WMIC (Windows Management Instrumentation Command) example


Windows Management Instrumentation Command.
Read a huge range of information about local or remote computers. Also provides a way to make configuration changes to multiple remote machines. WMIC is available on Vista/Windows 7, Windows XP Professional, but not Windows XP Home.


WMIC /output:”%computername%.txt” MEMORYCHIP where “memorytype=17” get Capacity

WMIC /node:remote_computer PROCESS call create “netstat.exe -ano > C:\output.txt”

   Retrieve information about <Alias>:
      WMIC [global_switches] [/locale:ms_409] <alias> [options] [format]
   Interactive mode:

 ALIAS               - Access local system aliases [CALL]

 BASEBOARD           - Base board management (motherboard or system board) 
 BIOS                - BIOS management (Basic input/output services) 
 BOOTCONFIG          - Boot configuration

 CDROM               - CD-ROM
 COMPUTERSYSTEM      - Computer system [CALL/SET]
 CPU                 - CPU
 CSPRODUCT           - Computer system product information from SMBIOS. 

 DATAFILE            - DataFiles [CALL]
 DCOMAPP             - DCOM Applications.
 DESKTOP             - User's Desktop
 DESKTOPMONITOR      - Desktop Monitor
 DEVICEMEMORYADDRESS - Device memory addresses
 DISKDRIVE           - Physical disk drive
 DISKQUOTA           - Disk space usage for NTFS volumes.[SET]
 DMACHANNEL          - Direct memory access (DMA) channel

 ENVIRONMENT         - System environment settings [SET]
 FSDIR               - Filesystem directory entry [CALL]

 GROUP               - Group account [CALL]

 IDECONTROLLER       - IDE Controller
 IRQ                 - Interrupt request line

 JOB                 - Jobs scheduled using the schedule service.[CALL]

 LOADORDER           - System services that define execution dependencies. 
 LOGICALDISK         - Local storage devices [CALL/SET]
 LOGON               - LOGON Sessions.

 MEMCACHE            - Cache memory
 MEMLOGICAL          - System memory, layout and availability
 MEMPHYSICAL         - Physical memory management

 NETCLIENT           - Network Client management.
 NETLOGIN            - Network login information for a particular user. 
 NETPROTOCOL         - Protocols (and their network characteristics).
 NETUSE              - Active network connection.
 NIC                 - Network Interface Controller (NIC)
 NICCONFIG           - Network adapter. [CALL] 
 NTDOMAIN            - NT Domain. [SET]  
 NTEVENT             - NT Event Log.  
 NTEVENTLOG          - NT eventlog file [CALL/SET]

 ONBOARDDEVICE       - Common adapter devices built into the motherboard.
 OS                  - Operating System/s [CALL/SET]

 PAGEFILE            - Virtual memory file swapping
 PAGEFILESET         - Page file settings [SET]
 PARTITION           - Partitioned areas of a physical disk.
 PORT                - I/O ports
 PORTCONNECTOR       - Physical connection ports
 PRINTER             - Printer device [CALL/SET]
 PRINTERCONFIG       - Printer device configuration  
 PRINTJOB            - Print job [CALL]
 PROCESS             - Processes [CALL]*
 PRODUCT             - Windows Installer [CALL]

 QFE                 - Quick Fix Engineering (patches)
 QUOTASETTING        - Setting information for disk quotas on a volume. [SET]

 REGISTRY            - Computer system registry [SET]

 SERVER              - Server information 
 SERVICE             - Service application [CALL]
 SHARE               - Shared resourcees [CALL]
 SOFTWAREELEMENT     - Elements of a software product*
 SOFTWAREFEATURE     - Subsets of SoftwareElement. [CALL]*
 SOUNDDEV            - Sound Devices 
 STARTUP             - Commands that run automatically when users logon
 SYSACCOUNT          - System account  
 SYSDRIVER           - System driver for a base service. [CALL]
 SYSTEMENCLOSURE     - Physical system enclosure
 SYSTEMSLOT          - Physical connection points including ports,
                       slots and peripherals, and proprietary connections points.

