3 Replies Latest reply on Sep 27, 2016 9:27 AM by cwinning

    Are the Inkscape updates using a Win32_Product WMI query for detection?

    rgsteele Apprentice

      Hello folks,


      I recently noticed that our SCCM clients had a number of events in the Windows Application log with Event ID 1035, source MsiInstaller, with text like "Windows Installer reconfigured the product. Product Name: Microsoft Office Professional Plus 2016. Product Version: 16.0.4266.1001. Product Language: 0. Manufacturer: Microsoft Corporation. Reconfiguration success or error status: 0." These are occurring at regular intervals.


      This behavior is due to an application querying the Win32_Product WMI class. As explained in this Microsoft KB article, querying this WMI class initiates a repair of every MSI package on the system, which is very resource intensive.


      After turning on WMI activity tracing and analyzing the logs, I discovered this WMI query was being executed:


      select * from Win32_Product where (Name LIKE "%Inkscape%" AND Version < 0.91)


      I don't think I have any applications, packages, group policies or configuration baselines that are running this query. I can only assume that the Shavlik Patch updates for Inkscape are using this WMI query for their detection methods. Can you confirm this is the case, and explain why this mechanism is being used for the detection for this product?