![]() ![]() The most basic is to return information on the local CPU, which can be done with the following command: This will give you the WMIC command prompt, wmic:root\cli>.Type WMIC to invoke the program, and hit enter.To return information on the CPU running on the local machine, we follow these steps: The most basic way to run a WMI query is run WMIC in the standard Windows command prompt. Typically, a WMI consumer is either a monitoring application, such as PRTG Network Monitor, a management application, or a script, such as a PowerShell script. WMI Consumer is the entity that sends queries to objects via the Object Manager.WMI API achieves this and provides a way for applications to access the WMI infrastructure that is device-independent.It requests data from these providers and then returns it back to the requesting application. CMI Object Manager is a system that sits in between a management application and WMI providers.Dynamic data is not stored here but is instead held and logged via a WMI provider class. The WMI repository is a database that stores all the static data that is related to WMI. ![]() Methods can be accessed via a scripting application or via a network management application. Methods are attached to particular classes, and allow actions to be performed based on data included in them: for instance, methods can be used to start and stop processes on remote machines.WMI system classes are pre-defined and start with a double underscore. They contain events and properties that allow for the actual capture and setting of data. Classes are used by WMI providers to pass data to WMI services.Some are general, some are device-specific, and Windows comes with numerous built-in WMI providers. There are many different types of WMI providers. WMI providers are objects that monitor events and data from a specific object.This includes a vast array of components because essentially any parameter or object that can be accessed by other Windows tools – such as a performance monitor – can also be accessed by WMI. Managed objects are any logical or physical component or service that can be managed via WMI.This is a process that runs with the display name “Windows Management Instrumentation”, and acts as an intermediary between WMI providers, the WMI repository, and managing applications. WMI service is the implementation in Windows of the WMI system.WMI is an integrated part of the Windows operating system, and since Windows 2000 it has come pre-installed with all Windows operating systems. Windows Management Instrumentation Architecture As you can see, the uses of WMI are varied, and the system can be used to monitor and change a huge variety of settings across a computer network. Configure computer settings (security, system properties, permissions, etc.)Īll of these functions are accessed via a combination of PowerShell and the WMI command-line interface (WMIC).The large-scale aim of the system is to consolidate the management of devices and applications across corporate networks, and so WMI can be used to do the following: Windows Management Instrumentation Usesīefore we look in more detail at the way that WMI can be used for insider surveillance, it’s also worth pointing out that WMI has plenty of legitimate uses. Towards the end of this post, we’ll explore what that script block might look like for our insider scenario. The above code queries the CIM_DataFile object to obtain Excel file creation details in a specific directory and then fires a script block. Our stealthy insider could put together the following: Register-WmiEvent -Query "SELECT * FROM _InstanceModificationEvent WITHIN 5 WHERE TargetInstance isa 'CIM_DataFile' and TargetInstance.FileSize > 2000000 and TargetInstance.Path = '\\Users\\lex\\Important' and targetInstance.Drive = 'C:’ and targetInstance.Extension =’xlsx’” -Action $action ![]() Perhaps our hypothetical insider knows - from say shoulder-surfing - that his colleague Lex occasionally downloads large Excel files containing social security and other account numbers of customers. It doesn’t take that much technical knowledge, and you can imagine a Snowden-like employee turning WMI into an employee monitoring tool. Just as WMI can be used for good, it’s also possible to do some evil insider hacking. The Register-WmiEvent cmdlet does all this through one somewhat complex line of PowerShell. With WMI, you can query for, say, all large Excel files found in a directory, and then get notified when a new file meeting a file size criteria of, say, 1 Mb is created. ![]() Quick Review: What is WMI and What is it Used For?
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |