Hubbry Logo
Windows Management InstrumentationWindows Management InstrumentationMain
Open search
Windows Management Instrumentation
Community hub
Windows Management Instrumentation
logo
7 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Windows Management Instrumentation
Windows Management Instrumentation
Windows Management Instrumentation
View on Wikipedia
from Wikipedia
Windows Management Instrumentation
DeveloperMicrosoft
Operating systemMicrosoft Windows
PlatformIA-32, x86-64, and ARM (historically Itanium, DEC Alpha, MIPS, and PowerPC)
TypeSystems management
LicenseSame as Microsoft Windows
Websitelearn.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page

Windows Management Instrumentation (WMI) is a set of extensions to the Windows Driver Model that provides an operating system interface through which instrumented components provide information and notification. WMI is Microsoft's implementation of the Web-Based Enterprise Management (WBEM) and Common Information Model (CIM) standards from the Distributed Management Task Force (DMTF).

WMI allows scripting languages (such as VBScript or PowerShell) to manage Microsoft Windows personal computers and servers, both locally and remotely. WMI comes preinstalled in Windows 2000 and later. It is available as a download for Windows NT 4.0,[1] Windows 95, and Windows 98.[2]

Also included with Windows was Windows Management Instrumentation Command-line (WMIC), a CLI utility to interface with WMI.[3] However, starting with Windows 10, version 21H1 and Windows Server 2022, WMIC is deprecated in favor of PowerShell.[4]

Purpose of WMI

[edit]

The purpose of WMI is to define a proprietary set of environment-independent specifications that enable sharing management information between management apps. WMI prescribes enterprise management standards and related technologies for Windows that work with existing management standards, such as Desktop Management Interface (DMI) and Simple Network Management Protocol (SNMP). WMI complements these other standards by providing a uniform model for accessing management data from any source.

Development process

[edit]

Because WMI abstracts the manageable entities with Common Information Model (CIM) and a collection of providers, the development of a provider implies several steps. The major steps can be summarized as follows:

  1. Create the manageable entity model
    1. Define a model
    2. Implement the model
  2. Create the WMI provider
    1. Determine the provider type to implement
    2. Determine the hosting model of the provider
    3. Create the provider template with the ATL wizard
    4. Implement the code logic in the provider
    5. Register the provider with WMI and the system
  3. Test the provider
  4. Create consumer sample code.

Providers

[edit]

Since the release of the first WMI implementation during the Windows NT 4.0 SP4 era (as an out-of-band download), Microsoft has consistently added WMI providers to Windows:

Many customers have interpreted the growth in numbers of providers as a sign that Microsoft envisions WMI as the ubiquitous management layer of Windows.

Beyond the scripting needs, most leading management solutions, such as Microsoft Operations Manager (MOM), System Center Configuration Manager (SCCM), Active Directory Services (ADS), HP OpenView (HPOV), and the various offerings of BMC Software and CA, Inc. are WMI-enabled, i.e., capable of consuming and providing WMI information. This enables administrators who lack WMI coding skills to benefit from WMI.

Features

[edit]

WMI offers many features out of the box. Here are the most important advantages:

  • Automation interfaces: WMI comes with a set of automation interfaces ready to use. Beyond the WMI class design and the provider development, the Microsoft development and test teams are not required to create, validate or test a scripting model as it is already available from WMI.
  • .NET management interfaces: The System.Management namespace[7] makes WMI classes available to all .NET apps and scripts written in C# or PowerShell. Beyond the WMI class design and the provider development, the Microsoft development and test teams are not required to create, validate and test new assemblies to support a new namespace in .NET as this support is already available from WMI.
  • COM interfaces: Unmanaged code in Microsoft Windows (e.g., apps written in C or C++ languages) can interact with the standard set of WMI interfaces for the Component Object Model (COM) to access WMI providers and their supported WMI classes. Developers of WMI providers can leverage the same COM interfaces in their projects to furnish said classes.
  • Remoting capabilities over DCOM and SOAP: In addition to local management via COM, WMI supports remoting via Distributed COM (DCOM) and SOAP. The latter is available in Windows Server 2003 R2 and later, through the WS-Management initiative led by Microsoft, Intel, Sun Microsystems, and Dell. This initiative allows running any scripts remotely or to consume WMI data through interfaces that handle SOAP requests and responses. WS-Management can consume everything that a WMI provider generates, although embedded objects in WMI instances were not supported until Windows Vista. WS-Management later became an integral part of PowerShell. Unlike SOAP-based remoting, DCOM-based remoting requires a proxy DLL deployed on each client machine.
  • Support for queries: WMI offers support for WQL queries.[8] This means WMI can still filter the results of a provider that doesn't implement filtering or queries.
  • Event-handling capabilities: WMI can notify a subscriber of events of interest. WMI uses the WQL to submit event queries and define the type of events to be returned. Anyone writing a WMI provider can have the benefit of this functionality at no cost for their customers. It will be up to consumers to decide how they desire to consume the management information exposed by the WMI provider.

To speed up the process of writing a WMI provider, the WMI team developed the WMI ATL Wizard to generate the code template implementing a provider. The code generated is based on the WMI class model initially designed by the developer. The WMI provider developer will be able to interface the pre-defined COM or DCOM interfaces for the WMI provider with its set of native APIs retrieving the management information to expose.

WMI is based on an industry standard called Common Information Model (CIM) defined by the Distributed Management Task Force (DMTF). The CIM class-based schema is defined by a consortium of manufacturers and software developers for the requirements of the industry. Any developer can write code that fits into this model. For instance, Intel develops WMI providers for its network adapters. HP leveraged existing WMI providers and developed custom WMI providers for its OpenView enterprise management solutions. IBM's Tivoli management suite consumes WMI. Starting with Windows XP SP2, Microsoft leverages WMI to get status information from antivirus software and firewalls.

