
WMIC

from web site

baseboard

get Manufacturer, Model, Name, PartNumber, slotlayout, serialnumber, poweredon

bios

get name, version, serialnumber

bootconfig

get BootDirectory, Caption, TempDirectory, Lastdrive

cdrom

get Name, Drive, Volumename

computersystem

get Name, domain, Manufacturer, Model, NumberofProcessors, PrimaryOwnerName,Username, Roles, totalphysicalmemory /format:list

cpu

get Name, Caption, MaxClockSpeed, DeviceID, status

datafile

where name='c:\\boot.ini' get Archive, FileSize, FileType, InstallDate, Readable, Writeable, System, Version

dcomapp

get Name, AppID /format:list

desktop

get Name, ScreenSaverExecutable, ScreenSaverActive, Wallpaper /format:list

desktopmonitor

get screenheight, screenwidth

diskdrive

get Name, Manufacturer, Model, InterfaceType, MediaLoaded, MediaType

diskquota

get User, Warninglimit, DiskSpaceUsed, QuotaVolume

environment

get Description, VariableValue

fsdir

where name='c:\\windows' get Archive, CreationDate, LastModified, Readable, Writeable, System, Hidden, Status

group

get Caption, InstallDate, LocalAccount, Domain, SID, Status

idecontroller

get Name, Manufacturer, DeviceID, Status

irq

get Name, Status

job

get Name, Owner, DaysOfMonth, DaysOfWeek, ElapsedTime, JobStatus, StartTime, Status

loadorder

get Name, DriverEnabled, GroupOrder, Status

logicaldisk

get Name, Compressed, Description, DriveType, FileSystem, FreeSpace, SupportsDiskQuotas, VolumeDirty, VolumeName

memcache

get Name, BlockSize, Purpose, MaxCacheSize, Status

memlogical

get AvailableVirtualMemory, TotalPageFileSpace, TotalPhysicalMemory, TotalVirtualMemory

memphysical

get Manufacturer, Model, SerialNumber, MaxCapacity, MemoryDevices

netclient

get Caption, Name, Manufacturer, Status

netlogin

get Name, Fullname, ScriptPath, Profile, UserID, NumberOfLogons, PasswordAge, LogonServer, HomeDirectory, PrimaryGroupID

netprotocol

get Caption, Description, GuaranteesSequencing, SupportsBroadcasting, SupportsEncryption, Status

netuse

get Caption, DisplayType, LocalName, Name, ProviderName, Status

nic

get AdapterType, AutoSense, Name, Installed, MACAddress, PNPDeviceID,PowerManagementSupported, Speed, StatusInfo

nicconfig

get MACAddress, DefaultIPGateway, IPAddress, IPSubnet, DNSHostName, DNSDomain

nicconfig

get MACAddress, IPAddress, DHCPEnabled, DHCPLeaseExpires, DHCPLeaseObtained, DHCPServer

nicconfig

get MACAddress, IPAddress, DNSHostName, DNSDomain, DNSDomainSuffixSearchOrder, DNSEnabledForWINSResolution, DNSServerSearchOrder

nicconfig

get MACAddress, IPAddress, WINSPrimaryServer, WINSSecondaryServer, WINSEnableLMHostsLookup, WINSHostLookupFile

ntdomain

get Caption, ClientSiteName, DomainControllerAddress, DomainControllerName, Roles, Status

ntevent

where (LogFile='system' and SourceName='W32Time') get Message, TimeGenerated

ntevent

where (LogFile='system' and SourceName='W32Time' and Message like '%timesource%') get Message, TimeGenerated

ntevent

where (LogFile='system' and SourceName='W32Time' and EventCode!='29') get TimeGenerated, EventCode, Message

onboarddevice

get Description, DeviceType, Enabled, Status

os

get Version, Caption, CountryCode, CSName, Description, InstallDate, SerialNumber, ServicePackMajorVersion, WindowsDirectory /format:list

os

get CurrentTimeZone, FreePhysicalMemory, FreeVirtualMemory, LastBootUpTime, NumberofProcesses, NumberofUsers, Organization, RegisteredUser, Status

pagefile

get Caption, CurrentUsage, Status, TempPageFile

pagefileset

get Name, InitialSize, MaximumSize

partition

get Caption, Size, PrimaryPartition, Status, Type

printer

get DeviceID, DriverName, Hidden, Name, PortName, PowerManagementSupported, PrintJobDataType, VerticalResolution, Horizontalresolution

printjob

get Description, Document, ElapsedTime, HostPrintQueue, JobID, JobStatus, Name, Notify, Owner, TimeSubmitted, TotalPages

process

get Caption, CommandLine, Handle, HandleCount, PageFaults, PageFileUsage, PArentProcessId, ProcessId, ThreadCount

product

get Description, InstallDate, Name, Vendor, Version

qfe

get description, FixComments, HotFixID, InstalledBy, InstalledOn, ServicePackInEffect

quotasetting

get Caption, DefaultLimit, Description, DefaultWarningLimit, SettingID, State

recoveros

get AutoReboot, DebugFilePath, WriteDebugInfo, WriteToSystemLog

Registry

get CurrentSize, MaximumSize, ProposedSize, Status

scsicontroller

get Caption, DeviceID, Manufacturer, PNPDeviceID

server

get ErrorsAccessPermissions, ErrorsGrantedAccess, ErrorsLogon, ErrorsSystem, FilesOpen, FileDirectorySearches

service

get Name, Caption, State, ServiceType, StartMode, pathname

share

get name, path, status

sounddev

get Caption, DeviceID, PNPDeviceID, Manufacturer, status

startup

get Caption, Location, Command

sysaccount

get Caption, Domain, Name, SID, SIDType, Status

sysdriver

get Caption, Name, PathName, ServiceType, State, Status

systemenclosure

get Caption, Height, Depth, Manufacturer, Model, SMBIOSAssetTag, AudibleAlarm, SecurityStatus, SecurityBreach, PoweredOn, NumberOfPowerCords

systemslot

get Number, SlotDesignation, Status, SupportsHotPlug, Version, CurrentUsage, ConnectorPinout

tapedrive

get Name, Capabilities, Compression, Description, MediaType, NeedsCleaning, Status, StatusInfo

timezone

get Caption, Bias, DaylightBias, DaylightName, StandardName

useraccount

get AccountType, Description, Domain, Disabled, LocalAccount, Lockout, PasswordChangeable, PasswordExpires, PasswordRequired, SID

*UPDATE* 12/13/2012

memorychip

get BankLabel, Capacity, Caption, CreationClassName, DataWidth, Description, Devicelocator, FormFactor, HotSwappable, InstallDate, InterleaveDataDepth, InterleavePosition, Manufacturer, MemoryType, Model, Name, OtherIdentifyingInfo, PartNumber, PositionInRow, PoweredOn, Removable, Replaceable, SerialNumber, SKU, Speed, Status, Tag, TotalWidth, TypeDetail, Version

 

 

 

The PROCESS alias can be used to start a new installation process. If you do this across the network, place the installer files on a share with permissions EVERYONE : Read Only. This is because network credentials will be dropped when jumping from one remote machine to another (unless you have Kerberos configured). Keep write access to that share limited to administrators, since every target machine will run whatever is stored there.

Examples

WMIC /locale:ms_409 OS 

WMIC OS LIST BRIEF

WMIC OS GET csname, locale, bootdevice

WMIC OS GET osarchitecture /value

WMIC OS GET localdatetime

WMIC /locale:ms_409 NTEVENT where LogFile='system'

WMIC NTEVENT where "LogFile='system' and Type>'0'" 

WMIC SERVICE where (state="running") GET caption, name, state > services.tsv

WMIC SERVICE where caption='TELNET' CALL STARTSERVICE

WMIC PRINTER LIST STATUS

WMIC PRINTER where PortName="LPT1:" GET PortName, Name, ShareName
 
WMIC /INTERACTIVE:ON PRINTER where PortName="LPT1:" DELETE

WMIC PROCESS where name='evil.exe' delete

WMIC /output:"%computername%.txt" MEMORYCHIP where "memorytype=17" get Capacity

WMIC /node:@workstns.txt /failfast:on PROCESS call create "\\server\share\installer.cmd"

Interactive mode:
C:> START "Windows Management" WMIC
wmic:root\cli> /locale:ms_409
wmic:root\cli> OS get csname
wmic:root\cli> quit

Notes

WMIC is available on XP Professional and Windows 2003 or later versions of Windows.

The availability of WMI information does vary across different versions of Windows
e.g. ODBC, SNMP, Windows Installer.

Running WMIC requires administrator rights.

The last element returned by WMIC is a single carriage-return character (which shows up as an empty line). When running WMIC in a FOR loop you may need to remove this, particularly if delayed expansion is involved.

In Windows 2000, around 4,000 properties can be monitored, and around 40 can be configured.
In Windows XP around 6,000 properties can be monitored, and around 140 can be configured.

Windows 2003 offers a few improvements and bug fixes: the global option /locale:ms_409 is not required (it defaults to English US.)

When you type WMIC for the first time in Windows 2003 all the aliases are compiled. The second, and subsequent times you run WMIC, it will start immediately. Under XP WMIC is slower to initialise, therefore to run several WMI queries it can be quicker to use interactive mode.

When WMIC is run from within a batch file it may sometimes hang. Possible workarounds for this:
START "" /W CMD /C WMIC options...
WMIC options... <NUL

* WMI information for installed software packages (PACKAGE and SOFTWAREFEATURE) is often incomplete and inconsistent for a variety of historical reasons. A more reliable method is to retrieve a list of installed programs directly from the Add/Remove list in the registry, with a WSH script like this from Torgeir Bakken.

wmic baseboard get product,manufacturer

wmic bios get name

wmic product list brief

wmic service list brief

wmic process list brief

wmic startup list brief

Obviously these details can be found elsewhere, but one advantage of WMIC is that it can save its output for reference later.   Use the command:

wmic service get /format:hform > c:\folder\services.html

-- and WMIC will create a formatted HTML page detailing your running services (replace "C:\folder" with an appropriate path for your system). If you have PC problems a few months later you can then look back at this record and see what's  changed.

Uninstall Automatically

WMIC isn't just about reporting on system information, though. Use the appropriate CALL command and it can also carry out a variety of useful maintenance tasks.

Do you regularly have to uninstall and reinstall particular programs, for instance?  Doing this manually via Control Panel is tedious, but WMIC can automatically uninstall many applications with a single command. To see how, enter:

wmic product get name

-- and look for the name of the program you'd like to remove. Then enter the name as it appears in that list, in a second command, like this:

wmic product where name="windows live writer" call uninstall

-- and your specified program will be uninstalled automatically, without you even seeing the uninstall program.  (Which is convenient, but also risky as there probably will be no chance to cancel your action, so use this with extreme care.)

Process Management

WMIC can, say, also close all the instances of a particular program. So if you want to shut down all Internet Explorer windows, for instance, then the command:

wmic process where name="iexplore.exe" call terminate

-- would do the trick, closing every instance immediately. (Though again, beware, programs closed in this way probably won't prompt you to save files you're working on, so use the command carelessly and data may be lost.)

Or maybe you'd prefer to optimise your system by setting your process CPU priorities? WMIC can handle that, too.  Entering:

wmic process where name="notepad.exe" call setpriority 64

-- will set every running Notepad process to the Idle priority, for instance (see MSDN for the numbers to use to set other priorities).

This barely scratches the surface. WMIC can also give you useful information about your PC's user accounts, change the Start mode of particular services, retrieve useful information from your event logs, change a static IP address, reboot or shut down a PC, and a whole lot more.

And best of all, you can even apply the commands to a remote system by applying the NODE switch and a network name, like:

wmic /node:steve-pc service list brief

 

There's a huge amount of power on offer here, then.  See the Tech-Wreck InfoSec Blog for more great WMIC examples, then open a command window and try a few for yourself.

 

wmic logicaldisk get name

Display each of the logical disk drives on the computer, as shown below.

wmic os list brief

This command would give you brief information about the operating system, as shown in the below example.

BuildNumber Organization RegisteredUser SerialNumber SystemDirectory Version
7601 Computer Hope Mrhope 00123-045-6789012-34567 C:\Windows\system32 6.1.7601

wmic printer list status

List the printer status of each of the printers installed on the computer.

WMIC /Output:bios.html BIOS Get Manufacturer,Name,Version /Format:htable

The above command may appear a little involved, but it is still relatively simple. First, /Output: sends the command's output to the bios.html file, which will be saved into the directory you're currently in. Next, the wmic BIOS get command will get the Manufacturer, Name, Serial Number, and Version of the BIOS. Finally, /format:htable will format the results into an HTML table. Below is an example of how the output may appear in the bios.html file.

1 Instances of Win32_BIOS

Node Manufacturer Name SerialNumber Version
HOPE-PC DELL INC.. Default System BIOS. 123AB12. DELL - 20081105.

 

wmic product list brief

List each of the programs that have been installed on the computer with brief details. Note: This command could take a minute or two to complete depending on how many programs you have installed on the computer, and the output may exceed the limit of what can be displayed in the window. This command can also be made into an HTML table as explained in the previous example.

wmic diskdrive get model,name,size

Display the model, name, and size of the hard drives installed on the computer, as shown in the below example.

 

Model Name Size    
WDC WD3000HLFS-75G6U1 ATA Device \\.\PHYSICALDRIVE0 300066439680    
TRUSTED Mass Storage USB Device \\.\PHYSICALDRIVE1 2199020382720  

 

  • Do not use WMIC's CALL command unless you are absolutely sure about the consequences.

Now let's try the following commands:

WMIC BIOS
WMIC BIOS Get Manufacturer
WMIC BIOS Get Manufacturer,Name,Version /Format:csv
WMIC BIOS Get Manufacturer,Name,Version /Format:list
WMIC BIOS Get /Format:list
WMIC BIOS Get Manufacturer,Name,Version /Format:htable

You may want to save the latter to a HTML file to view it in a browser:

WMIC /Output:bios.html BIOS Get Manufacturer,Name,Version /Format:htable
START "" "%CD%.\bios.html"

Need the result pasted in another window?

Use /Output:CLIPBOARD

 

One Step Further With HTML Output

The following batch file will query the specified wmi class, output the results to the specified file, add an .html extension, start the default application, presumably a browser, and open the specified file. The result is the ability to view the output in a readable html form in a browser.

This batch file is very simple (no error checking, help, etc.). It can be placed in any directory listed in the PATH environment variable. I suggest the name: wmic2browser.bat.

***********************************************
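rem Query a WMI class, save the result as an HTML form, and open it in the
rem default application for .html files.
rem
rem Parameters:
rem     %1 is the wmi class name (for example Win32_BIOS)
rem     %2 is the file name for the output, without extension (.html is appended)
rem
rem %~1 and %~2 strip any quotes the caller supplied. The file name is then
rem quoted exactly once, so a name containing spaces, or a character such as
rem an ampersand, is passed as one argument instead of being split or
rem interpreted by the command processor.

wmic /output:"%~2.html" path %~1 get * /format:hform
START "" "%CD%\%~2.html"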
***********************************************

The result is similar to the following:

System, BIOS, Motherboard

This first example shows a few variations of the most common WMI query. We ask a WMI object (computersystem, or bios, or baseboard in the examples below) to return the values for a few of its properties. It returns the results in its default tabular format.

C:\Tools>wmic computersystem get domain, EnableDaylightSavingsTime, Manufacturer, Model, PartOfDomain, TotalPhysicalMemory, username
Domain       EnableDaylightSavingsTime  Manufacturer  Model     PartOfDomain  TotalPhysicalMemory  UserName
cojones.org  TRUE                       INTEL_        D865GLC_  TRUE          2146148352           PURGATORY\quux

C:\Tools>wmic bios get Caption, Manufacturer, SMBIOSBIOSVersion, Version
Caption                                     Manufacturer  SMBIOSBIOSVersion                 Version
BIOS Date: 10/14/03 10:38:21 Ver: 08.00.09  Intel Corp.   BF86510A.86A.0049.P11.0310141038  INTEL  - 20031014

C:\Tools>wmic baseboard get Manufacturer, Model, Product, SerialNumber, Version
Manufacturer       Model  Product  SerialNumber  Version
Intel Corporation         D865GLC  ABLC32421808  AAC28909-404

Processor Info 

C:\Tools>wmic cpu get deviceID, Addresswidth, MaxClockSpeed, Name, Manufacturer, ProcessorID
AddressWidth  DeviceID  Manufacturer  MaxClockSpeed  Name                               ProcessorId
32            CPU0      GenuineIntel  2992           Intel(R) Pentium(R) 4 CPU 3.00GHz  BFEBFBFF00000F29
32            CPU1      GenuineIntel  2992           Intel(R) Pentium(R) 4 CPU 3.00GHz  BFEBFBFF00000F29

Hard Drives 

C:\Tools>wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber
FileSystem  FreeSpace     Name  Size          SystemName  VolumeSerialNumber
NTFS        53473411072   C:    120023252992  GOOD        B0400204
NTFS        114517245952  E:    500105216000  GOOD        94AE4BE9

The drivetypes are

Value - Member name - Description

0 - Unknown - The type of drive is unknown.

1 - NoRootDirectory - The drive does not have a root directory.

2 - Removable - The drive is a removable storage device, such as a floppy disk drive or a USB flash drive.

3 - Fixed - The drive is a fixed disk.

4 - Network - The drive is a network drive.

5 - CDRom - The drive is an optical disc device, such as a CD or DVD-ROM.

6 - Ram - The drive is a RAM disk.

Here is a bonus: S.M.A.R.T. information!

C:\Tools>WMIC /NAMESPACE:\\root\wmi PATH  MSStorageDriver_FailurePredictStatus get * /format:list
Active=TRUE
InstanceName=IDE\DiskG.SKILL_128GB_SSD_______________________02.10104\4&8188e1b&0&0.0.0_0
PredictFailure=FALSE
Reason=0

You can also experiment with 

 

  • MSStorageDriver_FailurePredictData
  • MSStorageDriver_FailurePredictEvent
  • MSStorageDriver_FailurePredictFunction
The best docs I have found for these are here. They're sparse, and probably a bit out of date.

 

Memory

I can't really explain why the output below gives me more available virtual memory than total virtual memory. 

C:\Tools>wmic memlogical get AvailableVirtualMemory, TotalPhysicalMemory, TotalVirtualMemory
AvailableVirtualMemory  TotalPhysicalMemory  TotalVirtualMemory
2049300                 2095848              1939180

 

NIC properties

In the first example below, I query for all NICs. Yikes, too much info!

In the second example I use a where IPEnabled='TRUE' clause to narrow things down, but it's still too much. Here we have several IPEnabled devices which we don't really care about; the system runs VMware, has a TV card, and had a disabled 100bT NIC.

In the third example, I only care about the NIC that is enabled and connected! Could have used DHCPEnabled as the second test, but we might want to get this info from systems with static IPs. I would have compared the IPAddress value to good IPs (or eliminated 192.168 and 169.* addresses), but sadly I have not figured out a way to do WHERE queries on IPAddress; apparently the {} brackets indicate it is an array value, and I have found no way to do WQL queries that compare array values. Please use the comments link if you know how to do this! So, by adding the extra query condition (shown in red), I get only the currently 'live' connection. Although I can imagine cases where DNSDomain would be null and the NIC would still be the live connection. YMMV!

The final query gets a fair amount of NIC information in list format.

C:\Tools>wmic nicconfig get caption, macaddress, ipaddress, DefaultIPGateway
Caption                                                  DefaultIPGateway  IPAddress           MACAddress
[00000001] 1394 Net Adapter
[00000002] RAS Async Adapter
[00000003] WAN Miniport (L2TP)
[00000004] WAN Miniport (PPTP)                                                                 50:50:54:50:30:30
[00000005] WAN Miniport (PPPOE)                                                                33:50:6F:45:30:30
[00000006] Direct Parallel
[00000007] WAN Miniport (IP)
[00000008] Packet Scheduler Miniport                                                           38:C7:20:52:41:53
[00000009] Microsoft TV/Video Connection                                   {"169.254.246.73"}  00:07:E9:5D:BC:F4
[00000010] Intel(R) PRO/1000 CT Network Connection                         {"169.254.246.73"}  00:07:E9:5D:BC:F4
[00000011] Packet Scheduler Miniport                                                           00:07:E9:5D:BC:F4
[00000012] VMware Virtual Ethernet Adapter for VMnet1                      {"192.168.199.1"}   00:50:56:C0:00:01
[00000013] VMware Virtual Ethernet Adapter for VMnet8                      {"192.168.226.1"}   00:50:56:C0:00:08
[00000014] NETGEAR 108 Mbps Wireless PCI Adapter WG311T  {"10.0.0.10"}     {"10.0.0.55"}       00:0F:B5:4F:78:73
[00000015] Packet Scheduler Miniport                                                           00:0F:B5:4F:78:73

C:\Tools>wmic nicconfig where "IPEnabled = 'TRUE'" get caption, macaddress, ipaddress, DefaultIPGateway
Caption                                                  DefaultIPGateway  IPAddress           MACAddress
[00000009] Microsoft TV/Video Connection                                   {"169.254.246.73"}  00:07:E9:5D:BC:F4
[00000010] Intel(R) PRO/1000 CT Network Connection                         {"169.254.246.73"}  00:07:E9:5D:BC:F4
[00000012] VMware Virtual Ethernet Adapter for VMnet1                      {"192.168.199.1"}   00:50:56:C0:00:01
[00000013] VMware Virtual Ethernet Adapter for VMnet8                      {"192.168.226.1"}   00:50:56:C0:00:08
[00000014] NETGEAR 108 Mbps Wireless PCI Adapter WG311T  {"10.0.0.10"}     {"10.0.0.55"}       00:0F:B5:4F:78:73

C:\Tools>wmic nicconfig where "IPEnabled = 'TRUE' and DNSDomain IS NOT NULL" get caption, macaddress, ipaddress, DefaultIPGateway
Caption                                                  DefaultIPGateway  IPAddress      MACAddress
[00000014] NETGEAR 108 Mbps Wireless PCI Adapter WG311T  {"10.0.0.10"}     {"10.0.0.55"}  00:0F:B5:4F:78:73


C:\Tools>wmic nicconfig where "IPEnabled = 'TRUE' and DNSDomain IS NOT NULL" get DefaultIPGateway, DHCPServer, DNSDomain, DNSHostName, DNSServerSearchOrder, IPAddress, IPSubnet, MACAddress, WINSEnableLMHostsLookup, WINSPrimaryServer, WINSSecondaryServer /format:list

DefaultIPGateway={"10.0.0.10"}
DHCPServer=10.0.0.3
DNSDomain=cojones.org
DNSHostName=good
DNSServerSearchOrder={"10.0.0.3","10.0.0.2"}
IPAddress={"10.0.0.55"}
IPSubnet={"255.255.255.0"}
MACAddress=00:0F:B5:4F:78:73
WINSEnableLMHostsLookup=TRUE
WINSPrimaryServer=
WINSSecondaryServer=

Video 

C:\Tools>wmic path Win32_VideoController get  caption, CurrentHorizontalResolution, CurrentVerticalResolution, Description, DriverVersion, AdapterRAM /format:list

AdapterRAM=67108864
Caption=MOBILITY RADEON 9600/9700 (Microsoft Corporation - WDDM)
CurrentHorizontalResolution=1400
CurrentVerticalResolution=1050
Description=MOBILITY RADEON 9600/9700 (Microsoft Corporation - WDDM)
DriverVersion=7.01.01.569

C:\Tools>

Printers 

C:\Tools>


Stéphane-Gabriel Mérizzi

Saved by Stéphane-Gabriel Mérizzi

on Aug 16, 13