Jul 22, 2017

WMI Querying Techniques, Part 1 – WbemTest


Breaking the ice with WMI

I wanted to throw together a few different use cases for WMI querying. There are many articles with good information on various uses of WMI; I figured I would share some that I’ve used recently on various engagements. In the next couple of posts we’ll go over a few different ways to use WMI: the GUI, the command line, PowerShell, and from your own C# code.

Let’s jump in! We’re going to start with the basics: the Windows GUI tool, Windows Management Instrumentation Tester, or wbemtest. You can open it by clicking the Start menu and typing wbemtest. Once the window opens, click Connect and leave everything at its defaults: the namespace is root\cimv2 for our examples, the impersonation level stays at its default, and so do the connection settings. Click Connect again. You should be back at the main screen with all of the options now enabled.

fig 1

To dive into what classes are available to you, click Enum Classes. From here, to get the full list of classes beneath a given superclass, select Recursive and click OK. In this post we’ll focus on CIM_Process.

From the main wbemtest screen, click Enum Classes, type in CIM_Process as the superclass, and click OK. The result box now shows the Win32_Process subclass.

If you double-click Win32_Process, you now have the definition of the class. Check Hide System Properties to get a clearer view of what we can actually query; leaving it unchecked also shows the WMI system properties (the names starting with __, such as __CLASS and __PATH), which describe the object itself rather than the process.

fig 2

In the Properties pane we see all of the property names we can query against, along with their data types. These properties are what we will use to build our queries ahead. Below them are the Methods available in this class. Double-clicking a method opens the Method Editor, and if you click Edit Input Arguments you will see what the method expects and the data type of each argument.
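The same walk through the class tree and the Win32_Process definition can be done from the CimCmdlets module that ships with Windows PowerShell 3.0 and later. This is an added example, not code from the original post; it assumes the root\cimv2 namespace the post uses and a local Windows host, and the function name Get-DerivedCimClass is my own.

```powershell
# Added example (not from the original post): the WbemTest class exploration
# done with Get-CimClass / Get-CimInstance. Assumes root\cimv2, as in the post.

$ns = 'root\cimv2'

# Equivalent of Enum Classes with "Recursive" checked: every class whose
# inheritance chain passes through the given superclass.
function Get-DerivedCimClass {
    param(
        [string]$Namespace = 'root\cimv2',
        [Parameter(Mandatory)][string]$SuperClass
    )
    Get-CimClass -Namespace $Namespace | Where-Object {
        $parent  = $_.CimSuperClass
        $derived = $false
        while ($null -ne $parent) {
            if ($parent.CimClassName -eq $SuperClass) { $derived = $true; break }
            $parent = $parent.CimSuperClass
        }
        $derived
    }
}

# Enum Classes -> superclass CIM_Process, Recursive: shows Win32_Process.
Get-DerivedCimClass -Namespace $ns -SuperClass 'CIM_Process' |
    Select-Object CimClassName, CimSuperClassName

# Equivalent of double-clicking Win32_Process with "Hide System Properties"
# checked: the queryable properties, their data types, and which are keys.
$cls = Get-CimClass -Namespace $ns -ClassName 'Win32_Process'
$cls.CimClassProperties |
    Select-Object Name, CimType,
        @{ n = 'Key'; e = { $_.Flags.HasFlag([Microsoft.Management.Infrastructure.CimFlags]::Key) } } |
    Format-Table -AutoSize

# The __ system properties WbemTest shows when the box is unchecked
# (__CLASS, __NAMESPACE, __PATH, ...) are exposed on each instance as
# CimSystemProperties rather than in the class definition.
(Get-CimInstance -Namespace $ns -ClassName 'Win32_Process' | Select-Object -First 1).CimSystemProperties

# Equivalent of the Method Editor / Edit Input Arguments: each method with
# its [in] parameters and their data types.
foreach ($m in $cls.CimClassMethods) {
    $inParams = $m.Parameters | Where-Object {
        ($_.Qualifiers | Where-Object { $_.Name -eq 'In' }) -ne $null
    }
    '{0}() returns {1}' -f $m.Name, $m.ReturnType
    foreach ($p in $inParams) { '    [in] {0} : {1}' -f $p.Name, $p.CimType }
}
```

The Key column matters when you start building queries: a key property (ProcessId and Handle here) is what uniquely identifies an instance and what the __PATH system property is built from.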

WMI Querying

Now go back to the main screen (fig 1) and click Query. Let’s put in some examples and see what we get; here are some common ones:

select * from Win32_Process
select * from Win32_Process where (Name like "%expl%")
select * from Win32_Service where (State="Running") and (StartMode="Manual")
select * from Win32_SystemDriver where not (PathName like "%C:\\Windows\\System32\\Drivers\\%")
^^ hopefully this comes up empty, or at least you know what they are!
select * from Win32_StartupCommand where (User="Public")
select * from Win32_Processor where (DeviceID="CPU0") and (AddressWidth=64)
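The queries above are plain WQL, so they can be pasted as-is into Get-CimInstance -Query to run the same thing outside the GUI; doing so also makes the quoting rules visible (straight double quotes in WQL, backslashes doubled inside a LIKE pattern). This is an added example, not code from the original post. It assumes root\cimv2 and a local Windows host, and the function name Get-DriverOutsideSystem32 is my own.

```powershell
# Added example (not from the original post): the post's WQL queries run
# with Get-CimInstance, plus a small triage of the driver-path query.
# Assumes the root\cimv2 namespace, as in the post.

$ns = 'root\cimv2'

# Single-quoted PowerShell strings keep the WQL double quotes intact.
# A backslash inside a WQL string literal is an escape character, so a
# literal backslash in the LIKE pattern must be written as \\.
$queries = [ordered]@{
    'All processes'                    = 'select * from Win32_Process'
    'Processes with "expl" in Name'    = 'select * from Win32_Process where (Name like "%expl%")'
    'Running manual-start services'    = 'select * from Win32_Service where (State="Running") and (StartMode="Manual")'
    'Drivers outside System32\Drivers' = 'select * from Win32_SystemDriver where not (PathName like "%C:\\Windows\\System32\\Drivers\\%")'
    'Startup commands for user Public' = 'select * from Win32_StartupCommand where (User="Public")'
    'CPU0 is 64-bit'                   = 'select * from Win32_Processor where (DeviceID="CPU0") and (AddressWidth=64)'
}

# Result counts per query, the same as the instance count WbemTest reports.
foreach ($entry in $queries.GetEnumerator()) {
    $hits = @(Get-CimInstance -Namespace $ns -Query $entry.Value)
    '{0,-36} {1,5} result(s)' -f $entry.Key, $hits.Count
}

# The post says the driver query should come up empty "or at least you know
# what they are": list each hit with enough context to recognise it. PathName
# is shown exactly as recorded, so an entry with no path stored can be told
# apart from a driver that really is loaded from another location.
function Get-DriverOutsideSystem32 {
    param([string]$Namespace = 'root\cimv2')
    $wql = 'select Name, DisplayName, State, StartMode, PathName from Win32_SystemDriver ' +
           'where not (PathName like "%C:\\Windows\\System32\\Drivers\\%")'
    Get-CimInstance -Namespace $Namespace -Query $wql |
        Select-Object Name, DisplayName, State, StartMode, PathName
}

Get-DriverOutsideSystem32 -Namespace $ns | Format-Table -AutoSize

# The same service query using -Filter, which takes only the WHERE clause.
Get-CimInstance -Namespace $ns -ClassName 'Win32_Service' -Filter 'State="Running" and StartMode="Manual"' |
    Select-Object Name, ProcessId, PathName | Format-Table -AutoSize
```

Whether you use -Query or -ClassName plus -Filter is a matter of taste; -Filter is handy when the WHERE clause is built from variables, since only that part needs quoting.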

Conclusion

Hopefully this post helped you at least break the ice with WMI; we will be using some of these queries in future posts. wbemtest is also a good way to test Group Policy WMI filter queries before you deploy them to your systems. In our next post we will cover WMI on the command line, including aliases, alternate namespaces, object paths, and calling methods.

Here are some references for more information regarding WMI:

https://msdn.microsoft.com/en-us/library/bb742610.aspx

https://msdn.microsoft.com/en-us/library/bg126473(v=vs.85).aspx

Check out part two where we step into command line usage.