Service

[edit]

On the Windows NT family of operating systems, WMI runs as a Windows service called WinMgmt. On the Windows 9x family, WMI runs in the context of the WinMgmt.exe executable file. On both Windows 9x and Windows NT families, WinMgmt.exe is available as a command-line utility for servicing the WMI repository.[9]

WMI tools

[edit]

Microsoft provides the following WMI tools for developers and IT pros:

  • MOF compiler (MOFComp.exe): The Managed Object Format (MOF) compiler parses a file containing MOF statements and adds the classes and objects defined in the file to the CIM repository. The MOF format is a specific syntax to define CIM class representation in an ASCII file. MOF's role for CIM is comparable to MIB's role for SNMP. MOFComp.exe is included in every WMI installation. Every definition existing in the CIM repository is initially defined in an MOF file. MOF files are located in %SystemRoot%\System32\WBEM. During the WMI setup, they are loaded in the CIM repository.
  • WMI Administrative Tools: This suite of tool consists of WMI CIM Studio, WMI Object Browser, WMI Event Registration, and WMI Event Viewer. The most important tool for a WMI provider developer is WMI CIM Studio as it helps in the initial WMI class creation in the CIM repository. It uses a web interface to display information and relies on a collection of ActiveX components installed on the system when it runs for the first time. WMI CIM Studio can:
    • Connect to a chosen system and browse the CIM repository in any namespace available.
    • Search for classes by their name, by their descriptions or by property names.
    • Review the properties, methods, and associations related to a given class.
    • See the instances available for a given class of the examined system.
    • Perform Queries in the WQL language.
    • Generate an MOF file based on selected classes.
    • Compile an MOF file to load it in the CIM repository.
  • WBEMTest.exe is a WMI tester tool delivered with WMI. This tool allows an administrator or a developer to perform most of the tasks from a graphical interface that WMI provides at the API level. Although available under all Windows NT-based operating systems, this tool is not officially supported by Microsoft. WBEMTest provides the ability to:
    • Enumerate, open, create, and delete classes.
    • Enumerate, open, create, and delete instances of classes.
    • Select a namespace.
    • Perform data and event queries.
    • Execute methods associated to classes or instances.
    • Execute every WMI operation asynchronously, synchronously or semi-asynchronously.
  • WMI command line tool (WMIC) is a scripting and automation utility that allows information retrieval and system administration via WMI, using some simple keywords (aliases). WMIC.exe is available on all Windows versions since Windows XP. Starting with Windows 10, version 21H1 and Windows Server 2022, WMIC is deprecated in favor of PowerShell.[4] In Windows 11, version 24H2, WMIC is not installed by default. A Linux port of WMIC, wmi-client, is written in Python and is based on Samba4.[10]
  • WBEMDump.exe: This command-line tool is a component of the Platform SDK and comes a corresponding Visual C++ project. The tool can show the CIM repository classes, instances, or both. It is possible to retrieve the same information WMIC retrieves. WBEMDump.exe requires more specific knowledge about WMI, as it doesn't abstract WMI as WMIC. It is also possible to execute methods exposed by classes or instances. Even if it is not a standard WMI tool delivered with the system installation, this tool can be quite useful for exploring the CIM repository and WMI features.
  • WMIDiag.vbs (discontinued): The WMI Diagnosis Tool is a VBScript for testing and validating WMI on Windows 2000 and later. This script was downloadable from Microsoft until August 2020.[11] The download includes pretty thorough documentation and the tool supports numerous switches. When run, it will generate up to four text files which: list the steps taken (the LOG file), an overview of the results (REPORT file), a statistics file (in comma separated values format), and optionally a file listing of the providers registered on the machine (PROVIDERS, also in comma separated values format). The report file that is generated includes a list of the issues identified and potential ways to fix them.

Wireless networking example

[edit]

In the .NET Framework, the ManagementClass class represents a Common Information Model (CIM) management class. A WMI class can be a Win32_LogicalDisk in the case of a disk drive, or a Win32_Process, such as a running program like Notepad.exe.

This example shows how MSNdis_80211_ServiceSetIdentifier WMI class is used to find the SSID of the Wi-Fi network that the system is currently connected to in the language C#: 

ManagementClass mc = new ManagementClass("root\\WMI", "MSNdis_80211_ServiceSetIdentifier", null);
ManagementObjectCollection moc = mc.GetInstances();

foreach (ManagementObject mo in moc)
{
    string wlanCard = (string)mo["InstanceName"];
    bool active;
    if (!bool.TryParse((string)mo["Active"], out active))
    {
       active = false;
    }
    byte[] ssid = (byte[])mo["Ndis80211SsId"];
}

The MSNdis_80211_ServiceSetIdentifier WMI class is only supported on Windows XP and Windows Server 2003.

WMI driver extensions

[edit]

The WMI extensions to WDM provide kernel-level instrumentation such as publishing information, configuring device settings, supplying event notification from device drivers, and allowing administrators to set data security through a WMI provider known as the WDM provider. The extensions are part of the WDM architecture; however, they have broad utility and can be used with other types of drivers as well (such as SCSI and NDIS).

The WMI Driver Extensions service monitors all drivers and event trace providers that are configured to publish WMI or event trace information. Instrumented hardware data is provided by way of drivers instrumented for WMI extensions for WDM. WMI extensions for WDM offer a set of Windows device driver interfaces for instrumenting data within the driver models native to Windows, so OEMs and IHVs can easily extend the instrumented data set and add value to a hardware/software solution. The WMI Driver Extensions, however, are not supported by Windows Vista and later operating systems.[12]

See also

[edit]

References

[edit]

Further reading

[edit]
[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

Windows Management Instrumentation

View on Grokipedia
from Grokipedia
Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows-based operating systems, serving as Microsoft's implementation of the Web-Based Enterprise Management (WBEM) standard to provide a unified interface for accessing and manipulating system information. Introduced as a core component of , WMI enables developers and administrators to automate administrative tasks, monitor system performance, and manage hardware and software resources through a common set of classes and providers based on the Distributed Management Task Force's (DMTF) Common Information Model (CIM). At its core, WMI operates through a repository of managed objects represented as CIM classes, which describe system elements like processes, services, and network configurations, allowing queries and modifications via (COM) interfaces or scripting languages such as and . WMI providers—dynamic or static extensions—supply the actual data from sources including the , performance counters, and device drivers, while supporting both local and remote access over protocols like (DCOM) or (WinRM). This architecture facilitates interoperability in enterprise environments, integrating with tools like the WMI command-line utility (WMIC) for quick diagnostics and the .NET Framework for more complex application development. Over time, WMI has evolved with enhancements in later Windows versions, including the introduction of Windows Management Infrastructure (MI) in and Server 2012, which adds support for RESTful APIs and improved scalability while maintaining . Despite the removal of certain legacy components like WMIC in (version 25H2), WMI remains a foundational technology for system management, powering features in products such as System Center and Azure Arc.

Overview

Definition and Purpose

Windows Management Instrumentation (WMI) is the Microsoft implementation of the Web-Based Enterprise Management (WBEM) standard, providing infrastructure for management data and operations on Windows-based operating systems. As 's implementation of the Web-Based Enterprise Management (WBEM) initiative, WMI leverages the Common Information Model (CIM) standard developed by the (DMTF) to represent management information in a uniform, object-oriented format. This framework serves as the core infrastructure for accessing and manipulating system data across Windows-based environments, enabling consistent interaction with hardware, software, networks, and other managed entities. The primary purpose of WMI is to facilitate local and remote management of Windows PCs and servers through scripting languages such as and , allowing administrators to automate routine tasks without relying on disparate, vendor-specific APIs. It consolidates various management interfaces into a single, cohesive framework, supporting operations like system monitoring, configuration changes, and diagnostics. For instance, scripts can query real-time data on resource usage or trigger events for proactive maintenance, streamlining enterprise-wide administration. Key benefits of WMI include its broad interoperability across Windows versions—it is preinstalled on and later editions, while downloadable core components are available for older systems like with 4 or higher. The framework's extensibility allows developers to create custom providers for specialized management needs, and it integrates seamlessly with enterprise tools such as System Center Configuration Manager (SCCM) for scaled deployment and oversight. This design promotes efficiency in heterogeneous environments by standardizing data access and reducing the complexity of cross-platform management.

