WMI - WQL

Preface

WMI Query Language (WQL) is the SQL-like language used to request WMI data, and it is often the most efficient way to do so. On this page WQL is used from the Linux WMI client called "wmic".

Effectiveness

In many cases the same data can be requested from a Windows system in several ways, so it pays to know which way is the most efficient. This matters most for data that is collected periodically, for example by a monitoring system, where an expensive query repeated every few minutes adds noticeable load both to the target and to the collector.

The most efficient way is not always the safest one, so the chosen method has to satisfy both needs. Keep in mind: winexe executes an arbitrary command on the target and needs administrative rights there (it installs a service), whereas a WMI query can be served to a non-administrative account that has been granted Remote Enable on the namespace and remote launch/activation permissions in DCOM; an SNMP v2c community string travels in cleartext; and a password given as -U user%password shows up in process listings and shell history on the client.

time - WINEXE:

[root@Linux-WMI-Client ~]# time /bin/winexe -U wmiuser%wmipasswd //wmi-server.localnet "ipconfig /all"

...
real    0m0.101s
user    0m0.009s
sys     0m0.008s

time - WQL:

[root@Linux-WMI-Client ~]# time /bin/wmic -U wmiuser%wmipasswd //wmi-server.localnet "select * from Win32_NetworkAdapterConfiguration"

...
real    0m0.264s
user    0m0.010s
sys     0m0.010s

time - SNMP:

[root@Linux-WMI-Client ~]# time /usr/bin/snmptable -v2c -c public wmi-server.localnet if
...
real    0m0.078s
user    0m0.060s
sys     0m0.007s

Result

A single run per method, as above, is not statistically meaningful: each command would have to be repeated many times (a thousand runs is a reasonable target) and the results averaged before the numbers can be compared with confidence. The timings also include process start-up and, for wmic and winexe, the DCOM/RPC connection and authentication round trips.

Still, all three commands requested nearly the same data from the same remote server.

On these results SNMP was the fastest way to collect the data. In practice WMI or remote command execution will still be needed for data that SNMP does not expose, and the choice also depends on the output format you need to process afterwards. For some information WMI is much faster than SNMP, so test each query to confirm that it is the most efficient way to get the data you need.
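Added example, not from the original page: a small harness that repeats a collection command many times and reports mean/min/max wall-clock time, which is what the comparison above needs to become meaningful. It assumes GNU date (nanosecond %N) and awk; bench_ms is a helper name chosen here, and the host, credentials and tool paths in the commented usage lines are the ones from the commands above.

```shell
#!/bin/sh
# Added example (not from the original page): repeat a collection command N times
# and report mean/min/max wall-clock time in milliseconds, so that two collection
# methods are compared on many runs instead of one. Assumes GNU date (%N gives
# nanoseconds) and awk; bench_ms is a helper name chosen here.

# bench_ms N cmd [args...]  ->  prints "n=<N> mean_ms=<mean> min_ms=<min> max_ms=<max>"
bench_ms() {
    n=$1; shift
    i=0
    samples=""
    while [ "$i" -lt "$n" ]; do
        t0=$(date +%s%N)
        "$@" >/dev/null 2>&1          # output discarded; only the round trip is timed
        t1=$(date +%s%N)
        samples="$samples $(( (t1 - t0) / 1000000 ))"
        i=$((i + 1))
    done
    # shellcheck disable=SC2086  (word splitting of $samples is intended)
    echo $samples | LC_ALL=C awk '{
        lo = $1; hi = $1; sum = 0
        for (k = 1; k <= NF; k++) {
            sum += $k
            if ($k < lo) lo = $k
            if ($k > hi) hi = $k
        }
        printf "n=%d mean_ms=%.1f min_ms=%d max_ms=%d\n", NF, sum / NF, lo, hi
    }'
}

# Comparing the three methods from the page (needs the tools and a reachable host;
# host and credentials are the ones used in the timings above):
#   bench_ms 100 /bin/winexe -U wmiuser%wmipasswd //wmi-server.localnet "ipconfig /all"
#   bench_ms 100 /bin/wmic -U wmiuser%wmipasswd //wmi-server.localnet "select * from Win32_NetworkAdapterConfiguration"
#   bench_ms 100 /usr/bin/snmptable -v2c -c public wmi-server.localnet if
bench_ms 5 sleep 0.01
```

Run each method with the same N against the same host, back to back, and compare the means; the min/max spread tells you whether a single slow run (cold DCOM connection, name resolution) is skewing the average.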

WQL Query Types

Data

Data queries are the most common use of WMI and WQL. They retrieve property values of the instances of a WMI class (the objects).

Example:

[root@Linux-WMI-Client ~]# wmic -U wmiuser%wmipasswd //wmi-server.localnet "SELECT Size FROM Win32_LogicalDisk"       # What is the size of all my logical disks?
CLASS: Win32_LogicalDisk
DeviceID|Size
C:|26736586752
D:|3166720000

Note that DeviceID appears in the output although only Size was selected: the Linux wmic client prints the key property of each instance in addition to the selected ones, as the output above shows, so every row can be matched back to its instance. Sizes are in bytes.
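Added example, not from the original page: a shell/awk parser for the pipe-delimited table wmic prints, which turns a data query into an actionable check (fixed disks below a free-space threshold). The wmic output is constructed for the example; printing NULL properties as "(null)" and the WHERE DriveType = 3 filter (3 is a local fixed disk per the Win32_LogicalDisk documentation) are assumptions stated in the comments, and low_disks is a helper name chosen here.

```shell
#!/bin/sh
# Added example (not from the original page): parse the table the Linux wmic client
# prints for a data query ("CLASS: <class>" banner, a header line, then one
# pipe-delimited row per instance) and flag fixed disks that are short on space.
# The query that would produce such output is
#   wmic -U wmiuser%wmipasswd //wmi-server.localnet \
#     "SELECT DeviceID,DriveType,FreeSpace,Size FROM Win32_LogicalDisk WHERE DriveType = 3"
# Assumptions: NULL properties are assumed here to be printed as "(null)",
# DriveType 3 means local fixed disk (Win32_LogicalDisk documentation),
# and low_disks is a helper name chosen here.

# Constructed sample output for the example (not a real capture).
SAMPLE_WMIC_OUTPUT='CLASS: Win32_LogicalDisk
DeviceID|DriveType|FreeSpace|Size
C:|3|1336829337|26736586752
D:|3|3000000000|3166720000
E:|5|(null)|(null)'

# low_disks PERCENT   (wmic output on stdin)
# Prints "<DeviceID> <free%>" for each fixed disk whose free space is below PERCENT.
# Columns are located by header name, so the property order wmic chooses does not matter.
low_disks() {
    LC_ALL=C awk -F'|' -v limit="$1" '
        /^CLASS: /  { next }                                  # class banner
        !got_header { for (i = 1; i <= NF; i++) col[$i] = i   # header: map name -> column
                      got_header = 1; next }
        {
            size = $(col["Size"]); free = $(col["FreeSpace"])
            if ($(col["DriveType"]) != 3) next                # not a fixed disk
            if (size == "(null)" || free == "(null)" || size + 0 == 0) next   # unusable row
            pct = 100 * free / size
            if (pct < limit) printf "%s %.1f\n", $(col["DeviceID"]), pct
        }'
}

echo "$SAMPLE_WMIC_OUTPUT" | low_disks 10
```

Looking columns up by header name rather than position keeps the check working when the selected property list changes or when wmic adds the key property on its own; skipping "(null)" and zero-size rows avoids a division by zero on CD-ROM or unmounted drives.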

Event

WQL event queries are most useful from PowerShell, where an event subscription can run an action automatically when an interesting event occurs. An event query has the form SELECT ... FROM <event class> [WITHIN n] [WHERE ...]; intrinsic events (__InstanceCreationEvent and its siblings) are polled and therefore need a WITHIN interval in seconds, while extrinsic events such as Win32_ProcessStartTrace are delivered by their provider as they happen.

List of event classes (all subclasses of __Event) that can be queried; this is a schema query, run in PowerShell:

PS C:\> Get-WMIObject -Query "Select * from meta_class Where (__This ISA '__Event')"

The following registers a temporary event subscription that writes a notice to the PowerShell console each time a new process starts. Win32_ProcessStartTrace is an extrinsic event class fed by the kernel trace provider, so the PowerShell session has to run with administrative rights. The subscription lives only as long as the session; remove it earlier with Unregister-Event -SourceIdentifier "Process Started". Permanent subscriptions (a __EventFilter, an event consumer and a __FilterToConsumerBinding in root\subscription) survive reboots and need no logged-on user, which makes them both a useful monitoring tool and a well-known persistence technique that is worth inventorying on your systems.

Example:

PS C:\> Register-WmiEvent -Class Win32_ProcessStartTrace -SourceIdentifier "Process Started" `
        -Action { Write-Host "$($Event.SourceEventArgs.NewEvent.ProcessName) just started" }

Id              Name            State      HasMoreData     Location             Command
--              ----            -----      -----------     --------             -------
1               Process Started NotStarted False                                 Write-Host "$($Event....

PS C:\> cmd.exe just started
conhost.exe just started
taskeng.exe just started
coetl32.exe just started

Schema

Schema queries retrieve class definitions rather than instances; the meta_class query in the Event section is one. Keep in mind that WQL is only an SQL-like way to read WMI data and has many limitations compared with SQL: there is no INSERT or UPDATE, no JOIN, and a data query addresses a single class at a time (ASSOCIATORS OF and REFERENCES OF are the only way to reach related classes). Modifying WMI data is done through the objects' methods and properties, not through WQL.

Example:

Start -> Run -> powershell.exe -> Enter                                                  # Start PowerShell interface

PS C:\Users\user> Get-WmiObject -List | Format-List > .\Desktop\list.txt                 # List all WMI classes of the default namespace (root\cimv2) and redirect them into a file; add -Namespace <name> for another namespace

WQL - Keywords

Keyword          Description
AND              Combines two Boolean expressions and returns TRUE only when both are TRUE.
ASSOCIATORS OF   Retrieves all instances that are associated with a source instance. Usable in schema queries and data queries.
__CLASS          References the class of the object in a query.
FROM             Specifies the class that contains the properties listed in a SELECT statement. WMI supports data queries from only one class at a time.
GROUP            Causes WMI to generate one notification to represent a group of events.
HAVING           Filters the events received during the grouping interval specified in the WITHIN clause.
IS               Comparison operator used with NOT and NULL: IS [NOT] NULL (NOT is optional).
ISA              Operator that applies a query to the subclasses of the specified class.
KEYSONLY         Used in REFERENCES OF and ASSOCIATORS OF queries so that the resulting instances carry only their key properties, which reduces the cost of the call.
LIKE             Operator that determines whether a character string matches a pattern. Wildcards: % (any string), _ (any single character), [ ] (one character from a set or range) and ^ (negation inside [ ]).
NOT              Negation operator used in a WHERE clause, e.g. NOT Name = 'x' or Name IS NOT NULL.
NULL             Indicates that a property has no explicitly assigned value. NULL is not equivalent to zero (0) or blank.
OR               Combines two conditions. When more than one logical operator is used in a statement, OR operators are evaluated after AND operators.
REFERENCES OF    Retrieves all association instances that refer to a specific source instance. Similar to ASSOCIATORS OF, but it returns the association instances themselves rather than the endpoint instances.
SELECT           Specifies the properties that are returned by a query.
TRUE             Boolean constant that evaluates to -1 (minus one).
FALSE            Boolean constant that evaluates to 0 (zero).
WHERE            Narrows the scope of a data, event, or schema query.
WITHIN           Specifies the polling interval (intrinsic event queries) or the grouping interval (with GROUP), in seconds.

WQL - Operators

Operator   Description
=          Equal to
<          Less than
>          Greater than
<=         Less than or equal to
>=         Greater than or equal to
!= or <>   Not equal to
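Added example, not from the original page: building WHERE clauses for wmic from values that come from elsewhere (a user name, a file path) with the WQL escaping rules, so that a quote or backslash in the value cannot change the query, plus a wrapper that reads credentials from an authentication file instead of the command line. wql_quote, wql_select and wmic_query are helper names chosen here; the -A authentication-file option is the Samba-style credentials option and should be checked against wmic --help on your build.

```shell
#!/bin/sh
# Added example (not from the original page): build WQL WHERE clauses for wmic from
# values that come from elsewhere (a user name, a path), applying the WQL escaping
# rules so a quote or backslash in the value cannot alter the query. WQL string
# literals are single-quoted; inside them a backslash is written \\ and a single
# quote \'. wql_quote, wql_select and wmic_query are helper names chosen here.

# wql_quote VALUE  ->  VALUE as an escaped, single-quoted WQL string literal
wql_quote() {
    # backslashes first, then quotes, so the added backslashes are not re-escaped
    printf "'%s'\n" "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g")"
}

# wql_select PROPERTIES CLASS [CONDITION]  ->  the query text on one line
wql_select() {
    if [ -n "$3" ]; then
        printf 'SELECT %s FROM %s WHERE %s\n' "$1" "$2" "$3"
    else
        printf 'SELECT %s FROM %s\n' "$1" "$2"
    fi
}

# wmic_query HOST QUERY  ->  runs the query with wmic, reading credentials from an
# authentication file (username/password/domain lines) instead of -U user%password,
# so they do not appear in `ps` output or shell history. The -A/--authentication-file
# option is the Samba-style option; verify it with `wmic --help` on your build.
wmic_query() {
    command -v wmic >/dev/null 2>&1 || { echo "wmic not installed" >&2; return 1; }
    wmic -A "${WMI_AUTH_FILE:-$HOME/.wmi-auth}" "//$1" "$2"
}

# A user name containing a quote: naive concatenation would produce Name = 'o'brien'
# (a syntax error at best, a changed condition at worst); escaping keeps it one literal.
wql_select 'Name,Disabled' 'Win32_UserAccount' "LocalAccount = TRUE AND Name = $(wql_quote "o'brien")"
#   SELECT Name,Disabled FROM Win32_UserAccount WHERE LocalAccount = TRUE AND Name = 'o\'brien'

# A Windows path: every backslash has to be doubled in WQL.
wql_select 'Name,FileSize' 'CIM_DataFile' "Name = $(wql_quote 'C:\Windows\System32\cmd.exe')"
#   SELECT Name,FileSize FROM CIM_DataFile WHERE Name = 'C:\\Windows\\System32\\cmd.exe'

# Keywords from the table: LIKE with the % wildcard and a plain string comparison.
wql_select 'Name,PathName,StartMode' 'Win32_Service' "PathName LIKE '%\\\\Temp\\\\%' AND StartMode = 'Auto'"
#   SELECT Name,PathName,StartMode FROM Win32_Service WHERE PathName LIKE '%\\Temp\\%' AND StartMode = 'Auto'

# Against a host (needs wmic and the authentication file):
#   wmic_query wmi-server.localnet "$(wql_select Size Win32_LogicalDisk 'DriveType = 3')"
```

Keep the shell quoting and the WQL quoting apart: the shell delivers the query to wmic as one argument, and inside that argument only the WQL rules matter, so a value is escaped once with wql_quote and never by hand.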

