Many network administrators have heard of Windows Management Instrumentation (WMI). Simply put, WMI represents a major change in the way that application applications interact with the Windows family of Operating Systems. In the past, developers were required to write complicated code to perform even the simplest tasks or collect basic information about computers on the network. This was a difficult task even for the most seasoned programmer. WMI changes this approach to become simpler and more consistent
WMI is a layer of software that runs as service. It functions in much the same way a database does. A series of providers abstract and expose the operating system. These providers allow developers to reference a multitude of classes. The classes represent things such as your network configuration, running processes, installed services, hardware and software. In many cases these providers expose data structures that resemble tables, making code that interacts with them simple and easy to write.
WMI is also important for network administrators. This new model has resulted in a new generation of command line tools, management applications and scripts. Commands such as the EVENTQUERY, SC, and TYPEPERF all interact with the computer via WMI. Applications such as Microsoft Operations Manager (MOM) and Systems Management Server (SMS) use WMI to query and manage systems from a central location. WMI can even be used in conjunction with group policy on Windows Server 2003 and Windows XP Professional as an additional filter when applying GPO’s.
What is WMIC?
The WMI command-line (WMIC) is a simplified command line interface for working with WMI. Using WMIC, you can manage multiple computers running different versions of Microsoft Windows. WMIC features a non-blocking interface that allows it to be used by scripts and batch files. Some of the capabilities of WMIC are:
- Commands based on aliases making common tasks quick and easy to perform.
- Ability to work with the local computer, a remote computer, or a collection of remote computers.
- Customizable output formats and aliases.
- Used to manage any computer running WMI.
Using WMIC
Before you being to work with WMIC, you will need to adjust your command prompt to avoid wrapping of output. Some WMIC commands produce very large outputs that are difficult to read. There are two adjustments that I recommend, both of which are found on the properties of your command prompt window. Simply configure your command prompt window as shown below.
Figure 1
Figure 2
To use WMIC you must know a little about how it works. WMIC includes a series of “canned” WMI queries known as aliases. These aliases represent the most common pieces of information that administrators would gather from computers. You can view the contents of any alias by simply typing WMIC following by the name of the alias. For example, “WMIC QFE” will list all hotfixes and service packs that are installed on the computer. A complete list of aliases can be found by typing “WMIC /?”. The table below lists some of the more useful aliases
Computersystem: Information found in the system properties such as the computer name, make, model, and currently logged on user.
Csproduct: Computer system product information. This contains the computers UUID, which can be used with deployment solutions such as RIS.
Pagefile and Pagefileset: Information on the current size and usage of page files.
Memphysical: Memory capacity of the computer and current physical RAM configuration.
Product: Installed software products.
Sysaccount: Builtin system user account information, SIDS, and status information.
Process: Detailed information on running processes.
Service: Detailed information on all installed services.
The default aliases include two output formats. The default is a full listing of all values. You can access a reduced view, which contains only the most useful information by typing the following.
WMIC
You should note that although the brief listing is customizable, it is very difficult to change. A more practical approach is to create a custom list of only the information you want to see using the GET clause. A simple example is to create a list of the startup configuration for each service on your computer. A full listing of the SERVICE alias includes about 15 columns. Of these 15, you only need 4 to generate a report on the startup type of all services. The columns you need are the CAPTION, NAME, and STARTMODE. You can also include the STATE column to compare the services that are started with those that should be started. The query looks like this.
Wmic service get caption, name, startmode, state
Notice the use of the GET keyword to create a list of columns. This will work for any column that is included in the alias.
Another option to limit the out put of a large WMIC command is to filter the rows of information that are returned. In our above example, we may only want to see services that are started, to generate a report of running services. This is done by including a WHERE clause in the query. The WHERE clause has a simple filter expression. You specify the column you want to filer on, and a value to compare the column to. Text columns are expressed in quotes (i.e. “server”) and numeric columns are not (i.e. < 80). The query to generate a report of only running services looks like this.
Wmic service where (state=”running”) get caption, name, startmode, state
When the WHERE and GET clauses are used in the same query, the WHERE will always appear before the GET.
Another option is to redirect output to a file for viewing. This is accomplished by using output redirection, which has been a feature of the command prompt since the days of DOS. The default output format is a TSV (tab separated values) format. This format is understood by most database and spreadsheet products. We can redirect our report of running services by using the following command.
Wmic service where (state=”running”) get caption, name, startmode, state > output.tsv
When the file is opened using Microsoft Excel, it looks like this.
Figure 3
Beyond Reporting
WMI has the ability to go far beyond simple reporting. Using WMI you can also create and manipulate a Windows computer. There are a few terms that must be understood before we proceed.
Class – A class is a definition of something. For example, the class process defines all the characteristics of a process, but does not refer to any specific process.
