Content

Introduction to WMI Basics with PowerShell Part 2 (Exploring WMI using WMI and CIM Cmdlets)

In the previous blog post I covered how to explorer WMI using a GUI tool, now lets look at how to explorer WMI first using the WMI Cmdlets that are found in PowerShell v2 and PowerShell v3, then we will look at how to use CIM Cmdlets that where introduced in PowerShell v3 and the improvements Microsoft did to make using WMI even better in PowerShell v3.

Exploring WMI with WMI Cmdlets

Lets first lets look at the WMI Cmdlets that are available to us using the Get-Command cmdlet:

Get-Command-nounwmi*

PS C:> Get-Command -Noun wmi*

CommandType Name ModuleName
———– —- ———-
Cmdlet Get-WmiObject Microsoft.PowerShell.Management
Cmdlet Invoke-WmiMethod Microsoft.PowerShell.Management
Cmdlet Register-WmiEvent Microsoft.PowerShell.Management
Cmdlet Remove-WmiObject Microsoft.PowerShell.Management
Cmdlet Set-WmiInstance Microsoft.PowerShell.Management

When working with WMI Cmdlets the most used one is the Get-WmiObject. Lets start by exploring and enumerating the different Namespaces. On the GUI this are the ones shown in a folder structure:

image

Lets look at all the Namespaces under Root by looking at the __namespace class:

Get-WmiObject-Class__Namespace-Namespaceroot|selectname

PS C:> Get-WmiObject -Class __Namespace -Namespace root | select name

name
—-
subscription
DEFAULT
CIMV2
msdtc
Cli
nap
SECURITY
SecurityCenter2
RSOP
StandardCimv2
WMI
directory
Policy
Interop
Hardware
ServiceModel
SecurityCenter
ThinPrint
Microsoft
aspnet

Now that we enumerated the namespaces under root we can look at the other namespaces by just appending them to the original namespace we queried allowing us to navigate the namespaces:

Get-WmiObject-Class__Namespace-NamespacerootCIMV2|selectname

PS C:> Get-WmiObject -Class __Namespace -Namespace rootCIMV2 | select name

name
—-
Security
power
ms_409
TerminalServices
Applications

Now lets look at enumerating the Classes under the namespace, this is done by using the –list parameter. The list parameter does provide one flexibility most free GUI do not provide and this is filtering the class names using wildcards:

Get-WmiObject-list*account*

PS C:> Get-WmiObject -list *account*

NameSpace: ROOTcimv2

Name Methods Properties
—- ——- ———-
MSFT_NetBadAccount {} {SECURITY_DESCRIPTOR, TIME_CREATED}
Win32_Account {} {Caption, Description, Domain, InstallDate…
Win32_UserAccount {Rename} {AccountType, Caption, Description, Disabled.
Win32_SystemAccount {} {Caption, Description, Domain, InstallDate…
Win32_AccountSID {} {Element, Setting}

To list all the classes we just use * as the wildcard to have it list all classes, we can choose what name space to enumerate using the –namespace parameter.

Get-WmiObject-list*sensor*-Namespacerootcimv2power

PS C:> Get-WmiObject -list *sensor* -Namespace rootcimv2power

NameSpace: ROOTcimv2power

Name Methods Properties
—- ——- ———-
CIM_Sensor {RequestStateChan… {AdditionalAvailability, Availability, AvailableRequestedStates,…
CIM_NumericSensor {RequestStateChan… {Accuracy, AdditionalAvailability, Availability, AvailableReques…

To get details on a class it is not as simple as a single command:

(gwmi-listwin32_service-Amended).qualifiers |Selectname,value|ft-AutoSize-Wrap

PS C:> (gwmi -list win32_service -Amended).qualifiers | Select name, value | ft -AutoSize -Wrap

Name Value
—- —–
Description The Win32_Service class represents a service on a Win32 computer system. A service application conforms to
the interface rules of the Service Control Manager (SCM) and can be started by a user automatically at
system boot through the Services control panel utility, or by an application that uses the service functions
included in the Win32 API. Services can execute even when no user is logged on to the system.
DisplayName Services
dynamic True
Locale 1033
provider CIMWin32
SupportsUpdate True
UUID {8502C4D9-5FBB-11D2-AAC1-006008C78BC7}

