
Windows Management Instrumentation

WMI is Microsoft's implementation of WBEM (Web-Based Enterprise Management) and CIM (Common Information Model) for the Windows platform.
«Instrumentation» because it exposes internal values of Windows, much like the dashboard instruments of a car do.
WMI providers are:
WMI clients are:
MOF files are Managed Object Format files.

WMI Classes

Win32_Process, Win32_Service, AntiVirusProduct, Win32_Startup ...
WMI objects are queried using a SQL-like language: the WMI Query Language (WQL).
Persistent objects are stored in %SYSTEMROOT%\System32\wbem\Repository\OBJECTS.DATA.
Most classes are implemented by providers. Such providers are either COM DLLs or kernel drivers.

Providers

A provider monitors a managed object such as
A provider consists of
These DLLs and MOF files are located under %SYSTEMROOT%\System32\wbem.

Hierarchical Namespace

WMI classes are hierarchically organized into namespaces.
Some namespaces (such as root\default, root\cimv2, root\subscription…) are created when the system boots up.
The name of the default namespace is ROOT\CIMV2 (see Default Namespace under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Scripting).
The namespaces in a given namespace (for example root) can be shown like so:
PS C:\> get-cimInstance -namespace root -class __namespace | sort name

Name            PSComputerName
----            --------------
CIMV2
Cli
DEFAULT
directory
Hardware
Interop
Microsoft
msdtc
PEH
RSOP
SECURITY
SecurityCenter
SecurityCenter2
ServiceModel
StandardCimv2
subscription
WMI
Similarly, the following command shows the namespaces under ROOT\CIMV2 (which happens to be the default namespace):
PS C:\> get-cimInstance -namespace root\cimv2 -class __namespace | sort name
The classes in a given namespace can be shown like so:
PS C:\> get-cimClass -namespace root\cimv2
An instance of a particular class can then be obtained like so (note that -namespace root\cimv2 is not necessary here as it is the default namespace anyway):
PS C:\> get-cimInstance -namespace root\cimv2 -class win32_process
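The same cmdlet can be pointed at the root\subscription namespace mentioned above, where persistent event subscriptions (an __EventFilter holding a WQL query, an __EventConsumer holding the action, and a __FilterToConsumerBinding tying them together) live. The following script is an added example, not part of the original notes; it lists every binding together with its query and action so that unexpected entries stand out. It assumes an elevated PowerShell session on the local machine; the helper get-RefName is a hypothetical name chosen for this example.

```powershell
# Added example: audit permanent WMI event subscriptions in root\subscription.
# Legitimate software registers a few of these; anything unexpected deserves a closer look.
# Assumption: run from an elevated PowerShell session on the local machine.

$ns = 'root\subscription'

# Resolve a CIM reference (a CimInstance, or a legacy string such as
# __EventFilter.Name="x" as returned by get-wmiObject) to its Name key.
function get-RefName {
    param($ref)
    if ($ref -is [string]) {
        if ($ref -match 'Name="([^"]*)"') { return $Matches[1] }
        return $ref
    }
    return $ref.Name
}

$filters   = get-cimInstance -namespace $ns -className __EventFilter
# __EventConsumer is abstract, so querying it returns every concrete consumer type
$consumers = get-cimInstance -namespace $ns -className __EventConsumer
$bindings  = get-cimInstance -namespace $ns -className __FilterToConsumerBinding

$filterByName   = @{}; foreach ($f in $filters)   { $filterByName[$f.Name]   = $f }
$consumerByName = @{}; foreach ($c in $consumers) { $consumerByName[$c.Name] = $c }

foreach ($b in $bindings) {
    $f = $filterByName[(get-RefName $b.Filter)]
    $c = $consumerByName[(get-RefName $b.Consumer)]

    # The action is stored in different properties depending on the consumer class
    $action = switch ($c.CimClass.CimClassName) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { '{0}: {1}' -f $c.ScriptingEngine, $c.ScriptText }
        'LogFileEventConsumer'      { 'write to ' + $c.Filename }
        default                     { '<' + $c.CimClass.CimClassName + '>' }
    }

    [pscustomobject]@{
        Filter   = $f.Name          # name of the __EventFilter
        Query    = $f.Query         # the WQL query that triggers the consumer
        Consumer = $c.Name          # name of the __EventConsumer
        Type     = $c.CimClass.CimClassName
        Action   = $action
    }
}
```

A binding whose filter or consumer cannot be resolved shows empty Filter or Consumer columns, which is itself worth investigating.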

Recursively traversing namespaces

A PowerShell script (that I found here) can be used to show the namespaces:
function get-wmiNamespace {
   param($namespace='ROOT')
   get-wmiObject -namespace $namespace -class __NAMESPACE | forEach-object {
      # Build the full path of the child namespace, emit it, then recurse into it
      $ns = '{0}\{1}' -f $_.__NAMESPACE, $_.name
      $ns
      get-wmiNamespace -namespace $ns
   }
}

# $wmiClasses=
# For every namespace found, list the classes it contains (-list) and emit
# each class's full WMI path, sorted and without duplicates
get-wminamespace | forEach-object {
  $namespace=$_
  get-wmiObject -namespace $namespace -list | forEach-object {
     $_.path.path
  }
} | sort-object -unique

Remote usage

WMI can be used locally and, even more importantly and powerfully, remotely.
There are two protocols for remote administration: DCOM and WinRM.
DCOM, unfortunately, is not very firewall friendly.
See also

PowerShell cmdlets

PowerShell cmdlets for WMI are

VBScript

The following simple script demonstrates how WMI can be queried with VBScript:
option explicit

dim winos
set winos = getObject("winmgmts:").instancesOf("Win32_OperatingSystem")

dim rec
for each rec in winos ' {

    wScript.echo "Caption:           " & rec.caption
    wScript.echo "Manufacturer:      " & rec.manufacturer
    wScript.echo "Build Type:        " & rec.BuildType
    WScript.echo "Version:           " & rec.Version
    WScript.echo "Locale:            " & rec.Locale
    WScript.echo "Windows Directory: " & rec.windowsDirectory
    WScript.echo "Total memory:      " & round(rec.totalVisibleMemorySize/1024/1024) & " MB"
    WScript.echo "Serial Number:     " & rec.SerialNumber
    Wscript.echo ""
next ' }
Ideally, this script is executed from the command line with cscript.exe rather than wscript.exe:
C:\users\rene> cscript query-Win32.vbs

See also

WMIC.exe
wbemtest.exe
WmiMgmt.msc and WinMgmt.exe
The Perl module DBD::WMI.
The Winmgmt service
DMTF
The PowerShell command noun wmiObject
The .NET class System.Management.ManagementObject represents a WMI instance.
WMI namespaces are securable objects.
IWbemServices, IWbemProviderInit

Links

https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