History and Development

Windows Management Instrumentation (WMI) originated in the late 1990s as Microsoft's response to the fragmented landscape of Windows management tools, which included disparate APIs such as (SNMP) for network device monitoring, often lacking interoperability. This profusion made enterprise-wide system administration inefficient, prompting to develop a unified infrastructure for accessing and manipulating management data. Influenced by the (DMTF)'s Web-Based Enterprise Management (WBEM) initiative and Common Information Model (CIM) standards, WMI provided a standardized, object-oriented framework to consolidate these capabilities. WMI was first released as a downloadable add-on, version 1.5, for 4 in October 1998, enabling management data access on earlier systems without native support. It became natively integrated in , released in February 2000, as a core component of the operating system's management features, including , to facilitate scalable enterprise administration. Key milestones marked WMI's evolution toward enhanced interoperability and security. Windows XP, launched in October 2001, improved remote connectivity through refined Distributed Component Object Model (DCOM) support and firewall configurations, simplifying cross-machine queries. Windows Server 2003 R2, released in December 2005, introduced SOAP-based remoting via an early implementation of the WS-Management protocol, allowing HTTP/HTTPS transport for firewall-friendly operations. This was fully standardized in Windows Vista, released in January 2007, where WS-Management became a native service for broader WMI access across diverse network environments. Windows 8 and Windows Server 2012 introduced Windows Management Infrastructure (MI), an evolution of WMI based on the Open Management Infrastructure (OMI), adding support for RESTful APIs via CIM over HTTP and improved scalability while maintaining backward compatibility. In recent years, has focused on deprecating legacy components to promote modern alternatives like . The WMI Command-Line (WMIC) utility, a popular scripting tool, was deprecated in Windows 10 version 21H1 and in May 2021, with users encouraged to migrate to CIM cmdlets for equivalent functionality. The WMI Diagnosis Tool (WMIDiag.vbs), used for troubleshooting repository issues, was discontinued, with support ending starting with and , as built-in Event Tracing for Windows (ETW) and diagnostics took precedence. WMIC was further restricted, disabled by default in version 24H2 (October 2024), and slated for complete removal in version 25H2. Post-Windows 10, WMI has seen no fundamental architectural overhauls but has emphasized cloud-hybrid integration and . Azure Arc, introduced in 2020, extends WMI querying to on-premises and multicloud Windows servers via its Connected Machine agent, enabling centralized management through Azure services without major protocol changes. Security enhancements have targeted abuse vectors, such as unauthorized execution documented in MITRE ATT&CK technique T1047, including stricter namespace permissions, Just-In-Time (JIT) activation limits, and integration with Windows Defender to mitigate lateral movement risks in enterprise environments.

Architecture

Core Components

The Common Information Model (CIM) serves as the foundational object-oriented in Windows Management Instrumentation (WMI), providing a standardized way to represent managed entities such as systems, devices, networks, and applications. Developed and maintained by the (DMTF), CIM employs an extensible data model that includes classes to define object types, instances as specific occurrences of those classes, properties to hold data values, methods to encapsulate behaviors, and associations to model relationships between entities. WMI implements CIM version 2.x schemas, extending them with Windows-specific classes like the Win32 schema (e.g., Win32_ComputerSystem, which inherits from CIM_UnitaryComputerSystem to describe a computer's hardware and configuration). This structure enables a vendor-neutral over Windows internals, allowing applications to interact with diverse components in a consistent, platform-independent manner without direct dependency on proprietary APIs. The WMI Repository, also known as the CIM Object Repository (CIMOM), acts as the persistent storage for CIM-based data within WMI, housing class definitions and static instances of managed objects. Located at %SystemRoot%\System32\wbem\Repository, it consists of a collection of files rather than a single database, compiled from definitions during system initialization. This repository ensures that core metadata—such as class hierarchies, properties, and qualifiers—remains accessible for querying and management operations, while dynamic data is supplied on-demand by providers. By organizing static information in this manner, the repository supports efficient retrieval and maintains the integrity of the CIM model across system reboots. Namespaces provide the hierarchical organization within the WMI Repository, functioning as logical partitions that group related classes and instances while enabling isolated contexts for security and localization. For instance, root\cimv2 contains standard Win32 classes for system management, root\default holds schema definitions, and custom namespaces can be created for specialized providers. Each namespace supports multiple locales through techniques that store localized versions of classes in the repository, allowing display names, descriptions, and qualifiers to adapt to different languages. Additionally, namespaces integrate with Windows security descriptors, using access control lists to enforce permissions for users and groups, such as granting execute methods and read access to Authenticated Users by default. This design promotes modularity and scalability in managing enterprise environments. The Managed Object Format (MOF) is the declarative language used to define CIM classes and integrate them into the WMI Repository, facilitating provider development without runtime code execution for schema creation. MOF files describe class structures using a C++-like syntax, specifying properties, methods, qualifiers, and associations, which are then compiled by the MOF Compiler (Mofcomp.exe) directly into the repository. This compilation process registers the classes for provider implementation, enabling seamless data exposure through WMI interfaces. For example, a provider's MOF file might define a custom class extending Win32_LogicalDisk to include vendor-specific properties, ensuring the remains extensible for third-party hardware and software. By prioritizing MOF for schema definition, WMI maintains consistency with the DMTF standard while supporting Windows extensions.

