
WMI Basics

Discussion in 'T&T - Scripting' started by nchernoff, Jun 3, 2008.

    Migrated From JP Software Wiki

    When I learned, during the private beta testing of version 8, of 4NT's Windows Management Instrumentation query capabilities, I was very excited. I had some idea how much information was available from WMI and had (painfully) delved once or twice into WMI programming. Let me give a brief tutorial on the subject. I hope to give sufficient examples so users might continue to explore on their own. I hope those more versed in WMI will add to our appreciation of this powerful feature.

    4NT's interface to WMI is not meant to be all-encompassing, but I suspect that with it the user has access to over 99% of the information in the WMI repository. It has two aspects. First there's the interactive WMIQUERY command, which allows for listing the classes of information available and for querying the values of members of those classes. Second is @WMI[], which returns the values of specified members of a specified class.

    Here's a good starting point for learning about WMI classes:

    Microsoft WMI Classes

    The largest "namespace" in the WMI repository and the one most likely to be useful is called "root\cimv2" which can be abbreviated ".". The command


    wmiquery /c . "*"

    shows me the names of 896 classes, nearly all of which fall into one of the categories "Win32_*" and "CIM_*".

    Here,


    wmiquery /c . "win32_*"

    shows some 462 classes in the first of those categories. Here's one with its output:
    Code:
        v:\> wmiquery /c . "win32_operating*"
        Win32_OperatingSystem
        Win32_OperatingSystemAutochkSetting
        Win32_OperatingSystemQFE
    
    The Win32_OperatingSystem class and the Win32_Process class are very interesting, and most, perhaps all, of the remaining examples will deal with them. There are also several interesting classes of PERF data; try


    wmiquery /c . "win32_*perf*"

    Querying is done using a subset of WQL (Windows Query Language) which is itself a subset of ANSI-SQL. The basic form of a query is:


    "select properties from <class> [where ...]"

    It should be noted that if several properties are requested, they are returned in alphabetical order (not in the order requested). Here, for example, are all the properties of Win32_OperatingSystem:
    Code:
        v:\> wmiquery . "select * from Win32_OperatingSystem"
    
        BootDevice = \Device\HarddiskVolume2
        BuildNumber = 2600
        BuildType = Uniprocessor Free
        Caption = Microsoft Windows XP Professional
        CodeSet = 1252
        CountryCode = 1
        CreationClassName = Win32_OperatingSystem
        CSCreationClassName = Win32_ComputerSystem
        CSDVersion = Service Pack 2
        CSName = JJ
        CurrentTimeZone = -240
        DataExecutionPrevention_32BitApplications = False
        DataExecutionPrevention_Available = False
        DataExecutionPrevention_Drivers = False
        DataExecutionPrevention_SupportPolicy = 2
        Debug = False
        Description =
        Distributed = False
        EncryptionLevel = 168
        ForegroundApplicationBoost = 2
        FreePhysicalMemory = 733344
        FreeSpaceInPagingFiles = 1829044
        FreeVirtualMemory = 2056712
        InstallDate = 20021227212114.000000-300
        LargeSystemCache = 0
        LastBootUpTime = 20060822171910.144297-240
        LocalDateTime = 20060902171332.307000-240
        Locale = 0409
        Manufacturer = Microsoft Corporation
        MaxNumberOfProcesses = -1
        MaxProcessMemorySize = 2097024
        Name = Microsoft Windows XP Professional|F:\WINDOWS|\Device\Harddisk0\Partition5
        NumberOfProcesses = 22
        NumberOfUsers = 2
        Organization = Syracuse University Mathematics
        OSLanguage = 1033
        OSType = 18
        Primary = True
        ProductType = 1
        QuantumLength = 0
        QuantumType = 0
        RegisteredUser = Vincent Fatica
        SerialNumber = 55274-OEM-0011903-00102
        ServicePackMajorVersion = 2
        ServicePackMinorVersion = 0
        SizeStoredInPagingFiles = 1998364
        Status = OK
        SuiteMask = 272
        SystemDevice = \Device\HarddiskVolume5
        SystemDirectory = F:\WINDOWS\system32
        SystemDrive = F:
        TotalVirtualMemorySize = 2097024
        TotalVisibleMemorySize = 1047532
        Version = 5.1.2600
        WindowsDirectory = F:\WINDOWS
    
    Had I wanted only a couple bits of info, I could have:
    Code:
        v:\> wmiquery . "select lastbootuptime,localdatetime from Win32_OperatingSystem"
    
        LastBootUpTime = 20060822171910.144297-240
        LocalDateTime = 20060902171828.152000-240
    
    Many classes have several instances. A good example is the Win32_Process class. This command


    wmiquery /a . "select * from win32_process"

    would give every property of every process of the current machine (more info than I wish to include here).

    Here's one with more manageable output:
    Code:
        v:\> wmiquery /a . "select processid,name from win32_process"
        Name = System Idle Process
        ProcessId = 0
        Name = System
        ProcessId = 4
        Name = smss.exe
        ProcessId = 456
        Name = csrss.exe
        ProcessId = 508
        Name = winlogon.exe
        ProcessId = 532
        Name = services.exe
        ProcessId = 576
        Name = lsass.exe
        ProcessId = 588
        Name = svchost.exe
        ProcessId = 744
        Name = svchost.exe
        ProcessId = 800
        Name = svchost.exe
        ProcessId = 916
        Name = svchost.exe
        ProcessId = 928
        Name = svchost.exe
        ProcessId = 1028
        Name = spoolsv.exe
        ProcessId = 1044
        Name = DKService.exe
        ProcessId = 1212
        Name = dnews.exe
        ProcessId = 1396
        Name = mercury.exe
        ProcessId = 2000
        Name = explorer.exe
        ProcessId = 1856
        Name = powerpro.exe
        ProcessId = 192
        Name = winpm-32.exe
        ProcessId = 884
        Name = agent.exe
        ProcessId = 1236
        Name = 4nt.exe
        ProcessId = 2032
        Name = wmiprvse.exe
        ProcessId = 2012
    
    I could get info on the current 4NT like this:
    Code:
        v:\> wmiquery . "select * from win32_process where processid = '%_pid'"
        Caption = 4nt.exe
        CommandLine = "E:\Users\vefatica\Desktop\4ntbeta\Beta8\{app}\4nt.exe"
        CreationClassName = Win32_Process
        CreationDate = 20060902165926.806805-240
        CSCreationClassName = Win32_ComputerSystem
        CSName = JJ
        Description = 4nt.exe
        ExecutablePath = E:\Users\vefatica\Desktop\4ntbeta\Beta8\{app}\4nt.exe
        Handle = 2032
        HandleCount = 135
        KernelModeTime = 2500000
        MaximumWorkingSetSize = 1413120
        MinimumWorkingSetSize = 204800
        Name = 4nt.exe
        OSCreationClassName = Win32_OperatingSystem
        OSName = Microsoft Windows XP Professional|F:\WINDOWS|\Device\Harddisk0\Partition5
        OtherOperationCount = 701
        OtherTransferCount = 12063
        PageFaults = 4913
        PageFileUsage = 6340608
        ParentProcessId = 1856
        PeakPageFileUsage = 7213056
        PeakVirtualSize = 98697216
        PeakWorkingSetSize = 9867264
        Priority = 8
        PrivatePageCount = 6340608
        ProcessId = 2032
        QuotaNonPagedPoolUsage = 20360
        QuotaPagedPoolUsage = 44800
        QuotaPeakNonPagedPoolUsage = 21168
        QuotaPeakPagedPoolUsage = 46136
        ReadOperationCount = 127
        ReadTransferCount = 170040
        SessionId = 0
        ThreadCount = 6
        UserModeTime = 4218750
        VirtualSize = 98697216
        WindowsVersion = 5.1.2600
        WorkingSetSize = 9789440
        WriteOperationCount = 483
        WriteTransferCount = 14082
    
    I could have gotten such info on all 4NT processes like this:


    wmiquery /a . "select * from win32_process where name = '4nt.exe'"

    If I happened to know that I was interested in the 21st instance of Win32_Process, I might have:
    Code:
        v:\> wmiquery . "select name,processid from win32_process" 21
        Name = 4nt.exe
        ProcessId = 2032
    
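Before moving on to @WMI[], here is an added example (Python, not code from the post or from 4NT) that parses the multi-instance WMIQUERY output shown above and uses the ParentProcessId property from the Win32_Process dump to answer a question a responder often asks: which processes did a given process start? The sample output is constructed, modelled on the post's "select processid,name" listing with ParentProcessId added.

```python
"""Parse the "Property = value" lines that WMIQUERY prints and rebuild the
process tree from them. Added example, not code from the post or from 4NT.
With /a, WMIQUERY repeats one block of lines per instance, and the properties
in a block come back in alphabetical order, so a new instance begins whenever
the first property name appears again."""
import re

LINE_RE = re.compile(r"^\s*(\w+)\s*=\s?(.*)$")

# Constructed sample, modelled on the post's output of
#   wmiquery /a . "select name,parentprocessid,processid from win32_process"
SAMPLE_OUTPUT = """\
Name = svchost.exe
ParentProcessId = 576
ProcessId = 744
Name = explorer.exe
ParentProcessId = 1800
ProcessId = 1856
Name = 4nt.exe
ParentProcessId = 1856
ProcessId = 2032
Name = wmiprvse.exe
ParentProcessId = 744
ProcessId = 2012
"""

def parse_wmiquery(text):
    """Return one dict per WMI instance found in WMIQUERY output."""
    instances, current, first_key = [], {}, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # prompt lines and blank lines
        key, value = m.group(1), m.group(2).rstrip()
        if first_key is None:
            first_key = key
        elif key == first_key:        # alphabetical order wrapped: new instance
            instances.append(current)
            current = {}
        current[key] = value
    if current:
        instances.append(current)
    return instances

def children_of(instances, pid):
    """Names of the processes whose ParentProcessId equals pid."""
    return [i["Name"] for i in instances if i.get("ParentProcessId") == str(pid)]
```

Feeding the real output of a `select *` query works the same way, since every instance repeats the full alphabetical property list, empty values ("Description =") included.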
    One last note on @WMI[]. Quite simply, it can be used to pick out any collection of property values (one per line) of a single class instance. Here are a couple of examples illustrating the difference between formatted perf data (seconds of uptime) and raw perf data (an "age" (FILETIME) of the last boot):
    Code:
        v:\> echo The system has been up for %@wmi[.,"select systemuptime from Win32_PerfFormattedData_PerfOS_System"] seconds.
    
        The system has been up for 953245 seconds.
    
    Code:
        v:\> echo The system was last booted %@agedate[%@wmi[.,"select systemuptime from Win32_PerfRawData_PerfOS_System"]]
    
        The system was last booted 2006-08-22,21:19:10.500
    
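The two timestamp formats that appear in the output above are worth being able to decode outside 4NT, for instance when WMIQUERY output has been saved to a file during an investigation. This added Python (not code from the post or from 4NT) parses CIM_DATETIME values such as LastBootUpTime and converts FILETIME tick counts; treating the raw SystemUpTime value as a FILETIME follows the post's description, and the expected round-trips below use the post's own LastBootUpTime and LocalDateTime values.

```python
"""Decode the timestamp formats seen in WMIQUERY output. Added example, not
code from the post or from 4NT.
* CIM_DATETIME, e.g. LastBootUpTime = 20060822171910.144297-240:
  yyyymmddHHMMSS.ffffff followed by a signed UTC offset in minutes.
* FILETIME (the post's reading of Win32_PerfRawData_PerfOS_System.SystemUpTime):
  100-nanosecond ticks since 1601-01-01 UTC."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_cim_datetime(value):
    """Convert a CIM_DATETIME string to a timezone-aware datetime."""
    # 14 digits, '.', 6 digits, then a 4-character offset such as -240 or +000.
    if len(value) != 25 or value[14] != ".":
        raise ValueError(f"not a CIM_DATETIME: {value!r}")
    stamp, micro, offset = value[:14], value[15:21], value[21:]
    tz = timezone(timedelta(minutes=int(offset)))    # int() rejects "***"
    local = datetime.strptime(stamp, "%Y%m%d%H%M%S")
    return local.replace(microsecond=int(micro), tzinfo=tz)

def cim_to_utc_iso(value):
    """CIM_DATETIME -> ISO 8601 in UTC, to the second (what @agedate showed)."""
    return parse_cim_datetime(value).astimezone(timezone.utc).isoformat(timespec="seconds")

def uptime_seconds(local_cim, boot_cim):
    """Whole seconds between LastBootUpTime and LocalDateTime, like the
    SystemUpTime property of Win32_PerfFormattedData_PerfOS_System."""
    delta = parse_cim_datetime(local_cim) - parse_cim_datetime(boot_cim)
    return int(delta.total_seconds())

def filetime_to_datetime(ticks):
    """FILETIME tick count -> UTC datetime (sub-microsecond ticks dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def to_filetime(dt):
    """Inverse of filetime_to_datetime for an aware datetime."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
```

The post's LastBootUpTime of 20060822171910.144297-240 comes out as 2006-08-22 21:19:10 UTC, matching the @agedate result above to within the half second that separates the two samples.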
    I hope I've gotten you interested!

    Vincent Fatica