Explain VBScript WMI query / impersonationLevel, etc

Dim strComputer, objReg, ScriptName, strKeyPath, strValueName, strValue
Const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."

Set objReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")

This is a piece of a larger script that I am trying to reverse engineer for work. Original coder not available.

I have tried to research and understand the last line of code but I can't find any good info on the net and I am not that good at vbs.

As far as I can tell:

  • objreg is a SWbemObjectEx type object.
  • winmgmts:{impersonationLevel=impersonate} lets the object use the caller's security level (in my case system)
  • StdRegProv should point to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Scripting\Default Impersonation Level

I kind of get what it's supposed to do but I don't get how it does it play by play.

If anyone can explain procedurally, word by word, what it does, including stuff like "!\", I would greatly appreciate it. Thank you.

user3515319 asked Apr 09 '14 12:04

1 Answer

First off, by setting strComputer equal to a period (.), it's targeting the local machine, not a remote machine, because the period is an MS Windows shorthand for the local computer.

The GetObject() method is a Windows Scripting Host function that can be used to get many types of objects, depending on what you provide as the first argument (see http://msdn.microsoft.com/en-us/library/8ywk619w%28v=vs.84%29.aspx for more info). In this case, you're using it to connect to Windows' built-in Windows Management Instrumentation (WMI) data source (see http://msdn.microsoft.com/en-us/library/aa394582%28v=vs.85%29.aspx for more info on WMI) with the WMI moniker winmgmts: (see http://technet.microsoft.com/en-us/library/bb684728.aspx for more info on connecting to WMI objects).

In any WMI connection using this procedure, the WMI moniker allows for three components:

  • The prefix "winmgmts:" (mandatory)
  • A security settings component (optional)
  • A WMI object path component (optional)

In your example, the "security settings component" is provided: {impersonationLevel=impersonate}! as well as the "WMI object path component": \\.\root\default:StdRegProv.

The security component, as you correctly pointed out, is used to set the privileges that will be provided to the query.

The path component is used to reference the WMI "object or class path", which is to say the path to the specific piece of information or set of information provided through WMI. It should NOT be confused with a path in a file system. The path component always starts with \\<computer name>\, where <computer name> is either a remote computer or the period I mentioned above indicating the local computer.

In your case, the path points to the StdRegProv class (see http://msdn.microsoft.com/en-us/library/aa393664%28v=vs.85%29.aspx for more info); this class simply provides access to the Windows registry for reading and writing.

Once your object is obtained via

Set objReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")

you can use objReg to perform any of the available operations (again, see http://msdn.microsoft.com/en-us/library/aa393664%28v=vs.85%29.aspx for more info).

rory.ap answered Sep 21 '22 02:09
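As an added example that is not part of the question or the answer above, the script below shows the three moniker components the answer describes, then actually uses the StdRegProv object to read a registry value, and finally obtains the same object through SWbemLocator so the moniker's security settings can be seen as the two properties they set. The authenticationLevel=pktPrivacy setting, the registry key and value name, and the variable names beyond those in the question are my own choices; the key exists on every Windows installation, so the script runs unchanged under cscript.

```vbscript
' Added example, not code from the original question or answer.
' Reads one registry string value through StdRegProv, checking the return code,
' and shows the SWbemLocator equivalent of the moniker's security settings.
Option Explicit

' Registry hive handles are plain constants; they are not WMI paths.
Const HKEY_LOCAL_MACHINE = &H80000002

' SWbemSecurity constants (assumed values, from the WMI scripting reference).
Const wbemImpersonationLevelImpersonate = 3
Const wbemAuthenticationLevelPktPrivacy = 6

Dim strComputer, objReg, strKeyPath, strValueName, strValue, rc
Dim objLocator, objSvc, objReg2

strComputer = "."   ' "." = local machine; a hostname here makes the same code remote

' The moniker, piece by piece:
'   winmgmts:                                   the mandatory WMI moniker prefix
'   {impersonationLevel=impersonate,
'    authenticationLevel=pktPrivacy}            security settings: the provider acts with
'                                               the caller's identity, and the DCOM traffic
'                                               is signed and encrypted (matters for remote)
'   !                                           separator between the security settings
'                                               and the object path
'   \\.\root\default:StdRegProv                 object path: server, namespace, class
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate," & _
    "authenticationLevel=pktPrivacy}!\\" & strComputer & "\root\default:StdRegProv")

' Assumed key/value: present on every Windows install, so the read should succeed.
strKeyPath   = "SOFTWARE\Microsoft\Windows NT\CurrentVersion"
strValueName = "ProductName"

' Every StdRegProv method returns 0 on success, otherwise a Win32 error code
' (for example 2 = key or value not found, 5 = access denied). Do not use
' strValue unless rc is 0.
rc = objReg.GetStringValue(HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue)
If rc = 0 Then
    WScript.Echo "HKLM\" & strKeyPath & "\" & strValueName & " = " & strValue
Else
    WScript.Echo "GetStringValue failed, return code " & rc
End If

' The same object without a moniker: the security settings in the moniker are
' shorthand for these two properties on the SWbemServices connection.
Set objLocator = CreateObject("WbemScripting.SWbemLocator")
Set objSvc = objLocator.ConnectServer(strComputer, "root\default")
objSvc.Security_.ImpersonationLevel = wbemImpersonationLevelImpersonate
objSvc.Security_.AuthenticationLevel = wbemAuthenticationLevelPktPrivacy
Set objReg2 = objSvc.Get("StdRegProv")

rc = objReg2.GetStringValue(HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue)
WScript.Echo "Via SWbemLocator, return code " & rc & ", value = " & strValue
```

Run it with cscript //nologo script.vbs. Because impersonate makes the provider run with the caller's own identity, the registry ACLs decide what the script may read or write, which is why the same script can succeed under SYSTEM and fail with return code 5 under an ordinary user; the higher delegate level passes that identity on to further hops and should only be used when a provider genuinely needs it.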