Sunday05 February 2023

Microsoft Preps to Remove WMIC from Windows 11 and Remove an Attack Vector

Reading time is around minutes.

WMIC or the Windows Management Instrumentation Command line is a very powerful tool. It can allow an administrator or an attacker a lot of control over a system. Because of the number of times that WMIC has been abused to take control of/or compromise a system Microsoft has been testing the removal of the WMIC component of WMI. Different sources have reported that WMIC as a commend no longer works in development builds, but the WMI process is still running on the device.

Recently, Microsoft has had a renewed focus on improving the overall security of their operating system and applications. It is something of an odd shift in focus for them although it is certainly a welcome one. We have seen them make moves to improve the security and privacy of the Edge internet browser. The improvements in both security and performance have even pushed it towards the 2nd most popular browser (it is close to supplanting Safari). Microsoft has also implemented long (long, long) overdue fixes to security inside Office products as well.

Seeing them start to remove these different attack vectors is a good thing for them and users of their products in the long run, but there is still a long way to go. Microsoft still has a history of vulnerable components and sheer install footprint that will always make them a target. Users of Microsoft products are also not known for their patching consistency, while many big organizations are limited by vendor development slowness. This delay in updating software that runs on Windows means that there are end-of-life and unsupported versions of Windows running critical systems. Without additional compensating controls organizations are left at risk, and not just by buggy Microsoft operating systems.

Hopefully Microsoft will continue to work on removing vulnerabilities and attack vectors from their products. These changes will still be a big help to maintaining a good security posture. In the meantime, security teams and organizations will need to keep an eye on their environments until vendors also make the move to a more secure code base.

If you are looking to remove WMIC now in Windows 10 or 11, you can do so by renaming the WMIC.exe file found in c:\windows\system32\wbem\ and c:\windows\syswow64\wbem\. You will need to take ownership of WMIC.exe in each folder and then make sure that a trusted account has at least the modify permission. We would not recommend just deleting the file in case there are issues with application installation etc. This should be considered an extreme measure at this stage as we cannot say what this might affect. If you run into issues with applications or services, you should be able to rename the files back to WMIC.exe to restore functionality.

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.