Alexis Kestler
Windows Management Instrumentation (WMI) is a framework for management information and activities on Windows-based operating systems. WMI provides management data to other components of the operating system and products, such as System Center Operations Manager (SCOM) or Windows Remote Management.
What is Windows Management Instrumentation (WMI)?
WMI is a platform for managing and monitoring the operating system and other Microsoft applications and services on personal computers, servers, and other network devices.
WMI provides a comprehensive, scalable, and easy-to-use programming interface that delivers programmatic access to information and services on Microsoft-managed computers and other network devices.
It is used to discover and monitor the operating system, services, and applications on the computer, as well as registry and file system data. It is also used to create and manage scripts and programs that automate the management and administration of the computer.
It utilizes the WQL (Windows Query Language) programming language to query information and conduct operations on the operating system, computers, and devices.
It also provides access to PowerShell, one of the most powerful and flexible administration tools for Windows, which you can use to create automation scripts.
Furthermore, WMI enables you to build custom applications that provide additional functionality for the management and administration of Windows systems and applications.
Users who need to monitor their machines‘ state, do basic troubleshooting, and collect performance data will find WMI useful.
What is the purpose of WMI?
WMI is useful in a Windows enterprise network because it simplifies the operation and management of enterprise network components by providing data to other products for further enhancement and scalability. The whole purpose of WMI is to deliver a unified management framework experience across all aspects of a Windows system, such as:
- Operating system components
- Processes and threads
- Services
- Devices
- Drivers
- Applications
- User accounts
- Security settings
The purpose of the WMI invention leads to reduced cost and time in operations and development related to Windows systems. WMI also enables you to monitor system events and collect performance data. This data can be used to troubleshoot problems or track trends over time.
WMI is most commonly used to automate administrative chores and gain access to data without dealing directly with the operating system API. As a result, WMI is a great alternative for administrators and software developers who need to automate time-consuming processes.
Everything from monitoring system performance to acquiring application data is possible with it. It allows developers to create smarter, more intelligent applications while also ensuring IT administrators can complete their tasks with minimal effort.
WMI provides a reference implementation for accessing system information and is a key tool for managing and monitoring Windows systems. It‘s the cornerstone for Azure Machine Learning and AzureML, and it‘s used to power a wide range of third-party products.
Use of WMI
Windows Management Instrumentation (WMI) is Microsoft‘s implementation of Web-Based Enterprise Management (WBEM), an industry initiative to develop standardized technologies for accessing enterprise management information.
WMI represents systems, applications, networks, devices, and other managed components using the Common Information Model (CIM) industry standard. The Distributed Management Task Force (DMTF) creates and maintains CIM.
WMI‘s design is versatile, supporting a wide range of management and administration tasks, as well as providing a flexible and extensible architecture that allows manufacturers to write new WMI providers to support new devices, applications, and other advancements.
Other uses are:
- Comprehensive management of Windows operating system and Microsoft networking devices and services.
- It can be used to connect to remote computers to access WMI data
- Discovers information about the system, such as what programs are running and what services are set up.
- To retrieve information about hardware specifications and perform actions, such as shutting down or rebooting the system.
- Launching applications, starting, stopping, configuring services, and accessing data.
- Developers of management applications can use this API to create scripts in Visual Basic or Windows Scripting Host (WSH).
WMI Architecture
WMI (Windows Management Instrumentation) is a Microsoft technology initially introduced in Windows 2000. It allows programmers to build management applications that work with any system supporting WMI.
Let‘s look at the architecture and terminology of WMI.
The flow of WMI architecture starts from Objects: A component such as a hard drive, network card, Operating System, or service is a managed object (that can be managed via WMI). WMI infrastructure receives data from an object through a provider. It provides and receives messages from WMI and passes them to the object.
A WMI provider consists of a DLL and a Managed Object Format (MOF) file that monitors events and data from objects. WMI categorizes providers according to the functionality provided by the provider’s interface. There are numerous built-in WMI providers in Windows, including an Active Directory provider, Boot Configuration Data (BCD) WMI provider, Distributed File System (DFS) provider, Event Log provider, Hyper-V WMI provider, Win32 provider, Registry provider, and SNMP provider.
The WMI infrastructure is a component of the Microsoft Windows operating system known as the WMI service (winmgmt). The WMI Core and the WMI Repository are the two parts of the WMI infrastructure.
The WMI repository is a hierarchical data store organized by WMI namespaces, often known as the Common Information Model (CIM). The WMI service establishes several namespaces upon system startup, including root\default, root\cimv2, and root\subscription.
In addition, the service produces a default set of class definitions, including the Win32 and WMI system classes. Other WMI namespaces may be created by additional WMI providers, and each namespace contains multiple WMI objects.
The WMI service acts as an intermediary between the providers, management applications, and the WMI repository. Only static data about objects is stored in the repository, such as the classes defined by providers. WMI obtains most data dynamically from the provider when a client requests it.
A WMI consumer is a management application or script that communicates with the WMI infrastructure. Using the COM API for WMI or the Scripting API for WMI, a management program can query, enumerate data, invoke provider methods, and subscribe to events.
WMI creates a standardized interface for locally and remotely retrieving management data. The uniform interface abstracts from the operating system‘s application programming interfaces (APIs). This allows applications and scripts to collect management data without needing to know about the operating system API.
How to Run a WMI Query
A feature of the WMI platform‘s versatility is the ability to query its repository to obtain details about the class, instance, or schema data. These metrics relate to the inventory of local and remote systems, operating systems, software, and other administrative activities.