Providers

Windows Management Instrumentation (WMI) providers are COM-based components, typically implemented as dynamic-link libraries (DLLs) or executable (EXE) files hosted by the WMI service, that map Common Information Model (CIM) classes to actual system resources and data sources such as the registry, performance counters, and hardware devices. These providers act as intermediaries, supplying dynamic data and operations to WMI consumers by interpreting CIM schemas in the context of the underlying Windows environment. WMI providers are categorized into several types based on their scope and functionality. Core providers, which are built into the Windows operating system, handle fundamental system management tasks; for example, the CIMWin32 provider exposes operating system information through classes like Win32_OperatingSystem. Extended providers add specialized capabilities for particular Windows features or applications, such as the provider (located in the root\MicrosoftActiveDirectory namespace), which maps objects to WMI for directory services management, or the SQL Server provider for database-related data. Aggregator providers combine data from multiple underlying sources into a unified view, facilitating complex queries across disparate system elements without direct consumer access to individual components. Providers fulfill critical roles in the WMI ecosystem by implementing key COM interfaces to deliver data and services. They primarily use interfaces such as IWbemServices to support operations like enumerating class instances, retrieving specific instance data, and executing class methods defined in the CIM model. Additionally, providers manage data persistence by storing and retrieving information in the WMI repository and handle event generation to notify consumers of changes in managed objects, ensuring real-time management capabilities. Developers create custom WMI providers to extend management for proprietary hardware or software by implementing the necessary COM interfaces in languages like C++ with Component Object Model (COM) or .NET using the System.Management namespace. The development process involves defining the provider's schema in a Managed Object Format (MOF) file, which describes the classes, properties, and methods, followed by compiling the MOF using the Mofcomp.exe tool to integrate it into the WMI repository. Registration occurs through the MOF or direct COM API calls, enabling the provider to be hosted either in-process (DLL) or out-of-process (EXE under WMIPRVSE.exe) for isolation and scalability. Over time, WMI has evolved to include dozens of built-in providers in Windows, with the operating system supplying approximately 40 core and extended providers for areas like networking, , and , as listed in official documentation. This extensibility allows third-party developers to add custom providers for specialized needs, supporting the growing complexity of Windows ecosystems from onward. Providers populate CIM classes, providing the foundation for without altering the underlying model.

WMI Service

The Windows Management Instrumentation (WMI) service, known as Winmgmt, serves as the core runtime environment that mediates between management applications and WMI data providers on Windows systems. On Windows NT-based operating systems, the service operates in-process via the Winmgmt.dll loaded within the service host, while on legacy systems, it runs as a standalone , Winmgmt.exe, due to the absence of native service support. In modern Windows versions, including and Server editions, Winmgmt is hosted within the shared process under the LocalSystem account, enabling efficient resource sharing among system services while starting automatically during system boot. The WMI service supports multiple hosting models for providers to balance security, performance, and stability. In-process hosting loads provider DLLs directly into the WMI service process space, providing tight integration but requiring trusted code to avoid compromising the host. Out-of-process hosting launches providers as separate files, isolating potentially untrusted or unstable code from the core service to prevent crashes or exploits from affecting broader system operations. Starting with and Server 2008, isolated hosting via the WmiPrvSE.exe process was introduced, creating dedicated per-user or per-namespace host instances that further enhance stability by containing provider failures within bounded environments. During its lifecycle, the WMI service initializes by loading the repository from the %systemroot%\System32\wbem\Repository directory, which stores class definitions and instance data in a CIM-compliant format. It then registers and loads providers based on entries in the system registry, making their managed objects available for querying. The service also handles DCOM activation requests to support remote connections, ensuring secure activation of components across the network. Configuration of the service, including backup and restore of the repository or adjustment of namespace settings, is managed through the WMI Control snap-in, accessible via wmimgmt.msc. Security is integral to the WMI service, which defaults to running under the highly privileged LocalSystem account to access system-wide resources. It supports client impersonation, allowing providers to execute under the caller's security context to enforce least-privilege access and prevent unauthorized elevation. Resource quotas, such as memory and handle limits for provider hosts, are configurable via registry keys under HKLM\SOFTWARE[Microsoft](/page/Microsoft)\WBEM\CIMOM or WMI classes like __ProviderHostQuotaConfiguration, helping mitigate denial-of-service risks from resource exhaustion. Misconfigurations, such as overly permissive namespace security or inadequate provider isolation, can expose the service to vulnerabilities, as seen in historical issues like those addressed in security updates. For diagnostics, the WMI service logs failures and operational events to the Windows Event Log under the Microsoft-Windows-WMI-Activity/Operational channel, capturing errors like provider load issues or query timeouts. Performance tracing is enabled using the Wevtutil command-line tool to activate Event Tracing for Windows (ETW) sessions, allowing detailed analysis of service activity, such as query execution times or provider interactions, without significant overhead when disabled.

Features

Querying and Data Access

Windows Management Instrumentation (WMI) provides mechanisms for querying and accessing data through the , an SQL-like syntax designed specifically for retrieving instances and associations from Common Information Model (CIM) classes. WQL supports SELECT statements to fetch data, such as SELECT * FROM Win32_Process WHERE Name='notepad.exe', which retrieves all properties of running processes named notepad.exe. It also enables associative joins to link related classes, like querying processes associated with specific modules, and qualifiers to filter or qualify results based on metadata. This language builds on the WMI architecture by allowing clients to interact with providers that expose CIM classes, such as those in the root\cimv2 namespace, without directly manipulating underlying data stores. Access to WMI data occurs through multiple APIs tailored to different development environments. The (COM) API uses the IWbemServices::ExecQuery method to execute WQL queries asynchronously, returning an enumerator (IEnumWbemClassObject) that iterates over result instances. In .NET applications, the System.Management namespace provides the ManagementObjectSearcher class, which encapsulates a WQL query and scope (e.g., a specific namespace), executing it via Get() to yield a ManagementObjectCollection of results. For scripting, the WMI Scripting API employs GetObject with a moniker string prefixed by "winmgmts:", such as GetObject("winmgmts:") to obtain an SWbemServices object for subsequent queries like ExecQuery. These methods ensure consistent data retrieval across languages while adhering to WMI's security context and impersonation levels. Instance management in WMI involves enumerating classes and their instances, modifying properties, and invoking class or instance methods. Enumeration uses API-specific calls, such as IWbemServices::EnumInstances in COM to list all instances of a class like Win32_Process, or ManagementObjectSearcher in .NET for filtered enumeration. Properties can be retrieved via Get (e.g., accessing the ProcessId of a Win32_Process instance) or set using Put for modifiable properties, with changes persisted through the provider. Method invocation, such as calling Terminate on a Win32_Process instance to end a process, is handled by IWbemServices::ExecMethod in COM or InvokeMethod in .NET, passing input parameters and receiving outputs. These operations require valid connections to the WMI service and appropriate permissions, often checked via the object's security descriptor. WMI object paths and moniker strings facilitate direct access to specific instances without full enumeration. A moniker string follows the format winmgmts:\\<server>\<namespace>:<class>.<property>='<value>', for example, winmgmts:\\.\root\cimv2:Win32_Service.Name='Spooler' to reference the Spooler service instance. This syntax incorporates server, , class, and key properties, enabling quick binding in APIs like GetObject for scripting or ManagementPath in .NET. Paths must conform to WMI's object path requirements, using escaped characters for special values and forward slashes for namespace components. Error handling is integral to WMI querying, with common issues like WBEM_E_NOT_FOUND (0x80041002) indicating that a specified class, instance, or does not exist, often due to repository or invalid paths. APIs return HRESULT codes for failures, requiring clients to check results from methods like ExecQuery and implement retries or fallbacks, such as verifying existence before querying. Proper handling ensures robust applications, especially when dealing with dynamic system states where instances may appear or disappear.

