Didier Stevens

Monday 21 March 2011

Windows Security Center: Under the Hood

Filed under: Windows 7,Windows Vista — Didier Stevens @ 10:29

I’m sure you’ve seen the following warning before:

But have you ever wondered where the Windows Security Center gets its info? (BTW, Microsoft renamed it Windows Action Center in Windows 7).

It gets the information from the Windows Management Instrumentation interface, and more precisely, the WMI name spaces \root\SecurityCenter and \root\SecurityCenter2. I wrote a small script to display this info:
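The post's own script is not reproduced on the page, so here is an added PowerShell example (my code, not Didier's script) that walks both namespaces and the three provider classes and, for root\SecurityCenter2, decodes the productState value. The namespace and class names come from the post; the productState bit layout is an assumption based on the community-derived decoding, since Microsoft does not document it. Run it in an elevated PowerShell on a client edition of Windows; on server editions the namespaces are simply absent (see the comments below), which the script reports instead of failing.

```powershell
# Added example, not the script from the post. Enumerates the Windows Security
# Center provider classes in both WMI namespaces and decodes productState.
# Assumption: the productState decoding below is the widely used unofficial one.

$namespaces = 'root\SecurityCenter', 'root\SecurityCenter2'
$classes    = 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct'

function Convert-ProductState {
    param([uint32]$State)
    # Assumption (undocumented layout): of the three low bytes 0xPPSSDD,
    # SS (bits 8-15) is the real-time/enabled status and DD (bits 0-7) is the
    # signature/definition status. PP identifies the product owner category.
    $statusByte = ($State -shr 8) -band 0xFF
    $defsByte   = $State -band 0xFF
    $status = switch ($statusByte) {
        0x00 { 'Off' }
        0x01 { 'Expired' }
        0x10 { 'On' }
        0x11 { 'Snoozed' }
        default { 'Unknown (0x{0:X2})' -f $statusByte }
    }
    $defs = switch ($defsByte) {
        0x00 { 'Up to date' }
        0x10 { 'Out of date' }
        default { 'Unknown (0x{0:X2})' -f $defsByte }
    }
    [pscustomobject]@{
        Raw         = '0x{0:X6}' -f $State
        RealTime    = $status
        Definitions = $defs
    }
}

foreach ($ns in $namespaces) {
    foreach ($class in $classes) {
        try {
            $instances = Get-CimInstance -Namespace $ns -ClassName $class -ErrorAction Stop
        } catch {
            # Namespace or class missing: server SKUs, or SecurityCenter2 on older clients.
            Write-Warning "$ns\$class not available: $($_.Exception.Message)"
            continue
        }
        foreach ($i in $instances) {
            # displayName exists in both namespaces; the richer fields only in SecurityCenter2.
            $row = [ordered]@{ Namespace = $ns; Class = $class; Product = $i.displayName }
            if ($ns -eq 'root\SecurityCenter2') {
                $state = Convert-ProductState ([uint32]$i.productState)
                $row.RealTime    = $state.RealTime
                $row.Definitions = $state.Definitions
                $row.RawState    = $state.Raw
                $row.Executable  = $i.pathToSignedProductExe
            }
            [pscustomobject]$row
        }
    }
}
```

Because any process running with administrative rights can write to these classes, the Security Center's verdict is only as trustworthy as the namespace contents; dumping them this way is a cheap inventory check when the tray icon's claim and the installed software disagree.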

You can download the script here.

It’s also possible to modify this WMI information. Say you’ve uninstalled an antivirus program, but that it still shows up in the Windows Security Center. Then you can delete the WMI information with utility wbemtest.exe.

Start wbemtest (if you’re on Windows Vista or 7, you need to elevate wbemtest) and click on connect.

Type the name space you want to change: \root\SecurityCenter or \root\SecurityCenter2 (SecurityCenter2 is a recent addition). And then connect.

Click on Enum Classes…

Then click OK

Then double-click the type of information you want to change. Here we change AntiVirusProduct:

Then click Instances

And now you can change the information. Here we delete it:
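The same deletion can be scripted. The following is an added example (my code, not part of the post) that does what the wbemtest steps above do for one stale AntiVirusProduct entry, with two guards the GUI does not give you: it refuses to remove a registration whose pathToSignedProductExe still exists on disk, and it honours -WhatIf/-Confirm so the first run only shows what would be deleted. The function name and the product display name in the usage line are constructed placeholders; the namespaces, classes and property names are the ones the post and the SecurityCenter2 classes expose.

```powershell
# Added example, not the post's script. Scripted equivalent of the wbemtest
# "Instances -> Delete" step for a product that was uninstalled but is still
# registered. Run from an elevated PowerShell.
function Remove-StaleSecurityCenterProduct {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [ValidateSet('AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct')]
        [string]$ClassName = 'AntiVirusProduct',
        [ValidateSet('root\SecurityCenter', 'root\SecurityCenter2')]
        [string]$Namespace = 'root\SecurityCenter2'
    )

    $found = Get-CimInstance -Namespace $Namespace -ClassName $ClassName -ErrorAction Stop |
        Where-Object { $_.displayName -eq $DisplayName }

    if (-not $found) {
        Write-Warning "No $ClassName instance named '$DisplayName' in $Namespace."
        return
    }

    foreach ($inst in $found) {
        # Treat the entry as stale only if the registered executable is gone.
        # pathToSignedProductExe is a SecurityCenter2 property; the older
        # SecurityCenter namespace lacks it, so the check is skipped there.
        $exe = $inst.pathToSignedProductExe
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            Write-Warning "'$DisplayName' still has its executable at $exe; not removing a live registration."
            continue
        }
        $target = "$Namespace\$ClassName '$DisplayName' (instanceGuid $($inst.instanceGuid))"
        if ($PSCmdlet.ShouldProcess($target, 'Remove-CimInstance')) {
            $inst | Remove-CimInstance
            Write-Verbose "Removed $target"
        }
    }
}

# Dry run first (constructed placeholder name); rerun without -WhatIf to delete.
Remove-StaleSecurityCenterProduct -DisplayName 'Example AV (uninstalled)' -WhatIf
```

Removing the instance only clears the registration; if the product's own Security Center provider is still installed and running, it will simply register itself again, which is a useful sign that the uninstall was not as complete as it looked.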

8 Comments »

  1. Hi Didier,

    It seems wbemtest crashes on me in the pic before last one when I click ‘Instances’ so I looked for another approach.

    In powershell you can get into WMI with much less code, so this is what I did:

    Get-WmiObject -Namespace ROOT\Securitycenter2 -Query "select * from antivirusproduct"

    and if I wanted to delete this I could pipe this into ‘remove-wmiobject’ but I don’t really have a vm to test this on atm

    Comment by bonarez — Monday 21 March 2011 @ 18:02

  2. @bonarez Interesting, any idea why wbemtest crashes?

    Comment by Didier Stevens — Sunday 27 March 2011 @ 20:06

  3. securitycenter2 doesn't work on windows server 2003 or 2008.
    What is the alternative to detect antivirus?

    Comment by gaurav — Thursday 14 April 2011 @ 22:12

  4. @gaurav That’s normal, Windows Security Center only exists on client versions of Windows, not on server versions.

    Comment by Didier Stevens — Friday 15 April 2011 @ 8:36

  5. Thanks – the script was very helpful and will add to our testing tools!

    Comment by William Thomas — Monday 1 August 2011 @ 17:40

  6. Great article!

    Is there a way to script the removal of the Anti Virus package code?

    Comment by Anonymous — Wednesday 28 September 2011 @ 14:51

  7. @Anonymous You mean uninstalling the AV? Yes.

    Comment by Didier Stevens — Wednesday 28 September 2011 @ 16:43

  8. Good post =). Did you try to connect to the namespaces SecurityCenter or SecurityCenter2 remotely after enabling permissions? It seems to give a WBEM_E_INVALID_CLASS error, but I’m looking for some explanations about it =/

    Comment by FlUxIuS — Saturday 3 March 2012 @ 20:48