Types of Queries
Broadly there are two types of queries used to retrieve information from the WMI repository:
Synchronous Query: It is a query that keeps control of your application‘s flow throughout the query. It is easier than an asynchronous call because it only takes one interface call. For large queries or network-based queries, however, it may freeze up your application.
Asynchronous Query: When the speed of a system or network will be impacted by querying a large amount of data, an Asynchronous query is a preferable type to use.
WQL (WMI Query Language)
One of the popular methods to query WMI is the WMI Query Language. SQL (Structured Query Language) is used in the database environment, and WQL is used in WMI. They both have similar syntax structures.
Select, From, and Where are the fundamental WQL statements used to initiate the query.
A typical WMI query starts by selecting all the properties from a WMI class using the "Select" command. The asterisk ("*") is used to select every property from a WMI class. You can use the "From" keyword to specify the WMI class to query after choosing the properties (one or more properties, or all of them). You can check the SQL cheatsheet for the exact syntax.
WQL can be executed through WMI Tester (wbemtest.exe), which is installed by default with the Windows operating system. WMI queries can also be executed through Windows PowerShell, VBScript, and C language.
Types of WQL Queries
The WQL queries are used to retrieve three different types of information:
Object Queries: Information about Windows system resources can be retrieved using these queries.
Event Queries: These queries are used to track changes to event logs, the starting of processes, the status of services, the availability of computers, or the amount of free disk space, among other entities or occurrences.
Schema Queries: These queries are used to obtain details about the structure of the WMI schema.
Running a Query
Let‘s see how to run an object query.
The following method shows how to check WIN_32 processes on a local system. The tool WMI Tester is run from the command line by entering wbemtest.exe.
The following window will pop up:
To connect to the WMI namespace that contains the class you want to query (Root\Cimv2 in most cases): click on the connect tab.
To run the query, click on the ‘Query‘ tab as shown below:
Then enter the query for which you want to retrieve the information. For example, let‘s retrieve all processes running on the local system by running:
select * From Win32_process After clicking the apply tab, you will get the below results:
The above GUI-based execution can also be carried out at the command prompt through PowerShell:
In the PowerShell platform, to get the list of all win_32 processes, the below code is used:
Get-WmiObject -Class Win32_ProcessTo get all the PowerShell query parameters, visit the Microsoft PowerShell Management page.
To run this query in VBScript and C language, the Microsoft documentation page would provide complete insights.
One other method to query the WMI repository is through the WMIC command:
- Run CMD from a command prompt
- Type WMIC and enter to start the program
- Then the command prompt will change to
wmic:root\cli>
Admins can run WMI queries from this prompt.
For example, to load CPU information of a local system, the command will be:
wmic:root\cli> WMIC CPUThe results/information will be displayed in the command prompt:
AddressWidth Architecture AssetTag Availability Caption Characteristics ConfigManagerErrorCode ConfigManagerUserConfig CpuStatus CreationClassName CurrentClockSpeed CurrentVoltage DataWidth Description DeviceID ErrorCleared ErrorDescription ExtClock Family InstallDate L2CacheSize L2CacheSpeed L3CacheSize L3CacheSpeed LastErrorCode Level LoadPercentage Manufacturer MaxClockSpeed Name NumberOfCores NumberOfEnabledCore NumberOfLogicalProcessors OtherFamilyDescription PartNumber PNPDeviceID PowerManagementCapabilities PowerManagementSupported ProcessorId ProcessorType Revision Role SecondLevelAddressTranslationExtensions SerialNumber SocketDesignation Status StatusInfo Stepping SystemCreationClassName SystemName ThreadCount UniqueId UpgradeMethod Version VirtualizationFirmwareEnabled VMMonitorModeExtensions VoltageCaps
9 To Be Filled By O.E.M. 3 Intel64 Family 6 Model 142 Stepping 10 252 1 Win32_Processor 1801 7 64 Intel64 Family 6 Model 142 Stepping 10 CPU0 100 205 1024 6144 0 6 31 GenuineIntel 1801 Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz 4 4 8 To Be Filled By O.E.M. FALSE BFEBFBFF000806EA 3 CPU TRUE To Be Filled By O.E.M. U3E1 OK 3 Win32_ComputerSystem RENEE-HP 8 51 FALSE TRUEFor more information about WMIC Alias and verbs, visit Microsoft wmic.
FAQs on WMI
What are the ports used in WMI?
The ports used are 49152 and 65535. The Distributed Component Object Model (DCOM), on which WMI is based, employs a randomly chosen TCP port for connections between the range of 49152 and 65535 by default.
Is WMI Deprecated?
WMI is still supported. As of Windows 10, version 21H1, and the 21H1 semi-annual channel release of Windows Server, the WMI command-line (WMIC) program is no longer supported.
What are WMI monitoring tools?
There are many tools available to monitor WMI. However, a handful of particularly popular ones are:
- SolarWinds WMI Monitor with Server and Application Monitor
- Paessler WMI Service Sensor with PRTG
- Nagios XI
- Sapien WMI Explorer
- Free Tools are WMI Explorer, Adrem Free WMI Tools
How to troubleshoot WMI issues
You may see errors ranging from missing classes to access violations while attempting to access WMI local or remote data in an application or script. Check the Microsoft WMI troubleshooting guide to get solutions to such errors.
Conclusion
In general, Windows Management Instrumentation is a powerful tool that can be used to manage a wide range of different Windows system-related capabilities. WMI can be a very helpful tool for anyone working with Windows systems, despite initially seeming daunting.
