Migrated From JP Software Wiki
When I learned, during the private beta testing of version 8, of 4NT's Windows Management Instrumentation query capabilities, I was very excited. I had some idea how much information was available from WMI and had (painfully) delved once or twice into WMI programming. Let me give a brief tutorial on the subject. I hope to give sufficient examples so users might continue to explore on their own. I hope those more versed in WMI will add to our appreciation of this powerful feature.
4NT's interface to WMI is not meant to be all-encompassing, but I suspect that with it the user has access to over 99% of the information in the WMI repository. It has two aspects. First, there's the interactive WMIQUERY command, which allows for listing the classes of information available and for querying the values of members of those classes. Second is @WMI[], which will return the values of specified members of specified classes.
Here's a good starting point for learning about WMI classes:
Microsoft WMI Classes
The largest "namespace" in the WMI repository and the one most likely to be useful is called "root\cimv2" which can be abbreviated ".". The command
wmiquery /c . "*"
shows me the names of 896 classes, nearly all of which fall into one of the categories "Win32_*" and "CIM_*".
Here,
wmiquery /c . "win32_*"
shows some 462 classes in the first of those categories. Here's one with its output:
Code:
v:\> wmiquery /c . "win32_operating*"
Win32_OperatingSystem
Win32_OperatingSystemAutochkSetting
Win32_OperatingSystemQFE
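The Win32_OperatingSystem class and the Win32_Process class are very interesting, and most, perhaps all, of the remaining examples will deal with them. There are also several interesting classes of PERF data; try
wmiquery /c . "win32_*perf*"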
Querying is done using a subset of WQL (Windows Query Language) which is itself a subset of ANSI-SQL. The basic form of a query is:
"select properties from <class> [where ...]"
It should be noted that if several properties are requested they are returned in alphabetical order (not in the order requested). Here, for example, are all the properties of Win32_OperatingSystem:
Code:
v:\> wmiquery . "select * from Win32_OperatingSystem"
BootDevice = \Device\HarddiskVolume2
BuildNumber = 2600
BuildType = Uniprocessor Free
Caption = Microsoft Windows XP Professional
CodeSet = 1252
CountryCode = 1
CreationClassName = Win32_OperatingSystem
CSCreationClassName = Win32_ComputerSystem
CSDVersion = Service Pack 2
CSName = JJ
CurrentTimeZone = -240
DataExecutionPrevention_32BitApplications = False
DataExecutionPrevention_Available = False
DataExecutionPrevention_Drivers = False
DataExecutionPrevention_SupportPolicy = 2
Debug = False
Description =
Distributed = False
EncryptionLevel = 168
ForegroundApplicationBoost = 2
FreePhysicalMemory = 733344
FreeSpaceInPagingFiles = 1829044
FreeVirtualMemory = 2056712
InstallDate = 20021227212114.000000-300
LargeSystemCache = 0
LastBootUpTime = 20060822171910.144297-240
LocalDateTime = 20060902171332.307000-240
Locale = 0409
Manufacturer = Microsoft Corporation
MaxNumberOfProcesses = -1
MaxProcessMemorySize = 2097024
Name = Microsoft Windows XP Professional|F:\WINDOWS|\Device\Harddisk0\Partition5
NumberOfProcesses = 22
NumberOfUsers = 2
Organization = Syracuse University Mathematics
OSLanguage = 1033
OSType = 18
Primary = True
ProductType = 1
QuantumLength = 0
QuantumType = 0
RegisteredUser = Vincent Fatica
SerialNumber = 55274-OEM-0011903-00102
ServicePackMajorVersion = 2
ServicePackMinorVersion = 0
SizeStoredInPagingFiles = 1998364
Status = OK
SuiteMask = 272
SystemDevice = \Device\HarddiskVolume5
SystemDirectory = F:\WINDOWS\system32
SystemDrive = F:
TotalVirtualMemorySize = 2097024
TotalVisibleMemorySize = 1047532
Version = 5.1.2600
WindowsDirectory = F:\WINDOWS
Had I wanted only a couple bits of info, I could have:
Code:
v:\> wmiquery . "select lastbootuptime,localdatetime from Win32_OperatingSystem"
LastBootUpTime = 20060822171910.144297-240
LocalDateTime = 20060902171828.152000-240
Many classes have several instances. A good example is the Win32_Process class. This command
wmiquery /a . "select * from win32_process"
would give every property of every process of the current machine (more info than I wish to include here).
Here's one with more manageable output:
Code:
v:\> wmiquery /a . "select processid,name from win32_process"
Name = System Idle Process
ProcessId = 0
Name = System
ProcessId = 4
Name = smss.exe
ProcessId = 456
Name = csrss.exe
ProcessId = 508
Name = winlogon.exe
ProcessId = 532
Name = services.exe
ProcessId = 576
Name = lsass.exe
ProcessId = 588
Name = svchost.exe
ProcessId = 744
Name = svchost.exe
ProcessId = 800
Name = svchost.exe
ProcessId = 916
Name = svchost.exe
ProcessId = 928
Name = svchost.exe
ProcessId = 1028
Name = spoolsv.exe
ProcessId = 1044
Name = DKService.exe
ProcessId = 1212
Name = dnews.exe
ProcessId = 1396
Name = mercury.exe
ProcessId = 2000
Name = explorer.exe
ProcessId = 1856
Name = powerpro.exe
ProcessId = 192
Name = winpm-32.exe
ProcessId = 884
Name = agent.exe
ProcessId = 1236
Name = 4nt.exe
ProcessId = 2032
Name = wmiprvse.exe
ProcessId = 2012
I could get info on the current 4NT like this:
Code:
v:\> wmiquery . "select * from win32_process where processid = '%_pid'"
Caption = 4nt.exe
CommandLine = "E:\Users\vefatica\Desktop\4ntbeta\Beta8\{app}\4nt.exe"
CreationClassName = Win32_Process
CreationDate = 20060902165926.806805-240
CSCreationClassName = Win32_ComputerSystem
CSName = JJ
Description = 4nt.exe
ExecutablePath = E:\Users\vefatica\Desktop\4ntbeta\Beta8\{app}\4nt.exe
Handle = 2032
HandleCount = 135
KernelModeTime = 2500000
MaximumWorkingSetSize = 1413120
MinimumWorkingSetSize = 204800
Name = 4nt.exe
OSCreationClassName = Win32_OperatingSystem
OSName = Microsoft Windows XP Professional|F:\WINDOWS|\Device\Harddisk0\Partition5
OtherOperationCount = 701
OtherTransferCount = 12063
PageFaults = 4913
PageFileUsage = 6340608
ParentProcessId = 1856
PeakPageFileUsage = 7213056
PeakVirtualSize = 98697216
PeakWorkingSetSize = 9867264
Priority = 8
PrivatePageCount = 6340608
ProcessId = 2032
QuotaNonPagedPoolUsage = 20360
QuotaPagedPoolUsage = 44800
QuotaPeakNonPagedPoolUsage = 21168
QuotaPeakPagedPoolUsage = 46136
ReadOperationCount = 127
ReadTransferCount = 170040
SessionId = 0
ThreadCount = 6
UserModeTime = 4218750
VirtualSize = 98697216
WindowsVersion = 5.1.2600
WorkingSetSize = 9789440
WriteOperationCount = 483
WriteTransferCount = 14082
I could have gotten such info on all 4NT processes like this:
wmiquery /a . "select * from win32_process where name = '4nt.exe'"
If I happened to know that I was interested in the 21st instance of Win32_Process, I might have:
Code:
v:\> wmiquery . "select name,processid from win32_process" 21
Name = 4nt.exe
ProcessId = 2032
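The /a output above prints instances back to back with no separator, so anything that consumes it (an inventory or triage script, say) has to find the instance boundaries itself. The following Python sketch is an added example, not part of the original page: it relies on the alphabetical property order noted earlier and then follows ParentProcessId upward. The function names and the sample's parent PIDs (other than 1856 for 4nt.exe) are assumptions.

```python
import re

LINE_RE = re.compile(r"^(\w+) =\s?(.*)$")   # "Property = value"; value may be empty

# Constructed sample in the page's output format. PIDs and names come from the
# listing above; every ParentProcessId except 4nt.exe's (1856) is assumed.
SAMPLE = """\
Name = System Idle Process
ParentProcessId = 0
ProcessId = 0
Name = System
ParentProcessId = 0
ProcessId = 4
Name = smss.exe
ParentProcessId = 4
ProcessId = 456
Name = explorer.exe
ParentProcessId = 1500
ProcessId = 1856
Name = 4nt.exe
ParentProcessId = 1856
ProcessId = 2032
"""


def parse_instances(text):
    """One dict per instance; a repeat of the first property starts the next one."""
    records, first_key = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # prompt lines, wrapped text, blanks
        key, value = m.groups()
        first_key = first_key or key
        if key == first_key:
            records.append({})
        records[-1][key] = value.strip()
    return records


def lineage(records, pid):
    """Process names from pid up to the oldest ancestor that is still listed."""
    by_pid = {int(r["ProcessId"]): r for r in records}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # parent exited, or the 0 -> 0 self-loop
        seen.add(pid)
        chain.append(by_pid[pid]["Name"])
        pid = int(by_pid[pid]["ParentProcessId"])
    return chain
```

Because Windows reuses process IDs, a parent link is only reliable when the parent's CreationDate is earlier than the child's.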
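One last note on @WMI[]. Quite simply, it can be used to pick out any collection of property values (one per line) from a single class instance. Here are a couple of examples illustrating the difference between formatted perf data (seconds uptime) and raw perf data (an "age" (FILETIME) of the last boot):
Code:
v:\> echo The system has been up for %@wmi[.,"select systemuptime from Win32_PerfFormattedData_PerfOS_System"] seconds.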
The system has been up for 953245 seconds.
Code:
v:\> echo The system was last booted %@agedate[%@wmi[.,"select systemuptime from Win32_PerfRawData_PerfOS_System"]]
The system was last booted 2006-08-22,21:19:10.500
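The boot time appears on this page in two forms: the LastBootUpTime string, which is local time with a UTC offset in minutes, and the FILETIME behind the @agedate result, which is UTC. The Python below is an added example, not part of the original page, that normalizes both so they can be compared or placed on one timeline. RAW_BOOT_FILETIME is a constructed value matching the @agedate output, and the function names are illustrative.

```python
import re
from datetime import datetime, timedelta, timezone

CIM_RE = re.compile(r"^(\d{14})\.(\d{6})([+-])(\d{3})$")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Values printed by the Win32_OperatingSystem queries on this page.
LAST_BOOT = "20060822171910.144297-240"
LOCAL_NOW = "20060902171332.307000-240"
# Constructed: the FILETIME equal to the @agedate result 2006-08-22,21:19:10.500;
# the raw counter value itself is not shown on the page.
RAW_BOOT_FILETIME = 128007551505000000


def parse_cim_datetime(value):
    """yyyymmddHHMMSS.ffffff+/-UUU -> aware datetime (UUU = minutes from UTC)."""
    m = CIM_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a CIM datetime: {value!r}")
    stamp, micros, sign, minutes = m.groups()
    offset = timedelta(minutes=int(minutes)) * (1 if sign == "+" else -1)
    local = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(microsecond=int(micros))
    return local.replace(tzinfo=timezone(offset))


def filetime_to_utc(ticks):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def uptime_seconds(last_boot, now):
    """Whole seconds between two CIM datetimes, compared as instants."""
    return int((parse_cim_datetime(now) - parse_cim_datetime(last_boot)).total_seconds())


if __name__ == "__main__":
    boot = parse_cim_datetime(LAST_BOOT).astimezone(timezone.utc)
    print("boot (CIM, as UTC):", boot.isoformat())
    print("boot (FILETIME):   ", filetime_to_utc(RAW_BOOT_FILETIME).isoformat())
    print("uptime at LocalDateTime:", uptime_seconds(LAST_BOOT, LOCAL_NOW), "s")
```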
I hope I've gotten you interested!
Vincent Fatica