To simplify the process of getting information on a class I recommend that you create a function like the following and place it in your user PowerShell profile in %UserProfile%My DocumentsWindowsPowerShellprofile.ps1 :

functionGet-WMIClassInfo

{

 

param(

 

[string]$className

)

(

Get-WmiObject-list$className-Amended).qualifiers |Select-Objectname,value

}

This will make the function available to aid in getting information about classes:

Get-WMIClassInfowin32_process|ft-AutoSize-Wrap

PS C:> Get-WMIClassInfo win32_process | ft -AutoSize -Wrap

Name Value
—- —–
CreateBy Create
DeleteBy DeleteInstance
Description The Win32_Process class represents a sequence of events on a Win32 system. Any sequence consisting of the
interaction of one or more processors or interpreters, some executable code, and a set of inputs, is a
descendent (or member) of this class.
Example: A client application running on a Win32 system.
DisplayName Processes
dynamic True
Locale 1033
provider CIMWin32
SupportsCreate True
SupportsDelete True
UUID {8502C4DC-5FBB-11D2-AAC1-006008C78BC7}

In WMI a class can have 2 types of states:

 

  • Class it self with its own list of Static Methods and Properties.

 

  • Class Instances  these are the representation of state of several components of the OS or Hardware that are reference under the class.

 

 

One good way to illustrate this would be to look at the Win32_Process class, lets look at the class it self for thise we use with the Get-WmiObject cmdlet the –list paramter and the name of the class to get only the class itself and look at the methods we have available:

Get-WmiObject-listwin32_process|Get-Member-MemberTypeMethod

PS C:> Get-WmiObject -list win32_process  | Get-Member -MemberType Method

TypeName: System.Management.ManagementClass#ROOTcimv2Win32_Process

Name MemberType Definition
—- ———- ———-
Create Method System.Management.ManagementBaseObject Create(System.String Commandline …

As we can see we only have one and it is to create a process. We can even use it to create say a notepad.exe process:

$win32proc=Get-WmiObject-listwin32_process$win32proc.Create(“notepad.exe”)

PS C:> $win32proc = Get-WmiObject -list win32_process
PS C:> $win32proc.Create("notepad.exe")

__GENUS : 2
__CLASS : __PARAMETERS
__SUPERCLASS :
__DYNASTY : __PARAMETERS
__RELPATH :
__PROPERTY_COUNT : 2
__DERIVATION : {}
__SERVER :
__NAMESPACE :
__PATH :
ProcessId : 3332
ReturnValue : 0
PSComputerName :

A return value of 0 means that it ran successfully and notepad should pop in you taskbar on Windows. When we look at instances we just use the –Class parameter with the Get-WmiObject cmdlet and give it the class we want to get the instances off, when we look at the methods we see we get a different set of methods since we are now working with an instance of each of the running processes on the system:

Get-WmiObject-Classwin32_process|Get-Member-MemberTypemethod

PS C:> Get-WmiObject -Class win32_process | Get-Member -MemberType method

TypeName: System.Management.ManagementObject#rootcimv2Win32_Process

Name MemberType Definition
—- ———- ———-
AttachDebugger Method System.Management.ManagementBaseObject AttachDebugger()
GetOwner Method System.Management.ManagementBaseObject GetOwner()
GetOwnerSid Method System.Management.ManagementBaseObject GetOwnerSid()
SetPriority Method System.Management.ManagementBaseObject SetPriority(System.Int32 Priority)
Terminate Method System.Management.ManagementBaseObject Terminate(System.UInt32 Reason)

 

Exploring WMI with CIM cmdlets

We can see on the latest versions of Windows (Windows 8 and Windows 2012) that Microsoft is advancing its implementation of an open standard for management with Common Information Model (CIM) by integrating it with Windows Remote Management v3 that are part of the Windows Management Framework 3. We can see this in the new Server Manager tool where it uses WinRM for management on Windows 2012. WinRM being based on Microsoft implementation of WS-Management Protocol, a standard Simple Object Access Protocol (SOAP)-based, firewall-friendly protocol that allows hardware and operating systems, from different vendors, to interoperate. This is a shift to provide more interoperability with other platforms and products and Microsoft provides a new set of cmdlets for this.