 TAPEDRIVE           - Tape drives  
 TEMPERATURE         - Temperature sensor (electronic thermometer).
 TIMEZONE            - Time zone data 

 UPS                 - Uninterruptible power supply (UPS) 
 USERACCOUNT         - User accounts [CALL/SET]

 VOLTAGE             - Voltage sensor (electronic voltmeter) data
 VOLUME              - Local storage volume [CALL/SET]
 VOLUMEQUOTASETTING  - Associates the disk quota setting with a specific disk volume. [SET]

 WMISET              - WMI service operational parameters [SET]

New aliases in Windows 2003: 
 MEMORYCHIP          - Memory chip information.
 RDACCOUNT           - Remote Desktop connection permission [CALL]
 RDNIC               - Remote Desktop connection on a specific network adapter [CALL/SET]
 RDPERMISSIONS       - Permissions to a specific Remote Desktop connection [CALL]
 RDTOGGLE            - Turn Remote Desktop listener on or off remotely[CALL]
 RECOVEROS           - Blue Screen Information [SET]
 SHADOWCOPY          - Shadow copy management [CALL]
 SHADOWSTORAGE       - Shadow copy storage areas [CALL/SET]
 VOLUMEUSERQUOTA     - Per user storage volume quotas  [SET]


By default an alias will return a standard LIST of information, you can also choose to GET one or more specific properties.

Configuration changes can be made, where indicated above with: [CALL or SET ]

The CREATE and DELETE options allow you to change the WMI schema itself.

                [/TRANSLATE:BasicXml|NoComma ]
                   [/EVERY:no_secs] [/FORMAT:format]
   alias GET [property list]
                [/VALUE ] [/ALL ] [/TRANSLATE:BasicXml|NoComma ]
                   [/EVERY:no_secs] [/FORMAT:format]
   alias CALL method_name [parameters]
   alias SET [assignments]
   alias CREATE 
   alias DELETE
   alias ASSOC [/RESULTCLASS:classname] [/RESULTROLE:rolename][/ASSOCCLASS:assocclass]

For more help
   WMIC /alias /?
   WMIC /alias option /?

The order of the /FORMAT and /TRANSLATE switches is significant: if /TRANSLATE follows /FORMAT, the output is formatted first and then translated.

All the options above can be extended with a WHERE clause, best shown by the examples below:


Format defines the layout of the information, XML output is automatically formatted using a default style sheet, while other formats (HTML, Table, MOF, Raw XML etc) can be specified using /FORMAT: stylesheet_name

Stylesheets supplied with WMIC:

    csv.xsl, hform.xsl, htable-sortby.xsl, htable.xsl
    texttable.xsl, textvaluelist.xsl, xml.xsl

All output files are unicode text (convert to ASCII with TYPE) Tab Separated Values (.tsv) can be opened in excel

The PROCESS alias can be used to start a new installation process, if doing this across the network, place the installer files on a share with permissions EVERYONE : Read Only. This is because network credentials will be dropped when jumping from one remote machine to another (unless you have kerberos configured).




WMIC OS GET csname, locale, bootdevice

WMIC OS GET osarchitecture /value

WMIC OS GET localdatetime

WMIC NTEVENT where LogFile='system'

WMIC NTEVENT where "LogFile='system' and Type>'0'" 

WMIC SERVICE where (state=”running”) GET caption, name, state > services.tsv



WMIC PRINTER where PortName="LPT1:" GET PortName, Name, ShareName

WMIC PROCESS where name='evil.exe' delete

WMIC /output:"%computername%.txt" MEMORYCHIP where "memorytype=17" get Capacity

WMIC /node:remote_computer PROCESS call create "netstat.exe -ano > C:\output.txt"

WMIC /node:@workstns.txt /failfast:on PROCESS call create "\\server\share\installer.cmd"

Interactive mode:
wmic:root\cli> OS get csname
wmic:root\cli> quit


WMIC is available on XP Professional and all later versions of Windows.
Under XP the global option /locale:ms_409 is required (for English US. language)

To run WMIC requires administrator rights.

The last element returned by WMIC is a single <CR> character (an empty line), when running WMIC in a FOR loop you might need to remove this, particularly if delayed expansion is involved.

The number of WMI properties that can be monitored (and the number of WMI providers) has increased with every new version of Windows.

When you type WMIC for the first time all the aliases are compiled. The second, and subsequent times you run WMIC, it will start immediately.

Running WMIC within a batch file it can sometimes hang, possible workarounds for this:
START “” /W CMD /C WMIC options
WMIC options… <NUL

* WMI information for installed software packages (PACKAGE and SOFTWAREFEATURE) is often incomplete and inconsistent for a variety of historical reasons. A more reliable method is to retrieve a list of installed programs directly from the Add/Remove list in the registry, with a WSH script like this from Torgeir Bakken.