A quick guide to Windows Management Instrumentation (WMI)

The platform for managing information and activities in Windows-based operating systems is called Windows Management Instrumentation (WMI).

WMI also provides management data for other operating system components and products such as SCOM (System Center Operations Manager) or Windows Remote Management.

What is Windows Management Instrumentation (WMI)?

WMI is a platform for managing and monitoring the operating system and other Microsoft applications and services on personal computers, servers, and other network devices.

WMI provides a comprehensive, scalable, and easy-to-use programming interface that provides programmatic access to information and services on Microsoft-managed computers and other network devices.

It is used to detect and monitor the operating system, services and applications on a computer, as well as registry and file system data. It is also used to create and manage scripts and programs that automate the management and administration of a computer.

It uses WQL (WMI Query Language) to query information and perform operations on the operating system, computers, and devices.

It is also accessible from PowerShell, one of the most powerful and flexible administration tools for Windows, which you can use to create automation scripts.

In addition, WMI allows you to create custom applications that provide additional functionality for managing and administering Windows systems and applications.

Users who need to monitor the health of their computers, troubleshoot basic problems, and collect performance data will find WMI handy.

What is the purpose of WMI?

WMI is useful in a Windows corporate network because it simplifies the operation and management of corporate network components by passing data to other products for further expansion and scaling.

The whole purpose of WMI is to provide a unified control structure for all aspects of the Windows system such as:

  • Operating system components
  • Processes and Threads
  • Services
  • Devices
  • Drivers
  • Applications
  • User accounts
  • Security Settings

WMI was created to reduce the cost and time of operations and development associated with Windows systems. WMI also allows you to monitor system events and collect performance data. You can use this data for troubleshooting or to track trends over time.

WMI is most often used to automate administrative work and gain access to data without interacting directly with the operating system. As a result, WMI is a fantastic alternative for administrators and software developers who need to automate time-consuming processes.

Everything is possible with it, from system performance monitoring to application data collection. This allows developers to create smarter and smarter applications and also ensures that IT administrators can complete their tasks with minimal effort.

WMI provides a reference implementation for accessing system information and is a key tool for managing and monitoring Windows systems. It is the cornerstone of Azure Machine Learning and AzureML and is used to support a wide range of third party products.

Using WMI

Windows Management Instrumentation (WMI) is Microsoft's implementation of Web-Based Enterprise Management (WBEM), an industry initiative to develop standardized technologies for accessing management information in an enterprise environment.

WMI represents systems, applications, networks, devices, and other managed components using the Common Information Model (CIM) industry standard. The Distributed Management Task Force (DMTF) creates and maintains the CIM.

The WMI framework is versatile, supports a wide range of administration and management tasks, and provides a flexible and extensible architecture that allows vendors to create new WMI providers to support new devices, applications, and other enhancements.

Other uses:

  • Comprehensive management of the Windows operating system and Microsoft network devices and services.
  • Connecting to remote computers to access WMI data.
  • Discovering information about the system, such as what programs are running and what services are configured.
  • Retrieving hardware specifications and performing actions such as shutting down or rebooting the system.
  • Launch applications, start, stop, configure services, and access data.
  • Management application developers can use this API to create scripts in Visual Basic or Windows Scripting Host (WSH).

WMI architecture

WMI (Windows Management Instrumentation) is a Microsoft technology originally introduced with Windows 2000. It allows programmers to create management programs that work with any system that supports WMI.

Let's take a look at the WMI architecture and terminology.

The WMI architecture flow starts with objects: a component such as a hard drive, network card, operating system, or service is a managed object (one that can be managed through WMI). The WMI infrastructure receives data from an object through a provider. The provider receives messages from WMI and passes them to the object.

The WMI provider includes a DLL and a Managed Object Format (MOF) file that tracks events and data from objects. WMI classifies providers according to the functionality provided by the provider's interface.

Windows has many built-in WMI providers, including the Active Directory provider, Boot Configuration Data (BCD) WMI provider, Distributed File System (DFS) provider, Event Log provider, Hyper-V WMI provider, Win32 provider, Registry provider, and SNMP provider.

The WMI infrastructure is a component of the Microsoft Windows operating system known as the WMI service (winmgmt). The WMI Core and the WMI Repository are two parts of the WMI infrastructure.

The WMI repository is a hierarchical data store organized by WMI namespaces, often referred to as the Common Information Model (CIM) repository. The WMI service sets up a number of namespaces at system startup, including root\default, root\cimv2, and root\subscription.

In addition, the service creates a default set of class definitions that includes the Win32 and WMI system classes. Other WMI namespaces can be created by additional WMI providers, and each namespace contains multiple WMI objects.

The WMI service acts as an intermediary between providers, managing applications, and the WMI repository. The repository only stores static data about objects, such as classes defined by providers. WMI dynamically receives most of the data from the provider when the client requests it.
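The namespace hierarchy and the static data held in the repository can be inspected directly. The following is an added example, not code from the original article; it assumes Windows PowerShell 5.1 (where Get-WmiObject is available), and the function name Get-WmiNamespace is hypothetical.

```powershell
# Added example (not from the original article). Assumes Windows PowerShell 5.1;
# some namespaces are readable only from an elevated session.

# Walk the namespace tree: each namespace exposes its children as
# instances of the __NAMESPACE system class.
function Get-WmiNamespace {
    param([string]$Namespace = 'root')
    Get-WmiObject -Namespace $Namespace -Class __NAMESPACE -ErrorAction SilentlyContinue |
        ForEach-Object {
            $child = '{0}\{1}' -f $Namespace, $_.Name
            $child                               # emit this namespace
            Get-WmiNamespace -Namespace $child   # then descend into it
        }
}

# Namespace inventory with the number of class definitions stored in each.
Get-WmiNamespace | Sort-Object | ForEach-Object {
    [pscustomobject]@{
        Namespace  = $_
        ClassCount = @(Get-WmiObject -Namespace $_ -List -ErrorAction SilentlyContinue).Count
    }
}

# root\subscription holds permanent event subscriptions as static instances:
# a filter (WQL event query), a consumer (action), and a binding joining them.
$ns = 'root\subscription'
Get-WmiObject -Namespace $ns -Class __EventFilter |
    Select-Object Name, EventNamespace, Query
Get-WmiObject -Namespace $ns -Class __EventConsumer |
    Select-Object __CLASS, Name
Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
    Select-Object Filter, Consumer
```

Saving this output on a known-good system gives a baseline to compare against when reviewing which namespaces and subscriptions exist on other hosts.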

A WMI consumer is a management application or script that interacts with the WMI infrastructure. Using the COM API for WMI or the Scripting API for WMI, the management program can query and enumerate data, run provider methods, and subscribe to events.

WMI provides a standardized interface for obtaining management data remotely and locally. The single interface abstracts away the application programming interfaces (APIs) of the operating system. This allows applications and scripts to collect management data without having to know about the operating system APIs.

How to run a WMI query?

A feature of the WMI platform's versatility is the ability to query its repository for detailed information about a class, instance, or schema data. These metrics are related to the inventory of local and remote systems, operating systems, software, and other administrative activities.

Request type

In general, there are two types of queries used to retrieve information from a WMI repository:

Synchronous request: This is a request that retains control of your application for the duration of the request. It is simpler than an asynchronous call, since only one interface call is required. However, for large searches or network requests, it can cause your application to freeze.

Asynchronous request: When requesting a large amount of data would affect system or network speed, an asynchronous request is the preferred method.

WQL (WMI Query Language)

One of the popular WMI query methods is the WMI Query Language.

SQL (Structured Query Language) is used in the database environment and WQL is used in WMI. They both have a similar syntactic structure.

Select, From, and Where are the main WQL keywords used to build a query.

A typical WMI query starts by selecting all properties from a WMI class using the Select command. An asterisk ("*") is used to select each property from the WMI class. You can use the "From" keyword to specify the WMI class to query after selecting properties (one or more properties, or all of them). You can check the exact syntax in the SQL cheat sheet.

WQL can be launched through WMI Tester (wbemtest.exe), which is installed by default with the Windows operating system. WMI queries can also be made using Windows PowerShell, VBScript, and the C language.

WQL query type

WQL queries are used to retrieve three different types of information.

Object Queries: These queries can be used to get information about Windows system resources.

Event Queries: These queries are used to monitor changes in event logs, process startups, service status, computer availability or free disk space, and other objects or events.

Schema Queries: These queries are used to obtain detailed information about the WMI schema structure.
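The three query types side by side, as an added example that is not part of the original article. It assumes Windows PowerShell 5.1 (Get-WmiObject and Register-WmiEvent are not available in PowerShell 7) and the root\cimv2 namespace; the source identifier 'ProcStart', the 30-second window and the process name in the filter are arbitrary choices.

```powershell
# Added example (not from the original article); Windows PowerShell 5.1.
$ns = 'root\cimv2'

# 1. Object query: SELECT / FROM / WHERE returns instances of a class.
$objQuery = "SELECT ProcessId, Name, CommandLine FROM Win32_Process " +
            "WHERE Name = 'powershell.exe'"
Get-WmiObject -Namespace $ns -Query $objQuery |
    Select-Object ProcessId, Name, CommandLine

# 2. Schema query: meta_class returns the class definition, not instances.
$schemaQuery = "SELECT * FROM meta_class WHERE __Class = 'Win32_Process'"
Get-WmiObject -Namespace $ns -Query $schemaQuery |
    ForEach-Object { $_.Properties | Select-Object Name, Type }

# 3. Event query: WMI polls every 2 seconds (WITHIN 2) and raises an event
#    for each newly created Win32_Process instance, i.e. each process start.
$evtQuery = "SELECT * FROM __InstanceCreationEvent WITHIN 2 " +
            "WHERE TargetInstance ISA 'Win32_Process'"
Register-WmiEvent -Namespace $ns -Query $evtQuery -SourceIdentifier 'ProcStart'
try {
    $deadline = (Get-Date).AddSeconds(30)        # observe for 30 seconds
    while ((Get-Date) -lt $deadline) {
        $e = Wait-Event -SourceIdentifier 'ProcStart' -Timeout 5
        if ($null -eq $e) { continue }           # nothing started in this window
        $p = $e.SourceEventArgs.NewEvent.TargetInstance
        '{0:o} pid={1} ppid={2} {3}' -f $e.TimeGenerated, $p.ProcessId,
            $p.ParentProcessId, $p.CommandLine
        Remove-Event -EventIdentifier $e.EventIdentifier
    }
}
finally {
    # Always remove the temporary subscription when done.
    Unregister-Event -SourceIdentifier 'ProcStart'
}
```

Because the event query polls, a process that starts and exits between two polling intervals can be missed; a shorter WITHIN value narrows that gap at the cost of more load.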

Execution of a request

Let's see how to run an object query.

The following method shows how to list Win32 processes on the local system.

The WMI Tester tool is launched through the command line by typing wbemtest.exe.

The WMI Tester window will appear.

To connect to the WMI namespace that contains the class you want to query (root\cimv2 in most cases), click the connections tab.

To execute a query, click the Query tab.

Then enter the request for which you want to receive information. For example, let's get all the processes running on the local system by running:

select * From Win32_process

After clicking on the Apply tab, the query results are displayed.

The above GUI-based execution can also be done on the command line via PowerShell:

In PowerShell, to get a list of all Win32 processes, use the following code:

Get-WmiObject -Class Win32_Process

To get all the PowerShell query options, visit the Manage Microsoft PowerShell page.

To run this query in VBScript and C, the Microsoft Documentation Page will give you a complete understanding.

Another way to query the WMI repository is with the WMIC command:

  • Open Command Prompt (CMD)
  • Type WMIC and press Enter to run the program
  • The command line will then change to wmic:root\cli>

Administrators can run WMI queries from this prompt.

For example, to load information about the processor of the local system, the command would be:

wmic:root\cli>CPU

The results/information will be displayed on the command line.

AddressWidth  Architecture  AssetTag                Availability  Caption                                 Characteristics  ConfigManagerErrorCode  ConfigManagerUserConfig  CpuStatus  CreationClassName  CurrentClockSpeed  CurrentVoltage  DataWidth  Description                             DeviceID  ErrorCleared  ErrorDescription  ExtClock  Family  InstallDate  L2CacheSize  L2CacheSpeed  L3CacheSize  L3CacheSpeed  LastErrorCode  Level  LoadPercentage  Manufacturer  MaxClockSpeed  Name                                      NumberOfCores  NumberOfEnabledCore  NumberOfLogicalProcessors  OtherFamilyDescription  PartNumber              PNPDeviceID  PowerManagementCapabilities  PowerManagementSupported  ProcessorId       ProcessorType  Revision  Role  SecondLevelAddressTranslationExtensions  SerialNumber            SocketDesignation  Status  StatusInfo  Stepping  SystemCreationClassName  SystemName  ThreadCount  UniqueId  UpgradeMethod  Version  VirtualizationFirmwareEnabled  VMMonitorModeExtensions  VoltageCaps
64            9             To Be Filled By O.E.M.  3             Intel64 Family 6 Model 142 Stepping 10  252                                                               1          Win32_Processor    1801               7               64         Intel64 Family 6 Model 142 Stepping 10  CPU0                                      100       205                  1024                       6144         0                            6      31              GenuineIntel  1801           Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz  4              4                    8                                                  To Be Filled By O.E.M.                                            FALSE                     BFEBFBFF000806EA  3                        CPU   TRUE                                     To Be Filled By O.E.M.  U3E1               OK      3                     Win32_ComputerSystem     RENEE-HP     8                      51                      FALSE                          TRUE

For more information about WMIC aliases and verbs, visit the Microsoft wmic website.

Frequently Asked Questions About WMI

What ports are used in WMI?

Ports 49152 through 65535 are used. The Distributed Component Object Model (DCOM), on which WMI is based, by default uses a randomly selected TCP port between 49152 and 65535 for connections.

Is WMI deprecated?

WMI is still supported. Starting with Windows 10 version 21H1 and Windows Server 21H1 Semi-Annual Channel, the WMI Command Line Tool (WMIC) is no longer supported.

What are WMI monitoring tools?

There are many tools for monitoring WMI. However, some of them are especially popular:

  • SolarWinds WMI Monitor with Server and Application Monitor
  • Paessler WMI service sensor with PRTG
  • Nagios XI
  • Sapien WMI Browser
  • Free tools: WMI Explorer, Adrem Free WMI Tools

How to fix problems with WMI

When you try to access local or remote WMI data in an application or script, you may see errors ranging from missing classes to access violations. Check the Microsoft WMI Troubleshooting Guide to get solutions to such errors.

Summary

All in all, Windows Management Instrumentation is a powerful tool that can be used to manage a wide range of different functions related to the Windows system. WMI can be a very useful tool for anyone dealing with Windows systems, even though it may seem intimidating at first.
