WMI Basics

nchernoff

May 16, 2008
Migrated From JP Software Wiki

When I learned, during the private beta testing of version 8, of 4NT's Windows Management Instrumentation query capabilities, I was very excited. I had some idea how much information was available from WMI and had (painfully) delved once or twice into WMI programming. Let me give a brief tutorial on the subject. I hope to give sufficient examples so users might continue to explore on their own. I hope those more versed in WMI will add to our appreciation of this powerful feature.

4NT's interface to WMI is not meant to be all-encompassing, but I suspect that with it the user has access to over 99% of the information in the WMI repository. It has two aspects. First there's the interactive WMIQUERY command, which allows for listing the classes of information available and for querying the values of members of those classes. Second is @WMI[], which returns the values of specified members of specified classes.

Here's a good starting point for learning about WMI classes:

Microsoft WMI Classes

The largest "namespace" in the WMI repository and the one most likely to be useful is called "root\cimv2" which can be abbreviated ".". The command


wmiquery /c . "*"

shows me the names of 896 classes, nearly all of which fall into one of the categories "Win32_*" and "CIM_*".

Here,


wmiquery /c . "win32_*"

shows some 462 classes in the first of those categories. Here's one with its output:
Code:
    v:\> wmiquery /c . "win32_operating*"
    Win32_OperatingSystem
    Win32_OperatingSystemAutochkSetting
    Win32_OperatingSystemQFE
The Win32_OperatingSystem class and the Win32_Process class are very interesting, and most, perhaps all, of the remaining examples will deal with them. There are also several interesting classes of PERF data; try


wmiquery /c . "win32_*perf*"

Querying is done using a subset of WQL (Windows Query Language) which is itself a subset of ANSI-SQL. The basic form of a query is:


"select properties from <class> [where ...]"

It should be noted that if several properties are requested, they are returned in alphabetical order (not in the order requested). Here, for example, are all the properties of Win32_OperatingSystem:
Code:
    v:\> wmiquery . "select * from Win32_OperatingSystem"

    BootDevice = \Device\HarddiskVolume2
    BuildNumber = 2600
    BuildType = Uniprocessor Free
    Caption = Microsoft Windows XP Professional
    CodeSet = 1252
    CountryCode = 1
    CreationClassName = Win32_OperatingSystem
    CSCreationClassName = Win32_ComputerSystem
    CSDVersion = Service Pack 2
    CSName = JJ
    CurrentTimeZone = -240
    DataExecutionPrevention_32BitApplications = False
    DataExecutionPrevention_Available = False
    DataExecutionPrevention_Drivers = False
    DataExecutionPrevention_SupportPolicy = 2
    Debug = False
    Description =
    Distributed = False
    EncryptionLevel = 168
    ForegroundApplicationBoost = 2
    FreePhysicalMemory = 733344
    FreeSpaceInPagingFiles = 1829044
    FreeVirtualMemory = 2056712
    InstallDate = 20021227212114.000000-300
    LargeSystemCache = 0
    LastBootUpTime = 20060822171910.144297-240
    LocalDateTime = 20060902171332.307000-240
    Locale = 0409
    Manufacturer = Microsoft Corporation
    MaxNumberOfProcesses = -1
    MaxProcessMemorySize = 2097024
    Name = Microsoft Windows XP Professional|F:\WINDOWS|\Device\Harddisk0\Partition5
    NumberOfProcesses = 22
    NumberOfUsers = 2
    Organization = Syracuse University Mathematics
    OSLanguage = 1033
    OSType = 18
    Primary = True
    ProductType = 1
    QuantumLength = 0
    QuantumType = 0
    RegisteredUser = Vincent Fatica
    SerialNumber = 55274-OEM-0011903-00102
    ServicePackMajorVersion = 2
    ServicePackMinorVersion = 0
    SizeStoredInPagingFiles = 1998364
    Status = OK
    SuiteMask = 272
    SystemDevice = \Device\HarddiskVolume5
    SystemDirectory = F:\WINDOWS\system32
    SystemDrive = F:
    TotalVirtualMemorySize = 2097024
    TotalVisibleMemorySize = 1047532
    Version = 5.1.2600
    WindowsDirectory = F:\WINDOWS
Had I wanted only a couple bits of info, I could have:
Code:
    v:\> wmiquery . "select lastbootuptime,localdatetime from
    Win32_OperatingSystem"

    LastBootUpTime = 20060822171910.144297-240
    LocalDateTime = 20060902171828.152000-240
Many classes have several instances. A good example is the Win32_Process class. This command


wmiquery /a . "select * from win32_process"

would give every property of every process of the current machine (more info than I wish to include here).

Here's one with more manageable output:
Code:
    v:\> wmiquery /a . "select processid,name from win32_process"
    Name = System Idle Process
    ProcessId = 0
    Name = System
    ProcessId = 4
    Name = smss.exe
    ProcessId = 456
    Name = csrss.exe
    ProcessId = 508
    Name = winlogon.exe
    ProcessId = 532
    Name = services.exe
    ProcessId = 576
    Name = lsass.exe
    ProcessId = 588
    Name = svchost.exe
    ProcessId = 744
    Name = svchost.exe
    ProcessId = 800
    Name = svchost.exe
    ProcessId = 916
    Name = svchost.exe
    ProcessId = 928
    Name = svchost.exe
    ProcessId = 1028
    Name = spoolsv.exe
    ProcessId = 1044
    Name = DKService.exe
    ProcessId = 1212
    Name = dnews.exe
    ProcessId = 1396
    Name = mercury.exe
    ProcessId = 2000
    Name = explorer.exe
    ProcessId = 1856
    Name = powerpro.exe
    ProcessId = 192
    Name = winpm-32.exe
    ProcessId = 884
    Name = agent.exe
    ProcessId = 1236
    Name = 4nt.exe
    ProcessId = 2032
    Name = wmiprvse.exe
    ProcessId = 2012
I could get info on the current 4NT like this:
Code:
    v:\> wmiquery . "select * from win32_process where processid = '%_pid'"
    Caption = 4nt.exe
    CommandLine = "E:\Users\vefatica\Desktop\4ntbeta\Beta8\{app}\4nt.exe"
    CreationClassName = Win32_Process
    CreationDate = 20060902165926.806805-240
    CSCreationClassName = Win32_ComputerSystem
    CSName = JJ
    Description = 4nt.exe
    ExecutablePath = E:\Users\vefatica\Desktop\4ntbeta\Beta8\{app}\4nt.exe
    Handle = 2032
    HandleCount = 135
    KernelModeTime = 2500000
    MaximumWorkingSetSize = 1413120
    MinimumWorkingSetSize = 204800
    Name = 4nt.exe
    OSCreationClassName = Win32_OperatingSystem
    OSName = Microsoft Windows XP Professional|F:\WINDOWS|\Device\Harddisk0\Partition5
    OtherOperationCount = 701
    OtherTransferCount = 12063
    PageFaults = 4913
    PageFileUsage = 6340608
    ParentProcessId = 1856
    PeakPageFileUsage = 7213056
    PeakVirtualSize = 98697216
    PeakWorkingSetSize = 9867264
    Priority = 8
    PrivatePageCount = 6340608
    ProcessId = 2032
    QuotaNonPagedPoolUsage = 20360
    QuotaPagedPoolUsage = 44800
    QuotaPeakNonPagedPoolUsage = 21168
    QuotaPeakPagedPoolUsage = 46136
    ReadOperationCount = 127
    ReadTransferCount = 170040
    SessionId = 0
    ThreadCount = 6
    UserModeTime = 4218750
    VirtualSize = 98697216
    WindowsVersion = 5.1.2600
    WorkingSetSize = 9789440
    WriteOperationCount = 483
    WriteTransferCount = 14082
I could have gotten such info on all 4NT processes like this:


wmiquery /a . "select * from win32_process where name = '4nt.exe'"

If I happened to know that I was interested in the 21st instance of Win32_Process, I might have:
Code:
    v:\> wmiquery . "select name,processid from win32_process" 21
    Name = 4nt.exe
    ProcessId = 2032
One last note on @WMI[]. Quite simply, it can be used to pick out any collection of values (one per line) of properties of a single class instance. Here are a couple of examples illustrating the difference between formatted perf data (seconds of uptime) and raw perf data (an "age" (FILETIME) of the last boot):
Code:
    v:\> echo The system has been up for %@wmi[.,"select systemuptime from
    Win32_PerfFormattedData_PerfOS_System"] seconds.

    The system has been up for 953245 seconds.
Code:
    v:\> echo The system was last booted %@agedate[%@wmi[.,"select
    systemuptime from Win32_PerfRawData_PerfOS_System"]]

    The system was last booted 2006-08-22,21:19:10.500
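As an added example (not part of the original post, and not 4NT code), here is a small Python script that turns wmiquery "Property = value" output into one record per instance and converts the CIM_DATETIME values shown above (LastBootUpTime, LocalDateTime, CreationDate) into timezone-aware datetimes, so that uptime or a process's age can be computed and compared across hosts; the sample input is constructed from the listings in this post.

```python
import re
from datetime import datetime, timedelta, timezone

# CIM_DATETIME: yyyymmddHHMMSS.ffffff followed by the UTC offset in minutes,
# e.g. 20060822171910.144297-240 is 17:19:10.144297 at UTC-4 (-240 minutes).
CIM_DATETIME = re.compile(r"^(\d{14})\.(\d{6})([+-])(\d{3})$")
# One wmiquery output line: "Property = value" (value may be empty).
KEY_VALUE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")


def parse_cim_datetime(text):
    """Convert a CIM_DATETIME string into a timezone-aware datetime."""
    m = CIM_DATETIME.match(text.strip())
    if not m:
        raise ValueError(f"not a CIM_DATETIME: {text!r}")
    stamp, micros, sign, offset = m.groups()
    minutes = int(offset) if sign == "+" else -int(offset)
    tz = timezone(timedelta(minutes=minutes))
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(
        microsecond=int(micros), tzinfo=tz)


def parse_wmiquery(output):
    """Split wmiquery output into one dict per instance.
    Properties come back sorted per instance, so a repeated property
    name marks the start of the next instance (as with /a on Win32_Process)."""
    records, current = [], {}
    for line in output.splitlines():
        m = KEY_VALUE.match(line)
        if not m:
            continue  # prompt line, blank line, etc.
        key, value = m.groups()
        if key in current:
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records


def uptime_seconds(os_record):
    """Seconds between LastBootUpTime and LocalDateTime of a
    Win32_OperatingSystem record (both CIM_DATETIME strings)."""
    boot = parse_cim_datetime(os_record["LastBootUpTime"])
    now = parse_cim_datetime(os_record["LocalDateTime"])
    return (now - boot).total_seconds()


# Constructed sample input, copied from the listings in the post.
OS_OUTPUT = """LastBootUpTime = 20060822171910.144297-240
LocalDateTime = 20060902171332.307000-240"""
PROCESS_OUTPUT = """Name = explorer.exe
ProcessId = 1856
Name = 4nt.exe
ProcessId = 2032
Name = wmiprvse.exe
ProcessId = 2012"""
```

Feeding the Win32_OperatingSystem listing above through uptime_seconds() gives about 950062 seconds, and the LastBootUpTime value converts to 21:19:10 UTC, which is exactly what the @agedate example printed.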
I hope I've gotten you interested!

Vincent Fatica