Event Management

Windows Management Instrumentation (WMI) provides an event infrastructure that enables applications to receive asynchronous notifications about changes in managed data and system states, facilitating reactive monitoring without constant polling. This system supports various event types, subscription mechanisms, and delivery interfaces, allowing developers to respond to system events in real time. Events are generated by WMI itself or by providers, and consumers can filter them using WMI Query Language (WQL) queries for targeted notifications. WMI events are categorized into three primary types: intrinsic, extrinsic, and timer events. Intrinsic events notify of changes within the , such as the creation, modification, or deletion of instances, classes, or namespaces; for example, the __InstanceCreationEvent class signals the addition of a new instance, like a Win32_LogicalDisk representing a mounted drive. Extrinsic events are custom events defined by providers and not directly tied to data model alterations, such as the RegistryValueChangeEvent from the System Registry Provider, which reports modifications to registry keys. Timer events, meanwhile, are scheduled occurrences generated at fixed intervals or absolute times using classes like __IntervalTimerInstruction or __AbsoluteTimerInstruction, producing instances of __TimerEvent for periodic tasks without relying on external timers. Subscriptions to WMI events follow a model that includes temporary and permanent options to suit different persistence needs. Temporary subscriptions are in-memory and exist only while the consuming application or script is running; they are typically created using methods like SWbemServices.ExecNotificationQueryAsync in scripting environments or IWbemServices::ExecNotificationQueryAsync in C++ applications. Permanent subscriptions, in contrast, are stored persistently in the WMI repository (often in the \root\subscription namespace) and survive system reboots; they rely on standard consumers such as __EventFilter for query definition and __FilterToConsumerBinding to associate filters with actions like script execution. Event delivery in WMI occurs through sink interfaces that handle notifications from the WMI service. The primary COM interface is IWbemObjectSink, implemented by consumers to receive event objects and status updates, often in a separate thread to avoid blocking. Scripting languages use the SWbemSink object for similar purposes, enabling asynchronous callbacks. Filtering is applied via WQL in event queries, such as SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_LogonSession', to deliver only relevant events and reduce overhead. Common use cases for WMI event management include monitoring user logons by subscribing to creation events for Win32_LogonSession instances, which can trigger security audits or session management scripts. Performance alerts, such as low disk space notifications via __InstanceModificationEvent on Win32_LogicalDisk, enable proactive . WMI integrates with the Windows Event Log through consumers like NTEventLogEventConsumer, which automatically logs matching events to the system log for centralized auditing and analysis. Despite its flexibility, WMI event management has notable limitations, including the absence of built-in queuing for undelivered events, which can lead to dropped notifications during high-volume scenarios if internal thresholds are exceeded (e.g., default queue limits of 10,000,000 to 20,000,000 bytes (10 MB to 20 MB)). Subscription quotas restrict scalability, capping total temporary and permanent subscriptions at 10,000 system-wide (1,000 per user) and polling memory at 10,000,000 bytes (5,000,000 per user), potentially causing overload or failures in resource-intensive environments.

Remoting and Protocols

Windows Management Instrumentation (WMI) supports local access by default through the (DCOM) on the same machine, allowing applications to interact with WMI namespaces without network configuration. For remote access, WMI initially relied on DCOM starting with , which requires opening TCP port 135 for the endpoint mapper and dynamic high ports (typically 1024-65535) for RPC communication, though fixed ports can be configured to reduce firewall complexity. Beginning with and , WMI introduced support for (WinRM), an implementation of the protocol that uses HTTP or for transport and SOAP-based messaging, enabling more firewall-friendly remoting over standard ports 80 and 443. Configuration for remote WMI access is managed through the WMI Control tool (wmimgmt.msc), where administrators can enable remote connections, set authentication levels (such as Packet Privacy for signing and ), and configure via descriptors to control read, write, and execute permissions for users or groups. Authentication defaults to for non-domain scenarios or Kerberos in domain environments, with impersonation levels ensuring the remote process runs under the caller's context to prevent . The WMI service hosts these remote calls, routing them to appropriate providers while enforcing these settings. The evolution of WMI protocols addressed early limitations of DCOM, such as poor and firewall traversal issues; Windows Server 2003 R2 introduced initial SOAP-based remoting via WinRM for simpler HTTP access, marking a shift toward web services standards. Post-Vista, full compliance became the preferred method, supporting broader , including with non-Windows systems like through open-source implementations such as OpenWSMan, which enable CIM-based management across heterogeneous environments. Security for WMI remoting emphasizes encryption via in to protect data in transit, alongside DCOM's built-in signing and sealing options to mitigate man-in-the-middle attacks. However, misconfigurations can expose risks, such as lateral movement in cyberattacks where attackers exploit WMI for remote execution using valid credentials, as documented in techniques like T1047 in the framework. Hardening involves settings to restrict DCOM access (e.g., via "Windows Management Instrumentation (WMI)" rules), disabling unused namespaces to limit attack surfaces, and applying updates like DCOM hardening patches to address vulnerabilities such as CVE-2021-26414.

Tools and Development

Built-in Tools

Windows Management Instrumentation (WMI) includes several built-in tools that enable administrators and developers to interact with its namespaces, classes, and data without requiring custom scripting or programming. These utilities facilitate testing, querying, configuration, and maintenance tasks directly from the Windows environment. WBEMTest.exe serves as a graphical interface for exploring and testing WMI components. It allows users to connect to specific namespaces, enumerate classes and instances, execute WQL queries, and monitor events, making it particularly valuable for debugging WMI providers and verifying data access. To launch it, administrators can run wbemtest.exe from the command prompt or Run dialog, then use its dialog-based controls to perform operations like object enumeration or method invocation. The Windows Management Instrumentation Command-line (WMIC) provides a command-line interface for executing common WMI queries using predefined aliases, such as wmic process list to retrieve running processes. However, WMIC has been deprecated since Windows 10 version 21H1 and the corresponding semi-annual channel release of , with recommending migration to cmdlets for equivalent functionality. In version 24H2, WMIC is disabled by default as a Feature on Demand, though it can be re-enabled if needed; WMIC was fully removed in version 25H2, released in September 2025. For instance, the alias-based queries in WMIC can be replaced by Get-CimInstance -ClassName Win32_Process in , which uses the more modern CIM (Common Information Model) sessions over protocol. WMI Control, accessible via wmimgmt.msc as a (MMC) snap-in, offers centralized configuration of the WMI service. It supports tasks such as backing up and restoring the WMI repository, adjusting permissions on namespaces, and enabling or disabling logging for auditing purposes. Users can launch it from the Run dialog or Computer Management console, then right-click WMI Control (Local) to access properties for global settings like automatic restart options or quota management. For schema registration, the Managed Object Format (MOF) Compiler, mofcomp.exe, compiles MOF files into the WMI repository, adding new classes and instances as defined in the syntax. This tool is essential for providers to extend WMI with custom data models; for example, running mofcomp.exe filename.mof parses the file and registers it in the default root namespace unless otherwise specified with switches like /namespace. It connects to the WMI service for compilation but operates in check-only mode with the /check option to validate without applying changes. WMI maintenance tasks, such as pruning or resetting the repository, can be performed using the winmgmt command-line tool, particularly the /resetrepository switch to rebuild a corrupted or bloated repository from its baseline state. This operation stops the WMI service, discards inconsistent data, and reinitializes the repository, which is recommended as a last-resort measure for resolving issues like query failures or performance degradation; it should be run from an elevated command prompt after backing up critical data via /backuprepository. Administrators are advised to verify repository consistency first with /verifyrepository before resorting to a reset.

