WMI - wmic

Syntax: wmic -U domain/user%password //host "<query>"

Preface

WMIC in our case is the Linux WMI client (MS Windows ships a tool with a similar name, wmic.exe). It is a WMI client application that uses the ExecQuery WMI method to request data from a remote MS Windows server.

WMIC options:

[root@Linux-WMI-Client test]# wmic --help
Usage: //host query

Example: wmic -U [domain/]adminuser%password //host "select * from Win32_ComputerSystem"
  --namespace=STRING                          WMI namespace, default to
                                              root\cimv2
  --delimiter=STRING                          delimiter to use when querying
                                              multiple values, default to '|'
Help options:
  -?, --help                                  Show this help message
  --usage                                     Display brief usage message

Common samba options:
  -d, --debuglevel=DEBUGLEVEL                 Set debug level
  --debug-stderr                              Send debug output to STDERR
  -s, --configfile=CONFIGFILE                 Use alternative configuration
                                              file
  --option=name=value                         Set smb.conf option from command
                                              line
  -l, --log-basename=LOGFILEBASE              Basename for log/debug files
  --leak-report                               enable talloc leak reporting on
                                              exit
  --leak-report-full                          enable full talloc leak
                                              reporting on exit
Connection options:
  -R, --name-resolve=NAME-RESOLVE-ORDER       Use these name resolution
                                              services only
  -O, --socket-options=SOCKETOPTIONS          socket options to use
  -n, --netbiosname=NETBIOSNAME               Primary netbios name
  -W, --workgroup=WORKGROUP                   Set the workgroup name
  --realm=REALM                               Set the realm name
  -i, --scope=SCOPE                           Use this Netbios scope
  -m, --maxprotocol=MAXPROTOCOL               Set max protocol level

Authentication options:
  -U, --user=[DOMAIN\]USERNAME[%PASSWORD]     Set the network username
  -N, --no-pass                               Don't ask for a password
  --password=STRING                           Password
  -A, --authentication-file=FILE              Get the credentials from a file
  -S, --signing=on|off|required               Set the client signing state
  -P, --machine-pass                          Use stored machine account
                                              password (implies -k)
  --simple-bind-dn=STRING                     DN to use for a simple bind
  -k, --kerberos=STRING                       Use Kerberos
  --use-security-mechanisms=STRING            Restricted list of
                                              authentication mechanisms
                                              available for use with this
                                              authentication
Common samba options:
  -V, --version                               Print version

WMIC Query

WMIC uses the WMI Query Language (WQL).

WMI uses “classes” that provide information about the MS Windows system. To understand how this works, think of the structure as a standard SQL database:

- Database (server):        the “WMI” server

- Database (database name): a “Class Section”
                            (Win32 Classes, WMI System Classes, MSFT Classes, CIM Classes,
                            Standard Consumer Classes, MSMCA Classes, WMI C++ Classes).
                            For more details see the official MS support web site:
                            http://msdn.microsoft.com/en-us/library/aa394554

- Database table:           a particular “Class”
                            within each “Class Section” (group).

- Data:                     returned by a Select query sent to a particular “WMI” server for the “Class” in its “Class Section”.

Because of this, the query can be customized and particular values filtered, just as in standard SQL. For more details see the MS official web site: http://msdn.microsoft.com/en-us/library/windows/desktop/aa394606

WMIC - Query Example

List of all running processes on my remote MS Windows Server:

[root@Linux-WMI-Client ~]# wmic -U wmiuser%wmipasswd //wmi-server.localnet "select caption, name, parentprocessid, processid from win32_process"
CLASS: Win32_Process
Caption|Handle|Name|ParentProcessId|ProcessId
System Idle Process|0|System Idle Process|0|0
System|4|System|0|4
smss.exe|212|smss.exe|4|212
csrss.exe|288|csrss.exe|280|288
csrss.exe|340|csrss.exe|332|340
wininit.exe|348|wininit.exe|280|348
winlogon.exe|376|winlogon.exe|332|376
services.exe|436|services.exe|348|436
lsass.exe|444|lsass.exe|348|444
lsm.exe|452|lsm.exe|348|452
svchost.exe|548|svchost.exe|436|548
svchost.exe|624|svchost.exe|436|624
svchost.exe|712|svchost.exe|436|712
svchost.exe|744|svchost.exe|436|744
svchost.exe|792|svchost.exe|436|792
svchost.exe|832|svchost.exe|436|832
svchost.exe|876|svchost.exe|436|876
svchost.exe|976|svchost.exe|436|976
spoolsv.exe|256|spoolsv.exe|436|256
svchost.exe|692|svchost.exe|436|692
dns.exe|868|dns.exe|436|868
svchost.exe|1036|svchost.exe|436|1036
snmp.exe|1076|snmp.exe|436|1076
svchost.exe|1784|svchost.exe|436|1784
msdtc.exe|1820|msdtc.exe|436|1820
sppsvc.exe|1892|sppsvc.exe|436|1892
taskhost.exe|1676|taskhost.exe|436|1676
dwm.exe|2000|dwm.exe|832|2000
explorer.exe|1264|explorer.exe|2024|1264
Oobe.exe|1372|Oobe.exe|1340|1372
WMIC.exe|1436|WMIC.exe|1264|1436
conhost.exe|1552|conhost.exe|340|1552
cmd.exe|1512|cmd.exe|1264|1512
conhost.exe|1772|conhost.exe|340|1772
winexesvc.exe|1388|winexesvc.exe|436|1388
WmiPrvSE.exe|1624|WmiPrvSE.exe|548|1624

As you can see, I used SQL-like syntax to get the interesting data:

“select caption, name, parentprocessid, processid from win32_process”

I also did not print every property of the class (win32_process), only the interesting ones (caption, name, parentprocessid, processid).
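The query above and the WQL filtering described in the previous section are easiest to use from a script that builds the wmic command line and parses the '|'-delimited output. The following is an added example (not code from the page or from the Samba wmic project): it constructs the argv for the Linux wmic client using only the options from its --help output, parses a constructed sample of the Win32_Process listing shown above, and lists the children of a given parent process. The parser keys rows on the header row rather than on the SELECT list, because (as the listing above shows) the key property Handle is printed even though it was not selected. The host name, user name, password and authentication file path are placeholders.

```python
import subprocess

# Constructed sample: a trimmed copy of the Win32_Process output shown above,
# as the Linux wmic client prints it (CLASS line, header row, '|'-delimited rows).
SAMPLE_OUTPUT = """CLASS: Win32_Process
Caption|Handle|Name|ParentProcessId|ProcessId
System Idle Process|0|System Idle Process|0|0
System|4|System|0|4
smss.exe|212|smss.exe|4|212
services.exe|436|services.exe|348|436
svchost.exe|548|svchost.exe|436|548
dns.exe|868|dns.exe|436|868
winexesvc.exe|1388|winexesvc.exe|436|1388
WmiPrvSE.exe|1624|WmiPrvSE.exe|548|1624
"""


def build_wmic_argv(host, query, user=None, password=None, auth_file=None,
                    delimiter="|", namespace=None):
    """Build argv for the Linux wmic client from the options in its --help output.

    Prefer auth_file (-A): a 'user%password' given with -U is visible to every local
    user in the process list for as long as wmic runs.
    """
    argv = ["wmic"]
    if auth_file is not None:
        argv += ["-A", auth_file]
    elif user is not None:
        argv += ["-U", user if password is None else f"{user}%{password}"]
    if namespace is not None:
        argv.append(f"--namespace={namespace}")
    argv.append(f"--delimiter={delimiter}")
    argv += [f"//{host}", query]
    return argv


def run_wmic(argv, timeout=30):
    """Run wmic and return (returncode, stdout, stderr). argv is never logged here
    because it may carry a password."""
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout, proc.stderr


def parse_wmic_output(text, delimiter="|"):
    """Parse wmic's text output into (class_name, list_of_row_dicts).

    Keys come from the header row, not from the SELECT list: the key property
    (Handle for Win32_Process) is printed even when it was not selected.
    """
    class_name = None
    header = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("CLASS: "):
            class_name = line[len("CLASS: "):].strip()
            header = None  # a new class block starts; its header row follows
            continue
        fields = line.split(delimiter)
        if header is None:
            header = fields
            continue
        if len(fields) != len(header):
            # A value containing the delimiter lands here; choose a delimiter
            # (--delimiter) that cannot occur in the data instead of guessing.
            raise ValueError(f"field count mismatch in row: {line!r}")
        rows.append(dict(zip(header, fields)))
    return class_name, rows


def children_of(rows, parent_pid):
    """Names of the processes whose ParentProcessId equals parent_pid
    (string compare, because wmic prints every value as text)."""
    parent_pid = str(parent_pid)
    return [r["Name"] for r in rows if r["ParentProcessId"] == parent_pid]


if __name__ == "__main__":
    cls, rows = parse_wmic_output(SAMPLE_OUTPUT)
    print(cls, len(rows), "rows")
    print("children of services.exe (436):", children_of(rows, 436))
    # Against a live host (placeholder names; needs the Linux wmic client installed).
    # The WHERE clause is standard WQL filtering, as the section above describes:
    # rc, out, err = run_wmic(build_wmic_argv(
    #     "wmi-server.localnet",
    #     "select name, processid from win32_process where parentprocessid = 436",
    #     auth_file="/root/.wmi-auth"))
```

The field-count check is deliberate: a silent `zip` would truncate or misalign a row whose value contains the delimiter, so the parser refuses it and the caller picks a safer `--delimiter`.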

WMIC - ExecQuery Error codes

When you use WMIC (with the help of ExecQuery on the MS Windows side), it is always handy to be able to test whether your query has failed. In our case WMIC provides an error code on failure.

Error Name                 Error dec.    Error hex.    Meaning
wbemErrAccessDenied        2147749891    0x80041003    Current user does not have the permission to view the result set.
wbemErrFailed              2147749889    0x80041001    Unspecified error.
wbemErrInvalidParameter    2147749896    0x80041008    Invalid parameter was specified.
wbemErrInvalidQuery        2147749911    0x80041017    Query syntax is not valid.
wbemErrInvalidQueryType    2147749912    0x80041018    Requested query language is not supported.
wbemErrOutOfMemory         2147749894    0x80041006    Not enough memory to complete the operation.

Example

[root@Linux-WMI-Client ~]# wmic -d 1 -U wmiuser%wmipasswd //wmi-server.localnet "cmd"     # "cmd" is not valid WMI Class (it is command to start CLI at MS WIN)

[lib/com/dcom/main.c:1172:bind_new_pipe()] lib/com/dcom/main.c:1172: dcom_get_pipe: host=wmi-server.localnet, similar=wmi-server.localnet[49155]
[wmi/wmic.c:196:main()] OK   : Login to remote object.                                    # Logging to remote MS Win Server is OK
[wmi/wmic.c:200:main()] OK   : WMI query execute.                                         # Requesting "cmd" data from remote MS Win server
[wmi/wmic.c:203:main()] OK   : Reset result of WMI query.
[wmi/wmic.c:212:main()] ERROR: Retrieve result data.                                      # Remote MS Win Server is providing Error message as "cmd" is not valid
NTSTATUS: NT code 0x80041017 - NT code 0x80041017                                         # "0x80041017" Hex. Error code

According to the error message (0x80041017) reported by WMIC, the “Query syntax is not valid”, so we need to investigate why.
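Mapping the NTSTATUS line back to the table above is what you do every time a query fails, so it is worth automating. The following is an added example (not code from the page or from the wmic project): it holds the six wbem codes from the table, accepts a code as decimal, hex string or int, scans wmic's debug output for the `NT code 0x...` line and reports which step wmic flagged as ERROR. The sample output is a constructed copy of the "cmd" failure shown above without the inline notes.

```python
import re

# The wbem error codes from the table above, keyed by the 32-bit HRESULT value.
WBEM_ERRORS = {
    0x80041001: ("wbemErrFailed", "Unspecified error."),
    0x80041003: ("wbemErrAccessDenied",
                 "Current user does not have the permission to view the result set."),
    0x80041006: ("wbemErrOutOfMemory", "Not enough memory to complete the operation."),
    0x80041008: ("wbemErrInvalidParameter", "Invalid parameter was specified."),
    0x80041017: ("wbemErrInvalidQuery", "Query syntax is not valid."),
    0x80041018: ("wbemErrInvalidQueryType", "Requested query language is not supported."),
}

# Constructed sample: the 'wmic -d 1' output shown above for the invalid query "cmd".
SAMPLE_STDERR = """[lib/com/dcom/main.c:1172:bind_new_pipe()] lib/com/dcom/main.c:1172: dcom_get_pipe: host=wmi-server.localnet, similar=wmi-server.localnet[49155]
[wmi/wmic.c:196:main()] OK   : Login to remote object.
[wmi/wmic.c:200:main()] OK   : WMI query execute.
[wmi/wmic.c:203:main()] OK   : Reset result of WMI query.
[wmi/wmic.c:212:main()] ERROR: Retrieve result data.
NTSTATUS: NT code 0x80041017 - NT code 0x80041017
"""

_NT_CODE = re.compile(r"NT code (0x[0-9A-Fa-f]{8})")


def normalize_code(code):
    """Accept an int, a decimal string ('2147749911') or a hex string ('0x80041017')
    and return the unsigned 32-bit HRESULT as an int."""
    if isinstance(code, str):
        code = int(code, 0)  # base 0 parses both '0x...' and plain decimal
    return code & 0xFFFFFFFF


def describe_wbem_error(code):
    """Return {'name', 'dec', 'hex', 'meaning'} for a known wbem code, else None."""
    value = normalize_code(code)
    entry = WBEM_ERRORS.get(value)
    if entry is None:
        return None
    name, meaning = entry
    return {"name": name, "dec": value, "hex": f"0x{value:08x}", "meaning": meaning}


def decode_wmic_failure(output):
    """Find the 'NTSTATUS: NT code 0x...' line in wmic output and describe it.

    Returns None when no NT code line is present. Unknown codes are still returned
    (name 'unknown') so the caller can log the raw value.
    """
    m = _NT_CODE.search(output)
    if not m:
        return None
    info = describe_wbem_error(m.group(1))
    if info is None:
        value = normalize_code(m.group(1))
        info = {"name": "unknown", "dec": value, "hex": f"0x{value:08x}",
                "meaning": "not in the wbem table above"}
    # With -d 1, wmic prefixes each step with OK/ERROR; keep the last ERROR step.
    failed_step = None
    for line in output.splitlines():
        if "] ERROR: " in line:
            failed_step = line.split("] ERROR: ", 1)[1].strip()
    info["failed_step"] = failed_step
    return info


if __name__ == "__main__":
    print(decode_wmic_failure(SAMPLE_STDERR))
```

Feeding the stderr from a wmic run into `decode_wmic_failure` turns "NT code 0x80041017" into `wbemErrInvalidQuery` with the failed step "Retrieve result data.", which is exactly the diagnosis drawn by hand above.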

