• File Path: C:\WINDOWS\SysWOW64\Register-CimProvider.exe
  • Description: WMI


Type Hash
MD5 0042B2C7A176D23ACBAD0AE1F43AEF7C
SHA256 8B76F4C4E0D1D3A87B0C749A995E3A31CFCA2BA88C180C18BA7F169E14C06B60
SHA384 EC4E4F5EA12C3A36554D84F188A4FB1551BD1DE942E2DF1902F938ED0B95F95D84FB9B99DC088C5FFC756AAA3AA29C54
SHA512 B82921B999976B6BE7BD78F3F4822492B79F33CE0A2DE73F53BB829A1DD065C2543337FA163CC91A1E578DE5E6C8EC15295428256833DD4639C7B44FA72B0A62
SSDEEP 384:xsR1sKmxpfQ6bRsOGoEajBBpszlfWaHm1ZPTKtoQw5EDcYkf+N2OB4KQ+xgWB1Ww:2R1lUuYsv8ps1WaHAVKXDcYkG2OB4sxl
IMP E38114F7B41F83A6809D0A3C49C82EEE
PESHA1 70A7C6E11C89734A9B62A881618E772251A5D3C4
PE256 FD86430B837FCB95D1D7E16AA53DE8A5714FE3B414AAE753709269E9915106F3

Runtime Data

Usage (stdout):

Registers CIM Provider into system

Usage:  Register-CimProvider.exe
		-Namespace <NamespaceName>
		-ProviderName <ProviderName>
		-Path <ProviderDllPath>
		[-ClassList <Space delimited list of white-listed classes>]
		[-Impersonation <True or False>]
		[-Decoupled <SDDL>]
		[-HostingModel <HostingModel>]
		[-Localize <locale>]

-Namespace <NamespaceName>
	Specifies the target namespace of the provider.

-ProviderName <ProviderName>
	Specifies the provider name.

-Path <ProviderDllPath>
	Specifies the provider binary path.

-Impersonation <True or False>
	Specifies foldidentity of decoupled provider, by default is True.

-Decoupled <SDDL>
	Registers provider as decoupled and specifies the security descriptor
	that determines the set of users that can successfully register
	the provider.

-HostingModel <HostingModel>
	Specifies the HostingModel of coupled provider.

-Localize <locale>
	Localizes the provider with resource of specified locale.

	Doesn't autorecover the provider.

	Passes the query expression to the filter.

	Generate the uninstall mof for the registration,
	which is disabled by default.

	Force update the class if it exists in the system.

-ClassList <ProviderDllPath>
	Specifies space delimited list of white-listed classes that
	will be generated in the mof.

	Outputs registration log.

Loaded Modules:



  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: Register-CimProvider2.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link:

Possible Misuse

The following table contains possible examples of Register-CimProvider.exe being misused. While Register-CimProvider.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_susp_register_cimprovider.yml title: DLL Execution Via Register-cimprovider.exe DRL 1.0
sigma win_susp_register_cimprovider.yml description: Detects using register-cimprovider.exe to execute arbitrary dll file. DRL 1.0
sigma win_susp_register_cimprovider.yml - DRL 1.0
sigma win_susp_register_cimprovider.yml Image\|endswith: '\register-cimprovider.exe' DRL 1.0
LOLBAS Register-cimprovider.yml Name: Register-cimprovider.exe  
LOLBAS Register-cimprovider.yml - Command: Register-cimprovider -path "C:\folder\evil.dll"  
LOLBAS Register-cimprovider.yml - Path: C:\Windows\System32\Register-cimprovider.exe  
LOLBAS Register-cimprovider.yml - Path: C:\Windows\SysWOW64\Register-cimprovider.exe  
atomic-red-team - Atomic Test #3: Register-CimProvider - Execute evil dll [windows] MIT License. © 2018 Red Canary
atomic-red-team - Atomic Test #3: Register-CimProvider - Execute evil dll [windows] MIT License. © 2018 Red Canary
atomic-red-team - Atomic Test #3 - Register-CimProvider - Execute evil dll MIT License. © 2018 Red Canary
atomic-red-team ## Atomic Test #3 - Register-CimProvider - Execute evil dll MIT License. © 2018 Red Canary
atomic-red-team C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload} MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.