Windows Management Instrumentation (WMI) provides a method to configure, manage, and monitor nearly all the resources on a Windows server or workstation. It is an implementation of the Distributed Management Task Force (DMTF) Common Information Model (CIM) and Web-Based Enterprise Management (WBEM) standards.
WMI was first introduced to Windows in 1998 with Windows NT 4.0 Service Pack 4 and is available in all subsequent Windows versions. It provides a way to manage nearly all Windows components locally or remotely with a variety of tools, including scripting languages and a command line tool called WMIC (Windows Management Instrumentation Command-line). It exposes an interface to file systems, event logs, devices, services, hardware controllers, processes, memory, user accounts, and many other aspects of the Windows operating system and installed applications. Components and applications that can be managed by WMI are made available through DLLs and are known as "providers".
WMI can be used by a number of tools and languages:
- WMI Administrative Tools is a set of programs provided by Microsoft for interacting with and exploring the WMI providers and namespaces
- WMIC is a command line tool that makes interacting with WMI available to batch scripts
- The C/C++ and Microsoft Visual Basic programming languages
- Scripting languages such as VBScript, JScript, or others that support Active
- Third-party tools such as system management tools and vulnerability scanners often take advantage of WMI (e.g. HP OpenView, Nessus Vulnerability Scanner)
WMI in Control Systems
The [[Bandolier]] project provides control system application audit files for the Nessus vulnerability scanner. In some cases, these audit files use WMI functionality provided by Nessus to help determine the optimal security configuration for a Windows server or workstation. For example, WMI can be used to determine if a default Windows user account is left behind by a control system application installation.
'''Bandolier Audit Check Using WMI'''
 description: "Check for default account (operator1)"
 wmi_request: "SELECT Name FROM Win32_UserAccount"
 description: "A default account (operator1) exists"
 description: "The default account (operator1) does not exist"
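The same check can be reproduced outside Nessus. The PowerShell below is an added example, not part of the Bandolier audit files or of Nessus: it issues the WQL query from the audit check above through Get-CimInstance, compares the returned local accounts against a list of known default names, and reports a pass/fail result with the same wording as the audit check. The function name Test-DefaultAccount, its parameters, and the extra Win32_UserAccount properties retrieved for triage (Disabled, PasswordRequired, SID) are choices made for this example; the only default account name taken from the page is operator1.

```powershell
function Test-DefaultAccount {
    <#
    .SYNOPSIS
    Reports whether known default accounts left behind by a control system
    installation exist as local accounts on a Windows host.
    (Added example; not Bandolier or Nessus code.)
    #>
    param(
        # Default account names to look for; "operator1" comes from the audit check above.
        [Parameter(Mandatory)] [string[]] $AccountName,
        # Host to audit. Remote hosts are reached over WinRM (WSMan), the default
        # transport for Get-CimInstance, so WinRM must be enabled and reachable.
        [string] $ComputerName = $env:COMPUTERNAME
    )

    # Same WQL as the audit check's wmi_request, limited to local accounts and
    # extended with properties that help decide how urgent a finding is.
    $query = 'SELECT Name, Domain, Disabled, PasswordRequired, SID ' +
             'FROM Win32_UserAccount WHERE LocalAccount = TRUE'
    $accounts = Get-CimInstance -ComputerName $ComputerName -Namespace 'root\cimv2' -Query $query

    foreach ($name in $AccountName) {
        # -eq on strings is case-insensitive in PowerShell, matching how Windows
        # treats account names.
        $match = $accounts | Where-Object { $_.Name -eq $name }

        if ($match) {
            $result = 'FAIL'
            $detail = "A default account ($name) exists"
        } else {
            $result = 'PASS'
            $detail = "The default account ($name) does not exist"
        }

        [pscustomobject]@{
            Computer         = $ComputerName
            Account          = $name
            Result           = $result
            Detail           = $detail
            Disabled         = if ($match) { $match.Disabled } else { $null }
            PasswordRequired = if ($match) { $match.PasswordRequired } else { $null }
            SID              = if ($match) { $match.SID } else { $null }
        }
    }
}

# Usage: audit the local host for the account named in the Bandolier check.
Test-DefaultAccount -AccountName 'operator1' | Format-Table -AutoSize

# Usage: audit several hosts from a jump station, extending the list with the
# vendor's documented defaults (placeholder names, replace with the real ones).
# 'hmi01', 'hist01' | ForEach-Object {
#     Test-DefaultAccount -AccountName 'operator1', 'VENDOR-DEFAULT-ACCOUNT' -ComputerName $_
# }
```

A FAIL with Disabled set to True and PasswordRequired set to True is a lower-priority finding than an enabled account with no password requirement, which is why the example pulls those properties alongside the name rather than stopping at the existence test the audit check performs.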