
Thread: WMI Trying To Access Internet

  1. #1
    jonoro Guest

    WMI Trying To Access Internet

    For the past 2 days (not before), I've gotten a ZoneAlarm Alert re WMI trying to access the internet; I've seen "mixed messages" on the Net re this being a valid Windows process or not, so I've chosen to deny access each time.
    A search of my pc found several "wmiprvse.exe" files in several C:\WINDOWS subfolders:
    i386, $NtUninstallKB956572$, Prefetch, System32\dllcache, System32\wbem, $hf_mig$\KB956572\SP3GDR, $hf_mig$\KB956572\SP3QFE & 4 different SoftwareDistribution\Download\ folders, also ending in SP3GDR and SP3QFE
    How do I tell if the process is legit? Should I continue to deny access?
    Thanx.
    JR

    Operating System: Windows XP Home Edition
    Software Version: 7.0
    Product Name: ZoneAlarm Internet Security Suite

  2. #2
    Join Date
    Dec 2005
    Posts
    9,056

    Re: WMI Trying To Access Internet


    <blockquote><hr>jonoro wrote:
    For the past 2 days (not before), I've gotten a ZoneAlarm Alert re WMI trying to access the internet; I've seen "mixed messages" on the Net re this being a valid Windows process or not, so I've chosen to deny access each time.
    A search of my pc found several "wmiprvse.exe" files in several C:\WINDOWS subfolders:
    i386, $NtUninstallKB956572$, Prefetch, System32\dllcache, System32\wbem, $hf_mig$\KB956572\SP3GDR, $hf_mig$\KB956572\SP3QFE & 4 different SoftwareDistribution\Download\ folders, also ending in SP3GDR and SP3QFE
    How do I tell if the process is legit? Should I continue to deny access?
    Thanx.
    JR

    Operating System:
    Windows XP Home Edition
    Software Version:
    7.0
    Product Name:
    ZoneAlarm Internet Security Suite

    <hr></blockquote>


    Try looking using the ZoneAlarm instead of looking at needless files..the ZA did give out the alert and it already knows the file location ...and the ZA can show you the details of the file's Properties....just right click the wmiprvse.exe (look for 'WMI' in the list) in the Zone Alarm Program listing and then open the Properties...tells you everything you probably want to know.

    As for the reason why the wmiprvse.exe attempts to connect to the internet....you should look at the IP and the ports in those ZA alerts to help understand what or why is happening...or check the logs in the Log Viewer to see the records of the connection attempts if you missed your ZA alerts.

    Oldsod.
    Best regards.
    oldsod

  3. #3
    glenn_s Guest

    Re: WMI Trying To Access Internet

    Hi Oldsod,

    Like jonoro I've seen this alert crop up in the last 3-4 days... I did check the file properties link from the ZoneAlarm pop-up. The file does claim to be a legit Microsoft file. And I also checked the IP destination (once anyway) - it claimed to be Level3 in the Phoenix area. So all that seems to indicate this is a legit access request, but...

    Still the real question is why has VMI suddenly started requesting access it never needed in the past? What changed? Are others seeing the same thing? Obviously - at least two of us are.

    Should we all just let it fly (give access) and hope for the best??

    glenn

    PS: To anyone reading this - please be aware that Oldsod is by far one of the most reliable sources of info on this board. So my questions are not related to what Oldsod has advised. What he advised is spot on. The real question is a bit bigger - What has changed with VMI?

    PSS: FYI - VMI, if legit, is a program from Microsoft for "Virtual Machine Instrumentation". There have been some anecdotal suggestions that some virus attacks could try to use VMI as a trojan to hide on a system... And therein lie my real concerns.

  4. #4
    jonoro Guest

    Re: WMI Trying To Access Internet

    Thanx Oldsod for your reply & advice, & thanx Glenn-S for your reply, which also anticipated my own response...
    JR

  5. #5
    Join Date
    Dec 2005
    Posts
    9,056

    Re: WMI Trying To Access Internet


    <blockquote><hr>glenn-s wrote:
    Hi Oldsod,

    Like jonoro I've seen this alert crop up in the last 3-4 days... I did check the file properties link from the ZoneAlarm pop-up. The file does claim to be a legit Microsoft file. And I also checked the IP destination (once anyway) - it claimed to be Level3 in the Phoenix area. So all that seems to indicate this is a legit access request, but...

    Still the real question is why has VMI suddenly started requesting access it never needed in the past? What changed? Are others seeing the same thing? Obviously - at least two of us are.

    Should we all just let it fly (give access) and hope for the best??

    glenn

    PS: To anyone reading this - please be aware that Oldsod is by far one of the most reliable sources of info on this board. So my questions are not related to what Oldsod has advised. What he advised is spot on. The real question is a bit bigger - What has changed with VMI?

    PSS: FYI - VMI, if legit, is a program from Microsoft for "Virtual Machine Instrumentation". There have been some anecdotal suggestions that some virus attacks could try to use VMI as a trojan to hide on a system... And therein lie my real concerns.
    <hr></blockquote>


    Actually the wmiprvse.exe is named WMI, not VMI.
    WMI means 'Windows Management Instrumentation'.

    Used for WBEM in an enterprise environment, related to some DCOM events and it is used with many window functions such as Boot Configuration Data (BCD) Provider or the Storage Volume Provider and the Windows Security Center, and for windows services such as WMI and WMI Performance Adapter and can work with Advanced Configuration and Power Interface (ACPI).

    Still the question is....where did it want to connect to (IPs) and when and what port and protocol?

    Oldsod.
    Best regards.
    oldsod

  6. #6
    glenn_s Guest

    Re: WMI Trying To Access Internet

    <blockquote><hr>Oldsod wrote:

    Still the question is....where did it want to connect to (IPs) and when and what port and protocol?

    Oldsod.
    <hr></blockquote>


    If I recall correctly it was trying to use HTTP (which seemed odd) to connect to 8.7.243.67 which is owned by Level3 Comm. in Tempe, AZ. That's not all that revealing - since I'm 90% sure L3 is an IP provider in Tempe - so it may just be a pass along address for something else. Now what I can't recall is was this during the boot process - maybe. I'll know the next time I reboot.

    I guess I should note that denying access did not seem to have any negative effect. So this all might be a wild goose chase.

    But thanks for checking in... We'll see if any other folks have hit this.

    glenn

  7. #7
    Join Date
    Dec 2005
    Posts
    9,056

    Re: WMI Trying To Access Internet


    <blockquote><hr>glenn-s wrote:
    <blockquote><hr>Oldsod wrote:

    Still the question is....where did it want to connect to (IPs) and when and what port and protocol?

    Oldsod.
    <hr></blockquote>


    If I recall correctly it was trying to use HTTP (which seemed odd) to connect to 8.7.243.67 which is owned by Level3 Comm. in Tempe, AZ. That's not all that revealing - since I'm 90% sure L3 is an IP provider in Tempe - so it may just be a pass along address for something else. Now what I can't recall is was this during the boot process - maybe. I'll know the next time I reboot.

    I guess I should note that denying access did not seem to have any negative effect. So this all might be a wild goose chase.

    But thanks for checking in... We'll see if any other folks have hit this.

    glenn
    <hr></blockquote>
    I have seen the WMI once attempt to connect out (blocked off in the firewall for internet access)...and that was only during a windows update.
    And I never have seen this event happen again since then.

    Oldsod.
    Best regards.
    oldsod

  8. #8
    jonoro Guest

    Re: WMI Trying To Access Internet

    Just got the WMI msg again; this time I remembered to jot down the destination IP Address:



    24.29.138.24:HTTP
    How do I lookup who that is, & how to tell if it's a legit request?
    Thanx.
    JR

  9. #9
    glenn_s Guest

    Re: WMI Trying To Access Internet

    <blockquote><hr>jonoro wrote:
    Just got the WMI msg again; this time I remembered to jot down the destination IP Address:



    24.29.138.24:HTTP
    How do I lookup who that is, & how to tell if it's a legit request?
    Thanx.
    JR
    <hr></blockquote>


    I'm still seeing these too... it's a puzzle what's going on... I'm still trying to research if something bad might be going on. In the meantime I'm still blocking it.

    As for the question of how to lookup the IP address, I use http://www.networksolutions.com/whois/index.jsp

    Below is the lookup for your address 24.29.138.24

    Again, as it was for mine, this is an IP provider. In this case it was RoadRunner (vs. L3 for the one I had).

    I have a question for you... what is your connection type? Meaning are you a dial-up (unlikely), a broadband cable connection (like Comcast) or a wireless broadband connection (like AT&T or Verizon)?

    I'm a Verizon wireless broadband subscriber. I'm beginning to think that might be part of what is going on.

    glenn
    -------
    24.29.138.24 Lookup Result:

    OrgName: Road Runner HoldCo LLC
    OrgID: RRMA
    Address: 13241 Woodland Park Road
    City: Herndon
    StateProv: VA
    PostalCode: 20171
    Country: US

    ReferralServer: rwhois://ipmt.rr.com:4321

    NetRange: 24.24.0.0 - 24.29.255.255
    CIDR: 24.24.0.0/14, 24.28.0.0/15
    NetName: ROAD-RUNNER-1
    NetHandle: NET-24-24-0-0-1
    Parent: NET-24-0-0-0-0
    NetType: Direct Allocation
    NameServer: DNS1.RR.COM
    NameServer: DNS2.RR.COM
    NameServer: DNS3.RR.COM
    NameServer: DNS4.RR.COM
    Comment:
    RegDate: 2000-06-09
    Updated: 2002-08-22

    RTechHandle: ZS30-ARIN
    RTechName: ServiceCo LLC
    RTechPhone: +1-703-345-3416
    RTechEmail: abuse@rr.com

    OrgAbuseHandle: ABUSE10-ARIN
    OrgAbuseName: Abuse
    OrgAbusePhone: +1-703-345-3416
    OrgAbuseEmail: abuse@rr.com

    OrgTechHandle: IPTEC-ARIN
    OrgTechName: IP Tech
    OrgTechPhone: +1-703-345-3416
    OrgTechEmail: abuse@rr.com

  10. #10
    glenn_s Guest

    Re: WMI Trying To Access Internet

    I did a little more research - this has been bugging me. I'm thinking this access might be OK; see details below. But I'm still bothered that only jonoro and myself have reported this problem.

    The details

    I found two copies of WMI on my system. One in C:\WINDOWS\system32\wbem, the other in C:\WINDOWS\system32\dllcache

    They appear to be identical - same size and version. Both were modified Feb 6, 09.

    I've read that ...\wbem is where it belongs - and that copy has a create date of Aug 16, 05 (which makes sense).

    The one in ...\dllcache is a little more worrisome - its create date is April 15, 09 - which is about when the problem started.

    I looked in the event log (using the MS Event Viewer - part of the MS administrator tools) and looked for April 15th. There was a Windows Update at exactly the same time as the create date of the copy in ...\dllcache.

    So this is *probably* a legit version.

    Anyway the next time it comes up - I'll check to see which copy is requesting, grant it access and see if it appears to make a difference.

    glenn
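
    The copy comparison described in post #10, generalized as an added example that is not part of any post in this thread: it hashes every wmiprvse.exe under a root folder, compares each copy with the one in system32\wbem, and lists copies that differ or sit outside the folders named in that post. The function names and the two-folder allow-list are assumptions made for illustration; older versions kept in update-backup folders will also be listed, so a finding means "look closer", not "malicious".

```python
import hashlib
import os

TARGET = "wmiprvse.exe"
# Assumption: only the two folders named in post #10 count as expected.
# Extend this tuple for update-backup folders you have reviewed yourself.
EXPECTED_DIRS = (r"system32\wbem", r"system32\dllcache")


def sha256_of(path):
    """Hash a file in chunks so large binaries are not read in one go."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _folder(path):
    """Lower-cased parent folder with backslashes, for suffix matching."""
    return os.path.dirname(path).replace("/", "\\").lower()


def audit_copies(root, reference_dir=r"system32\wbem"):
    """Return (reference_hash, findings) for every TARGET copy under root.

    findings maps a path to the reasons it deserves a closer look: its
    hash differs from the reference copy, or its folder is unexpected.
    """
    copies = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == TARGET:
                path = os.path.join(folder, name)
                copies[path] = sha256_of(path)

    reference = next((digest for path, digest in copies.items()
                      if _folder(path).endswith(reference_dir)), None)
    findings = {}
    for path, digest in copies.items():
        reasons = []
        if reference is not None and digest != reference:
            reasons.append("hash differs from reference copy")
        if not _folder(path).endswith(EXPECTED_DIRS):
            reasons.append("unexpected location")
        if reasons:
            findings[path] = reasons
    return reference, findings
```

    Matching hashes only show that the copies agree with each other; checking the digital signature of the reference copy is the complementary step.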
