[Help] How is the "winmgmt" service created?

[ricktendo]

I was wondering if anybody knew how this service is created, I have searched INF files with no luck so I assume its done by a self registering DLL or EXE

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winmgmt]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="Instrumental de administración de Windows"
"DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00
"DependOnGroup"=hex(7):00,00
"ObjectName"="LocalSystem"
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,02,00,00,00,03,00,03,\
  00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00
"Description"="Proporciona una interfaz común y un modelo de objeto para tener acceso a la información de administración acerca de un sistema operativo, dispositivos, aplicaciones y servicios. Si se detiene este servicio, la mayoría del software basado en Windows no funcionará correctamente. Si este servicio está deshabilitado, cualquier servicio que explícitamente dependa de él no podrá iniciarse."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winmgmt\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  77,00,62,00,65,00,6d,00,5c,00,57,00,4d,00,49,00,73,00,76,00,63,00,2e,00,64,\
  00,6c,00,6c,00,00,00
"ServiceMain"="ServiceMain"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winmgmt\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winmgmt\Enum]
"0"="Root\\LEGACY_WINMGMT\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

I need to find how its generated because I want to edit the "ImagePath" for KB897571 hotfix so I dont have to use this

sc config winmgmt binPath= "%systemroot%\system32\svchost.exe -k winmgmt"

Edited October 21, 2009 by ricktendo64

[cluberti]

It's actually created during setup - I worked on a Windows 2000 .INF file that would do a "bare metal" WMI install, basically causing the setup engine to re-run all of the WMI portions of windows setup, but it was never 100% effective and would fail a few times out of 100. I never did get it working with Windows 2003, as it seemed there was even more to the setup routine that I hadn't been able to figure out, but I do know it was still entirely a part of the Windows setup routine that created the service reg entries and placed the binaries on disk (no amount of re-registering files is going to get the service created).

[ricktendo]

Im looking for the names of the EXE or (preferably) INF files responsible for creating the service, I am not looking to recreate the reg entries, just looking to edit the ImagePath of the service from:

HKLM,"SYSTEM\CurrentControlSet\Services\winmgmt","ImagePath",0x20000,"%systemroot%\system32\svchost.exe -k netsvcs"

To this

HKLM,"SYSTEM\CurrentControlSet\Services\winmgmt","ImagePath",0x20000,"%systemroot%\system32\svchost.exe -k winmgmt"

Right now I run this during T13 to achieve this but if it can be done by a simple INF edit I would prefer it

sc config winmgmt binPath= "%systemroot%\system32\svchost.exe -k winmgmt"

Edited October 22, 2009 by ricktendo64