• File Path: C:\WINDOWS\system32\Register-CimProvider.exe
  • Description: WMI


| Type | Hash |
|---|---|
| MD5 | 9BB87AE9589B1806DB65F31963652455 |
| SHA1 | F97D880F8648BD2E8B139DB197E5412B8C43D0C2 |
| SHA256 | 63E3FC6A6755A16B952786E88D9CDC2B2C878D07A929A58520B6000E42C6E1D4 |
| SHA384 | 9A71AF157D7E076EE75E533D5BCF74A228B86F34861B4231DE6018EA7FB75C977A803A41DB7239D68CDE9995E2B75E28 |
| SHA512 | AFF7E4B824E0B3951A504FF8D8E24E6D4E09AC79E8494ED0170BDC0AB85B3789407E53B67C353E8752198E0E43A8534F12C7F906B75ABA72B1570C2AF54982E9 |
| SSDEEP | 384:UMlyG64HGnf5u6/5meTCKt1y/kZ0JSMh1T2dQTR/4Mq7h8rl2R5PQpSXALQ456t1:Lj6JdLvPMh1Tey/4MMOl0JXALQ4Qxn |
| PESHA1 | 440045DD4355A5EBFDD5801BEB16BF3F606998EE |
| PE256 | 2C9ECC586DDFA36977051A799C39F21B2433FD4BFFB8B6B8666548C30EDD2D8F |

Runtime Data

Usage (stdout):

Registers CIM Provider into system

Usage:  Register-CimProvider.exe
		-Namespace <NamespaceName>
		-ProviderName <ProviderName>
		-Path <ProviderDllPath>
		[-ClassList <Space delimited list of white-listed classes>]
		[-Impersonation <True or False>]
		[-Decoupled <SDDL>]
		[-HostingModel <HostingModel>]
		[-Localize <locale>]

-Namespace <NamespaceName>
	Specifies the target namespace of the provider.

-ProviderName <ProviderName>
	Specifies the provider name.

-Path <ProviderDllPath>
	Specifies the provider binary path.

-Impersonation <True or False>
	Specifies foldidentity of decoupled provider, by default is True.

-Decoupled <SDDL>
	Registers provider as decoupled and specifies the security descriptor
	that determines the set of users that can successfully register
	the provider.

-HostingModel <HostingModel>
	Specifies the HostingModel of coupled provider.

-Localize <locale>
	Localizes the provider with resource of specified locale.

	Doesn't autorecover the provider.

	Passes the query expression to the filter.

	Generate the uninstall mof for the registration,
	which is disabled by default.

	Force update the class if it exists in the system.

-ClassList <ProviderDllPath>
	Specifies space delimited list of white-listed classes that
	will be generated in the mof.

	Outputs registration log.

Loaded Modules:

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: Register-CimProvider2.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/74
  • VirusTotal Link:

Possible Misuse

The following table contains possible examples of Register-CimProvider.exe being misused. While Register-CimProvider.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | win_susp_register_cimprovider.yml | title: DLL Execution Via Register-cimprovider.exe | DRL 1.0 |
| sigma | win_susp_register_cimprovider.yml | description: Detects using register-cimprovider.exe to execute arbitrary dll file. | DRL 1.0 |
| sigma | win_susp_register_cimprovider.yml | - | DRL 1.0 |
| sigma | win_susp_register_cimprovider.yml | Image\|endswith: '\register-cimprovider.exe' | DRL 1.0 |
| LOLBAS | Register-cimprovider.yml | Name: Register-cimprovider.exe | |
| LOLBAS | Register-cimprovider.yml | - Command: Register-cimprovider -path "C:\folder\evil.dll" | |
| LOLBAS | Register-cimprovider.yml | - Path: C:\Windows\System32\Register-cimprovider.exe | |
| LOLBAS | Register-cimprovider.yml | - Path: C:\Windows\SysWOW64\Register-cimprovider.exe | |
| atomic-red-team | - | Atomic Test #3: Register-CimProvider - Execute evil dll [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | - | Atomic Test #3 - Register-CimProvider - Execute evil dll | MIT License. © 2018 Red Canary |
| atomic-red-team | - | ## Atomic Test #3 - Register-CimProvider - Execute evil dll | MIT License. © 2018 Red Canary |
| atomic-red-team | - | C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload} | MIT License. © 2018 Red Canary |

MIT License. Copyright (c) 2020-2021 Strontic.