
Scary message in Event Viewer


Mike Thoma
December 5th 03, 08:12 PM
I recently found this message as a warning in Applications in Event Viewer:

----------------
A provider, OffProv, has been registered in the WMI namespace,
Root\MSAPPS, to use the LocalSystem account. This account is privileged
and the provider may cause a security violation if it does not correctly
impersonate user requests.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-----------------

Going to the link provided brought up a page saying Microsoft had no
further information on this.

I've searched Altavista and Google. Most of the links are now dead, so I
can't see them. The remaining articles and messages have two conflicting
themes: half think OffProv is some kind of virus, the other half think
it is a legitimate part of Office. There is an OffProv.exe file in the
Common Files\Microsoft shared folder.

Does anyone know for sure? You would think if it was an MS file,
Microsoft would have some more information about this Event Viewer message.

Roger Abell [MVP]
December 5th 03, 08:12 PM
This is normal, and you are most likely OK (there is a
chance someone has modified the file, etc. but I have
not heard of such a trojan existing).
This is an informational message, from the WMI system,
letting you know that some software has been registered
as a provider (of repository extension) with WMI. Since
such providers run with high priv, WMI gives you this
informative message.

--
Roger

"Mike Thoma" > wrote in message
...
> I recently found this message as a warning in Applications in Event Viewer:
>
> ----------------
> A provider, OffProv, has been registered in the WMI namespace,
> Root\MSAPPS, to use the LocalSystem account. This account is privileged
> and the provider may cause a security violation if it does not correctly
> impersonate user requests.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> -----------------
>
> Going to the link provided brought up a page saying Microsoft had no
> further information on this.
>
> I've searched Altavista and Google. Most of the links are now dead, so I
> can't see them. The remaining articles and messages have two conflicting
> themes: half think OffProv is some kind of virus, the other half think
> it is a legitimate part of Office. There is an OffProv.exe file in the
> Common Files\Microsoft shared folder.
>
> Does anyone know for sure? You would think if it was an MS file,
> Microsoft would have some more information about this Event Viewer message.
>

Mike Thoma
December 5th 03, 08:12 PM
Thanks Roger, but "most likely OK" is less than completely reassuring. I
understand what you are saying, but I'd like to know for sure that
OffProv is a legitimate program.

I guess my real question is: is OffProv.exe part of Office or not? If
not, does anyone know what it is?

Roger Abell [MVP] wrote:
> This is normal, and you are most likely OK (there is a
> chance someone has modified the file, etc. but I have
> not heard of such a trojan existing).
> This is an informational message, from the WMI system,
> letting you know that some software has been registered
> as a provider (of repository extension) with WMI. Since
> such providers run with high priv, WMI gives you this
> informative message.
>

Mike Thoma
December 5th 03, 08:12 PM
I'm sorry if my first response made it seem I didn't appreciate your
answer. When I post a question I'm grateful for all replies I get. But
warnings from the OS strike me as something that needs a more definitive
answer.

Roger Abell [MVP] wrote:
> This is normal, and you are most likely OK (there is a
> chance someone has modified the file, etc. but I have
> not heard of such a trojan existing).
> This is an informational message, from the WMI system,
> letting you know that some software has been registered
> as a provider (of repository extension) with WMI. Since
> such providers run with high priv, WMI gives you this
> informative message.
>

Peter
December 5th 03, 08:12 PM
It looks like it's part of MS Office, see:
http://www.micos-sw.cz/img/sw1.txt

Peter
>-----Original Message-----
>Thanks Roger, but "most likely OK" is less than completely reassuring. I
>understand what you are saying, but I'd like to know for sure that
>OffProv is a legitimate program.
>
>I guess my real question is: is OffProv.exe part of Office or not? If
>not, does anyone know what it is?
>
>Roger Abell [MVP] wrote:
>> This is normal, and you are most likely OK (there is a
>> chance someone has modified the file, etc. but I have
>> not heard of such a trojan existing).
>> This is an informational message, from the WMI system,
>> letting you know that some software has been registered
>> as a provider (of repository extension) with WMI. Since
>> such providers run with high priv, WMI gives you this
>> informative message.
>>
>
>.
>

Mike Thoma
December 5th 03, 08:12 PM
Thanks.

Peter wrote:
> It looks like it's part of MS Office, see:
> http://www.micos-sw.cz/img/sw1.txt
>
> Peter
>
>>-----Original Message-----
>>Thanks Roger, but "most likely OK" is less than completely reassuring. I
>>understand what you are saying, but I'd like to know for sure that
>>OffProv is a legitimate program.
>>
>>I guess my real question is: is OffProv.exe part of Office or not? If
>>not, does anyone know what it is?
>>
>>Roger Abell [MVP] wrote:
>>
>>>This is normal, and you are most likely OK (there is a
>>>chance someone has modified the file, etc. but I have
>>>not heard of such a trojan existing).
>>>This is an informational message, from the WMI system,
>>>letting you know that some software has been registered
>>>as a provider (of repository extension) with WMI. Since
>>>such providers run with high priv, WMI gives you this
>>>informative message.
>>>
>>
>>.
>>
>

Roger Abell [MVP]
December 5th 03, 08:13 PM
Hey, no problem and understood.
Yes, it is part of Office, and the message is fully normal (but
it is not OffProv.exe, it is a WMI provider named OffProv).

I was waffling because one still does not know it is
unaltered, and I did not know you had recently installed
Office. It is conceivable someone might make an install
that registers a provider with that name and trojan a system
through this route, using a name one might not be startled
at seeing, just as is often done with other types of trojans.

--
Roger


"Mike Thoma" > wrote in message
...
> I'm sorry if my first response made it seem I didn't appreciate your
> answer. When I post a question I'm grateful for all replies I get. But
> warnings from the OS strike me as something that needs a more definitive
> answer.
>
> Roger Abell [MVP] wrote:
> > This is normal, and you are most likely OK (there is a
> > chance someone has modified the file, etc. but I have
> > not heard of such a trojan existing).
> > This is an informational message, from the WMI system,
> > letting you know that some software has been registered
> > as a provider (of repository extension) with WMI. Since
> > such providers run with high priv, WMI gives you this
> > informative message.
> >
>
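The thread leaves the practical question open: Roger's point is that a WMI provider registered to run as LocalSystem is normal for Office, but nothing in the event tells you whether the provider binary on this machine is the real one, and an attacker could register a provider under a familiar name. The script below is an added example (not posted by anyone in the thread and not Microsoft's tooling) of how to settle that: it lists every provider registered in the named namespace via the `__Win32Provider` system class, resolves each provider's CLSID to the COM server it loads, and checks that file's Authenticode signature. Assumptions: PowerShell 5.1 or later with the CimCmdlets module; the namespace name is taken from the event text (`Root\MSAPPS`) and may not exist on a machine without that Office version, which the script reports instead of failing.

```powershell
# Added example: audit the WMI providers registered in a namespace and verify the
# signature of the binary each one maps to. Not from the original thread.
# Assumption: PowerShell 5.1+ with CimCmdlets; run elevated to read every registration.
param(
    [string]$Namespace = 'root\MSAPPS'   # namespace named in the Event Viewer warning
)

function Get-WmiProviderAudit {
    param([string]$Namespace)

    try {
        # __Win32Provider exists in every namespace and holds one instance per
        # registered provider: its Name, COM CLSID, HostingModel and ImpersonationLevel.
        $providers = Get-CimInstance -Namespace $Namespace -ClassName __Win32Provider -ErrorAction Stop
    } catch {
        Write-Warning "Namespace '$Namespace' is not present or not readable: $($_.Exception.Message)"
        return
    }

    foreach ($p in $providers) {
        # Resolve the CLSID through the COM registry to the DLL or EXE WMI will load.
        $server = $null
        foreach ($key in "HKLM:\SOFTWARE\Classes\CLSID\$($p.CLSID)\InprocServer32",
                         "HKLM:\SOFTWARE\Classes\CLSID\$($p.CLSID)\LocalServer32") {
            if (Test-Path $key) {
                $server = (Get-ItemProperty -Path $key).'(default)'
                break
            }
        }
        if ($server) {
            # LocalServer32 values may be quoted and carry arguments; keep the path only.
            $server = ($server -replace '^"([^"]+)".*$', '$1').Trim()
            $server = [System.Environment]::ExpandEnvironmentVariables($server)
        }

        # A trustworthy provider binary should be Valid and signed by the vendor you expect.
        $sig = if ($server -and (Test-Path -LiteralPath $server)) {
            Get-AuthenticodeSignature -FilePath $server
        } else { $null }

        [pscustomobject]@{
            Namespace          = $Namespace
            Provider           = $p.Name
            CLSID              = $p.CLSID
            # An empty HostingModel is the legacy registration the warning is about:
            # the provider is hosted by WMI itself and runs as LocalSystem.
            HostingModel       = if ($p.HostingModel) { $p.HostingModel } else { '(not set: legacy, LocalSystem)' }
            ImpersonationLevel = $p.ImpersonationLevel
            Binary             = $server
            SignatureStatus    = if ($sig) { $sig.Status } else { 'binary not found' }
            Signer             = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

Get-WmiProviderAudit -Namespace $Namespace | Format-List
```

What to look for in the output: the provider named in the event should resolve to a file under the expected product directory, with `SignatureStatus` of `Valid` and a `Signer` subject belonging to the vendor. A provider whose CLSID points at a binary in a user-writable or unexpected location, or whose signature is `NotSigned` or `HashMismatch`, is exactly the "registered under a name one might not be startled at" case Roger describes and deserves a closer look. Running the audit with a different `-Namespace` (for example `root\cimv2` or `root\subscription`) applies the same check to every other namespace on the box.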

