
Module 4

Windows Management Instrumentation

Module Overview

Explain the structure of the WMI repository
Configure and inspect WMI security
Retrieve WMI information using Windows PowerShell
Manipulate WMI objects within the Windows PowerShell pipeline
Locate and use WMI documentation on the Internet
Specify WMI filtering criteria

Lesson 1: Windows Management Instrumentation

Overview

Explain the structure of the WMI repository
Configure and inspect WMI security
Locate and use WMI documentation on the Internet

About WMI

WMI is a management technology that was first implemented in Windows NT 4.0

WMI seeks to present information in a standardized manner
WMI presents information in a manner consistent with the Common Information Model (CIM)
Consistency does not equal standardized: there are few hard-and-fast rules for software developers
WMI is implemented differently across different Microsoft and third-party products
Many WMI implementations are not well documented

Many PowerShell cmdlets wrap around WMI functionality
These cmdlets offer more administrator-friendly and task-specific uses and hide WMI's underlying complexities

You will primarily use WMI for retrieving management information about Windows, hardware, and applications

WMI Communications

WMI communications take place using the Remote Procedure Call (RPC) protocol
RPC leverages an endpoint mapper on the remote computer
This endpoint mapper enables WMI communications to start over a well-known TCP port (135), then shift to a random TCP port for the remainder of the conversation
This randomness makes firewall configuration challenging

The Windows Firewall supports a dynamic Remote Management exception
This exception will follow WMI's RPC traffic as it changes ports
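Because the port changes mid-conversation, the practical check is not "is a port open" but "is the WMI rule group enabled, does the endpoint mapper answer, and does a real WMI call complete". The following is an added example (not part of the course material) that performs those three checks; it assumes Windows 8 / Windows Server 2012 or later for the NetSecurity module and Test-NetConnection, and the host name is a placeholder.

```powershell
# Added example: verify the firewall side of WMI communications.
# Assumes Windows 8 / Server 2012 or later (Get-NetFirewallRule, Test-NetConnection).
$target = 'LON-SVR1'   # placeholder computer name

# The built-in rule group that follows WMI's RPC traffic across dynamic ports.
$wmiGroup = 'Windows Management Instrumentation (WMI)'

# 1. Inspect the rule group on the managed computer (run locally there).
#    Enabling the group is preferable to opening a fixed port range, because the
#    rules are scoped to the WMI service and the RPC endpoint mapper only.
Get-NetFirewallRule -DisplayGroup $wmiGroup |
    Select-Object DisplayName, Direction, Profile, Enabled, Action

# Uncomment to enable the group (requires elevation):
# Enable-NetFirewallRule -DisplayGroup $wmiGroup

# 2. From the management workstation, confirm the endpoint mapper answers.
#    Every WMI conversation starts here, so a failure means WMI will fail too.
Test-NetConnection -ComputerName $target -Port 135 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 3. A minimal WMI call exercises the dynamic-port part of the exchange.
try {
    Get-WmiObject -Class Win32_OperatingSystem -ComputerName $target -ErrorAction Stop |
        Select-Object CSName, Caption, LastBootUpTime
} catch {
    Write-Warning "WMI to $target failed even though TCP 135 was reachable: $($_.Exception.Message)"
}
```

On older systems without the NetSecurity cmdlets, `netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes` enables the same group. All examples in this module use Get-WmiObject as the course does; that cmdlet exists in Windows PowerShell 5.1 and earlier but is absent from PowerShell 7, where Get-CimInstance takes its place.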

WMI Structure

WMI is not a single piece of software.
Several different providers contribute its parts; each provider connects the WMI service to a given product, technology, feature, and so on.
Each WMI provider gives the WMI service access to various portions of Windows and other products.

Information made available by a provider is registered into the WMI repository.
The repository is a centralized configuration database that tells WMI what information is available.

The repository is organized into namespaces, which roughly correspond to products and technologies. These can differ based on the computer's configuration:
Root\Cimv2
Root\MicrosoftDNS
Root\MicrosoftActiveDirectory
Root\SecurityCenter

Classes

Within each WMI namespace are one or more classes. A class is an abstract definition of a manageable component.
WMI classes generally relate to operating system and hardware components, containing properties and methods.
Properties: Provide access to management configuration information. All classes have at least one property.
Methods: Cause some action to be taken. Not in every class.

Examples of classes in Root\Cimv2:
Win32_Account
Win32_BIOS
Win32_Desktop
Win32_Fan
Win32_Group
Win32_Keyboard
Win32_LogicalDisk
Win32_NetworkAdapterConfiguration
Win32_NTDomain
Win32_Product
Win32_Service

Instances

Instances are real-world occurrences of a class
If your computer has four logical disks, you have four instances of Win32_LogicalDisk
Instances contain the properties and methods that are defined by their class
Many instances are read-only, allowing retrieval of data only
Other instances can be updated, allowing data to be changed

Namespaces, classes, and instances are often very different. Some sleuthing is often required to find the data or methods that you want

Finding the Class You Want

Finding the right class involves research
There is no central repository of WMI classes
There are few tools that enable searching for WMI classes based on keywords

PowerShell can display a list of classes:
Get-WmiObject -List
Get-WmiObject -List -Class *user*

Three techniques for finding your class (and data):
Experience: Previous experience, educated guesses, and Internet Web sites that document class information
Exploration: WMI explorer or browser tools
Examples: Using Internet search engines to search for task-related keywords will assist in finding examples

Be Aware of Changes

WMI is constantly evolving, constantly changing as products and operating systems change
This means that a particular WMI class may behave slightly differently on different versions of Windows:
Greater or fewer properties
Presence or absence of methods
Presence or absence of the entire class itself

Namespaces can be different as well
Client and server computers typically have different namespaces
Namespaces are created when the product they serve is installed to the individual computer

Documentation

There is no central documentation repository for every WMI namespace and class
Core operating system classes in Root\Cimv2 are consistently documented
This documentation is available on the Internet within the Microsoft Developer Network (MSDN) library
Searching the library for your needed class is an effective way to locate the properties and methods you need
Pay close attention to the product or Windows version associated with the class

Demonstration: Finding and Using the Documentation

Locate and interpret WMI class documentation on the Internet

WMI Security

WMI security can be defined on an entire namespace or down to an individual class attribute.
By default, much of WMI's security is configured on the Root namespace. Other namespaces and classes inherit that root permission.
WMI security tends to allow nonadministrative users access to read local information.
Administrative users are permitted to remotely query information.
WMI security is viewed and modified using the WMI Control MMC snap-in.
WMI is sensitive to User Account Control.

Important: Default WMI settings are appropriate for most situations.
It is not a good idea to manipulate default WMI security except for very specific reasons.
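The permissions the WMI Control snap-in displays can also be read, without changing anything, through the __SystemSecurity class that every namespace exposes. The following added example (not part of the course) decodes a namespace DACL so that you can see which principals hold the Remote Enable right that remote queries require, and whether the entries are set to inherit down from Root; the access-mask values come from the WMI SDK's namespace security documentation.

```powershell
# Added example: read-only inspection of a WMI namespace DACL via __SystemSecurity.
function Get-WmiNamespaceAcl {
    param(
        [string]$Namespace    = 'root\cimv2',
        [string]$ComputerName = '.'
    )
    # WMI namespace access-mask bits (WBEM_ENABLE, WBEM_METHOD_EXECUTE, ... ,
    # READ_CONTROL, WRITE_DAC), as documented in the WMI SDK.
    $rights = [ordered]@{
        0x00001 = 'Enable Account'
        0x00002 = 'Execute Methods'
        0x00004 = 'Full Write'
        0x00008 = 'Partial Write'
        0x00010 = 'Provider Write'
        0x00020 = 'Remote Enable'
        0x20000 = 'Read Security'
        0x40000 = 'Edit Security'
    }

    $sec    = Get-WmiObject -Namespace $Namespace -Class __SystemSecurity -ComputerName $ComputerName
    $result = $sec.GetSecurityDescriptor()
    if ($result.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor on $Namespace failed with return value $($result.ReturnValue)"
    }

    foreach ($ace in $result.Descriptor.DACL) {
        $granted = foreach ($bit in $rights.Keys) {
            if ($ace.AccessMask -band $bit) { $rights[$bit] }
        }
        [pscustomobject]@{
            Namespace = $Namespace
            Trustee   = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
            # AceType 0 = ACCESS_ALLOWED, 1 = ACCESS_DENIED
            Type      = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
            # CONTAINER_INHERIT_ACE (0x2) is what makes Root permissions flow to child namespaces
            Inherits  = [bool]($ace.AceFlags -band 0x2)
            Rights    = $granted -join ', '
        }
    }
}

# Compare the Root namespace with one that normally inherits from it.
Get-WmiNamespaceAcl -Namespace 'root'       | Format-Table -AutoSize
Get-WmiNamespaceAcl -Namespace 'root\cimv2' | Format-Table -AutoSize
```

On a default installation you should see Authenticated Users with Enable Account, Execute Methods and Provider Write (local read access), and Administrators additionally holding Remote Enable and the security rights; an entry granting Remote Enable to a broader group is worth explaining before it is accepted. Changes, when a specific reason calls for them, are still best made in the WMI Control snap-in where the inheritance effect is visible.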

Demonstration: WMI Security

Learn how to view and configure security on WMI namespaces

Discussion: WMI Explorers

What sorts of management information might you want to query from WMI?
Given the type of information, what might a related WMI class be named?
Can you locate the class in the WMI repository, perhaps using a WMI explorer or browser tool?

Demonstration: Exploring WMI

See how to use a WMI explorer tool to browse the WMI repository on a computer

Listing Classes from Within the Shell

The Get-WmiObject cmdlet:
Can be used to list the classes in the default namespace for either the local computer or a remote computer
Can use alternate credentials for remote connections
Can generate a list of all namespaces

Get-WmiObject -Namespace root\cimv2 -List
Get-WmiObject -Namespace root\cimv2 -List -ComputerName SEA-DC1
Get-WmiObject -Namespace root\cimv2 -List -ComputerName SEA-DC1 -Credential CONTOSO\Administrator
Get-WmiObject -Namespace root -Class __namespace | ft name
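The __namespace listing above only shows the namespaces directly under Root, and -List only searches one namespace at a time. The following added example (not part of the course) combines the two ideas from "Finding the Class You Want" and this slide: it walks the namespace tree recursively and then searches every namespace for classes whose names match a keyword. The function names are the example's own; -ComputerName and -Credential are passed through to Get-WmiObject exactly as on the slide.

```powershell
# Added example: recursive namespace enumeration plus a keyword search over class names.

function Get-WmiNamespaceTree {
    param(
        [string]$Namespace    = 'root',
        [string]$ComputerName = '.',
        [System.Management.Automation.PSCredential]$Credential
    )
    $common = @{ ComputerName = $ComputerName; ErrorAction = 'SilentlyContinue' }
    if ($Credential) { $common.Credential = $Credential }

    $Namespace   # emit this namespace, then descend into its children
    Get-WmiObject -Namespace $Namespace -Class __NAMESPACE @common |
        ForEach-Object {
            Get-WmiNamespaceTree -Namespace "$Namespace\$($_.Name)" -ComputerName $ComputerName -Credential $Credential
        }
}

function Find-WmiClass {
    param(
        [Parameter(Mandatory)][string]$Keyword,
        [string]$ComputerName = '.',
        [System.Management.Automation.PSCredential]$Credential
    )
    $common = @{ ComputerName = $ComputerName; ErrorAction = 'SilentlyContinue' }
    if ($Credential) { $common.Credential = $Credential }

    foreach ($ns in Get-WmiNamespaceTree -ComputerName $ComputerName -Credential $Credential) {
        # -List returns class definitions rather than instances, so no provider
        # has to collect live data for this search.
        Get-WmiObject -Namespace $ns -List @common |
            Where-Object { $_.Name -like "*$Keyword*" } |
            ForEach-Object {
                [pscustomobject]@{
                    Namespace  = $ns
                    Class      = $_.Name
                    Properties = $_.Properties.Count
                    Methods    = $_.Methods.Count
                }
            }
    }
}

# Local search; add -ComputerName SEA-DC1 -Credential (Get-Credential) for a remote repository.
Find-WmiClass -Keyword 'user' | Sort-Object Namespace, Class | Format-Table -AutoSize
```

Expect the full walk to take a while on a server with many products installed, since each namespace is queried in turn; namespaces the caller cannot read are skipped silently because of -ErrorAction SilentlyContinue, which is why a short result list on a remote computer can also mean a permissions problem rather than an absent class.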

Lesson 2: Using Windows Management Instrumentation

Manipulate WMI objects within the Windows PowerShell pipeline
Retrieve WMI information using Windows PowerShell
Specify WMI filtering criteria

Querying WMI

The Get-WmiObject cmdlet also:
Retrieves WMI class and instance information from local and remote computers
Is aliased with the command gwmi

Get-WmiObject Win32_Service
gwmi Win32_Service

Functionality within WMI classes often overlaps with existing PowerShell cmdlets
In some cases, WMI provides more information or exposes additional methods
WMI properties and methods are exposed using Get-Member:

gwmi Win32_Service | Get-Member
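Win32_Service is a good illustration of "WMI provides more information": Get-Service reports status, but only the WMI class carries the start mode, the logon account and the executable path, which is what a review of service configuration needs. The following added example (not part of the course) joins the two views on the service name so that each service appears once with both sets of information.

```powershell
# Added example: one row per service combining Get-Service with Win32_Service properties.

# Index the WMI instances by name so the join is a hashtable lookup, not a nested loop.
$wmiByName = @{}
Get-WmiObject Win32_Service | ForEach-Object { $wmiByName[$_.Name] = $_ }

$report = Get-Service | ForEach-Object {
    $w = $wmiByName[$_.Name]
    [pscustomobject]@{
        Name      = $_.Name
        Status    = $_.Status       # available from Get-Service
        StartMode = $w.StartMode    # WMI only: Auto, Manual, Disabled
        Account   = $w.StartName    # WMI only: the account the service logs on as
        Path      = $w.PathName     # WMI only: binary path with arguments
        ProcessId = $w.ProcessId    # WMI only: 0 when not running
    }
}

# Services set to start automatically that are not running are the usual first question.
$report | Where-Object { $_.StartMode -eq 'Auto' -and $_.Status -ne 'Running' } |
    Format-Table Name, Status, Account, Path -AutoSize

# Group by logon account to see which services share an identity.
$report | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name
```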

Multiple Computers?

Get-WmiObject also has an extremely useful ability in interrogating multiple computers in a single command
This ability uses its -ComputerName parameter in combination with a comma-separated list:

gwmi Win32_Service -ComputerName "LON-DC1", "SEA-DC2"

Multiple computers can also be identified in a text file, which is read into Get-WmiObject using the Get-Content cmdlet:

gwmi Win32_Service -ComputerName (Get-Content c:\names.txt)

Lists of multiple computers are interrogated sequentially
Nonresponsive or powered-down computers will cause a delay, present an error message, and processing then continues with the next computer

Demonstration: Querying WMI

Review how to query WMI from within the shell

Tips and Tricks

Use PowerShell's computational capabilities to gather and format data to exactly how you need it

For example, use calculations to display free space in gigabytes rather than bytes:

gwmi win32_logicaldisk | select deviceid,drivetype,@{Label='freespace(gb)';Expression={$_.freespace/1GB}}

Or, supply values for one query by using another query:

gwmi win32_operatingsystem | select caption,@{Label='PhysMemory';Expression={(gwmi win32_computersystem).totalphysicalmemory}}

Filtering the Data

Gathering large amounts of data is computationally expensive with WMI. Filtering that data is important to creating optimized queries.
Filtering with WMI can occur using Where-Object (inefficient) or through the -Filter parameter (optimized).
Get-WmiObject's -Filter parameter submits the filter criteria to the WMI service, which performs the filtering on behalf of the request.

gwmi Win32_Service | Where { $_.Name -eq 'BITS' }
gwmi Win32_Service -Filter "Name = 'BITS'"

Using the -Filter parameter requires a slightly different syntax than traditional PowerShell comparison operators.
Refer to the special filter syntax in your student guide for details and operators.

Already Have a Query?

WMI has its own query language called WMI Query Language, or WQL
These queries can also be used with Get-WmiObject by using the -Query parameter:

gwmi -Query "SELECT * FROM Win32_Process"

There tends to be no performance advantage or disadvantage in using the -Query parameter over other forms of Get-WmiObject
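The -Filter string is simply a WQL WHERE clause, so the "special filter syntax" of the previous slide and the -Query parameter of this one are the same language. The following added example (not part of the course) writes the BITS query the three ways the slides mention and times them, then shows the WQL operators that differ from PowerShell's: `=` and `<>` rather than -eq/-ne, `LIKE` with `%` rather than -like with `*`, `AND`/`OR`, `IS NULL`/`IS NOT NULL`, and doubled backslashes inside string literals.

```powershell
# Added example: client-side vs server-side filtering, and WQL operator syntax.

# Client-side: every Win32_Service instance is built and crosses the pipeline first.
$clientSide = { Get-WmiObject Win32_Service | Where-Object { $_.Name -eq 'BITS' } }

# Server-side: the WMI service applies the criteria before returning anything.
$serverSide = { Get-WmiObject Win32_Service -Filter "Name = 'BITS'" }

# Same WHERE clause as a full WQL query; no faster than -Filter, just another spelling.
$wql = { Get-WmiObject -Query "SELECT * FROM Win32_Service WHERE Name = 'BITS'" }

foreach ($pair in @(@('Where-Object', $clientSide), @('-Filter', $serverSide), @('-Query', $wql))) {
    $ms = (Measure-Command { & $pair[1] }).TotalMilliseconds
    '{0,-12} {1,8:N1} ms' -f $pair[0], $ms
}

# Running services whose logon account mentions LocalSystem (LIKE with %, AND).
Get-WmiObject Win32_Service -Filter "State = 'Running' AND StartName LIKE '%LocalSystem%'" |
    Select-Object Name, StartName, PathName

# Processes whose image lives under a user profile. Backslashes inside a WQL
# string literal must be doubled, and IS NOT NULL excludes processes whose
# path WMI cannot report.
Get-WmiObject Win32_Process -Filter "ExecutablePath IS NOT NULL AND ExecutablePath LIKE 'C:\\Users\\%'" |
    Select-Object ProcessId, Name, ExecutablePath

# Numeric comparison: fixed disks (DriveType 3) with less than 10 GB free.
# The value is in bytes because the comparison happens inside WMI, before 1GB
# arithmetic in PowerShell is available.
Get-WmiObject Win32_LogicalDisk -Filter "DriveType = 3 AND FreeSpace < 10737418240" |
    Select-Object DeviceID, @{Name = 'FreeGB'; Expression = { [math]::Round($_.FreeSpace / 1GB, 1) }}
```

The timing difference is small for Win32_Service on one computer and becomes significant for large classes (Win32_Process, Win32_Product, event-log classes) and for remote queries, where Where-Object forces every instance across the network before discarding it.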

System Properties

Some properties have names that begin with a double underscore:
__SERVER
__PATH

These properties are attached by WMI itself, and contain valuable information
__SERVER contains the name of the computer where the WMI object came from
__PATH contains a designator to uniquely reference a WMI object

You can use these system properties in your queries to gather and compute information, in the same manner as standard results
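The two system properties are most useful together: __SERVER labels the origin when results from several computers are mixed in one pipeline, and __PATH lets you store a reference in a report and resolve the same object again later without re-enumerating the class. The following added example (not part of the course) shows both; the computer names are placeholders and the [wmi] type accelerator is standard Windows PowerShell.

```powershell
# Added example: using __SERVER and __PATH on results gathered from several computers.
$computers = 'LON-DC1', 'LON-SVR1'   # placeholder names

# Automatic-start services that are not running, from every computer in the list.
$services = Get-WmiObject Win32_Service -Filter "StartMode = 'Auto' AND State <> 'Running'" `
    -ComputerName $computers -ErrorAction SilentlyContinue

# __SERVER makes the origin of each row explicit once results are mixed.
$services |
    Select-Object __SERVER, Name, State, StartName |
    Sort-Object __SERVER, Name |
    Format-Table -AutoSize

# __PATH is a complete object path of the form \\server\namespace:Class.Key="value".
# Saved in a report, it can be resolved again with the [wmi] accelerator, which
# fetches just that one object instead of the whole class.
$paths = $services | Select-Object -ExpandProperty __PATH
foreach ($p in $paths) {
    $svc = [wmi]$p
    '{0}: {1} is now {2}' -f $svc.__SERVER, $svc.Name, $svc.State
}

# The other system properties that make up the path.
$services | Select-Object -First 1 __PATH, __RELPATH, __NAMESPACE, __CLASS
```

Because __PATH embeds the server name, re-resolving it from another computer still goes to the original server, which is what you want for a follow-up check but also means saved paths are only valid while that computer keeps its name.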

WMI and ForEach-Object

It is common to retrieve more than one WMI object. It is also common to need to accomplish some action with each of those objects as they are retrieved.
Unfortunately, WMI is not a part of Windows PowerShell. Thus, the shell contains limited cmdlets for working with WMI objects.
In some situations, PowerShell itself may have cmdlets that accomplish the task you need.
In other situations, you may be forced to resort to ForEach-Object to accomplish the necessary task:

gwmi Win32_Process | ForEach-Object { Something }

It is a best practice to use any available PowerShell cmdlets prior to resorting to ForEach-Object.
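A case where no cmdlet helps is the owner of a process: Win32_Process exposes it only through its GetOwner() method, not as a property, so the method has to be invoked on each instance. The following added example (not part of the course) does that with ForEach-Object and produces one object per process with the account it runs under, the kind of listing used when reviewing which processes run under which identities.

```powershell
# Added example: invoking a WMI method per instance with ForEach-Object.
$processes = Get-WmiObject Win32_Process | ForEach-Object {
    $owner = $_.GetOwner()
    # ReturnValue 0 means the call succeeded; processes such as System or
    # protected processes return a non-zero code and no owner.
    $account = if ($owner.ReturnValue -eq 0) {
        '{0}\{1}' -f $owner.Domain, $owner.User
    } else {
        '<unavailable>'
    }
    [pscustomobject]@{
        ProcessId   = $_.ProcessId
        ParentId    = $_.ParentProcessId
        Name        = $_.Name
        Owner       = $account
        CommandLine = $_.CommandLine
    }
}

# Processes per account, then the full listing sorted the same way.
$processes | Group-Object Owner | Sort-Object Count -Descending | Select-Object Count, Name
$processes | Sort-Object Owner, Name | Format-Table ProcessId, ParentId, Name, Owner -AutoSize
```

By contrast, stopping a service is a case where the cmdlet should win: Stop-Service on the objects from Get-Service is clearer than `ForEach-Object { $_.StopService() }` on Win32_Service instances, and it returns proper errors when the stop fails.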

Demonstration: WMI Filtering and Queries

Learn how to use WMI filtering and the -Query parameter

Lab: Using Windows Management Instrumentation in Windows PowerShell

Exercise 1: Building Computer Inventory
Exercise 2: Discovering WMI Classes and Namespaces
Exercise 3: Generating a Logical Disk Report for All Computers
Exercise 4: Listing Local Users and Groups

Logon information

Virtual machine   Logon user name         Password
LON-DC1           Contoso\Administrator   Pa$$w0rd
LON-SVR1          Contoso\Administrator   Pa$$w0rd
LON-SVR2          Contoso\Administrator   Pa$$w0rd
LON-CLI1          Contoso\Administrator   Pa$$w0rd

Estimated time: 45 minutes

Lab Scenario

You work as a systems administrator, and you need to perform certain tasks against the computers, users, and groups that you manage.
You need to check inventory of your computers, including the operating system versions, service pack versions, and asset tags. Your organization uses the BIOS serial number as an asset tag tracking system.
You need to monitor logical drive space on multiple remote computers.
You also need to generate reports showing local users and groups on those machines for audit purposes.
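The scenario's tasks map onto four classes from Root\Cimv2 (Win32_OperatingSystem, Win32_BIOS, Win32_LogicalDisk, Win32_UserAccount / Win32_Group), and the "Multiple Computers?" slide describes how an unreachable computer produces an error and processing continues. The following added example (not the course's lab answer) gathers all of the scenario's data per computer from a names file and turns the error into a recorded row instead of a console message, so the report shows which computers were not inventoried. The file paths and the use of -ErrorAction Stop with try/catch are the example's own choices.

```powershell
# Added example: computer inventory for the lab scenario, one row per computer.
function Get-ComputerInventory {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$ComputerName,
        # Optional alternate credentials; WMI rejects them for the local computer.
        [System.Management.Automation.PSCredential]$Credential
    )
    process {
        $common = @{ ComputerName = $ComputerName; ErrorAction = 'Stop' }
        if ($Credential) { $common.Credential = $Credential }
        try {
            $os   = Get-WmiObject Win32_OperatingSystem @common
            $bios = Get-WmiObject Win32_BIOS @common
            # DriveType 3 = local fixed disk, filtered by the WMI service so that
            # CD-ROM and network drives are never returned.
            $disks = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 3' @common
            # LocalAccount = True stops Win32_UserAccount and Win32_Group from
            # enumerating the entire domain on a domain-joined computer.
            $users  = Get-WmiObject Win32_UserAccount -Filter 'LocalAccount = True' @common
            $groups = Get-WmiObject Win32_Group       -Filter 'LocalAccount = True' @common

            [pscustomobject]@{
                ComputerName = $os.__SERVER
                OSVersion    = '{0} {1}' -f $os.Caption, $os.Version
                ServicePack  = $os.ServicePackMajorVersion
                AssetTag     = $bios.SerialNumber     # the organization's asset tag
                Disks        = ($disks | ForEach-Object {
                                   '{0} {1:N1} of {2:N1} GB free' -f $_.DeviceID, ($_.FreeSpace / 1GB), ($_.Size / 1GB)
                               }) -join '; '
                LocalUsers   = ($users  | Select-Object -ExpandProperty Name) -join ', '
                LocalGroups  = ($groups | Select-Object -ExpandProperty Name) -join ', '
                Error        = $null
            }
        } catch {
            # Unreachable, powered down, or access denied: record it and move on.
            [pscustomobject]@{
                ComputerName = $ComputerName
                OSVersion    = $null
                ServicePack  = $null
                AssetTag     = $null
                Disks        = $null
                LocalUsers   = $null
                LocalGroups  = $null
                Error        = $_.Exception.Message
            }
        }
    }
}

# One computer name per line in the input file; both paths are placeholders.
Get-Content 'C:\names.txt' |
    Get-ComputerInventory |
    Export-Csv -Path 'C:\inventory.csv' -NoTypeInformation

# Quick view of what could not be inventoried.
Import-Csv 'C:\inventory.csv' | Where-Object { $_.Error } | Select-Object ComputerName, Error
```

The computers are still queried one after another, as the slides state, so the delay for each unreachable host adds up; the Error column is what makes that acceptable, because nothing has to be re-run to find out which rows are missing.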

Lab Review

How do you list WMI classes in a specific namespace?
What is the WMI class to retrieve operating system information called?
How do you use a server-side filter when using Get-WmiObject?

Module Review and Takeaways

Where is the best place to use filtering criteria with WMI?
When can alternate credentials be used with WMI connections?
What protocol does WMI use, and how can you enable it to pass through a local firewall?

In the Companion Content

Advanced WMI Techniques:
Invoke a WMI method on the local computer
Explain the purpose and operation of WMI events
Create a WMI event registration that runs a command in response to a WMI event
Remove a WMI event registration