Development Interfaces

The (COM) serves as the foundational interface for developing WMI clients and providers in unmanaged code, primarily using C++. Developers initialize COM and use the IWbemLocator interface to connect to a WMI on a local or remote host, obtaining an IWbemServices pointer for subsequent operations such as querying classes, enumerating instances, executing methods, and subscribing to events. Key interfaces like IEnumWbemClassObject facilitate enumeration, while IWbemClassObject handles property access and modifications; applications must link against wbemuuid.lib and include headers such as wbemcli.h for UUID definitions and HRESULT error codes. In managed code, the .NET Framework's System.Management provides a wrapper for WMI access, enabling developers to create clients without direct COM interaction. The ManagementScope class represents a WMI scope for connecting to local or remote systems, while ManagementClass allows retrieval and manipulation of WMI classes like Win32_Process. Starting with WMI , enhancements in this support advanced through ManagementEventWatcher for subscribing to queries and ManagementOperationObserver for asynchronous callbacks, improving responsiveness in event-driven applications. Scripting languages offer lightweight access to WMI without compiling binaries. VBScript and JScript utilize the winmgmts moniker to instantiate SWbemServices objects for querying and method invocation, as in Set locator = CreateObject("WbemScripting.SWbemLocator"). integrates WMI via cmdlets like Get-WmiObject for instance retrieval and Invoke-WmiMethod for execution, with type accelerators such as [wmi] simplifying syntax; however, these have transitioned to CIM cmdlets (e.g., Get-CimInstance) for better cross-platform compatibility in PowerShell Core. For provider development, WMI Provider Extensions enable C++ implementations using headers like wbemprov.h to define COM objects that expose custom classes and data to the WMI repository. Developers implement interfaces such as IWbemProviderInit and IWbemServices to handle queries and events, registering the provider via MOF files for integration with the WMI service. In .NET, managed providers leverage the System.Management. namespace, deriving from BaseManagement types and applying attributes like ManagementEntity to instrument applications without COM dependencies. Best practices emphasize robust error handling with HRESULT codes from wbemcli.h, mapping them to descriptive messages via macros like WBEM_S_NO_ERROR, and implementing try-catch blocks in .NET or COM exception handling in C++. Asynchronous patterns are recommended for long-running operations, using callbacks in COM (e.g., IWbemObjectSink) or event observers in .NET to avoid blocking; tools like the WMI Code Creator utility aid prototyping by generating sample code for queries and providers. Development assumes familiarity with WMI features like querying and events, with migration to CIM standards advised for cross-platform scenarios beyond Windows-specific WMI dependencies.

Applications and Extensions

Practical Examples

One practical application of WMI involves querying wireless network information, such as the Service Set Identifier (SSID) of connected networks. The MSNdis_80211_ServiceSetIdentifier class in the root\WMI namespace provides access to this data on supported systems. For instance, in C#, developers can use the System.Management namespace to connect to the WMI repository and enumerate instances of this class. The following code snippet demonstrates retrieving SSID values:

csharp

using System; using System.Management; class Program { static void Main() { ManagementObjectSearcher searcher = new ManagementObjectSearcher("root\\WMI", "SELECT * FROM MSNdis_80211_ServiceSetIdentifier"); foreach (ManagementObject queryObj in searcher.Get()) { Console.WriteLine("SSID: {0}", queryObj["Ndis80211ServiceSetID"]); } } }

using System; using System.Management; class Program { static void Main() { ManagementObjectSearcher searcher = new ManagementObjectSearcher("root\\WMI", "SELECT * FROM MSNdis_80211_ServiceSetIdentifier"); foreach (ManagementObject queryObj in searcher.Get()) { Console.WriteLine("SSID: {0}", queryObj["Ndis80211ServiceSetID"]); } } }

This approach allows applications to monitor or log wireless connections programmatically. In process management, WMI enables enumeration and control of running processes through the Win32_Process class in the root\cimv2 . Administrators can active processes or terminate specific ones using cmdlets that interface with WMI. For example, to find and terminate instances of Notepad.exe, the following PowerShell command filters and invokes the Terminate method:

powershell

Get-WmiObject -Class Win32_Process -Filter "Name='notepad.exe'" | ForEach-Object { $_.Terminate() }

Get-WmiObject -Class Win32_Process -Filter "Name='notepad.exe'" | ForEach-Object { $_.Terminate() }

This is useful for scripts that enforce limits or respond to policies. Modern equivalents use CIM cmdlets for improved and cross-platform compatibility, such as Get-CimInstance -ClassName Win32_Process -Filter "Name='notepad.exe'" | Invoke-CimMethod -MethodName Terminate. System inventory tasks leverage WMI to gather hardware details for and compliance reporting. The Win32_Processor class retrieves CPU information, including model, speed, and core count, from the root\cimv2 namespace. A PowerShell example to collect processor data across multiple machines is:

powershell

Get-WmiObject -Class Win32_Processor | Select-Object Name, NumberOfCores, MaxClockSpeed

Get-WmiObject -Class Win32_Processor | Select-Object Name, NumberOfCores, MaxClockSpeed

This output can feed into inventory databases, helping IT teams track hardware configurations without manual inspection. CIM sessions extend this to remote or distributed environments efficiently. WMI's event infrastructure supports monitoring system changes, such as service startups, via intrinsic events like __InstanceCreationEvent. To detect new instances of the Win32_Service class, a WQL query can be registered in .NET applications or scripts. The following C# example sets up an event watcher for service creations:

csharp

using System; using System.Management; class Program { static void Main() { string query = "SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_Service'"; ManagementEventWatcher watcher = new ManagementEventWatcher(query); watcher.EventArrived += new EventArrivedEventHandler(HandleEvent); watcher.Start(); Console.WriteLine("Monitoring service starts..."); Console.ReadLine(); watcher.Stop(); } private static void HandleEvent(object sender, EventArrivedEventArgs e) { Console.WriteLine("New service started: {0}", e.NewEvent["TargetInstance"]["Name"]); } }

using System; using System.Management; class Program { static void Main() { string query = "SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_Service'"; ManagementEventWatcher watcher = new ManagementEventWatcher(query); watcher.EventArrived += new EventArrivedEventHandler(HandleEvent); watcher.Start(); Console.WriteLine("Monitoring service starts..."); Console.ReadLine(); watcher.Stop(); } private static void HandleEvent(object sender, EventArrivedEventArgs e) { Console.WriteLine("New service started: {0}", e.NewEvent["TargetInstance"]["Name"]); } }

