Using WMI
By Corey Hynes, August 22nd, 2003. Posted in Windows Scripting.
WMI is a layer of software that runs as a service. It functions in much the same way a database
does. A series of providers abstract and expose the operating system. These providers allow
developers to reference a multitude of classes. The classes represent things such as your network
configuration, running processes, installed services, hardware and software. In many cases these
providers expose data structures that resemble tables, making code that interacts with them
simple and easy to write.
WMI is also important for network administrators. This new model has resulted in a new
generation of command line tools, management applications and scripts. Commands such as
EVENTQUERY, SC, and TYPEPERF all interact with the computer via WMI. Applications
such as Microsoft Operations Manager (MOM) and Systems Management Server (SMS) use
WMI to query and manage systems from a central location. WMI can even be used in
conjunction with group policy on Windows Server 2003 and Windows XP Professional as an
additional filter when applying GPOs.
What is WMIC?
The WMI command-line (WMIC) is a simplified command line interface for working with
WMI. Using WMIC, you can manage multiple computers running different versions of
Microsoft Windows. WMIC features a non-blocking interface that allows it to be used by
scripts and batch files. Some of the capabilities of WMIC are:
Commands based on aliases making common tasks quick and easy to perform.
Ability to work with the local computer, a remote computer, or a collection of remote
computers.
Customizable output formats and aliases.
Used to manage any computer running WMI.
Using WMIC
Before you begin to work with WMIC, you will need to adjust your command prompt to avoid
wrapping of output. Some WMIC commands produce very large outputs that are difficult to
read. There are two adjustments that I recommend, both of which are found on the properties of
your command prompt window. Simply configure your command prompt window as shown
below.
Figure 1
Figure 2
To use WMIC you must know a little about how it works. WMIC includes a series of “canned”
WMI queries known as aliases. These aliases represent the most common pieces of information
that administrators would gather from computers. You can view the contents of any alias by
simply typing WMIC followed by the name of the alias. For example, “WMIC QFE” will list
all hotfixes and service packs that are installed on the computer. A complete list of aliases can
be found by typing “WMIC /?”. The table below lists some of the more useful aliases.
Computersystem: Information found in the system properties such as the computer name, make,
model, and currently logged on user.
Csproduct: Computer system product information. This contains the computer's UUID, which
can be used with deployment solutions such as RIS.
Pagefile and Pagefileset: Information on the current size and usage of page files.
Memphysical: Memory capacity of the computer and current physical RAM configuration.
Sysaccount: Built-in system user account information, SIDs, and status information.
The default aliases include two output formats. The default is a full listing of all values. You
can access a reduced view, which contains only the most useful information by typing the
following.
You should note that although the brief listing is customizable, it is very difficult to change. A
more practical approach is to create a custom list of only the information you want to see using
the GET clause. A simple example is to create a list of the startup configuration for each service
on your computer. A full listing of the SERVICE alias includes about 15 columns. Of these 15,
you only need 4 to generate a report on the startup type of all services. The columns you need
are the CAPTION, NAME, and STARTMODE. You can also include the STATE column to
compare the services that are started with those that should be started. The query looks like this.
Notice the use of the GET keyword to create a list of columns. This will work for any column
that is included in the alias.
Another option to limit the output of a large WMIC command is to filter the rows of information
that are returned. In our above example, we may only want to see services that are started, to
generate a report of running services. This is done by including a WHERE clause in the query.
The WHERE clause has a simple filter expression. You specify the column you want to filter on,
and a value to compare the column to. Text columns are expressed in quotes (e.g. “server”) and
numeric columns are not (e.g. < 80). The query to generate a report of only running services
looks like this.
When the WHERE and GET clauses are used in the same query, the WHERE will always appear
before the GET.
Another option is to redirect output to a file for viewing. This is accomplished by using output
redirection, which has been a feature of the command prompt since the days of DOS. The
default output format is a TSV (tab separated values) format. This format is understood by most
database and spreadsheet products. We can redirect our report of running services by using the
following command.
Wmic service where (state="running") get caption, name, startmode, state > output.tsv
When the file is opened using Microsoft Excel, it looks like this.
Figure 3
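The reporting commands described in this section, gathered into one batch file. This is an added example, not the author's original listings; the output file name service-report.tsv and the final query for automatic services that are not running are assumptions added here.

```bat
@echo off
rem Added example, not from the original article. Every command is read-only
rem (LIST or GET); nothing on the computer is changed.

rem 1. Reduced view of the SERVICE alias instead of the full listing.
wmic service list brief

rem 2. Custom column list: GET takes any column the alias exposes.
wmic service get caption, name, startmode, state

rem 3. Row filter: WHERE comes before GET. Text values are quoted.
wmic service where (state="running") get caption, name, startmode, state

rem 4. Same report redirected to a file (assumed name) for a spreadsheet.
wmic service where (state="running") get caption, name, startmode, state > service-report.tsv

rem 5. Beyond the text: services that should be started but are not.
rem    The whole filter is wrapped in double quotes so cmd.exe does not
rem    treat <> as redirection; the text values use single quotes.
wmic service where "startmode='auto' and state<>'running'" get caption, name, state
```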
Beyond Reporting
WMI has the ability to go far beyond simple reporting. Using WMI you can also create and
manipulate objects on a Windows computer. There are a few terms that must be understood
before we proceed.
Class – A class is a definition of something. For example, the class process defines all the
characteristics of a process, but does not refer to any specific process.
Action – Called a method by developers, an action is something you can ask a class or object to
do. For example, one action associated with the class process is to create a new process.
Another is to terminate a process.
Let’s say that you want to create an instance of a process on your computer. The first step is to
determine the information that is required to create a new instance of a process. This is done
with the WMIC built-in help, using the following command.
Wmic process /?
You will notice the output contains a CALL keyword. This keyword is used to call an action.
Every class (we are working with the process class) will have a different set of actions that can
be called. Some actions will be fairly common such as create and terminate. You can view the
list of actions by typing the following command.
You will notice the action create. You can now list what is required to create a new process by
typing
The output will contain four pieces of information. Each parameter will have a direction (IN or
OUT), a name, and a data type. As before, for string data types, enclose the parameter in quotes,
and for numeric, do not. Fortunately, not all parameters are needed.
Our command to create a new instance of notepad now looks like this.
Notepad should now be running on your screen. This is a simple example, but it illustrates the
power and simplicity of WMI. Another example is to terminate the process of notepad. This is
done using the terminate action of the process class. Help can be found by typing
Wmic process call terminate /?
Be careful to include a filter when you use the terminate action. If you were to terminate all
processes, your computer would reboot.
If you only had to manage a single server, then WMIC represents a lot of work to complete a
simple task that can be done quickly using a GUI tool. It is not until you begin to manage
multiple servers that the power of WMIC becomes apparent.
First of all, let’s look at how WMIC commands can be targeted at multiple servers. This is
accomplished using the /NODE switch on the WMIC command. The /NODE switch will use
either a list of computer names or a file containing a list of all computers. To specify a list of
computer names in the WMIC command, type a command such as the following.
If you would like to run the query against multiple computers stored in a file, you need to create
a file. The file can contain a list of server names, either separated by commas or on separate
lines. The file must start with an @ character. The following example will generate a list of all
the computers in a forest and store the results in a file named @computers.txt.
The DSQuery command is included with Windows Server 2003 and can query any object in
Active Directory. If you only want to search a single domain, simply run this query on a domain
controller in the domain. Replace the forestroot option with domainroot.
You can now use this file to kill all occurrences of notepad on every computer in your forest.
One important note is that if any computer listed in the file is not available, the entire command
will fail. You can get around this limitation by only querying responsive computers. This is
done with the FAILFAST switch. When failfast is on, each server is pinged before the WMIC
command is run. If the server fails to respond to the ping, it is skipped. Note that WMI is
transported using DCOM, which uses RPC. If a firewall is preventing ICMP (Ping) then the
server will not receive the command. Likewise, if a server is allowing ICMP, but not RPC, then
the command will still fail. The FAILFAST switch can be used as follows.
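The create, terminate and multiple-computer steps above as one batch file. This is an added example, not the author's listings; SERVER1, SERVER2 and nodes.txt are placeholder names, and the GET preview before each TERMINATE is an addition to the procedure in the text.

```bat
@echo off
rem Added example. SERVER1, SERVER2 and nodes.txt are placeholders.

rem List the actions of the PROCESS alias, then the parameters of CREATE.
wmic process call /?
wmic process call create /?

rem Start Notepad locally. Only the command line is supplied; the
rem remaining parameters are optional.
wmic process call create "notepad.exe"

rem Preview which instances the filter matches before acting on them.
wmic process where name="notepad.exe" get name, processid

rem Terminate the filtered instances only. WHERE must never be left out.
wmic process where name="notepad.exe" call terminate

rem Same preview against computers named on the command line.
wmic /node:SERVER1,SERVER2 process where name="notepad.exe" get name, processid

rem Same preview against a file of names (one per line or comma separated).
rem The @ marks the /NODE value as a file; /FAILFAST:ON skips any node
rem that does not answer a ping.
wmic /node:@nodes.txt /failfast:on process where name="notepad.exe" get name, processid

rem Once the preview shows only the intended processes, swap GET for CALL.
wmic /node:@nodes.txt /failfast:on process where name="notepad.exe" call terminate
```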
So far we have not gone beyond the functionality that is included with WMIC. The aliases that
are provided represent the majority of tasks and information that system administrators would be
interested in. This does not represent everything you can do with WMIC. WMIC can also be
used to directly query the WMI schema. This gives you access to every class available, and not
just those that are exposed through aliases.
A full reference of all WMI classes can be found on the Microsoft Developer Network at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/wmi_start_page.asp
The classes are organized into what are known as namespaces. Different namespaces represent
different collections of classes that have a common function. The namespace that contains the
classes of use to administrators is the \root\cimv2 namespace. In this namespace there are
several groups of classes. The group that is of use to administrators is the Win32 group of
classes. To better understand how aliases and classes relate, enter the following command.
The rightmost column contains a statement known as a query. This query is written in the WMI
Query Language (WQL). This language is very similar to SQL. You can directly query one of
the classes by using the following command.
The output of this command is an XML document that contains a description of all the properties
of the Win32_Service class, but not actual service information. In order to view actual service
information, you must query the instances of Win32_Service, instead of the class
Win32_Service. This is done by replacing the CLASS keyword with the PATH keyword. An
example is shown.
WMIC supports both filtering and actions when directly querying the WMI schema.
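The alias-to-class relationship described above, as commands in a batch file. This is an added example, not the author's listings; the last two commands repeat the running-services report through the class instead of the alias, and the /NAMESPACE switch is shown only to make the default namespace explicit.

```bat
@echo off
rem Added example, not from the original article. All commands are read-only.

rem Each alias together with the WQL query it wraps.
wmic alias list brief

rem Definition of the class: its properties, no service data.
wmic class Win32_Service

rem Instances of the class: one row per installed service.
wmic path Win32_Service

rem WHERE and GET work on a class path exactly as they do on an alias,
rem so this returns the same rows as the SERVICE alias report.
wmic path Win32_Service where (State="Running") get Caption, Name, StartMode, State

rem The namespace can be named explicitly; \\root\cimv2 is the default.
wmic /namespace:\\root\cimv2 path Win32_Service where (State="Running") get Name
```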
Extensive help on WMIC can be found in both the Windows XP Professional and Windows
Server 2003 help and support centers.
Windows Installer (.MSI) installs are great for remote administration. One of the under-utilized
tools (IMHO) is WMIC, the WMI interface from a command prompt. I got these tips from
Darwin Sanoy, when I took his excellent class on Windows Installer.
(http://www.windowsinstallertraining.com)
Why would you use this? I only occasionally have needed this; but once in a while during a
company-wide rollout & a few machines upgraded badly, the easiest solution is to uninstall and
reinstall the app. Since you can't easily use SMS to trigger an uninstall for 1-off computers
quickly without remote controlling the box or sending a tech, I've used this to uninstall an app,
and then used any one of multiple available tools to re-run the mandatory SMS advertisement.
If you don't know the name of the product, use the list command to dump it; and then you can
use one of the uninstalls. I know this information is usually available in the Add/Remove
Programs information reported to SMS--but when you are in troubleshooting mode, this is a way
to get accurate information about what is installed.
Notes: Because there are occasionally .MSIs that were crafted in ways where the product
information is not populated into the WMI class win32_product, if you are expecting to see a
product and it is not listed, that particular application may have been crafted in that way. In
those (rare) cases, a remote session, local tech, or some other solution will be required.
2. One of the nice features of WMIC is that it may be run from any
machine. With our admin command shell, we're going to enter the wmic
command followed by enter. (Note: We could have jumped into WMIC
directly from the runas command... this just breaks out the steps)
3. Verify Program Installation (an optional informative step)
With our WMIC prompt, we can ask many questions of a node (or
nodes) and receive some nicely formatted replies. Though formatting
the replies is beyond the scope of this "How To", much more
information can be found on the internet.
So let's find out if a particular node even has our target software
(Spiceworks does attempt to list this information in its software scan)
This command asks WMI to reply with a list including the Name,
Version, and Vendor of all compliant software installations.
If you would like to filter for a specific product, you may do so. Here's
an example scanning a networked machine for all installed applications
from the vendor "Apple, Inc"
Surround the like phrase in double quotes and your search criteria in
single quotes, and use % as the wildcard symbol.
e.g.:
/node:ComputerXYZ product where "vendor like 'adobe%'" get name,version,identifyingNumber
... will prompt you for confirmation in the following (long) format:
4. Execute
(\\EXAMPLE\ROOT\CIMV2:Win32_Product.IdentifyingNumber="{6DA9102E-199F-43A0-A36B-6EF48081A658}",Name="MobileMe Control Panel",Version="2.1.0.24")->Uninstall() (Y/N/?)?
... to which you must reply 'y' if you wish to uninstall. WMI compliant
software will run the default uninstallation procedures without the user
needing to do anything (they receive no prompts etc).
Let's assume you just got word that Adobe Reader has a serious flaw in
its old version. In a panic, you asked all your users to blindly install the
new version of Adobe reader straight from Adobe's site. Thankfully,
they all managed to do so... however you've received 3 tickets so far
about an Acrobat.com icon on the desktop.
You have a flat text file of all your computers' names stored in
c:\computers.txt. You pop open a WMIC shell with appropriate
permissions and enter the following command:
This iterates through your list, skipping nodes that are invalid
(e.g. a machine that is turned off) and those that don't meet the criteria. You'll
need to confirm 'y' that you want to uninstall on every node unless you
use the nointeractive flag.
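The inventory, filter and uninstall steps above written as a batch file rather than typed at the WMIC prompt. This is an added example, not the how-to's own commands; ComputerXYZ and c:\computers.txt come from the text, while the product name is a placeholder to replace with a name returned by the inventory step.

```bat
@echo off
rem Added example. PRODUCT is a placeholder (assumption): set it to a name
rem exactly as the inventory step prints it.
set "PRODUCT=Example Product Name"

rem Inventory: name, version and vendor of the installs WMI knows about.
wmic /node:ComputerXYZ product get name, version, vendor

rem Filter with LIKE. Inside a batch file the % wildcard is written %%;
rem at an interactive prompt a single % is used.
wmic /node:ComputerXYZ product where "vendor like 'adobe%%'" get name, version, identifyingNumber

rem Preview the exact match on every reachable node before uninstalling.
wmic /failfast:on /node:@c:\computers.txt product where "name='%PRODUCT%'" get name, version

rem Uninstall on one node; WMIC asks for Y/N confirmation per match.
wmic /node:ComputerXYZ product where "name='%PRODUCT%'" call uninstall

rem Uninstall across the list without prompts.
wmic /failfast:on /node:@c:\computers.txt product where "name='%PRODUCT%'" call uninstall /nointeractive
```

Any query against the product alias (Win32_Product) makes Windows Installer run a consistency check of each installed package on the target, so these commands are slow.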
Hopefully you've been intrigued by the potency of WMIC. Though the command-line use of the
uninstall call may not be commonly needed with software management tools, AD, etc... it can
sometimes be the best way to accomplish a task quickly without disturbing your user(s).
Let's hope Spiceworks takes its WMI implementation a step further in a future release and
automates this for us;)