SMS Administration

Windows Management Instrumentation (WMI)
Eran Spitz
(www.myitforum.com)
EDS-Israel
What is the WMI?
Microsoft's implementation of the DMTF's WBEM initiative
Centralized resource for desktop data
WMI Components
Location:
%SystemRoot%\System32\WBEM
Repository:
WBEM\Repository\CIM.rep
Logging: WBEM\Logs
Process: Winmgmt.exe
WMI Structure
Namespace
Cimv2
Class
Instance
Win32_Service
Alerter
Class Parameters
Path: Root\Cimv2\Win32_Service
Display Name
Process ID
Path (exe file)
Start Mode
Start Name (account)
State
Class Methods
Path: Root\Cimv2\Win32_Service
Change
Change start mode
Create
Delete
Pause Service
Resume Service
Start Service
Stop Service
User control service
Tools for configuration and analysis
Wbemtest.exe
Wbemperm.exe
WMI SDK – Object Browser
CIM Studio
WMI Event Viewer
Wbemdump.exe
Scripting (VBS, JS, etc.)
WMI Framework Flow
Extending the WMI
Extension is done through MOF (Managed Object Format) files
ASCII files that represent a schema structure
Compiled using Mofcomp.exe
Management Applications and WMI
Tasks:
Collection of data from managed computers
Alerts based on WMI events
Execution of methods on managed computers
Scripting With WMI
Two ways to connect to WMI:
SwbemLocator Object
“Winmgmts:” Moniker
Monikers
ProgID -> CLSID -> DLL file
The mapping is also found under HKCR
The “Winmgmts:” moniker uses:
%SystemRoot%\System32\wbem\wbemdisp.dll
Using WMI Moniker
3 optional parts for using the WMI moniker:
1. Using the “Winmgmts:” prefix
2. Security settings (impersonation)
3. Object path
Object Path
Specifying Object path:
Remote Computer
WMI Namespace
WMI Class\Instance
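
Added example (not part of the original slides): a VBScript that builds the "winmgmts:" moniker from its three parts, reads the Win32_Service properties listed earlier, and then makes the same connection through SWbemLocator. It assumes the local computer (".") and the Root\Cimv2 namespace; the variable and constant names are illustrative.

```vbscript
' Run with: cscript //nologo thisfile.vbs
Option Explicit

' Assumption: "." means the local computer; put a remote host name here instead.
Const COMPUTER = "."
Const WMI_NAMESPACE = "root\cimv2"

Dim moniker, svc, alerter, locator, connection

' Way 1: the "winmgmts:" moniker, built from its three parts:
'   prefix, security settings (impersonation), object path (computer + namespace).
moniker = "winmgmts:" & _
          "{impersonationLevel=impersonate}!" & _
          "\\" & COMPUTER & "\" & WMI_NAMESPACE

' Object path stopping at the namespace: enumerate every Win32_Service instance
' and print the properties that matter for a service-account review.
For Each svc In GetObject(moniker).InstancesOf("Win32_Service")
    WScript.Echo svc.DisplayName & vbTab & svc.State & vbTab & svc.StartMode & _
                 vbTab & svc.StartName & vbTab & svc.ProcessId & vbTab & svc.PathName
Next

' Object path extended to a single instance (namespace:Class.Key='value').
' The Alerter service is absent on many systems, so the failure is handled.
On Error Resume Next
Set alerter = GetObject(moniker & ":Win32_Service.Name='Alerter'")
If Err.Number = 0 Then
    WScript.Echo "Alerter: " & alerter.State & ", runs as " & alerter.StartName
Else
    WScript.Echo "No Alerter instance on this computer (0x" & Hex(Err.Number) & ")"
End If
On Error GoTo 0

' Way 2: the SWbemLocator object, reaching the same namespace without a moniker.
Set locator = CreateObject("WbemScripting.SWbemLocator")
Set connection = locator.ConnectServer(COMPUTER, WMI_NAMESPACE)
connection.Security_.ImpersonationLevel = 3   ' wbemImpersonationLevelImpersonate
WScript.Echo "SWbemLocator sees " & _
             connection.InstancesOf("Win32_Service").Count & " services"
```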