We can use the Get-Command cmdlet to list the CIM cmdlets that are available in PowerShell v3:

Get-Command-moduleCimCmdlets

PS C:> Get-Command -module CimCmdlets

CommandType Name ModuleName
———– —- ———-
Cmdlet Get-CimAssociatedInstance CimCmdlets
Cmdlet Get-CimClass CimCmdlets
Cmdlet Get-CimInstance CimCmdlets
Cmdlet Get-CimSession CimCmdlets
Cmdlet Invoke-CimMethod CimCmdlets
Cmdlet New-CimInstance CimCmdlets
Cmdlet New-CimSession CimCmdlets
Cmdlet New-CimSessionOption CimCmdlets
Cmdlet Register-CimIndicationEvent CimCmdlets
Cmdlet Remove-CimInstance CimCmdlets
Cmdlet Remove-CimSession CimCmdlets
Cmdlet Set-CimInstance CimCmdlets

Another advantage in addition to using WinRM and also being able to connect to other platforms like Linux or Network equipment that conforms to the CIM standard Microsoft added tab completion for class names and properties in the CIM cmdlets allowing for simpler discovery of classes.  To list namespaces we would use the Get-CimInstance cmdlet, we can use the tab completion by doing Get-CimInstance __name<tab> and have it auto complete it:

Get-CimInstance__namespace

PS C:> Get-CimInstance __namespace

Name PSComputerName
—- ————–
Security
power
ms_409
TerminalServices
Applications

If we do not specify a namespace with the –namespace parameter it will enumerate the default one of RootCIMv2.

For enumerating classes we use the Get-CimClass cmdlet:

Get-CimClass-ClassName*account*

PS C:> Get-CimClass -ClassName *account*

NameSpace: ROOT/CIMV2

CimClassName CimClassMethods CimClassProperties
———— ————— ——————
MSFT_NetBadAccount {} {SECURITY_DESCRIPTOR, TIME_CREATED}
Win32_Account {} {Caption, Description, InstallDate, Name…}
Win32_UserAccount {Rename} {Caption, Description, InstallDate, Name…}
Win32_SystemAccount {} {Caption, Description, InstallDate, Name…}
Win32_AccountSID {} {Element, Setting}

As we can see Microsoft even made it simpler for us by showing the Class Methods and Class properties. But in addition to allowing us to search by class name we can also search by property name and method name giving us more flexibility because there is so much less to type:

Get-CimClass-MethodNamecreate

PS C:> Get-CimClass -MethodName create

NameSpace: ROOT/cimv2

CimClassName CimClassMethods CimClassProperties
———— ————— ——————
Win32_Process {Create, Terminat… {Caption, Description, InstallDate, Name…}
Win32_ScheduledJob {Create, Delete} {Caption, Description, InstallDate, Name…}
Win32_DfsNode {Create} {Caption, Description, InstallDate, Name…}
Win32_BaseService {StartService, St… {Caption, Description, InstallDate, Name…}
Win32_SystemDriver {StartService, St… {Caption, Description, InstallDate, Name…}
Win32_Service {StartService, St… {Caption, Description, InstallDate, Name…}
Win32_TerminalService {StartService, St… {Caption, Description, InstallDate, Name…}
Win32_Share {Create, SetShare… {Caption, Description, InstallDate, Name…}
Win32_ClusterShare {Create, SetShare… {Caption, Description, InstallDate, Name…}
Win32_ShadowCopy {Create, Revert} {Caption, Description, InstallDate, Name…}
Win32_ShadowStorage {Create} {AllocatedSpace, DiffVolume, MaxSpace, UsedSpace…}

