WMI - wmic
Syntax:

```
wmic -U domain/user%password //host "<query>"
```
Preface
WMIC in our case is the Linux WMI client (MS Windows has an application with a similar name, wmic.exe). It is a WMI client that uses the ExecQuery WMI method to request data from a remote MS Windows server.
WMIC options (note that `-U user%password` places the password on the command line, where it is visible in the process list and in the shell history; the `-A` option listed below reads the credentials from a file instead):
```
[root@Linux-WMI-Client test]# wmic --help
Usage: //host query
Example: wmic -U [domain/]adminuser%password //host "select * from Win32_ComputerSystem"
  --namespace=STRING                        WMI namespace, default to root\cimv2
  --delimiter=STRING                        delimiter to use when querying multiple values, default to '|'

Help options:
  -?, --help                                Show this help message
  --usage                                   Display brief usage message

Common samba options:
  -d, --debuglevel=DEBUGLEVEL               Set debug level
  --debug-stderr                            Send debug output to STDERR
  -s, --configfile=CONFIGFILE               Use alternative configuration file
  --option=name=value                       Set smb.conf option from command line
  -l, --log-basename=LOGFILEBASE            Basename for log/debug files
  --leak-report                             enable talloc leak reporting on exit
  --leak-report-full                        enable full talloc leak reporting on exit

Connection options:
  -R, --name-resolve=NAME-RESOLVE-ORDER     Use these name resolution services only
  -O, --socket-options=SOCKETOPTIONS        socket options to use
  -n, --netbiosname=NETBIOSNAME             Primary netbios name
  -W, --workgroup=WORKGROUP                 Set the workgroup name
  --realm=REALM                             Set the realm name
  -i, --scope=SCOPE                         Use this Netbios scope
  -m, --maxprotocol=MAXPROTOCOL             Set max protocol level

Authentication options:
  -U, --user=[DOMAIN\]USERNAME[%PASSWORD]   Set the network username
  -N, --no-pass                             Don't ask for a password
  --password=STRING                         Password
  -A, --authentication-file=FILE            Get the credentials from a file
  -S, --signing=on|off|required             Set the client signing state
  -P, --machine-pass                        Use stored machine account password (implies -k)
  --simple-bind-dn=STRING                   DN to use for a simple bind
  -k, --kerberos=STRING                     Use Kerberos
  --use-security-mechanisms=STRING          Restricted list of authentication mechanisms available for use with this authentication

Common samba options:
  -V, --version                             Print version
```
WMIC Query
WMIC uses the WMI Query Language (WQL).
WMI uses "classes" that provide information about the MS Windows system. To understand how it works, think of this structure as a standard SQL database:
- Database (server): the "WMI" server
- Database (database name): the "Class Section" (Win32 Classes, WMI System Classes, MSFT Classes, CIM Classes, Standard Consumer Classes, MSMCA Classes, WMI C++ Classes). For more details see the official MS documentation: http://msdn.microsoft.com/en-us/library/aa394554
- Database table: a particular "Class" within each "Class Section" (group).
- Data: returned by a SELECT query sent to a particular "WMI" server for a "Class" in one of its "Class Sections".
Accordingly, the query can be customized and particular values filtered, as in standard SQL. For more details see the official MS documentation: http://msdn.microsoft.com/en-us/library/windows/desktop/aa394606
WMIC - Query Example
A list of all running processes on my remote MS Windows server:

```
[root@Linux-WMI-Client ~]# wmic -U wmiuser%wmipasswd //wmi-server.localnet "select caption, name, parentprocessid, processid from win32_process"
CLASS: Win32_Process
Caption|Handle|Name|ParentProcessId|ProcessId
System Idle Process|0|System Idle Process|0|0
System|4|System|0|4
smss.exe|212|smss.exe|4|212
csrss.exe|288|csrss.exe|280|288
csrss.exe|340|csrss.exe|332|340
wininit.exe|348|wininit.exe|280|348
winlogon.exe|376|winlogon.exe|332|376
services.exe|436|services.exe|348|436
lsass.exe|444|lsass.exe|348|444
lsm.exe|452|lsm.exe|348|452
svchost.exe|548|svchost.exe|436|548
svchost.exe|624|svchost.exe|436|624
svchost.exe|712|svchost.exe|436|712
svchost.exe|744|svchost.exe|436|744
svchost.exe|792|svchost.exe|436|792
svchost.exe|832|svchost.exe|436|832
svchost.exe|876|svchost.exe|436|876
svchost.exe|976|svchost.exe|436|976
spoolsv.exe|256|spoolsv.exe|436|256
svchost.exe|692|svchost.exe|436|692
dns.exe|868|dns.exe|436|868
svchost.exe|1036|svchost.exe|436|1036
snmp.exe|1076|snmp.exe|436|1076
svchost.exe|1784|svchost.exe|436|1784
msdtc.exe|1820|msdtc.exe|436|1820
sppsvc.exe|1892|sppsvc.exe|436|1892
taskhost.exe|1676|taskhost.exe|436|1676
dwm.exe|2000|dwm.exe|832|2000
explorer.exe|1264|explorer.exe|2024|1264
Oobe.exe|1372|Oobe.exe|1340|1372
WMIC.exe|1436|WMIC.exe|1264|1436
conhost.exe|1552|conhost.exe|340|1552
cmd.exe|1512|cmd.exe|1264|1512
conhost.exe|1772|conhost.exe|340|1772
winexesvc.exe|1388|winexesvc.exe|436|1388
WmiPrvSE.exe|1624|WmiPrvSE.exe|548|1624
```
The query used:

```
select caption, name, parentprocessid, processid from win32_process
```

It selects only the properties of interest (caption, name, parentprocessid, processid) from the class (win32_process) rather than every property it has. Handle, the key property of the class, is printed by wmic even though it was not selected, as the listing above shows.
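Because the client prints plain delimited text, the listing above is easy to consume from a script, which is how an inventory or detection job would normally use it. The following is an added example, not code from the original page or from the wmic project: it parses the `CLASS:` line, the header line and the `|`-separated rows into dicts, checks that every row has as many fields as the header (a value containing the delimiter would silently shift the columns), and rebuilds parent/child relations from ParentProcessId and ProcessId. `SAMPLE_OUTPUT` is a constructed, shortened copy of the page's own listing.

```python
"""Parse the pipe-delimited output of the Linux wmic client.

Added example; it is not code from the original page. It reads the text that
wmic prints for "select ... from win32_process" (a "CLASS:" line, a header
line, then one row per object with fields separated by --delimiter, '|' by
default) and rebuilds the parent/child relations from ParentProcessId and
ProcessId. SAMPLE_OUTPUT is constructed from the page's listing, shortened.
"""

# Constructed sample: a trimmed copy of the win32_process listing on the page.
SAMPLE_OUTPUT = """\
CLASS: Win32_Process
Caption|Handle|Name|ParentProcessId|ProcessId
System Idle Process|0|System Idle Process|0|0
System|4|System|0|4
smss.exe|212|smss.exe|4|212
wininit.exe|348|wininit.exe|280|348
services.exe|436|services.exe|348|436
lsass.exe|444|lsass.exe|348|444
svchost.exe|548|svchost.exe|436|548
explorer.exe|1264|explorer.exe|2024|1264
WMIC.exe|1436|WMIC.exe|1264|1436
cmd.exe|1512|cmd.exe|1264|1512
WmiPrvSE.exe|1624|WmiPrvSE.exe|548|1624
"""


def parse_wmic_output(text, delimiter="|"):
    """Return (class_name, rows); each row is a dict keyed by the header names.

    A value that itself contains the delimiter shifts the columns, so the field
    count of every row is checked against the header; run wmic with another
    --delimiter if a property may contain '|'.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2 or not lines[0].startswith("CLASS:"):
        raise ValueError("expected a 'CLASS:' line followed by a header line")
    class_name = lines[0].split(":", 1)[1].strip()
    header = lines[1].split(delimiter)
    rows = []
    for ln in lines[2:]:
        fields = ln.split(delimiter)
        if len(fields) != len(header):
            raise ValueError(f"field count mismatch in row: {ln!r}")
        rows.append(dict(zip(header, fields)))
    return class_name, rows


def children_of(rows, parent_pid):
    """Names of the processes whose ParentProcessId is parent_pid, sorted by PID."""
    kids = [r for r in rows if int(r["ParentProcessId"]) == parent_pid]
    return [r["Name"] for r in sorted(kids, key=lambda r: int(r["ProcessId"]))]


def ancestry(rows, pid):
    """Process names from pid up to the first ancestor that is not in the listing.

    Stops on a PID already visited (PID 0 lists itself as its own parent) and on
    a parent that is absent from the snapshot, e.g. one that has already exited.
    """
    by_pid = {int(r["ProcessId"]): r for r in rows}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["Name"])
        pid = int(by_pid[pid]["ParentProcessId"])
    return chain


if __name__ == "__main__":
    cls, procs = parse_wmic_output(SAMPLE_OUTPUT)
    print(f"{cls}: {len(procs)} processes")
    for p in procs:
        chain = ancestry(procs, int(p["ProcessId"]))
        print(f"{p['ProcessId']:>6}  " + " <- ".join(chain))
```

Feed it the real output by piping `wmic ... | python3 parse_wmic.py` and replacing `SAMPLE_OUTPUT` with `sys.stdin.read()`; the same parser works for any class, since the column names come from the header line rather than being hard-coded.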
WMIC - ExecQuery Error codes
When you use WMIC (which calls ExecQuery on the MS Windows side), it is always handy to be able to test whether a query has failed. In our case WMIC provides an error code in case of failure.
| Error Name | Error dec. | Error hex. | Meaning |
|---|---|---|---|
| wbemErrAccessDenied | 2147749891 | 0x80041003 | Current user does not have the permission to view the result set. |
| wbemErrFailed | 2147749889 | 0x80041001 | Unspecified error. |
| wbemErrInvalidParameter | 2147749896 | 0x80041008 | Invalid parameter was specified. |
| wbemErrInvalidQuery | 2147749911 | 0x80041017 | Query syntax is not valid. |
| wbemErrInvalidQueryType | 2147749912 | 0x80041018 | Requested query language is not supported. |
| wbemErrOutOfMemory | 2147749894 | 0x80041006 | Not enough memory to complete the operation. |
Example
```
[root@Linux-WMI-Client ~]# wmic -d 1 -U wmiuser%wmipasswd //wmi-server.localnet "cmd"
# "cmd" is not a valid WMI class (it is the command that starts the CLI on MS Windows)
[lib/com/dcom/main.c:1172:bind_new_pipe()] lib/com/dcom/main.c:1172: dcom_get_pipe: host=wmi-server.localnet, similar=wmi-server.localnet[49155]
[wmi/wmic.c:196:main()] OK : Login to remote object.        # login to the remote MS Windows server is OK
[wmi/wmic.c:200:main()] OK : WMI query execute.              # "cmd" data requested from the remote MS Windows server
[wmi/wmic.c:203:main()] OK : Reset result of WMI query.
[wmi/wmic.c:212:main()] ERROR: Retrieve result data.         # the remote MS Windows server returns an error because "cmd" is not valid
NTSTATUS: NT code 0x80041017 - NT code 0x80041017            # 0x80041017 is the hex error code (wbemErrInvalidQuery in the table above)
```
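A wrapper script should make this failure visible rather than treating an empty result as "no processes". The following added example (not code from the original page or the wmic project) keeps the page's error table, scans wmic's debug output for the `NT code 0x...` line and decodes it. The WBEM codes are HRESULT values, so the same code shows up as hex (`0x80041017`), as the unsigned decimal in the table (`2147749911`) or, from tools that print HRESULTs as signed 32-bit integers, as a negative number; `normalize_code()` maps all three forms to one integer before the lookup. `SAMPLE_DEBUG` is a constructed copy of the `-d 1` output above.

```python
"""Decode the WBEM error code that the Linux wmic client reports on failure.

Added example; not code from the original page. The code table is the one on
the page; SAMPLE_DEBUG is a constructed copy of the page's "-d 1" run against
an invalid query.
"""
import re

# WBEM error codes from the page's table: HRESULT -> (name, meaning)
WBEM_ERRORS = {
    0x80041001: ("wbemErrFailed", "Unspecified error."),
    0x80041003: ("wbemErrAccessDenied",
                 "Current user does not have the permission to view the result set."),
    0x80041006: ("wbemErrOutOfMemory", "Not enough memory to complete the operation."),
    0x80041008: ("wbemErrInvalidParameter", "Invalid parameter was specified."),
    0x80041017: ("wbemErrInvalidQuery", "Query syntax is not valid."),
    0x80041018: ("wbemErrInvalidQueryType", "Requested query language is not supported."),
}

# Constructed sample: the page's debug output for the invalid query "cmd".
SAMPLE_DEBUG = """\
[wmi/wmic.c:196:main()] OK : Login to remote object.
[wmi/wmic.c:200:main()] OK : WMI query execute.
[wmi/wmic.c:203:main()] OK : Reset result of WMI query.
[wmi/wmic.c:212:main()] ERROR: Retrieve result data.
NTSTATUS: NT code 0x80041017 - NT code 0x80041017
"""

NT_CODE_RE = re.compile(r"NT code (0x[0-9A-Fa-f]{1,8})")


def normalize_code(value):
    """Turn '0x80041017', '2147749911', 2147749911 or -2147217385 into one int."""
    if isinstance(value, str):
        value = value.strip()
        value = int(value, 16) if value.lower().startswith("0x") else int(value, 10)
    return value & 0xFFFFFFFF  # fold a signed HRESULT into its unsigned form


def decode_wbem_error(value):
    """Return (name, meaning) for a known WBEM code, or None if it is not in the table."""
    return WBEM_ERRORS.get(normalize_code(value))


def extract_wmic_error(debug_output):
    """Scan wmic's debug output for an 'NT code' line and decode it.

    Returns None when no code is present (the query succeeded); otherwise a dict
    with the hex code and, when the table knows it, its name and meaning.
    """
    m = NT_CODE_RE.search(debug_output)
    if m is None:
        return None
    code = normalize_code(m.group(1))
    entry = WBEM_ERRORS.get(code)
    return {
        "code": f"0x{code:08X}",
        "name": entry[0] if entry else "unknown",
        "meaning": entry[1] if entry else "not in the table on this page",
    }


if __name__ == "__main__":
    print(extract_wmic_error(SAMPLE_DEBUG))
```

In practice the wrapper runs wmic with `-d 1`, captures its stderr and stdout together, and calls `extract_wmic_error()` on the text; an `wbemErrAccessDenied` result is the one worth alerting on, since it means the account used for monitoring has lost the WMI namespace permission it needs.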
URLs
WMI Classes: http://msdn.microsoft.com/en-us/library/aa394554
ExecQuery method: http://msdn.microsoft.com/en-us/library/aa393866
WQL (SQL for WMI): http://msdn.microsoft.com/en-us/library/windows/desktop/aa394606