WMIC Notes

WMI designed to give applications access to managed objects (Processes, reg keys, files, etc)

WMI breakdown:

Consumers: Management Applications (WMI Consumers)

Infrastructure: WMI Core (CIM Object Manager) -> Database

Providers: WMI Providers -> Managed Objects

The easiest way to access these Managed objects is with wmic. wmic command should be run in CMD prompt. Not all commands work in PS.

To use WMI you need to know 3 things:

1. Available classes

2. Class names

3. Class properties and methods

List available WMI/CIM classes:

Get-CimClass 

OR

Get-WMIObject -List -Namespace root\wmi

To query a specific Class for Properties and Methods:

Get-CimInstance -ClassName [Class Name] | Get-Member

Or

Get-WMIObject -Class [classname] | get-member

To search through a specific class and filter on a string

Get-CimClass -Classname *[search string]*

Or

Get-WMIObject -List | Where-Object {$_.name -match '[SearchString]'}

Filter output based on property value

Get-CimInstance -ClassName [classname] -Filter "[filter]"

Example:

Get-CimInstance -ClassName [classname] -Filter "name like 'PowerShell'"

OR

Get-WMIObject -Query "Select * from [classname]"

Almost every command will have a list brief and list full option. Results vary.

Filtering and using get with WMIC: get allows you to specify what field you want. This is the alternative to Get-CimInstance.

Get process information:

wmic process get name,processid,parentprocessid,executablepath,commandline /format:list

Get a single process info:

wmic process where name="wmic.exe" get processid,executablepath,commandline