High Risk · Windows · Legitimate · Commonly Abused · System Process

wmiprvse.exe - WMI Provider Host Security Analysis

wmiprvse.exe (WMI Provider Host) executes WMI queries and hosts WMI providers. It is abused for **lateral movement, persistence via event subscriptions, and fileless attacks**. WMI-based attacks are difficult to detect without proper logging.

Risk Summary

HIGH priority. WMI is used for lateral movement and persistence. Monitor WMI event subscriptions, process creation via Win32_Process.Create, and wmiprvse.exe child processes.

Overview

What is wmiprvse.exe?

wmiprvse.exe loads WMI providers and executes the queries and method calls that clients send through the Winmgmt service; several instances usually run at once because providers are isolated in separate host processes.

Security Significance

  • Remote Execution: WMI allows remote code execution
  • Persistence: Event subscriptions survive reboots
  • Lateral Movement: remote WMI is a standard Windows management feature, so its use blends in with legitimate administration
  • Fileless Attacks: Executes code without files on disk

Normal Behavior

| Property  | Expected Value                          |
| --------- | --------------------------------------- |
| Path      | C:\Windows\System32\wbem\wmiprvse.exe   |
| Parent    | svchost.exe (Winmgmt)                   |
| Instances | Multiple (provider isolation)           |
| User      | NETWORK SERVICE or SYSTEM               |

Common Locations

C:\Windows\System32\wbem\wmiprvse.exe

Suspicious Indicators

| Indicator                        | Risk     |
| -------------------------------- | -------- |
| Path not in wbem folder          | CRITICAL |
| Parent not svchost.exe           | CRITICAL |
| Spawning PowerShell/cmd          | HIGH     |
| Network to unusual destinations  | HIGH     |
| New WMI event subscriptions      | HIGH     |
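The following script is an added example (not part of the original page) that turns the path, parent, account and child-process indicators above into a check over the running wmiprvse.exe instances. The expected path and the list of normal accounts are assumptions taken from the tables above (LOCAL SERVICE is added because some providers are hosted under it); run it from an elevated prompt so ExecutablePath and GetOwner are readable for SYSTEM-owned processes.

```powershell
# Added example, not from the original page: audit each running wmiprvse.exe instance
# against the expected path, parent process, account and child processes.
$expectedPath = 'C:\Windows\System32\wbem\WmiPrvSE.exe'   # assumption: default install path
$normalOwners = @('NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE')

$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

function Test-WmiPrvSE {
    param([Microsoft.Management.Infrastructure.CimInstance]$Proc)
    $issues = @()
    $parent = $byPid[[int]$Proc.ParentProcessId]

    # Path outside System32\wbem is CRITICAL (possible masquerading binary)
    if ($Proc.ExecutablePath -and $Proc.ExecutablePath -ne $expectedPath) {
        $issues += "CRITICAL: unexpected path $($Proc.ExecutablePath)"
    }
    # Parent should be svchost.exe; a missing parent means the PID already exited (or was reused)
    if (-not $parent) {
        $issues += "REVIEW: parent PID $($Proc.ParentProcessId) no longer running"
    } elseif ($parent.Name -ne 'svchost.exe') {
        $issues += "CRITICAL: parent is $($parent.Name) (PID $($parent.ProcessId))"
    }
    # Account check per the Normal Behavior table
    $o = Invoke-CimMethod -InputObject $Proc -MethodName GetOwner
    $owner = if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { 'unknown' }
    if ($owner -notin $normalOwners) { $issues += "MEDIUM: running as $owner" }

    # Processes started through Win32_Process.Create appear as children of wmiprvse.exe;
    # shell children are HIGH, anything else is worth a look.
    foreach ($c in ($procs | Where-Object { $_.ParentProcessId -eq $Proc.ProcessId })) {
        $sev = if ($c.Name -match '^(powershell|pwsh|cmd)\.exe$') { 'HIGH' } else { 'REVIEW' }
        $issues += "${sev}: child $($c.Name) (PID $($c.ProcessId)) cmdline: $($c.CommandLine)"
    }
    [pscustomobject]@{ PID = $Proc.ProcessId; Parent = $parent.Name; Owner = $owner; Issues = $issues }
}

# Report only the instances that tripped at least one indicator
$procs | Where-Object Name -eq 'wmiprvse.exe' | ForEach-Object { Test-WmiPrvSE $_ } |
    Where-Object { $_.Issues.Count -gt 0 } | Format-List
```

A short-lived child (a one-shot cmd.exe) may have exited before the snapshot is taken, so this check complements rather than replaces process-creation logging (Sysmon Event ID 1 or Security 4688 with the parent recorded as wmiprvse.exe).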

Abuse Techniques

WMI Process Creation

Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "malware.exe"

WMI Event Subscription Persistence

$Filter = New-CimInstance -ClassName __EventFilter...
$Consumer = New-CimInstance -ClassName CommandLineEventConsumer...

Lateral Movement

wmic /node:TARGET process call create "malware.exe"

Remediation Steps

  1. Remove malicious WMI subscriptions
  2. Block remote WMI if not needed
  3. Enable WMI logging
  4. Monitor WMI activity

Investigation Checklist

  • Verify path is System32\wbem
  • Check WMI event subscriptions
  • Review WMI-Activity logs
  • Check for remote WMI connections
  • Examine child processes
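This added example (not from the original page) covers the subscription-related items of the Remediation and Investigation sections together: it lists every permanent WMI event subscription in root/subscription with its filter query and consumer payload, rates command-line and script consumers as HIGH, shows how a confirmed-malicious subscription is removed (binding first), and turns on and reads the WMI-Activity operational log. The filter and consumer names in the removal call are placeholders; the helper and function names are my own.

```powershell
# Added example, not from the original page: enumerate, rate, remove and log
# permanent WMI event subscriptions.
$ns = 'root/subscription'
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# Binding.Filter / .Consumer are references; depending on the cmdlet they surface as a
# CimInstance with key properties or as a path string like __EventFilter.Name="x".
function Get-RefName($ref) {
    if ($ref -is [string]) { if ($ref -match 'Name="([^"]+)"') { return $Matches[1] } }
    else { return $ref.Name }
}

function Get-WmiSubscriptionReport {
    foreach ($b in $bindings) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $fName
        $c = $consumers | Where-Object Name -eq $cName
        $type = $c.CimClass.CimClassName
        # CommandLine/ActiveScript consumers run arbitrary commands or VBScript/JScript
        $risk = if ($type -in @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')) { 'HIGH' } else { 'REVIEW' }
        [pscustomobject]@{
            Risk     = $risk
            Filter   = $fName
            Query    = $f.Query            # the trigger (WQL), e.g. a timer or process-start event
            Consumer = $cName
            Type     = $type
            Payload  = if ($type -eq 'CommandLineEventConsumer') { $c.CommandLineTemplate } else { $c.ScriptText }
        }
    }
}
Get-WmiSubscriptionReport | Sort-Object Risk | Format-List

# Remediation step 1: delete the binding first, then the consumer and the filter, so the
# consumer can never fire on a dangling binding. Names below are placeholders.
function Remove-WmiSubscription {
    param([string]$FilterName, [string]$ConsumerName)
    $bindings | Where-Object { (Get-RefName $_.Filter) -eq $FilterName -and (Get-RefName $_.Consumer) -eq $ConsumerName } |
        Remove-CimInstance
    $consumers | Where-Object Name -eq $ConsumerName | Remove-CimInstance
    $filters   | Where-Object Name -eq $FilterName   | Remove-CimInstance
}
# Remove-WmiSubscription -FilterName 'MALICIOUS_FILTER_NAME' -ConsumerName 'MALICIOUS_CONSUMER_NAME'

# Remediation step 3 / checklist "Review WMI-Activity logs": make sure the operational channel
# is enabled and read event 5861, which records each new permanent subscription binding.
wevtutil set-log Microsoft-Windows-WMI-Activity/Operational /enabled:true
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Detail'; e = { $_.Message } } | Format-List
```

Legitimate software (some backup and management agents) also registers subscriptions, so treat REVIEW entries as inventory and HIGH entries as items to verify by owner and payload before removing them. The 5861 events survive in the log even after an attacker deletes the subscription itself, which is why the log review belongs on the checklist alongside the live enumeration.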

MITRE ATT&CK Techniques

Last verified: January 18, 2026