For getting the instances of a class we use the Get-CimInstance, as you can see in the WMI cmdlets the Get-WmiObject is the Swiss Army knife that allows you to do most of the  tasks related to WMI while on CIM the tasks have been split in to cmdlets. Lets use the cmdlet to get all the instances for Win32_DiskDrive that represent each of the disk on the system:

PS C:> Get-CimInstance -ClassName Win32_DiskDrive | fl

Partitions : 2
DeviceID : \.PHYSICALDRIVE0
Model : VMware, VMware Virtual S SCSI Disk Device
Size : 64420392960
Caption : VMware, VMware Virtual S SCSI Disk Device

Now when it comes to the use of methods with CIM cmdlets the flexibility we had with WMI cmdlets is sadly missing, with WMI cmdlets when we got the class or the instances of the class as part of the object that was returned we also had methods to each that allowed us to invoke the method and have actions taken against what the class instace represented, with CIM objects we need to use the Invoke-CimMethod cmdlet. Lets look at the same example we used above where we created a notepad.exe process:

Invoke-CimMethodWin32_Process-MethodNamecreate-Arguments @{CommandLine=‘notepad.exe’}


x
PS C:> Invoke-CimMethod Win32_Process -MethodName create -Arguments @{CommandLine='notepad.exe'}

ProcessId ReturnValue PSComputerName
——— ———– ————–
2684 0

As it can be seen when a method is invoked with the CIM cmdlet we must provide it the name of the method and if this method takes a parameter we must specify the parameter in a Hash where the key is the parameter name. In WMI cmdlets we would use the invoke-wmimethod, they are similar in operation and getting used to CIM cmdlets just takes a little practice if you have been using WMI cmdlets on PowerShell v2 for a while. Lets look terminating all notepad.exe processes with WMI cmdlet and then with CIM cmdlets so you can see the similarities:

# WMI Cmdlet exampleInvoke-WmiMethod-Classwin32_Process-Namecreate-ArgumentListnotepad.exeGet-WmiObjectwin32_process-Filter“name=’notepad.exe'”|foreach {$_.terminate()}

 

 

# CIM Cmdlet exampleInvoke-CimMethodWin32_Process-MethodNamecreate-Arguments @{CommandLine=‘notepad.exe’}

 

Get-CimInstanceWin32_Process-Filter“name=’notepad.exe'”|Invoke-CimMethod-MethodNameterminate

PS C:> Invoke-WmiMethod -Class win32_Process -Name create -ArgumentList notepad.exe

__GENUS : 2
__CLASS : __PARAMETERS
__SUPERCLASS :
__DYNASTY : __PARAMETERS
__RELPATH :
__PROPERTY_COUNT : 2
__DERIVATION : {}
__SERVER :
__NAMESPACE :
__PATH :
ProcessId : 2668
ReturnValue : 0
PSComputerName :

PS C:> Get-WmiObject win32_process -Filter “name=’notepad.exe'” | foreach {$_.terminate()}

__GENUS : 2
__CLASS : __PARAMETERS
__SUPERCLASS :
__DYNASTY : __PARAMETERS
__RELPATH :
__PROPERTY_COUNT : 1
__DERIVATION : {}
__SERVER :
__NAMESPACE :
__PATH :
ReturnValue : 0
PSComputerName :

 

PS C:> Invoke-CimMethod Win32_Process -MethodName create -Arguments @{CommandLine=’notepad.exe’}

ProcessId ReturnValue PSComputerName
——— ———– ————–
3316 0

PS C:> Get-CimInstance Win32_Process -Filter “name=’notepad.exe'” | Invoke-CimMethod -MethodName terminate

ReturnValue PSComputerName
———– ————–
0

As you can see the cmdlets operate very similarly.

I invite you to use the Get-Help cmdlet against each of the cmdlets mentioned here to learn more about them. As always I hope you found the blogpost useful.

Carlos Perez

Carlos is currently the Principal Consultant, Team Lead for Research at TrustedSec and well-known for his research on both Metasploit and Windows Powershell. His blog www.darkoperator.com carries the tag line: “Shell Is Only The Beginning”.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.