Jul 22, 2017

WMI Querying Techniques, Part 2 – Command Line


In this post, we will go over various WMI command line techniques and options: we’ll cover the built-in aliases, as well as using alternate namespaces and paths, and let’s not forget running remotely!  Let’s get started!

WMIC Aliases

One of the nice things Microsoft did when providing a command line utility for accessing WMI objects is building aliases on top of the more commonly used WMI classes.  To follow along in any of our exercises today, you should open a command prompt or two as Administrator if you can.  If you don’t have admin rights, that’s ok, you can still do some of the querying.  Hopefully you read the last article on Wbemtest; we will keep that open to get some properties and methods as needed.

From your command prompt, type in “wmic /?” to get a list of commands and aliases.  Today we will be playing around with Process, Service, and Product. Faster IT has a good article mapping the aliases to their classes.

Querying with Aliases

One thing to consider is that the verbs available when using aliases versus the classes directly are slightly different.  One loss is the list verb; however, you still get to keep /?.  Go ahead and run wmic process from the command line.  It will take a few moments to pull all of the information; the less you ask for, the quicker it is.  After you run it, you’ll notice that it can be information overload.  One technique I use to help sort through the data more easily is running this command,

wmic process | clip

Then pasting it into Notepad++ (the | clip part pipes the output of the command directly into the clipboard). This preserves the column formatting without word wrapping, to help you filter down to what you need.

Processes

If you just want a format that is more comparable to tasklist.exe, you can run:

wmic process list brief

Another neat function of the aliases is the built-in help. You can use /? after most commands to get additional information, along with some examples:

wmic process get /?

wmic process where Caption="calculator.exe" list brief
wmic process call create calc.exe
wmic process where Caption="calculator.exe" delete

Services

Let’s see what we can do with services…

wmic service where (Name like "%remote%") list brief
wmic service where (Name="RemoteRegistry") call ChangeStartMode Disabled
wmic service where (Name="RemoteRegistry") call StopService

Products/Software Installs

This one took me by surprise: calling the uninstall function through the alias invokes the quiet and norestart options, and installing using this method is also silent.

wmic product where (Name like "%grep%") list brief
wmic product where IdentifyingNumber="{5F98943A-A419-4FC5-B694-62BFA2774ED9}" delete
wmic product call install PackageLocation="R:\grepWin-1.7.0-x64.msi"

Querying without the use of Aliases

There are also times where you might need a little more punch than the aliases can offer, or you need to work in a different namespace. We’ll briefly touch on using direct class queries.

Here is an example of how to create a process using the Win32_Process class, and passing parameters:

wmic path Win32_Process call create CommandLine='r:\HelloWorld.exe' CurrentDirectory='r:\'
wmic path Win32_Process where ProcessId=26388 Delete

Here are just a handful of examples. So far the most challenging aspect has been getting around parameters; there are not a lot of docs out there that show how to use them. I did play around with the registry part of WMI; if you’re really in a bind, this may be a last-ditch effort. I only used keys in the HKLM realm; here is a document if you want to try changing the hDefKey value: EnumKey method of StdRegProv class


wmic path Win32_Process call create CommandLine="r:\helloworld.exe" CurrentDirectory="r:\"
wmic /namespace:\\root\default path StdRegProv call /?
wmic /namespace:\\root\default path StdRegProv call EnumKey sSubKeyName="system\CurrentControlSet\Services"
wmic /namespace:\\root\default path StdRegProv call DeleteKey sSubKeyName="SYSTEM\CurrentControlSet\Services\_IDontBelongHere"

Remote WMIC

Another undervalued use of WMI is that it can be used to perform tasks on remote computers fairly easily. The downside is that you are dealing with result codes at the end of it, so if you are expecting any visual confirmation you are out of luck. With the information you’ve reviewed in this post you should be able to trace your own steps. By default the commands run under the current user context; however, you can supply alternate credentials through argument switches.

Please keep in mind that much monitoring software captures command lines, including WMIC, so please don’t put domain admin credentials on the command line.

wmic /Node:"ComputerB" process list brief
wmic /Node:"ComputerB,ComputerC,ComputerD" process where (name="Notepad.exe") delete
wmic /Node:"ComputerB" /User:example\labadmin /password:b4dp4ssword process list brief

Per the help, you should only need to wrap the node name in quotes if it contains - or / characters.
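Since the command lines above (including the /Node and /password switches) are exactly what process-creation logging captures, here is an added example, not part of the original post, that triages constructed log lines modelled on this post's commands: it flags remote wmic use, credentials on the command line, and state-changing verbs, and masks the password value before the line is stored. The sample lines and the finding labels are my own constructions.

```python
import re
from typing import List, Tuple

# Constructed sample process-creation command lines (not real telemetry),
# modelled on the wmic usage shown in this post. The last line is a control.
SAMPLE_COMMAND_LINES = [
    'wmic process list brief',
    'wmic /Node:"ComputerB" /User:example\\labadmin /password:b4dp4ssword process list brief',
    'wmic product where (Name like "%grep%") list brief',
    'wmic product where IdentifyingNumber="{PLACEHOLDER-GUID}" delete',
    'wmic /namespace:\\\\root\\default path StdRegProv call DeleteKey sSubKeyName="SYSTEM\\Example"',
    'wmic path Win32_Process call create CommandLine="r:\\helloworld.exe"',
    'notepad.exe C:\\notes.txt',
]

# First token is wmic or wmic.exe, optionally quoted and/or with a directory prefix.
WMIC_RE = re.compile(r'^\s*"?(?:[^"\s]*\\)?wmic(?:\.exe)?"?(?:\s|$)', re.IGNORECASE)
NODE_RE = re.compile(r'/node:', re.IGNORECASE)
PASSWORD_RE = re.compile(r'(/password:)\S+', re.IGNORECASE)
# Verbs used in this post that change state instead of only reading it.
STATE_CHANGE_RE = re.compile(
    r'\b(?:delete|call\s+(?:create|install|deletekey|stopservice|changestartmode))\b',
    re.IGNORECASE)


def classify(cmdline: str) -> List[str]:
    """Return the findings for one process command line, in a fixed order."""
    findings: List[str] = []
    if not WMIC_RE.search(cmdline):
        return findings          # not a wmic invocation at all
    if NODE_RE.search(cmdline):
        findings.append('remote_execution')
    if PASSWORD_RE.search(cmdline):
        findings.append('credentials_on_command_line')
    if STATE_CHANGE_RE.search(cmdline):
        findings.append('state_change')
    if 'stdregprov' in cmdline.lower():
        findings.append('registry_via_stdregprov')
    return findings


def redact(cmdline: str) -> str:
    """Mask a /password: value so the line can be stored or forwarded safely."""
    return PASSWORD_RE.sub(r'\1<redacted>', cmdline)


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (redacted command line, findings) for every line that has findings."""
    results: List[Tuple[str, List[str]]] = []
    for line in lines:
        findings = classify(line)
        if findings:
            results.append((redact(line), findings))
    return results
```

Running scan() over the sample list yields four flagged lines; the read-only queries and the notepad control line produce no findings.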

Conclusion

One of the most fun things I found with WMIC is that it assumes you know what you are doing: there is no prompting, no delays, etc. You want to terminate a process? Done. Delete a service? Done. Uninstall a program? Ha, done.

That being said, it’s a very powerful and robust engine with which you can do just about any management task needed.

Check out part one, where we introduce some of the Windows GUI tools.