Windows Management Instrumentation (WMI)

Windows Management Instrumentation (WMI) provides a method to configure, manage, and monitor nearly all the resources on a Windows server or workstation. It is an implementation of the Distributed Management Task Force (DMTF) Common Information Model (CIM) and Web-Based Enterprise Management (WBEM) standards.

Overview

WMI was first introduced to Windows in 1998 with Windows NT 4.0 Service Pack 4 and is available in all subsequent Windows versions. It provides a method for managing nearly all Windows components locally or remotely with a variety of tools, including scripting languages and a command line tool called WMIC (Windows Management Instrumentation Command-line). It provides an interface to file systems, event logs, devices, services, hardware controllers, processes, memory, user accounts, and many other aspects of the Windows operating system and installed applications. Components and applications that can be managed by WMI are made available through DLLs and are known as “providers”.

Use

WMI can be used by a number of tools and languages:

  • WMI Administrative Tools is a set of programs provided by Microsoft for interacting with and exploring the WMI providers and namespaces
  • WMIC is a command line tool that makes interacting with WMI available to batch scripts
  • The C/C++ and Microsoft Visual Basic programming languages
  • Scripting languages such as VBscript, JScript, or others that support Active
  • Third party tools such as system management tools and vulnerability scanners often take advantage of WMI (e.g. HP OpenView, Nessus Vulnerability Scanner)

WMI in Control Systems

The [[Bandolier]] project provides control system application audit files for the Nessus vulnerability scanner. In some cases, these audit files use WMI functionality provided by Nessus to help determine the optimal security configuration for a Windows server or workstation. For example, WMI can be used to determine if a default Windows user account is left behind by a control system application installation.

'''Bandolier Audit Check Using WMI'''

# Enumerate the Name attribute of every Win32_UserAccount instance and compare each
# one against value_data; the check passes (account found) if any name matches.
<if>
<condition type:"AND">
<custom_item>
type: WMI_POLICY
description: "Check for default account (operator1)"
value_type: POLICY_TEXT
value_data: "operator1"
wmi_namespace: "root/CIMV2"
wmi_request: "SELECT Name FROM Win32_UserAccount"
wmi_attribute: "Name"
wmi_key: "Name"
wmi_option: WMI_ENUM
check_type: CHECK_EQUAL_ANY
</custom_item>
</condition>
<then>
<report type:"FAILED">
description: "A default account (operator1) exists"
</report>
</then>
<else>
<report type:"PASSED">
description: "The default account (operator1) does not exist"
</report>
</else>
</if>
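The same check written as a PowerShell script, added here as an example; it is not code from the Bandolier project or from Nessus. It queries the same class (Win32_UserAccount) in the same namespace (root/CIMV2) that the audit file uses, assumes PowerShell 3.0 or later for the CIM cmdlets, and treats the account name operator1 (taken from the check above), the script file name and the host names in the usage line below as placeholders.

```powershell
# Added example, not Bandolier or Nessus code: perform the audit check above with
# PowerShell's CIM cmdlets (PowerShell 3.0 or later), which query the same class
# (Win32_UserAccount) in the same namespace (root/CIMV2) that the audit file uses.
param(
    # Hosts to check. Remote hosts are reached over WinRM, so the caller needs
    # WMI rights on each one. Defaults to the local machine.
    [string[]]$ComputerName = @($env:COMPUTERNAME),

    # Account names to flag. 'operator1' is the sample value from the audit
    # check above; replace it with the defaults your vendor documents.
    [string[]]$DefaultAccounts = @('operator1')
)

foreach ($computer in $ComputerName) {
    $query = @{
        ClassName = 'Win32_UserAccount'
        Namespace = 'root/CIMV2'
        # LocalAccount = TRUE restricts the result to accounts defined on the host.
        # Without it the class also enumerates every domain account, which is slow
        # on a domain-joined machine and not what the check is looking for.
        Filter    = 'LocalAccount = TRUE'
    }
    # Only open a remote CIM session when the target is not this machine; the
    # local query works without WinRM being enabled.
    if ($computer -ne $env:COMPUTERNAME) { $query.ComputerName = $computer }

    $accounts = Get-CimInstance @query

    foreach ($name in $DefaultAccounts) {
        # Windows account names are case-insensitive, so compare accordingly.
        $found = $accounts | Where-Object { $_.Name -ieq $name }

        if ($found) {
            # Equivalent of the audit file's FAILED branch. Disabled is reported
            # because a leftover account that is disabled is a lesser finding than
            # one that is still enabled.
            [pscustomobject]@{
                Computer = $computer
                Account  = $found.Name
                Result   = 'FAILED'
                Disabled = $found.Disabled
                Detail   = "A default account ($name) exists"
            }
        } else {
            # Equivalent of the audit file's PASSED branch.
            [pscustomobject]@{
                Computer = $computer
                Account  = $name
                Result   = 'PASSED'
                Disabled = $null
                Detail   = "The default account ($name) does not exist"
            }
        }
    }
}
```

Saved as, for instance, Check-DefaultAccounts.ps1, the script is run as .\Check-DefaultAccounts.ps1 -ComputerName hmi01,hist01 | Format-Table (host names constructed) and emits one PASSED or FAILED row per host and account, matching the two report branches of the audit file. On hosts that predate the CIM cmdlets, Get-WmiObject accepts the same -Class, -Namespace, -Filter and -ComputerName parameters, but it uses DCOM rather than WinRM for remote queries, which matters for firewall rules between the scanning host and the control system network.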

External Links

Common Information Model (CIM) Standards

WMI Administrative Tools Download

WMI Based Compliance Checks for Nessus

WMI FAQ

WMI in the MSDN Library

WMI Scripting Primer