Didier Stevens

Monday 21 March 2011

Windows Security Center: Under the Hood

Filed under: Windows 7,Windows Vista — Didier Stevens @ 10:29

I’m sure you’ve seen the following warning before:

But have you ever wondered where the Windows Security Center gets its info? (BTW, Microsoft renamed it Windows Action Center in Windows 7).

It gets the information from the Windows Management Instrumentation interface, and more precisely, the WMI name spaces \root\SecurityCenter and \root\SecurityCenter2. I wrote a small script to display this info:

You can download the script here.

It’s also possible to modify this WMI information. Say you’ve uninstalled an antivirus program, but that it still shows up in the Windows Security Center. Then you can delete the WMI information with utility wbemtest.exe.

Start wbemtest (if you’re on Windows Vista or 7, you need to elevate wbemtest) and click on connect.

Type the name space you want to change: \root\SecurityCenter or \root\SecurityCenter2 (SecurityCenter2 is a recent addition). And then connect.

Click onEnum Classes…

Then click OK

Then double-click the type of information you want to change. Here we change AntiVirusProduct:

Then click Instances

And now you can change the information. Here we delete it:

Blog at WordPress.com.