Jump to content

Strange Behavior When Scanning WMI Entries

Recommended Posts

I have a HIPS rule to alert me when any child processes are started from wmiprvse.exe. Up till two weeks ago, that rule was never triggered. At that time when performing an Eset on-demand scan, the rule triggered when scanning WMI entries noting an attempted startup of werfault.exe. Appeared to be a fluke event and I just blocked the werfault.exe startup.

Yesterday while again running an Eset on-demand scan, the same behavior occurred:

Time;Application;Operation;Target;Action;Rule;Additional information
3/26/2023 4:57:56 PM;C:\Windows\System32\wbem\WmiPrvSE.exe;Start new application;C:\WINDOWS\system32\WerFault.exe;Blocked;Deny child processes started from WmiPrvSE.exe;

Here's a screen shot showing command line string input to werfault.exe:


At the same time of the HIPS alert, my Win 10 Code Integrity log filled up with entries; most notably Eset eamsi.dll attempting to run:



Link to comment
Share on other sites

This is the last Win WMI log entry prior to the HIPS alert which is revealing:


Edited by itman
Link to comment
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...