Such monitoring aids in real-time alerting for service dependencies or failures. WMI integrates with enterprise tools like System Center Configuration Manager (SCCM) for deployment queries, where WQL statements retrieve device compliance or software status from the SMS Provider. For example, queries against classes like SMS_DeploymentSummary assess application rollout success across endpoints. In security auditing, WMI accesses event logs via the Win32_NTLogEvent class to query logon events in the Security log, filtering for EventCode 4624 (successful logons) to track user access patterns. A PowerShell example for auditing recent logons is:

powershell

Get-WmiObject -Class Win32_NTLogEvent -Filter "Logfile='[Security](/page/Security)' AND EventCode=4624 AND TimeGenerated > '20250101'" | Select-Object TimeGenerated, Message

Get-WmiObject -Class Win32_NTLogEvent -Filter "Logfile='[Security](/page/Security)' AND EventCode=4624 AND TimeGenerated > '20250101'" | Select-Object TimeGenerated, Message

This facilitates forensic analysis and policy enforcement without direct event log parsing. CIM cmdlets provide a recommended alternative for these operations in contemporary environments.

Driver Extensions

Windows Management Instrumentation (WMI) provides extensions to the Windows Driver Model (WDM) that enable kernel-mode device drivers to act as WMI providers, exposing hardware-specific data and events to management applications. These extensions allow minidrivers to register data blocks and event blocks, facilitating integration with WMI's query and notification mechanisms without requiring full user-mode provider development. To implement these extensions, drivers use the WMIGUID_REGINFO structure during initialization to register GUIDs associated with data or event blocks, specifying details such as block size, version, and callback entry points for handling WMI requests. The driver must define required callbacks, including DpWmiQueryReginfo for providing registration information and DpWmiQueryDataBlock for retrieving data instances, while optional callbacks like DpWmiExecuteMethod support method invocation and DpWmiFunctionControl enable tracing control. These routines are invoked via the WMI library's WmiSystemControl function, which processes WMI IRPs (such as IRP_MN_QUERY_ALL_DATA or IRP_MN_CHANGE_SINGLE_ITEM) sent to the driver. For event handling, drivers register event blocks and fire notifications using WmiFireEvent, which serializes event data and delivers it to registered WMI consumers. This architecture supports up to 32 event logger instances, with events defined in Managed Object Format (MOF) files for compilation into the WMI repository. These extensions, part of WMI's kernel-mode support, have been available since , enabling drivers to integrate seamlessly with WMI's event tracing infrastructure from that version onward. Common use cases include hardware monitoring, where drivers expose device status and performance metrics; for example, the Win32_IDEController WMI class retrieves IDE controller properties, including SMART status indicators like "Pred Fail" for predictive failure warnings on hard disk drives. In power management scenarios, drivers can notify WMI of state changes, such as transitions to low-power modes, enabling system-wide power event propagation through classes like Win32_PowerManagementEvent. Such integrations support tasks like monitoring disk health or coordinating device power states across the system. While the Windows Driver Framework (WDF) provides a modernized WMI provider model recommended for new development starting from Windows Vista, using framework objects and callbacks (e.g., EvtWmiProviderFunctionControl) and simplifying development while maintaining compatibility with WMI data blocks and events defined in MOF files, WDM-based WMI extensions remain supported for legacy drivers. Legacy WDM-based implementations remain viable in modern Windows versions for backward compatibility but are not recommended for new driver development. Developing WMI-enabled drivers requires the (WDK), which includes headers like wmilib.h and samples for kernel-mode providers. Examples in the WDK demonstrate registration via IoWMIRegistrationControl and event logging with IoWMIWriteEvent, emphasizing proper IRP completion with WmiCompleteRequest to avoid resource leaks. Since these extensions operate in kernel context, providers must handle requests atomically to prevent deadlocks or invalid memory access; faulty implementations can crash the entire system, underscoring the need for rigorous testing with tools like Driver Verifier.

