Register-CimProvider.exe
- File Path:
C:\WINDOWS\SysWOW64\Register-CimProvider.exe
- Description: WMI
Hashes
| Type |
Hash |
| MD5 |
0042B2C7A176D23ACBAD0AE1F43AEF7C |
| SHA1 |
DECFBD2FE5AA5F163AED1D428C8FDD0F4BA012E3 |
| SHA256 |
8B76F4C4E0D1D3A87B0C749A995E3A31CFCA2BA88C180C18BA7F169E14C06B60 |
| SHA384 |
EC4E4F5EA12C3A36554D84F188A4FB1551BD1DE942E2DF1902F938ED0B95F95D84FB9B99DC088C5FFC756AAA3AA29C54 |
| SHA512 |
B82921B999976B6BE7BD78F3F4822492B79F33CE0A2DE73F53BB829A1DD065C2543337FA163CC91A1E578DE5E6C8EC15295428256833DD4639C7B44FA72B0A62 |
| SSDEEP |
384:xsR1sKmxpfQ6bRsOGoEajBBpszlfWaHm1ZPTKtoQw5EDcYkf+N2OB4KQ+xgWB1Ww:2R1lUuYsv8ps1WaHAVKXDcYkG2OB4sxl |
| IMP |
E38114F7B41F83A6809D0A3C49C82EEE |
| PESHA1 |
70A7C6E11C89734A9B62A881618E772251A5D3C4 |
| PE256 |
FD86430B837FCB95D1D7E16AA53DE8A5714FE3B414AAE753709269E9915106F3 |
Runtime Data
Usage (stdout):
Registers CIM Provider into system
Usage: Register-CimProvider.exe
-Namespace <NamespaceName>
-ProviderName <ProviderName>
-Path <ProviderDllPath>
[-ClassList <Space delimited list of white-listed classes>]
[-Impersonation <True or False>]
[-Decoupled <SDDL>]
[-HostingModel <HostingModel>]
[-Localize <locale>]
[-NoAutorecover]
[-SupportWQL]
[-GenerateUnregistration]
[-ForceUpdate]
[-Verbose]
-Namespace <NamespaceName>
Specifies the target namespace of the provider.
-ProviderName <ProviderName>
Specifies the provider name.
-Path <ProviderDllPath>
Specifies the provider binary path.
-Impersonation <True or False>
Specifies foldidentity of decoupled provider, by default is True.
-Decoupled <SDDL>
Registers provider as decoupled and specifies the security descriptor
that determines the set of users that can successfully register
the provider.
-HostingModel <HostingModel>
Specifies the HostingModel of coupled provider.
-Localize <locale>
Localizes the provider with resource of specified locale.
-NoAutorecover
Doesn't autorecover the provider.
-SupportWQL
Passes the query expression to the filter.
-GenerateUnregistration
Generate the uninstall mof for the registration,
which is disabled by default.
-ForceUpdate
Force update the class if it exists in the system.
-ClassList <ProviderDllPath>
Specifies space delimited list of white-listed classes that
will be generated in the mof.
-Verbose
Outputs registration log.
Loaded Modules:
| Path |
| C:\WINDOWS\SYSTEM32\ntdll.dll |
| C:\WINDOWS\System32\wow64.dll |
| C:\WINDOWS\System32\wow64base.dll |
| C:\WINDOWS\System32\wow64con.dll |
| C:\WINDOWS\System32\wow64cpu.dll |
| C:\WINDOWS\System32\wow64win.dll |
| C:\WINDOWS\SysWOW64\Register-CimProvider.exe |
Signature
- Status: Signature verified.
- Serial:
33000002ED2C45E4C145CF48440000000002ED
- Thumbprint:
312860D2047EB81F8F58C29FF19ECDB4C634CF6A
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Original Filename: Register-CimProvider2.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.22000.1 (WinBuild.160101.0800)
- Product Version: 10.0.22000.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/73
- VirusTotal Link: https://www.virustotal.com/gui/file/8b76f4c4e0d1d3a87b0c749a995e3a31cfca2ba88c180c18ba7f169e14c06b60/detection
Possible Misuse
The following table contains possible examples of Register-CimProvider.exe being misused. While Register-CimProvider.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
MIT License. Copyright (c) 2020-2021 Strontic.