WMI

From Rory.wiki


WMI (Windows Management Instrumentation) allows Windows machines to be queried and configured from the command line, which makes it very handy for scripting and automating tasks on a Windows host, and for auditing hosts remotely.

There is also a client for Linux (the wmic client built from Samba's WMI code), which is handy. On Ubuntu (Jaunty and Intrepid at least) it is not installed by default.


Useful wmi data to pull

Command / WQL query
    Notes

useraccount list brief
    Lists the user accounts on the system. This is a wmic alias (Windows wmic only; the Linux client takes WQL, so use "select * from Win32_UserAccount"). On a domain member it enumerates domain accounts as well and can be slow; add "where LocalAccount=TRUE" to restrict it to local accounts.

select DomainRole from Win32_ComputerSystem
    Returns an integer: 0 - Standalone Workstation, 1 - Member Workstation, 2 - Standalone Server, 3 - Member Server, 4 - Backup Domain Controller, 5 - Primary Domain Controller

select Domain from Win32_ComputerSystem
    Returns the domain (or workgroup) the machine belongs to

select UserName from Win32_ComputerSystem
    Returns the user currently logged on at the console (empty if nobody is logged on interactively)

select ScreenSaverSecure from Win32_Desktop
    Whether the screen saver is password protected. Win32_Desktop returns one instance per user profile, so check the row whose Name matches the logged-on user.

select * from Win32_StartupCommand
    Programs that run at start-up or logon (Run keys and Startup folders)

select * from Win32_ScheduledJob
    Scheduled jobs for the machine. Only jobs created with the AT command (or the Win32_ScheduledJob class itself) are listed; tasks created in Task Scheduler are not.

select * from Win32_QuickFixEngineering
    Installed hotfixes

select * from Win32_NetworkAdapter
    Network adapters on the host

select * from Win32_Service
    All installed services, not just running ones; the State property (Running/Stopped) and StartMode tell you which are running and which start automatically

Using wmic linux client

Connecting to a remote machine is:

wmic -U username%password //host "command"

where command is a WQL query (the Linux client does not know the Windows wmic aliases such as useraccount), and username can be given as DOMAIN/username for a domain account. Note that the password given on the command line is visible to other users of the Linux box in the process list.

Using wmic on a windows box

Running wmic on its own starts an interactive prompt against the machine you are on. To connect to a remote machine and run a command there:

wmic /node:host /user:username /password:password command

If /password: is omitted, wmic prompts for it, which keeps it out of the command history. Note that wmic.exe is deprecated in current Windows releases; Get-WmiObject and Get-CimInstance in PowerShell cover the same ground.

ruby-wmi

There's a Windows-only gem for Ruby which exposes an ActiveRecord-like interface to WMI. It should make handling the results of WMI queries much easier (it also supports remote WMI queries).

The syntax seems to go something like

  require 'rubygems'
  require 'ruby-wmi'

  # find(:all) returns an array of WIN32OLE objects, one per instance
  useraccounts = WMI::Win32_UserAccount.find(:all)

  # Properties are read with [] (a WIN32OLE property lookup, so the
  # property name is not case sensitive)
  first_account = useraccounts[0]
  first_account['Name']         # account name
  first_account['Description']  # account description

  # More usefully, walk the whole array
  useraccounts.each do |account|
    puts "#{account['Name']}: #{account['Description']} (disabled=#{account['Disabled']})"
  end

WMI and Password Policies

After some looking around it seems it's not possible to use WMI to query the password policy of a machine that's not in a domain: the classes that carry the information are the Resultant Set of Policy (RSOP) classes in the root\RSOP\Computer namespace, which reflect applied Group Policy rather than the local security database. The classes are also not the most obvious. Each instance has a KeyName (the policy setting) and a Setting (its value), plus a Precedence that says which GPO won when several set the same key (1 is the winning one).

RSOP_SecuritySettingNumeric has the KeyName values MinimumPasswordAge, MaximumPasswordAge, MinimumPasswordLength, PasswordHistorySize, LockoutBadCount, ResetLockoutCount and LockoutDuration.

RSOP_SecuritySettingBoolean has the KeyName values ClearTextPassword, PasswordComplexity, RequireLogonToChangePassword, ForceLogoffWhenHourExpire, LSAAnonymousNameLookup, EnableAdminAccount, EnableGuestAccount and TicketValidateClient.
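The following script ties the Linux wmic client section and the password policy queries above together: it runs WQL queries through the Linux wmic client, parses the client's output, decodes DomainRole, and checks the RSOP_SecuritySettingNumeric values against a baseline. It is an added example, not code from the page or from the wmic project. It assumes the Samba wmic binary is on the PATH and prints a "CLASS: <name>" line, a pipe-separated header line and one pipe-separated line per instance; the host, credentials and baseline numbers are placeholders, and the sample output at the bottom is constructed so the script runs offline.

```python
"""Audit a Windows host via the Linux wmic client. Added example, not from the
page. Assumes: the Samba wmic binary is on PATH and prints a 'CLASS: <name>'
line, a pipe-separated header and one pipe-separated line per instance;
host, credentials and baseline values below are placeholders."""
import subprocess

# DomainRole values of Win32_ComputerSystem (from the table above).
DOMAIN_ROLE = {0: "Standalone Workstation", 1: "Member Workstation",
               2: "Standalone Server", 3: "Member Server",
               4: "Backup Domain Controller", 5: "Primary Domain Controller"}

# Minimum acceptable RSOP_SecuritySettingNumeric values (assumed baseline).
PASSWORD_BASELINE = {"MinimumPasswordLength": 8, "PasswordHistorySize": 5,
                     "LockoutBadCount": 1}   # 0 means lockout is disabled

def parse_wmic(output):
    """Turn wmic text output into a list of {column: value} dicts."""
    rows, header = [], None
    for line in output.splitlines():
        if not line.strip():
            continue
        if line.startswith("CLASS:"):
            header = None           # new result set; next line is its header
            continue
        fields = line.split("|")
        if header is None:
            header = fields
        else:
            rows.append(dict(zip(header, fields)))
    return rows

def run_query(host, user, password, wql, namespace=None):
    """Run one WQL query over wmic and return the raw output. The password
    lands in the Linux process list; prefer -A authfile if your build has it."""
    cmd = ["wmic", "-U", f"{user}%{password}"]
    if namespace:
        cmd.append(f"--namespace={namespace}")
    cmd += [f"//{host}", wql]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def describe_host(cs_rows):
    """Decode the Win32_ComputerSystem row into readable values."""
    row = cs_rows[0]
    role = int(row["DomainRole"])
    return {"domain": row["Domain"],
            "role": DOMAIN_ROLE.get(role, f"unknown ({role})"),
            "logged_on_user": row.get("UserName")}

def effective_settings(rsop_rows):
    """Reduce RSOP rows to {KeyName: Setting}. If several GPOs set the same
    key, keep the row with the lowest Precedence (1 = the winning GPO)."""
    best = {}
    for row in rsop_rows:
        try:
            value, prec = int(row["Setting"]), int(row.get("Precedence", 1))
        except ValueError:          # wmic prints "(null)" for unset values
            continue
        key = row["KeyName"]
        if key not in best or prec < best[key][0]:
            best[key] = (prec, value)
    return {k: v for k, (_, v) in best.items()}

def check_password_policy(rsop_rows):
    """Compare effective settings with PASSWORD_BASELINE; return findings."""
    settings = effective_settings(rsop_rows)
    findings = []
    for key, minimum in PASSWORD_BASELINE.items():
        value = settings.get(key)
        if value is None:
            findings.append(f"{key}: not reported by RSOP")
        elif value < minimum:
            findings.append(f"{key}: {value} (baseline {minimum})")
    return findings

# Constructed sample output in the shape the Samba wmic client prints.
SAMPLE_CS = """CLASS: Win32_ComputerSystem
Domain|DomainRole|UserName
CORP|1|CORP\\alice
"""
SAMPLE_RSOP = """CLASS: RSOP_SecuritySettingNumeric
KeyName|Setting|Precedence
MinimumPasswordLength|6|1
MinimumPasswordLength|14|2
PasswordHistorySize|0|1
LockoutBadCount|0|1
MaximumPasswordAge|(null)|1
"""

if __name__ == "__main__":
    # Live use (placeholder host/credentials): replace the samples with
    #   run_query("host", "DOMAIN/user", "pass",
    #             "select Domain,DomainRole,UserName from Win32_ComputerSystem")
    #   run_query("host", "DOMAIN/user", "pass",
    #             "select KeyName,Setting,Precedence from RSOP_SecuritySettingNumeric",
    #             namespace=r"root\RSOP\Computer")
    print(describe_host(parse_wmic(SAMPLE_CS)))
    for finding in check_password_policy(parse_wmic(SAMPLE_RSOP)):
        print("FINDING:", finding)
```

The precedence handling matters in practice: on a domain member several GPOs can set the same key and wmic returns one row per GPO, so a naive "last row wins" parse reports the wrong value. The sample shows this with two MinimumPasswordLength rows, of which only the Precedence 1 value (6) is the effective one.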

WMI and Security Policies

Turns out it's not possible to use WMI to query local security policies (sigh). There are some WMI classes which are of use in the root\RSOP\Computer namespace, but a lot of the security policy checks are not there. It may be possible to read the underlying registry values through WMI (the StdRegProv class in the root\default namespace can read the registry), but mapping policy settings to registry keys by hand is not easy.

For auditing, gpresult seems like the way to go on domain members. On a standalone machine, secedit /export /cfg out.inf dumps the local security policy, including the password and lockout settings, to a text file.


Links & Resources

Microsoft list of WMI tasks for scripts (a very useful area of their site; some of the examples above came from browsing through it)

List of Win32 WMI classes

python and wmi

excellent list of wmic snippets

ruby-wmi library

Metasploit winenum script has a handy list of wmic commands.

WQL syntax notes

WMI API

Powershell & WMI blog