References

  1. https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page
  2. https://learn.microsoft.com/en-us/windows/win32/wmisdk/about-wmi
  3. https://learn.microsoft.com/en-us/archive/msdn-magazine/2000/april/windows-management-instrumentation-a-simple-powerful-tool-for-scripting-windows-management
  4. https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmic
  5. https://learn.microsoft.com/en-us/previous-versions/windows/desktop/wmi_v2/windows-management-infrastructure
  6. https://support.microsoft.com/en-us/topic/windows-management-instrumentation-command-line-wmic-removal-from-windows-e9e83c7f-4992-477f-ba1d-96f694b8665d
  7. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_wmi?view=powershell-5.1
  8. https://learn.microsoft.com/en-us/windows/win32/wmisdk/operating-system-availability-of-wmi-components
  9. https://www.dmtf.org/standards/cim
  10. https://www.itprotoday.com/devops/adding-wmi-to-nt-4-0-and-win95-systems
  11. https://news.microsoft.com/source/2000/01/26/leading-management-solutions-companies-support-windows-2000-and-windows-management-instrumentation/
  12. https://learn.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista
  13. https://download.microsoft.com/download/5/d/6/5d6eaf2b-7ddf-476b-93dc-7cf0072878e6/wsm.doc
  14. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wsman/7cab93d8-22e8-4880-9123-80b42bb38df1
  15. https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
  16. https://learn.microsoft.com/en-us/answers/questions/103858/wmi-diagnosis-tool-no-more-available-for-download
  17. https://www.bleepingcomputer.com/news/microsoft/microsoft-wmic-will-be-removed-after-windows-11-25h2-upgrade/
  18. https://learn.microsoft.com/en-us/azure/azure-arc/servers/overview
  19. https://attack.mitre.org/techniques/T1047/
  20. https://learn.microsoft.com/en-us/windows/win32/wmisdk/securing-a-remote-wmi-connection
  21. https://learn.microsoft.com/en-us/windows/win32/wmisdk/common-information-model
  22. https://learn.microsoft.com/en-us/windows/win32/wmisdk/cimclas
  23. https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-architecture
  24. https://learn.microsoft.com/en-us/windows/win32/wmisdk/winmgmt
  25. https://learn.microsoft.com/en-us/windows/win32/wmisdk/access-to-wmi-namespaces
  26. https://learn.microsoft.com/en-us/windows/win32/wmisdk/localizing-wmi-class-information
  27. https://learn.microsoft.com/en-us/windows/win32/wmisdk/managed-object-format--mof-
  28. https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp
  29. https://learn.microsoft.com/en-us/windows/win32/wmisdk/providing-data-to-wmi
  30. https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-providers
  31. https://learn.microsoft.com/en-us/windows/win32/srvnodes/wmi-mi-omi-providers
  32. https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-infrastructure
  33. https://learn.microsoft.com/en-us/archive/msdn-magazine/2000/may/windows-management-instrumentation-administering-windows-and-applications-across-your-enterprise
  34. https://learn.microsoft.com/en-us/windows/win32/wmisdk/provider-hosting-and-security
  35. https://learn.microsoft.com/en-us/windows/win32/wmisdk/setting-namespace-security-with-the-wmi-control
  36. https://learn.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/wmi-error-0x8004106c
  37. https://support.microsoft.com/en-us/topic/ms09-012-vulnerabilities-in-windows-could-allow-elevation-of-privilege-dad72bd0-a4bf-f599-8924-eb372eb497e8
  38. https://learn.microsoft.com/en-us/windows/win32/wmisdk/tracing-wmi-activity
  39. https://learn.microsoft.com/en-us/windows/win32/wmisdk/wql-sql-for-wmi
  40. https://learn.microsoft.com/en-us/windows/win32/wmisdk/querying-with-wql
  41. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wmi/6c8a38f4-4ee1-47cb-99f1-b42718a575ce
  42. https://learn.microsoft.com/en-us/windows/win32/api/wbemcli/nf-wbemcli-iwbemservices-execquery
  43. https://learn.microsoft.com/en-us/dotnet/api/system.management.managementobjectsearcher?view=net-9.0-pp
  44. https://learn.microsoft.com/en-us/windows/win32/wmisdk/creating-a-wmi-script
  45. https://learn.microsoft.com/en-us/windows/win32/wmisdk/enumerating-wmi
  46. https://learn.microsoft.com/en-us/dotnet/api/system.management.managementobject?view=net-9.0-pp
  47. https://learn.microsoft.com/en-us/windows/win32/wmisdk/constructing-a-moniker-string
  48. https://learn.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-with-vbscript
  49. https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-object-path-requirements
  50. https://support.microsoft.com/en-us/topic/-0x80041002-wbem-e-not-found-error-occurs-when-you-try-to-open-a-wmi-namespace-on-a-computer-that-is-running-windows-7-or-windows-server-2008-r2-603eddc4-e9e3-49ed-294f-1468852c6095
  51. https://learn.microsoft.com/en-us/windows/win32/wmisdk/receiving-a-wmi-event
  52. https://learn.microsoft.com/en-us/windows/win32/wmisdk/determining-the-type-of-event-to-receive
  53. https://learn.microsoft.com/en-us/windows/win32/wmisdk/receiving-asynchronous-event-notifications
  54. https://learn.microsoft.com/en-us/windows/win32/wmisdk/monitoring-and-responding-to-events-with-standard-consumers
  55. https://learn.microsoft.com/en-us/windows/win32/wmisdk/setting-up-a-fixed-port-for-wmi
  56. https://learn.microsoft.com/en-us/windows/win32/winrm/portal
  57. https://openwsman.github.io/
  58. https://learn.microsoft.com/en-us/windows/win32/winrm/authentication-for-remote-connections
  59. https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c
  60. https://learn.microsoft.com/en-us/intune/configmgr/develop/core/understand/introduction-to-wbemtest
  61. https://learn.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/scenario-guide-troubleshoot-wmi-connectivity-access-issues
  62. https://learn.microsoft.com/en-us/dotnet/framework/wcf/diagnostics/wmi/
  63. https://www.windowscentral.com/microsoft/windows-11/how-to-force-the-windows-11-2025-update-version-25h2-on-your-pc
  64. https://techcommunity.microsoft.com/blog/windows-itpro-blog/wmi-command-line-wmic-utility-deprecation-next-steps/4039242
  65. https://learn.microsoft.com/en-us/powershell/scripting/learn/ps101/07-working-with-wmi?view=powershell-7.5
  66. https://learn.microsoft.com/en-us/ssms/configure-wmi-to-show-server-status-in-sql-server-tools
  67. https://learn.microsoft.com/en-us/windows/win32/wmisdk/running-the-mof-compiler-on-a-file
  68. https://learn.microsoft.com/en-us/windows/win32/wmisdk/compiling-mof-files
  69. https://learn.microsoft.com/en-us/answers/questions/4158921/winmgmt-issue
  70. https://learn.microsoft.com/en-us/answers/questions/1791997/is-there-any-script-for-rebuilding-wmi
  71. https://learn.microsoft.com/en-us/windows/win32/wmisdk/com-api-for-wmi
  72. https://learn.microsoft.com/en-us/dotnet/api/system.management?view=net-9.0-pp
  73. https://learn.microsoft.com/en-us/windows/win32/wmisdk/scripting-api-for-wmi
  74. https://learn.microsoft.com/en-us/windows/win32/wmisdk/developing-a-wmi-provider
  75. https://learn.microsoft.com/en-us/dotnet/api/system.management.instrumentation?view=netframework-4.8.1
  76. https://learn.microsoft.com/en-us/windows/win32/wmisdk/using-wmi
  77. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1
  78. https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-process
  79. https://learn.microsoft.com/en-us/powershell/module/cimcmdlets/get-ciminstance?view=powershell-7.5
  80. https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-processor
  81. https://learn.microsoft.com/en-us/powershell/scripting/samples/collecting-information-about-computers?view=powershell-7.5
  82. https://learn.microsoft.com/en-us/dotnet/api/system.management.wqleventquery.-ctor?view=net-8.0
  83. https://learn.microsoft.com/en-us/intune/configmgr/core/servers/manage/create-queries
  84. https://learn.microsoft.com/en-us/previous-versions/windows/desktop/eventlogprov/win32-ntlogevent
  85. https://learn.microsoft.com/en-us/powershell/utility-modules/psscriptanalyzer/rules/avoidusingwmicmdlet?view=ps-modules
  86. https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/implementing-wmi
  87. https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wmilib/ns-wmilib-_wmiguidreginfo
  88. https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wmilib/
  89. https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/calling-wmisystemcontrol-to-handle-wmi-irps
  90. https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/wmi-event-tracing
  91. https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-idecontroller
  92. https://learn.microsoft.com/en-us/windows-hardware/drivers/wdf/introduction-to-wmi-for-kmdf-drivers
  93. https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wmilib/nf-wmilib-wmicompleterequest
Add your contribution
Related Hubs
User Avatar
No comments yet.