Object – Sometimes called an instance; an object is a specific occurrence of a class. For example, when you start notepad, you instantiate the class process, and create a new process object, which represents the copy of notepad you have running on your computer.
Action – Called a method by developers, and action is something you can ask a class or object to do. For example, one action associated with the class process is to create a new process. Another is to terminate a process.
Let’s say that you want to create an instance of a process on your computer. The first step is to determine the information that is required to create a new instance of a process. This is done by the WMIC built in help using the following command.
Wmic process /?
You will notice the output contains a CALL keyword. This keyword is used to call an action. Every class (we are working with the process class) will have a different set of actions that can be called. Some actions will be fairly common such as create and terminate. You can view the list of actions by typing the following command.
Wmic process call /?
You will notice the action create. You can now list what is required to create a new process by typing
Wmic process call create /?
The output will contain four pieces of information. Each parameter will have a direction (IN or OUT), a name, and a data type. As before, for string data types, enclose the parameter in quotes, and for numeric, do not. Fortunately, not all parameters are needed.
Our command to create a new instance of notepad now looks like this.
Wmic process call create “c:\windows\notepad.exe”
Notepad should now be running on your screen. This is a simple example, but it illustrates the power and simplicity of WMI. Another example is to terminate the process of notepad. This is done using the terminate action of the process class. Help can be found by typing
Wmic process call terminate /?
All instances of notepad can be terminated by typing:
Wmic process where (caption=”notepad.exe”) call terminate
Be careful to include a filter when you use the terminate action. If you were to terminate all processes, your computer would reboot.
Using WMIC to Manage Multiple Computers
If you only had to manage a single server, then WMIC represents a lot of work to complete a simple task that can be done quickly using a GUI tool. It is not until you begin to manage multiple servers that you have the power of WMIC becomes apparent.
First of all, let’s look at how WMIC commands can be targeted at multiple servers. This is accomplished using the /NODE switch on the WMIC command. The /NODE switch will use either a list of computer names or a file containing a list of all computers. To specify a list of computer names in the WMIC command, type a command such as the following.
Wmic /node:server1,server2 process list brief
If you would like to run the query against multiple computers stored in a file, you need to create a file. The file can contain a list of server names, either separated by commas or on separate lines. The file must start with an @ character. The following example will generate a list of all the computers in a forest and store the results in a file named @computers.txt.
dsquery * forestroot -scope subtree -filter objectcategory=computer -attr name –l > @computers.txt
The DSQuery command is included with Windows Server 2003 and can query any object in Active Directory. If you only want to search a single domain, simple run this query on a domain controller in the domain. Replace the forestroot option with domainroot.
You can now use this file to kill all occurrences of notepad on every computer in your forest.
Wmic /node:@computers.txt process where (caption=”notepad.exe”) call terminate
One important note is that if all computers listed in the file are not available, the entire command will fail. You can get around this limitation by only querying responsive computers. This is done with FAILFAST switch. When failfast is on, each server is pinged before the WMIC command is run. If the server fails to respond to the ping, it is skipped. Note that WMI is transported using DCOM, which uses RPC. If a firewall is preventing ICMP (Ping) then the server will not receive the command. Likewise, if a server is allowing ICMP, but not RPC, then the command will still fail. The FAILFAST switch can be used as follows.
Wmic /fastfail:on /node:@computers.txt process where (caption=”notepad.exe”) call terminate
Advanced Topics
So fare we have not gone beyond the functionality that is included with WMIC. The aliases that are provided represent the majority of tasks and information that system administrators would be interested in. This does not represent everything you can do with WMIC. WMIC can also be used to directly query the WMI schema. This gives you access to every class available, and not just those that are exposed through aliases.
A full reference of all WMI classes can be found on the Microsoft Developer Network at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/wmi_start_page.asp
The classes are organized into what are known as namespaces. Different namespaces represent different collections of classes that have a common function. The namespace that contains the classes of use to administrators is the \root\cimv2 namespace. In this namespace there are several groups of classes. The group that is of use to administrators is the Win32 group of classes. To better understand how aliases and classes relate, enter the following command.
Wmic alias list brief
The rightmost column contains a statement known as a query. This query is written in the WMI Query Language (WQL). This language is very similar to SQL. You can directly query one of the classes by using the following command.
Wmic /namespace:\\root\cimv2 class Win32_Service
The output of this command is an XML document that contains a description of all the properties of the Win32_Service, but not actual service information. In order to view actual service information, you must query the instances of Win32_Service, instead of the class Win32_Service. This is done by replacing the CLASS keyword with the PATH keyword. An example is shown.
Wmic /namespace:\\root\cimv2 path Win32_Service
WMIC supports both filtering and actions when directly querying the WMI schema.
Extensive help on WMIC can be found in both the Windows XP Professional and Windows Server 2003 help and support centers.