

WMI recipes

See also: all the recipes and the intro

WMI is an RPC interface that allows controlling arbitrary processes, including the Windows kernel and subsystems.

 # WMI browsing (doesn't seem to work well)
https://www.microsoft.com/en-us/download/details.aspx?id=24045
# With PowerShell
get-WmiObject -class Msft_Providers | fl -property *
get-wmiObject -list | select-string Provider
# Developing a WMI provider
https://msdn.microsoft.com/en-us/library/aa390359%28v=vs.85%29.aspx
# __Win32Provider class
https://msdn.microsoft.com/en-us/library/aa394688%28v=vs.85%29.aspx
# instance provider registration
https://msdn.microsoft.com/en-us/library/aa394653%28v=vs.85%29.aspx
# MOF syntax for WMI classes
https://msdn.microsoft.com/en-us/library/windows/hardware/ff556400%28v=vs.85%29.aspx
# MOF data types
https://msdn.microsoft.com/en-us/library/aa392392%28v=vs.85%29.aspx
# MOF compiler
https://msdn.microsoft.com/en-us/library/aa392389%28v=vs.85%29.aspx
# WMI MOF provider review procedure
https://microsoft.sharepoint.com/teams/stdmgmt/Partner%20FAQ/Provider%20Reviews.aspx
# Powershell and WMI
https://www.powershellpro.com/powershell-tutorial-introduction/powershell-scripting-with-wmi/
# WMI errors and how to format them
https://msdn.microsoft.com/en-us/library/aa394559%28v=vs.85%29.aspx
To format a WMI error code as text, call FormatMessage and specify C:\Windows\System32\wbem\wmiutils.dll as the message module.

# read WMI from powershell
# -list enumerates the classes defined in a namespace rather than returning
# instances; pipe the result through select-string to filter by class name.
get-wmiObject -list -namespace "root\cimv2" | fl
get-wmiObject -list -namespace "root\cimv2" | select-string Terminal
# instances of a built-in class from the default root\cimv2 namespace
get-wmiObject Win32_DiskDrive -namespace "root\cimv2"
# root\cimv2\my holds custom classes — presumably registered by the author's
# own provider (see the provider-development links above); verify before reuse.
Get-WmiObject -Class "TargetForwarding" -namespace "root\cimv2\my"
Get-WmiObject -Class "TargetForwardingHistory" -namespace "root\cimv2\my"
get-wmiObject -Class "StopCollector" -namespace "root\cimv2\my"
# the new interface instead of Get-WmiObject
Get-CimInstance


# tool to enumerate WMI
wbemtest.exe

# Windows Management Instrumentation (WMI) Command-Line Utility;
# it can control many parts of the system
wmic.exe
# example: write a registry DWORD through the StdRegProv provider
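setlocal
rem Set the OEMBackground DWORD under the LogonUI\Background key through the
rem WMI StdRegProv registry provider (root\default namespace).
rem $KEY is built in two steps only for readability.
set "$KEY=SOFTWARE\Microsoft\Windows\CurrentVersion"
set "$KEY=%$KEY%\Authentication\LogonUI\Background"
set "$VALNAME=OEMBackground"
set "VAL=1"
rem StdRegProv hDefKey constants: &H80000001 is HKEY_CURRENT_USER and
rem &H80000002 is HKEY_LOCAL_MACHINE. The LogonUI key lives under HKLM, so
rem the previous value (&H80000001) silently wrote to the wrong hive.
rem Writing under HKLM normally requires an elevated prompt.
set "HIVE=&H80000002"
rem The trailing caret continues the command on the next line. The and/or
rem chain at the end only tests wmic.exe's own exit status, which may not
rem reflect the method's ReturnValue printed in its output; inspect
rem ReturnValue when a failed write matters. wmic.exe is deprecated on
rem current Windows; Invoke-CimMethod provides the same call from PowerShell.
wmic.exe /NAMESPACE:\\root\default Class StdRegProv Call^
    SetDWORDValue^
    hDefKey="%HIVE%"^
    sSubKeyName="%$KEY%"^
    sValueName="%$VALNAME%"^
    uValue="%VAL%"^
    && echo Success.||echo failed.
endlocal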