
Windows Management Instrumentation - Using WMI
By Corey Hynes, August 22nd, 2003. Posted in Windows Scripting.

Many network administrators have heard of Windows Management Instrumentation (WMI).
Simply put, WMI represents a major change in the way that applications interact with
the Windows family of operating systems.  In the past, developers were required to write
complicated code to perform even the simplest tasks or collect basic information about
computers on the network.  This was a difficult task even for the most seasoned programmer.
WMI makes this work simpler and more consistent.

WMI is a layer of software that runs as a service.  It functions in much the same way a database
does.  A series of providers abstract and expose the operating system.  These providers allow
developers to reference a multitude of classes.  The classes represent things such as your network
configuration, running processes, installed services, hardware and software.  In many cases these
providers expose data structures that resemble tables, making code that interacts with them
simple and easy to write.

WMI is also important for network administrators.  This new model has resulted in a new
generation of command line tools, management applications and scripts.  Commands such as
EVENTQUERY, SC, and TYPEPERF all interact with the computer via WMI.  Applications
such as Microsoft Operations Manager (MOM) and Systems Management Server (SMS) use
WMI to query and manage systems from a central location.  WMI can even be used in
conjunction with group policy on Windows Server 2003 and Windows XP Professional as an
additional filter when applying GPOs.

What is WMIC?
The WMI command-line (WMIC) is a simplified command line interface for working with
WMI.   Using WMIC, you can manage multiple computers running different versions of
Microsoft Windows.   WMIC features a non-blocking interface that allows it to be used by
scripts and batch files.  Some of the capabilities of WMIC are:

- Commands based on aliases, making common tasks quick and easy to perform.
- Ability to work with the local computer, a remote computer, or a collection of remote
  computers.
- Customizable output formats and aliases.
- Used to manage any computer running WMI.

Using WMIC

Before you begin to work with WMIC, you will need to adjust your command prompt to avoid
wrapping of output.  Some WMIC commands produce very large outputs that are difficult to
read.  There are two adjustments that I recommend, both of which are found on the properties of
your command prompt window.  Simply configure your command prompt window as shown
below.

Figure 1

Figure 2

To use WMIC you must know a little about how it works.  WMIC includes a series of “canned”
WMI queries known as aliases.  These aliases represent the most common pieces of information
that administrators would gather from computers.  You can view the contents of any alias by
simply typing WMIC followed by the name of the alias.  For example, “WMIC QFE” will list
all hotfixes and service packs that are installed on the computer.  A complete list of aliases can
be found by typing “WMIC /?”.  The table below lists some of the more useful aliases.

Computersystem: Information found in the system properties such as the computer name, make,
model, and currently logged on user.

Csproduct: Computer system product information.  This contains the computer's UUID, which
can be used with deployment solutions such as RIS.

Pagefile and Pagefileset: Information on the current size and usage of page files.

Memphysical: Memory capacity of the computer and current physical RAM configuration.

Product: Installed software products.

Sysaccount: Built-in system user account information, SIDs, and status information.

Process: Detailed information on running processes.


Service: Detailed information on all installed services.

The default aliases include two output formats.  The default is a full listing of all values.  You
can access a reduced view, which contains only the most useful information by typing the
following.

WMIC <alias> LIST BRIEF

You should note that although the brief listing is customizable, it is very difficult to change. A
more practical approach is to create a custom list of only the information you want to see using
the GET clause.  A simple example is to create a list of the startup configuration for each service
on your computer.  A full listing of the SERVICE alias includes about 15 columns.  Of these 15,
you only need 4 to generate a report on the startup type of all services.  The columns you need
are the CAPTION, NAME, and STARTMODE.  You can also include the STATE column to
compare the services that are started with those that should be started.  The query looks like this.

Wmic service get caption, name, startmode, state

Notice the use of the GET keyword to create a list of columns.  This will work for any column
that is included in the alias.

Another option to limit the output of a large WMIC command is to filter the rows of information
that are returned.  In our above example, we may only want to see services that are started, to
generate a report of running services.  This is done by including a WHERE clause in the query.
The WHERE clause has a simple filter expression.  You specify the column you want to filter on,
and a value to compare the column to.  Text columns are expressed in quotes (e.g. "server") and
numeric columns are not (e.g. < 80).  The query to generate a report of only running services
looks like this.

Wmic service where (state="running") get caption, name, startmode, state

When the WHERE and GET clauses are used in the same query, the WHERE will always appear
before the GET.

Another option is to redirect output to a file for viewing.  This is accomplished by using output
redirection, which has been a feature of the command prompt since the days of DOS.  The
default output format is a TSV (tab separated values) format.  This format is understood by most
database and spreadsheet products.  We can redirect our report of running services by using the
following command.

Wmic service where (state="running") get caption, name, startmode, state > output.tsv

When the file is opened using Microsoft Excel, it looks like this.

Figure 3

Beyond Reporting

WMI has the ability to go far beyond simple reporting.  Using WMI you can also create and
manipulate objects on a Windows computer.  There are a few terms that must be understood
before we proceed.

Class – A class is a definition of something.  For example, the class process defines all the
characteristics of a process, but does not refer to any specific process.

Object – Sometimes called an instance; an object is a specific occurrence of a class.  For
example, when you start notepad, you instantiate the class process, and create a new process
object, which represents the copy of notepad you have running on your computer.

Action – Called a method by developers, an action is something you can ask a class or object to
do.  For example, one action associated with the class process is to create a new process.
Another is to terminate a process.

Let’s say that you want to create an instance of a process on your computer.  The first step is to
determine the information that is required to create a new instance of a process.  This is done
with the WMIC built-in help, using the following command.

Wmic process /?

You will notice the output contains a CALL keyword.  This keyword is used to call an action. 
Every class (we are working with the process class) will have a different set of actions that can
be called.  Some actions will be fairly common such as create and terminate.  You can view the
list of actions by typing the following command.

Wmic process call /?

You will notice the action create.  You can now list what is required to create a new process by
typing

Wmic process call create /?

The output will contain four pieces of information.  Each parameter will have a direction (IN or
OUT), a name, and a data type.  As before, for string data types, enclose the parameter in quotes,
and for numeric, do not.  Fortunately, not all parameters are needed.

Our command to create a new instance of notepad now looks like this.

Wmic process call create "c:\windows\notepad.exe"

Notepad should now be running on your screen.  This is a simple example, but it illustrates the
power and simplicity of WMI.  Another example is to terminate the process of notepad.  This is
done using the terminate action of the process class.  Help can be found by typing

Wmic process call terminate /?

All instances of notepad can be terminated by typing:

Wmic process where (caption="notepad.exe") call terminate

Be careful to include a filter when you use the terminate action.  If you were to terminate all
processes, your computer would reboot.

Using WMIC to Manage Multiple Computers

If you only had to manage a single server, then WMIC represents a lot of work to complete a
simple task that can be done quickly using a GUI tool.  It is not until you begin to manage
multiple servers that the power of WMIC becomes apparent.

First of all, let’s look at how WMIC commands can be targeted at multiple servers.  This is
accomplished using the /NODE switch on the WMIC command.  The /NODE switch will use
either a list of computer names or a file containing a list of all computers.  To specify a list of
computer names in the WMIC command, type a command such as the following.

Wmic /node:server1,server2 process list brief

If you would like to run the query against multiple computers stored in a file, you need to create
a file.  The file can contain a list of server names, either separated by commas or on separate
lines.  The file must start with an @ character.  The following example will generate a list of all
the computers in a forest and store the results in a file named @computers.txt.

dsquery * forestroot -scope subtree -filter objectcategory=computer -attr name -l > @computers.txt

The DSQuery command is included with Windows Server 2003 and can query any object in
Active Directory.  If you only want to search a single domain, simply run this query on a domain
controller in the domain.  Replace the forestroot option with domainroot.

You can now use this file to kill all occurrences of notepad on every computer in your forest.

Wmic /node:@computers.txt process where (caption="notepad.exe") call terminate

One important note is that if any computer listed in the file is not available, the entire command
will fail.  You can get around this limitation by only querying responsive computers.  This is
done with the /FAILFAST switch.  When failfast is on, each server is pinged before the WMIC
command is run.  If the server fails to respond to the ping, it is skipped.  Note that WMI is
transported using DCOM, which uses RPC.  If a firewall is preventing ICMP (ping), then the
server will not receive the command.  Likewise, if a server is allowing ICMP, but not RPC, then
the command will still fail.  The /FAILFAST switch can be used as follows.

Wmic /failfast:on /node:@computers.txt process where (caption="notepad.exe") call terminate

Advanced Topics

So far we have not gone beyond the functionality that is included with WMIC.  The aliases that
are provided represent the majority of tasks and information that system administrators would be
interested in.  This does not represent everything you can do with WMIC.  WMIC can also be
used to directly query the WMI schema.  This gives you access to every class available, and not
just those that are exposed through aliases.

A full reference of all WMI classes can be found on the Microsoft Developer Network at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/wmi_start_page.asp

The classes are organized into what are known as namespaces.  Different namespaces represent
different collections of classes that have a common function.  The namespace that contains the
classes of use to administrators is the \root\cimv2 namespace.  In this namespace there are
several groups of classes.  The group that is of use to administrators is the Win32 group of
classes.  To better understand how aliases and classes relate, enter the following command.

Wmic alias list brief

The rightmost column contains a statement known as a query.  This query is written in the WMI
Query Language (WQL).  This language is very similar to SQL.  You can directly query one of
the classes by using the following command.

Wmic /namespace:\\root\cimv2 class Win32_Service

The output of this command is an XML document that contains a description of all the properties
of the Win32_Service, but not actual service information.  In order to view actual service
information, you must query the instances of Win32_Service, instead of the class
Win32_Service.  This is done by replacing the CLASS keyword with the PATH keyword.  An
example is shown.

Wmic /namespace:\\root\cimv2 path Win32_Service

WMIC supports both filtering and actions when directly querying the WMI schema.

Extensive help on WMIC can be found in both the Windows XP Professional and Windows
Server 2003 help and support centers.

Written by Corey Hynes


WMIC and Windows Installer products

Windows Installer (.MSI) installs are great for remote administration.  One of the under-utilized
tools (IMHO) is WMIC, the WMI interface from a command prompt.  I got these tips from
Darwin Sanoy, when I took his excellent class on Windows Installer.
(http://www.windowsinstallertraining.com)

Examples of some commands:

To get a list of all MSI products installed on the remote computer:


WMIC /node:"computername" product list > c:\1.txt
WMIC /Node:"computername" /output:c:\1.csv product get /format:csv

To uninstall (similar to msiexec /x {guid} /qn):


WMIC /node:"computername" product where name="Widgets" call uninstall

To uninstall using alternate credentials:


WMIC /node:"computer" /user:"userid" /password:"yourpassword" product where name="Widgets" call uninstall

Why would you use this?  I only occasionally have needed this; but once in a while during a
company-wide rollout & a few machines upgraded badly, the easiest solution is to uninstall and
reinstall the app.  Since you can't easily use SMS to trigger an uninstall for 1-off computers
quickly without remote controlling the box or sending a tech, I've used this to uninstall an app,
and then used any one of multiple available tools to re-run the mandatory SMS advertisement.

If you don't know the name of the product, use the list command to dump it; and then you can
use one of the uninstalls.  I know this information is usually available in the Add/Remove
Programs information reported to SMS--but when you are in troubleshooting mode, this is a way
to get accurate information about what is installed.

Notes: Because there are occasionally .MSIs that were crafted in ways where the product
information is not populated into the WMI class win32_product, if you are expecting to see a
product and it is not listed, that particular application may have been crafted in that way.  In
those (rare) cases, a remote session, local tech, or some other solution will be required.
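
The commands shown so far share one grammar: global switches (/node, /user, /password), an alias or PATH/CLASS target, an optional WHERE filter, then GET, LIST or CALL. The Python below is an added example, not code from any of the authors on this page; it reviews WMIC command lines from a batch file or a process-creation log before they are run against many machines, flagging remote targets, a password on the command line, CALL actions, and a CALL with no WHERE filter. The note labels, and the rule that only create acts on the class itself, are assumptions of this example.

```python
import re

# Assumption of this example: "create" is the only action on the page that acts
# on the class itself; any other action is treated as acting on instances.
CLASS_LEVEL = {"create"}
CURLY = str.maketrans("\u201c\u201d", '""')   # curly quotes pasted from web pages
QUOTED = re.compile(r'"[^"]*"|\'[^\']*\'')
SWITCH = re.compile(r"(?<!\S)/([A-Za-z]+)(?::(\S+))?")
VERB = re.compile(r"\b(get|list|call)\b\s*(\w*)", re.I)
PROGRAM = re.compile(r"^(?:>|(?:\S*\\)?wmic(?:\.exe)?)\s*", re.I)

def parse_wmic(cmdline):
    """Split a WMIC command into switches, target, WHERE filter, verb and action."""
    s = PROGRAM.sub("", cmdline.strip().translate(CURLY))
    # Same-length masking hides keywords inside quotes but keeps offsets valid.
    masked = QUOTED.sub(lambda m: "\x00" * len(m.group()), s)
    switches = {}
    for m in SWITCH.finditer(masked):
        switches[m.group(1).lower()] = s[m.start(2):m.end(2)] if m.group(2) else ""
    body = SWITCH.sub(lambda m: " " * len(m.group()), masked)
    verb = VERB.search(body)
    head_end = verb.start() if verb else len(body)
    where = re.search(r"\bwhere\b", body[:head_end], re.I)
    name = verb.group(1).lower() if verb else None
    return {
        "switches": switches,
        "target": body[: where.start() if where else head_end].split(),
        "where": s[where.end():head_end].strip() if where else "",
        "verb": name,
        "action": verb.group(2).lower() if name == "call" else "",
    }

def review(cmdline):
    """Return review notes for one WMIC command line (empty list = local, read-only)."""
    p = parse_wmic(cmdline)
    sw, notes = p["switches"], []
    if sw.get("node"):
        notes.append("node-file" if sw["node"].startswith("@") else "remote")
    if sw.get("password"):
        notes.append("cleartext-password")
    if p["verb"] == "call":
        notes.append("state-change:" + p["action"])
        if not p["where"] and p["action"] not in CLASS_LEVEL:
            notes.append("unfiltered-call")      # e.g. terminate with no WHERE
        if "nointeractive" in sw:
            notes.append("no-confirmation")
    return notes

# Constructed sample: command forms from this page, as they might appear in a
# batch file or in process-creation audit records.
SAMPLES = [
    r'wmic service where (state="running") get caption, name, startmode, state',
    r'wmic process call terminate',
    r'wmic /node:"computer" /user:"userid" /password:"yourpassword" '
    r'product where name="Widgets" call uninstall',
    r'wmic /failfast:on /node:@"c:\computers.txt" product where '
    r'name="Acrobat.com" call uninstall /nointeractive',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(", ".join(review(line)) or "read-only", "<-", line)
```
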

WMIC (Windows Management Instrumentation Command-Line) is a potent tool that often
doesn't see much use due to the lack of (easily accessible) documentation available. More
information can be found on WMIC here:
http://technet.microsoft.com/en-us/library/bb742610.aspx. Some great switches and alternate
options can be found here:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/wmic_overview.mspx.
We’ll be using WMIC with domain admin credentials to crawl through
a list of nodes (PCs/Laptops) and uninstall an example program without interrupting the user.

1. Load up a command shell with appropriate access permissions

Though a WMIC instruction can be given appropriate credentials prior
to operation, it is typically best-practice to avoid clear-text typing the
password (who is that looking over your shoulder;)). We’ll execute the
runas command like the following:

Runas /user:DomainAdminAccount@DOMAIN cmd

… which will prompt us for the credentials of our
DomainAdminAccount. If authenticated, we’ll be handed a command
shell running as the Admin.

2. Step into WMIC

One of the nice features of WMIC is that it may be run from any
machine. With our admin command shell, we're going to enter the wmic
command followed by enter. (Note: We could have jumped into WMIC
directly from the runas command... this just breaks out the steps)

3. Verify Program Installation (an optional informative step)

With our WMIC prompt, we can ask many questions of a node (or
nodes) and receive some nicely formatted replies. Though formatting
the replies is beyond the scope of this "How To", much more
information can be found on the internet.

So let's find out if a particular node even has our target software
(Spiceworks does attempt to list this information in its software scan)

>/node:COMPUTERNAME product get name,version,vendor

This command asks WMI to reply with a list including the Name,
Version, and Vendor of all compliant software installations.

If you would like to filter for a specific product, you may do so. Here's
an example scanning a networked machine for all installed applications
from the vendor "Apple Inc."

>/node:ANOTHEREXAMPLE product where vendor="Apple Inc." get name,vendor

(*Note from Anders4221:
A small hint if you have special characters like '-' or '/' in the computer
name you need to use ' ' characters in order to get information from
client)

(**Note from Joe3034:
Here is how you use wildcards in your search:

Surround the like phrase in double quotes and your search criteria in
single quotes, and use % as the wildcard symbol.

e.g.:
/node:ComputerXYZ product where "vendor like 'adobe%'" get name,version,identifyingNumber )

4. Call for the Uninstallation

So we can make a call to the WMI interface to uninstall a particular
product... let's pick on the MobileMe Control Panel from our previous
example. The command:

>/node:EXAMPLE product where name="MobileMe Control Panel" call uninstall

... will prompt you for confirmation in the following (long) format:

Execute (\\EXAMPLE\ROOT\CIMV2:Win32_Product.IdentifyingNumber="{6DA9102E-199F-43A0-A36B-6EF48081A658}",Name="MobileMe Control Panel",Version="2.1.0.24")->Uninstall() (Y/N/?)?

... to which you must reply 'y' if you wish to uninstall. WMI-compliant
software will run the default uninstallation procedures without the user
needing to do anything (they receive no prompts etc).

**Note that you may also use the /nointeractive flag like
/node:EXAMPLE product where name="MobileMe Control Panel" call uninstall /nointeractive
to prevent the confirmation request!
-thx Bart2691

5. Call Uninstall for a List of Machines (an optional informative step)

Let's assume you just got word that Adobe Reader has a serious flaw in
its old version. In a panic, you asked all your users to blindly install the
new version of Adobe Reader straight from Adobe's site. Thankfully,
they all managed to do so... however you've received 3 tickets so far
about an Acrobat.com icon on the desktop.

You have a flat text file of all your computers' names stored in
c:\computers.txt. You pop open a WMIC shell with appropriate
permissions and enter the following command:

>/failfast:on /node:@"c:\computers.txt" product where name="Acrobat.com" call uninstall /nointeractive

This iterates through your list, skipping nodes that are invalid
(e.g. the machine is turned off) and those that don't meet the criteria. You'll
need to confirm 'y' that you want to uninstall on every node unless you
use the nointeractive flag.

* Updated Note from Bart2691

... an easy way to automate answering 'Yes'. Examples for doing it by
PC or a text file is to use the /nointeractive flag. Additionally, if you
don't wish to hang on failed nodes, use the /failfast:on flag to quickly
skip a node that isn't responding.

wmic /failfast:on /node:@"FILENAME.txt" product where "name like 'microsoft office professional edition 2003'" call uninstall /nointeractive

Hopefully you've been intrigued by the potency of WMIC. Though the command-line use of the
uninstall call may not be commonly needed with software management tools, AD, etc... it can
sometimes be the best way to accomplish a task quickly without disturbing your user(s).

Let's hope Spiceworks takes its WMI implementation a step further in a future release and
automates this for us;)
