knowledge base


WMI with PowerShell

wmic useraccount get name,sid

wmic diskdrive get name,size,model,SerialNumber
Model                 Name                SerialNumber                              Size
INTEL SSDPEKKF256G7H  \\.\PHYSICALDRIVE0  0000_0000_0100_0000_E4D2_5CFF_459F_4D01.  256052966400

Get-WmiObject -List
Get-WmiObject -Class Win32_OperatingSystem -Namespace root/cimv2 -ComputerName . | Format-Table -Property TotalVirtualMemorySize,TotalVisibleMemorySize,FreePhysicalMemory,FreeVirtualMemory,FreeSpaceInPagingFiles

wbemtest
Show WMI Repository in:     C:\Windows\System32\wbem\Repository
WMIC useraccount where (name='Username' and domain='%userdomain%') get name, sid

wmic os list brief /Format:HTABLE >C:\system.html
WMIC /Output:c:\bios.html BIOS Get Manufacturer,Name,Version /Format:htable
wmic product list brief /Format:HTABLE >C:\product.html
WMIC NTEVENT List Brief /Format:HTABLE >C:\ntevent.html
--------------------------------------------------------------------------------
Invoke-Command {
    Get-WMIObject Win32_Logicaldisk -filter "deviceid='$($env:SystemDrive)' AND Freespace <=$(5GB)" |
    Select DeviceID,
        @{Name="FreeGB";Expression={[math]::Round($_.Freespace/1GB,2)}},
        @{Name="SizeGB";Expression={$_.Size/1GB -as [int]}}
} -computername $pinged |
Sort FreeGB |
Select * -ExcludeProperty RunspaceID

Get-Service -name $svcs -ComputerName $dcs |
Select @{Name="Computername";Expression={$_.Machinename}},DisplayName,Status |
Format-Table -AutoSize

Get-Service -name $svcs -ComputerName $dcs |
Sort Displayname |
Format-Table -group @{Name="Service";Expression={"$($_.Displayname) [$($_.name)]"}} -Property @{Name="Computername";Expression={$_.Machinename.toUpper()}},Status -AutoSize

Get-WmiObject -Class Win32_service -filter $filter -ComputerName $dcs |
Select PSComputername,Name,Displayname,State,StartMode |
format-table -autosize

Check if stopped
Get-Service -name $svcs -ComputerName $dcs |
where {$_.Status -ne "running"} |
Select Machinename,Name,Displayname,Status |
format-table -AutoSize
--------------------------------------------------------------------------------
WMIC /node:computer64,computer65 PROCESS call create "netstat.exe -ano > C:\output.txt"
WMIC /node:@computers.txt /failfast:on PROCESS call create "\\server\share\installer.cmd"
WMIC /node:computer64 /output:shares.html SHARE get name,path /format:htable
WMIC /node:computer64 SHARE where name="Share1"
--------------------------------------------------------------------------------
wmic process get workingsetsize,commandline /format:csv
This lists the program and the memory usage

C:\>wmic process | sort
alg.exe       C:\WINDOWS\System32\alg.exe
ccApp.exe     "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccEvtMgr.exe  "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
ccSetMgr.exe  "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
cmd.exe       "C:\WINDOWS\system32\cmd.exe"
csrss.exe     C:\WINDOWS\system32\csrss.exe \
DefWatch.exe  "C:\Program Files\Symantec AntiVirus\DefWatch.exe"
explorer.exe  C:\WINDOWS\Explorer.EXE
lsass.exe     C:\WINDOWS\system32\lsass.exe
mozilla.exe   "C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE" -turbo
nvsvc32.exe   C:\WINDOWS\system32\nvsvc32.exe
pine.exe      "D:\Program Files\pine\pine.exe"
Rtvscan.exe   "C:\Program Files\Symantec AntiVirus\Rtvscan.exe"
rundll32.exe  "C:\WINDOWS\system32\RUNDLL32.EXE" \
services.exe  C:\WINDOWS\system32\services.exe
smss.exe      \SystemRoot\System32\smss.exe
sort.exe      sort
spoolsv.exe   C:\WINDOWS\system32\spoolsv.exe
svchost.exe   C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe   C:\WINDOWS\system32\svchost -k rpcss
svchost.exe   C:\WINDOWS\System32\svchost.exe -k LocalService
svchost.exe   C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe   C:\WINDOWS\System32\svchost.exe -k NetworkService
VPTray.exe    "C:\PROGRA~1\SYMANT~1\VPTray.exe"
wdfmgr.exe    C:\WINDOWS\system32\wdfmgr.exe
winlogon.exe  winlogon.exe
wmic.exe      wmic process
wmiprvse.exe  C:\WINDOWS\System32\wbem\wmiprvse.exe

C:\>wmic
wmic:root\cli>partition get name,bootable,size,type
Bootable  Name                   Size         Type
TRUE      Disk #0, Partition #0  4194860544   Installable File System
          Disk #0, Partition #1  9475522560   Extended Partition
TRUE      Disk #1, Partition #0  8389753344   Unknown
          Disk #1, Partition #1  11630545920  Unknown

More Examples

wmic diskdrive get name,size,model
Model                    Name                Size
Hitachi HTS721080G9AT00  \\.\PHYSICALDRIVE0  80023749120

wmic partition get name,size,type
Name                   Size         Type
Disk #0, Partition #0  65769984     Unknown
Disk #0, Partition #1  79957946880  Installable File System

wmic bios get name,serialnumber,version
Name                                    SerialNumber  Version
Phoenix ROM BIOS PLUS Version 1.10 A06  99L9891       DELL - 27d50a02
SerialNumber is the Dell Service Tag

wmic csproduct get name,vendor,identifyingNumber
IdentifyingNumber  Name           Vendor
99L9891            Latitude D610  Dell Inc.
yet another service tag report

wmic qfe get description,installedOn /format:csv
This produces a long list of Windows patches and when they were installed
PCPC3-D610,Security Update for Windows XP (KB929969),3/14/2007
PCPC3-D610,Security Update for Windows XP (KB930178),4/11/2007
PCPC3-D610,Update for Windows XP (KB930916),5/10/2007
PCPC3-D610,Security Update for Windows XP (KB931261),4/11/2007
PCPC3-D610,Security Update for Windows XP (KB931768),5/10/2007
PCPC3-D610,Security Update for Windows XP (KB931784),4/11/2007
PCPC3-D610,Update for Windows XP (KB931836),3/14/2007
PCPC3-D610,Security Update for Windows XP (KB932168),4/11/2007
PCPC3-D610,Update for Windows XP (KB933360),8/29/2007
PCPC3-D610,Security Update for Windows XP (KB933566),6/18/2007
PCPC3-D610,Security Update for Windows XP (KB935839),6/18/2007
PCPC3-D610,Security Update for Windows XP (KB935840),6/18/2007
PCPC3-D610,Security Update for Windows XP (KB936021),8/15/2007
PCPC3-D610,Update for Windows XP (KB936357),7/12/2007
PCPC3-D610,Security Update for Windows XP (KB937143),8/15/2007
PCPC3-D610,Security Update for Windows XP (KB938127),8/15/2007
PCPC3-D610,Update for Windows XP (KB938828),8/15/2007
PCPC3-D610,Security Update for Windows XP (KB938829),8/15/2007
PCPC3-D610,XML Paper Specification Shared Components Pack 1.0,

wmic COMPUTERSYSTEM get TotalPhysicalMemory,caption
Caption     TotalPhysicalMemory
PCPC3-D610  1073074176

wmic nic get macaddress,description
Description                                       MACAddress
Infrared Port
Bluetooth Device (Personal Area Network)          00:xxxxxxxxxxx:19
RAS Async Adapter
WAN Miniport (L2TP)
WAN Miniport (PPTP)                               50:xxxxxxxxxxx:30
WAN Miniport (PPPOE)                              33:xxxxxxxxxxx:30
Direct Parallel
WAN Miniport (IP)
Packet Scheduler Miniport                         8C:xxxxxxxxxxx:53
Intel(R) PRO/Wireless 215ABG Network Connection
Packet Scheduler Miniport
Broadcom NetXtreme 57xx Gigabit Controller        00:xxxxxxxxxxx:C4
Packet Scheduler Miniport                         00:xxxxxxxxxxx:C4
--------------------------------------------------------------------------------
wmic startup list brief
--------------------------------------------------------------------------------
Update static IP address
wmic nicconfig where index=9 call enablestatic("192.168.16.4"), ("255.255.255.0")

Change network gateway
wmic nicconfig where index=9 call setgateways("192.168.16.4", "192.168.16.5"),(1,2)

Enable DHCP
wmic nicconfig where index=9 call enabledhcp

Service Management
wmic service where caption="DHCP Client" call changestartmode "Disabled"

Start an application
wmic process call create "calc.exe"

Terminate an application
wmic process where name="calc.exe" call terminate

Change process priority
wmic process where name="explorer.exe" call setpriority 64

Get list of process identifiers
wmic process where (Name='svchost.exe') get name,processid

Information about hard drives
wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber

Information about OS
wmic os get bootdevice, buildnumber, caption, freespaceinpagingfiles, installdate, name, systemdrive, windowsdirectory /format:htable > c:osinfo.htm

Information about files
wmic path cim_datafile where "Path='\\windows\\system32\\wbem\\' and FileSize>1784088" > c:wbemfiles.txt

Process list
wmic process get /format:htable > c:process.htm

Retrieve list of warning and error events not from system or security logs
WMIC NTEVENT WHERE "EventType<3 AND LogFile != 'System' AND LogFile != 'Security'" GET LogFile, SourceName, EventType, Message, TimeGenerated /FORMAT:"htable.xsl":" datatype = number":" sortby = EventType" > c:appevent.htm
--------------------------------------------------------------------------------
$strComputer = "Computer_B"
$colSettings = Get-WmiObject Win32_OperatingSystem -ComputerName $strComputer
--------------------------------------------------------------------------------
Display information about all processes:
PS C:\> gwmi win32_process

Display service names that start with 'Oracle':
PS C:\> gwmi win32_service -filter "name like 'Oracle%'" | select name

Display services running on the machine 'Server64':
PS C:\> gwmi win32_service -computername Server64

Passing username credentials:
PS C:\> gwmi win32_service -credential SS64\Simon -computer Server64

List services that are set to start automatically:
PS C:\> gwmi win32_service -filter "startmode='auto'" | select name,startmode

List services that are set to start automatically (same as above but written in WQL):
PS C:\> gwmi -query "select * from win32_service where startmode='auto'" | select name,startmode

Display information about the Alerter service:
PS C:\> gwmi -query "select * from win32_service where name='alerter'"

Stop the Alerter service:
PS C:\> (gwmi win32_service -filter "name='alerter'").StopService()

List the 32 bit programs installed on workstation64:
PS C:\> gwmi -class "win32reg_addremoveprograms" -computername "workstation64" | select-object -property DisplayName

Display svchost processes:
PS C:\> gwmi win32_process -filter "name='svchost.exe'" | select commandline, name

Get the computer serial number (or Dell service tag) for a remote PC and convert it to a string:
PS C:\> (gwmi win32_systemenclosure -computername wkstn64).SerialNumber
or
PS C:\> gwmi win32_bios -computername wkstn64 | fl SerialNumber

Display BIOS and Memory information:
PS C:\> gwmi win32_bios | format-list *
PS C:\> gwmi Win32_ComputerSystem
PS C:\> gwmi Win32_PhysicalMemory

Display the per-computer printers installed on workstation64:
PS C:\> Get-WMIObject -Class Win32_Printer -ComputerName "workstation64"

List the file shares on the remote server SERVER64 (PowerShell equivalent of the RMTShare utility):
$shares = Get-WmiObject -class Win32_Share -computername SERVER64 -filter "Type=0"
$shares | foreach {
    $path=($_.path)
    $Description=($_.Description)
    $name=($_.name)
    $Caption=($_.Caption)
    "Share Name : $name
Source Folder: $path
Description : $Description
Caption : $Caption"
}

Uninstall a program (Paint.NET) from an elevated prompt; note that the wildcard (%) is used to match multiple versions 3.1, 3.2:
PS C:\> $appToRemove = gwmi Win32_Product -Filter "Name LIKE 'Paint.net v3%'"
PS C:\> $appToRemove[1].Uninstall()
--------------------------------------------------------------------------------
Often you want to collect information not just from one computer, but from a list of computers or from an OU in Active Directory.

Example: the file server.txt lists the server names one per line.
for /f %i in (server.txt) do wmic /node:%i service where name='rpcss' get name, state /value >>rpc.log

Note: if this command is used in a batch file, the variable i must be preceded by two % characters, i.e. %%i.

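The server.txt loop above, rewritten with the CIM cmdlets as an added example (not part of the original page): it queries each listed computer over DCOM, as wmic /node does, and keeps unreachable hosts in the result instead of losing them. The function name Get-ServiceStateFromList, the sample list file and its localhost entry are assumptions made for illustration.

```powershell
# Added example. Get-ServiceStateFromList and the sample list file are hypothetical names.
function Get-ServiceStateFromList {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ListPath,            # one computer name per line
        [ValidatePattern('^[\w.$-]+$')] [string] $ServiceName = 'rpcss',  # keeps quotes out of the WQL filter
        [ValidateSet('Dcom', 'Wsman')] [string] $Protocol = 'Dcom',       # wmic /node also uses DCOM
        [pscredential] $Credential
    )
    $option = New-CimSessionOption -Protocol $Protocol
    # Trim entries and drop blank lines so stray whitespace never becomes a host name.
    $computers = Get-Content -Path $ListPath | ForEach-Object { $_.Trim() } | Where-Object { $_ }

    foreach ($computer in $computers) {
        $session = $null
        try {
            $sessionArgs = @{ ComputerName = $computer; SessionOption = $option; ErrorAction = 'Stop' }
            if ($Credential) { $sessionArgs.Credential = $Credential }
            $session = New-CimSession @sessionArgs
            # Server-side filter, equivalent to: service where name='rpcss'
            $svc = Get-CimInstance -CimSession $session -ClassName Win32_Service `
                -Filter "Name='$ServiceName'" -ErrorAction Stop
            [pscustomobject]@{
                Computer = $computer
                Name     = $ServiceName
                State    = if ($svc) { $svc.State } else { 'NotInstalled' }
                Error    = $null
            }
        }
        catch {
            # Keep unreachable or access-denied hosts in the report instead of dropping them.
            [pscustomobject]@{
                Computer = $computer; Name = $ServiceName; State = 'Unknown'
                Error    = $_.Exception.Message
            }
        }
        finally {
            if ($session) { Remove-CimSession -CimSession $session }
        }
    }
}

# Constructed sample input: a one-entry list in the temp directory.
$list = Join-Path $env:TEMP 'server-sample.txt'
Set-Content -Path $list -Value 'localhost'
Get-ServiceStateFromList -ListPath $list | Format-Table -AutoSize
```

Pipe the result to Export-Csv instead of Format-Table to get a log comparable to rpc.log, with one row per host including the failures.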
Example: query the BIOS version of all computers in the OU "Test".
FOR /F usebackq %%a IN (`dsquery computer "ou=test,dc=domain,dc=de" -o rdn`) DO wmic /node:%%a path win32_bios get biosversion /format:hform >>bios.html

More examples
WMIC /Node:dc1 service get Name, State
WMIC /Node:dc1 service get Name, State /Value
WMIC /Node:dc1 path Win32_Service get Name, State
WMIC /Node:dc1 path Win32_Service get Name, State /Value
WMIC /Node:dc1 service
WMIC /Node:dc1 service get *
WMIC /Node:dc1 service get * /Value
WMIC /Node:dc1 share get * /Value
WMIC /Node:dc1 service where "Name='SNMP'" get name, state
WMIC /Node:dc1 service where "Name='SNMP'" get name, state /Value
WMIC /Node:dc1 service where "Name='SNMP'" get * /Format:RAWXML
WMIC /Node:dc1 service where "Name='SNMP'" get * /Format:HTABLE
WMIC /Node:dc1 service where name='SNMP' Call StopService
WMIC /Node:dc1 service where name='SNMP' Call StartService
WMIC /Node:dc1 service Where name='SNMP' Get Name, State /Every:10
WMIC /Node:dc1 share Where Name='Home$' Call SetShareInfo MaximumAllowed=10
WMIC /Node:dc1 share Where Name='Home$' Get Name, MaximumAllowed /Every:10
wmic path win32_systemdriver get * /Format:HTABLE >c:\drivers.html
wmic alias get friendlyname, target

Enable terminal services connections:
wmic /USER:<USER> /NODE:<RECHNER> path win32_terminalservicesetting where servername!=NULL CALL SetAllowTSConnections 1

Disable terminal services connections:
wmic /USER:<USER> /NODE:<RECHNER> path win32_terminalservicesetting where servername!=NULL CALL SetAllowTSConnections 0