Exploring Namespace

We can list all namespaces by querying the __Namespace class. Use the commands below to list all namespaces within the root namespace.

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> Get-WmiObject -Namespace "root" -Class "__Namespace" | select name

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> Get-CimInstance -Namespace "root" -ClassName "__Namespace"

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> Get-WmiObject -Namespace "root" -Class "__Namespace"

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> Get-WmiObject -Namespace "root" -Class "__Namespace" | select Name

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> Get-CimInstance -Namespace "root" -Class "__Namespace" | select Name

Exploring classes:

When no namespace is given, the default namespace used by PowerShell is root\cimv2.

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> get-wmiobject -Class *bios* -List

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> Get-CimClass -ClassName *bios*

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> Get-WmiObject -Namespace root\default -class * -List

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> Get-WmiObject -Namespace root\default -Class * -List

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> Get-WmiObject -Namespace root\cimv2 -class * -List

This returns a lot more output.

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> Get-WmiObject -namespace root\cimv2 -Class * -List | measure

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> Get-CimClass -ClassName * | measure

We list all the dynamic classes:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> Get-CimClass -QualifierName dynamic

This returns a lot of output.

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> Get-CimClass -QualifierName dynamic | measure

Wildcards can be used in class names:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> Get-WmiObject -Namespace root/cimv2 -Class *bios* -list

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> Get-CimClass -Namespace root/cimv2 -ClassName *bios*

Use the commands below to retrieve information from a class.

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> Get-WmiObject -class Win32_BIOS | Format-List *

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> Get-WmiObject -class win32_computersystem | Format-List *

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> Get-CimInstance -ClassName win32_bios

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> Get-WmiObject -class *process* -List

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> Get-WmiObject -class win32_process

This returns a lot of output.

Using Classes: Filtering Information:

The returned result can be filtered using three methods:

The -Filter parameter:

PS C:\Windows\system32> Get-WmiObject -Class win32_process -Filter "Name = 'explorer.exe'"

PS C:\Windows\system32> Get-CimInstance -ClassName win32_process -Filter "Name = 'explorer.exe'" | fl *

Using the Where-Object cmdlet (this is the slowest method, as we are retrieving all the data before filtering it).

PowerShell v2 (Get-WmiObject):

PS C:\Windows\system32> Get-WmiObject -Class win32_Process | Where-Object {$_.Name -eq "explorer.exe"}

PowerShell v3 (Get-CimInstance):

PS C:\Windows\system32> Get-CimInstance -ClassName win32_Process | Where-Object {$_.Name -eq "explorer.exe"}

The -Query parameter:

PS C:\Windows\system32> Get-WmiObject -Query "select * from win32_Process where Name = 'explorer.exe'"

PS C:\Windows\system32> Get-CimInstance -Query "select * from win32_Process where Name = 'explorer.exe'"
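
The three filtering methods above can be compared side by side. The following is an added example, not part of the original post: it runs each method against Win32_Process, confirms they return the same number of instances, and reports the average time per call. Compare-WmiFilterMethod and its parameters are hypothetical names chosen for this illustration.

```powershell
# Added example: compares the three filtering methods on Win32_Process.
# Compare-WmiFilterMethod is a hypothetical helper, not a built-in cmdlet.
function Compare-WmiFilterMethod {
    param(
        [string]$ProcessName = 'explorer.exe',
        [int]$Iterations = 5
    )

    # WQL uses the backslash as its escape character. Escape backslashes first,
    # then single quotes, so the name stays inside the WQL string literal.
    $safeName = $ProcessName -replace '\\', '\\' -replace "'", "\'"

    # One script block per method described in the text.
    $methods = [ordered]@{
        'Filter parameter' = {
            Get-CimInstance -ClassName Win32_Process -Filter "Name = '$safeName'"
        }
        'Where-Object' = {
            # Retrieves every process instance, then filters on the client side.
            Get-CimInstance -ClassName Win32_Process |
                Where-Object { $_.Name -eq $ProcessName }
        }
        'Query parameter' = {
            Get-CimInstance -Query "SELECT * FROM Win32_Process WHERE Name = '$safeName'"
        }
    }

    foreach ($name in $methods.Keys) {
        # Run once to capture the result set, so the counts can be compared.
        $result = @(& $methods[$name])

        # Time repeated runs and average them to smooth out noise.
        $elapsed = Measure-Command {
            for ($i = 0; $i -lt $Iterations; $i++) { $null = & $methods[$name] }
        }

        [pscustomobject]@{
            Method = $name
            Count  = $result.Count
            AvgMs  = [math]::Round($elapsed.TotalMilliseconds / $Iterations, 1)
        }
    }
}

Compare-WmiFilterMethod -ProcessName 'explorer.exe' | Format-Table -AutoSize
```

The Count column should be identical across the three rows; only the timing differs, because -Filter and -Query pass the condition to WMI while Where-Object filters after all instances have been returned.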

@Saksham Dixit