Based Enterprise Management

The file is not a virus, although some viruses do infect exe files. It is a file created by MS for WBEM

AMP, I don't have any more on it than the above, but I would assume your error message is due to being logged on as a user without certain privileges. I believe you are safe.

Post by AMPLIFRIER »

awesome
thanks Norm

where did you find the information at?

thanks

AMP

Post by Norm »

I did a number of searches AMP, it wasn't an easy one to find info on. MS search didn't come up with anything, tried a few different search terms too. Google, and IE search turned up a few hints.
I still don't know for sure what a developer can use that for, and if it could be used for destructive or spying purposes. I guess we'll have to live with it for now. I have it on my system as well, I believe it's on most systems. It's in my win98 and my win2K partition.

If you find the offprov.exe on your system, and right click it>properties, you'll see that it is a MS file, and what it is for. Well, a basic idea anyway. That goes for most exe files, especially MS created ones. MS will usually add a bit of info in a file's properties.

Post by AMPLIFRIER »

yeah I too performed a bunch of searches and came up with very vague hits.

once a virus got into your system ....could it alter the properties to reflect a MS origin?

thanks

AMP

Post by Norm »

I guess anything is possible if you can program well, but highly unlikely that it's a virus.

It is a MS file for sure. But I really at this point don't understand what it does, or can be used to do by an unscrupulous type.

I get the feeling it works with MS Office, and/or MS Publisher (possibly other MS apps too) to access files on the web.
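
On the question raised above of whether a file's properties can be trusted: the PowerShell below is an added example, not part of any post in this thread. It looks up the provider named in the event, resolves the binary that provider runs, and reports its Authenticode signature next to the version-info strings the Properties dialog shows. It assumes a Windows system with PowerShell 4 or later; the function name Get-WmiProviderBinaryCheck is hypothetical, and the namespace and provider name come from the event text.

```powershell
# Added example: cross-check a WMI provider's binary instead of trusting its Properties dialog.
# Version-info strings (CompanyName, FileDescription) are plain resource data that anyone
# can write into a file; the signature and the hash are the parts that can be verified.
function Get-WmiProviderBinaryCheck {
    param(
        [string]$Namespace    = 'root\MSAPPS',   # from the event description
        [string]$ProviderName = 'OffProv'        # from the event description
    )
    # __Win32Provider instances describe each provider registered in a namespace.
    $providers = Get-CimInstance -Namespace $Namespace -ClassName __Win32Provider -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq $ProviderName }
    if (-not $providers) {
        Write-Warning "No provider '$ProviderName' registered in $Namespace"
        return
    }
    foreach ($p in $providers) {
        # The provider's CLSID points at the COM server that WMI launches for it.
        $raw = $null
        foreach ($sub in 'LocalServer32', 'InprocServer32') {
            $key = Get-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$($p.CLSID)\$sub" -ErrorAction SilentlyContinue
            if ($key) { $raw = $key.GetValue(''); break }
        }
        if (-not $raw) { Write-Warning "CLSID $($p.CLSID) has no server path"; continue }
        # The registry value may be quoted and may carry command-line arguments.
        $path = if ($raw -match '^"([^"]+)"') { $Matches[1] }
                elseif ($raw -match '^(.+?\.(exe|dll))') { $Matches[1] }
                else { $raw }
        if (-not (Test-Path -LiteralPath $path)) { Write-Warning "Missing file: $path"; continue }
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $ver = (Get-Item -LiteralPath $path).VersionInfo
        [pscustomobject]@{
            Provider        = $p.Name
            HostingModel    = $p.HostingModel          # e.g. LocalSystemHost
            Path            = $path
            ClaimedCompany  = $ver.CompanyName         # what the Properties dialog shows
            ClaimedVersion  = $ver.FileVersion
            SignatureStatus = $sig.Status              # Valid, NotSigned, HashMismatch, ...
            Signer          = $sig.SignerCertificate.Subject
            SHA256          = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

Get-WmiProviderBinaryCheck | Format-List
```

A status of NotSigned on an old binary is inconclusive on its own; in that case compare the SHA256 value with a copy taken from the original install media.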

Post by AMPLIFRIER »

don't get me wrong.....I believe what you're saying......the whole "altering the properties thing" was just something that popped into my head :D

thanks again man i appreciate it :)

AMP

Post by Norm »

No problem, you're welcome Amp.

I have it on my machine and got curious when I saw your post, and then in some searches MagistrB was referred to. I honestly believe we're safe though.