WMI Introduction

WMI (Windows Management Instrumentation) is Microsoft's implementation of the Common Information Model (CIM). It gives us a uniform interface for applications and scripts to manage a local or remote computer or network.

It consists of the following components:

  • Managed Object Format (MOF)
  • Providers
  • Managed Objects
  • Namespaces
  • Repository
  • Consumers

MOF Files:

The .mof files can be found at this path: C:\Windows\System32\wbem

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> ls C:\Windows\System32\wbem

Managed Objects:

These are the components being managed by WMI, such as processes, services, the operating system, etc.

Namespace:

Namespaces are created by providers and are used to divide classes logically (groups: system, core and extension; types: abstract, static and dynamic).

Some well-known namespaces are: root\cimv2, root\default, root\security, root\subscription, etc.

Repository:

The WMI Repository is the database used to store the static data (definitions) of classes.

It is located in the %WINDIR%\System32\Wbem\Repository directory.

Consumers:

Applications or scripts that interact with WMI classes to query data, run methods, or subscribe to events are called consumers.

Examples of consumers: PowerShell, wmic, etc.

WMI with PowerShell:

PowerShell v2 provides cmdlets to interact with WMI:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> Get-Command *wmi*

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> Get-Command -CommandType cmdlet *wmi*

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> help Get-WmiObject

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> help Get-WmiObject -Examples
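
As an added example (not part of the original post), the script below uses Get-WmiObject as a consumer to walk the namespace tree, query one managed object, and list the event subscriptions stored in root\subscription so they can be compared with a known-good baseline. The helper name Get-WmiNamespace is hypothetical, and the script assumes Windows PowerShell, where Get-WmiObject is available.

```powershell
# Added example: enumerate WMI namespaces and review event subscriptions.
# Assumes Windows PowerShell; some namespaces need an elevated session.

function Get-WmiNamespace {
    # Hypothetical helper: every namespace exposes its children as
    # instances of the system class __NAMESPACE, so recurse from 'root'.
    param([string]$Namespace = 'root')

    $Namespace
    Get-WmiObject -Namespace $Namespace -Class __NAMESPACE -ErrorAction SilentlyContinue |
        ForEach-Object { Get-WmiNamespace -Namespace ('{0}\{1}' -f $Namespace, $_.Name) }
}

# 1. Namespaces and the number of classes defined in each one.
Get-WmiNamespace | ForEach-Object {
    $classes = @(Get-WmiObject -Namespace $_ -List -ErrorAction SilentlyContinue)
    New-Object PSObject -Property @{ Namespace = $_; ClassCount = $classes.Count }
} | Sort-Object Namespace | Format-Table Namespace, ClassCount -AutoSize

# 2. A managed object (the operating system) read through root\cimv2.
Get-WmiObject -Namespace root\cimv2 -Class Win32_OperatingSystem |
    Format-List Caption, Version, LastBootUpTime

# 3. Permanent event subscriptions kept in root\subscription:
#    filters (what to watch), consumers (what to run), and the bindings
#    that tie them together. Compare the output with a known-good baseline.
Get-WmiObject -Namespace root\subscription -Class __EventFilter |
    Format-List Name, EventNamespace, Query

Get-WmiObject -Namespace root\subscription -Class __EventConsumer |
    Format-Table __CLASS, Name -AutoSize

Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding |
    Format-List Filter, Consumer
```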

WMI with PowerShell v3:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> Get-Command -CommandType cmdlet *wmi*

@Saksham Dixit