
Windows Management Instrumentation, a powerful feature of the Windows operating systems, is an indispensable resource for system administrators and developers. WMI provides an infrastructure that gives access to management data from computer systems and allows that data to be managed. This technology is used for a wide range of tasks, from collecting system information to software deployment.
In this article, we take an in-depth look at what WMI is and how it is used. We discuss the importance of WMI, its basic components and its principle of operation. We also explain how WMI interacts with tools such as PowerShell and what role the provider host plays. This information will help you understand why it is such a powerful management tool on Windows systems.
What is Windows Management Instrumentation and Why is it Important?
Windows Management Instrumentation Definition
Windows Management Instrumentation (WMI) is a powerful management technology built into Microsoft’s Windows operating systems. WMI provides an infrastructure that enables control of objects in computer systems and allows operations in the operating system to be managed. This technology is Microsoft’s implementation of the Web-Based Enterprise Management (WBEM) standard and offers both scriptable and programmable interfaces.
Importance of Windows Management Instrumentation
WMI is an indispensable tool for system administrators and developers. It provides a uniform access mechanism to a large collection of Windows management data and methods, which makes system administration fast and efficient. It contains nearly 900 classes, each with functions designed for various purposes. This rich class structure makes WMI a frequently used resource for people who develop and script programs on Windows.
Windows Management Instrumentation Usage Areas
The usage areas of Windows Management Instrumentation are quite wide:
- Collecting System Information: It can be used to collect the status of computers.
- Configuring Settings: System settings can be changed and configured.
- Application Management: Applications can be run and managed.
- Code Execution: Code can be executed to automate certain tasks.
- Remote Management: All of these operations can be performed remotely, without being at the computer.
WMI can be used from programming languages such as C, C++, C# and VB, or from scripting languages that run on Windows. In addition, tools such as PowerShell and Windows Scripting Host (WSH) can be used to interact with Windows Management Instrumentation. This wide range of uses and flexibility makes it a powerful management tool on Windows systems.
How Attackers Use WMI
In this chapter, you will learn how attackers misuse WMI and what precautions you can take against these techniques.
Attackers use WMI for the following purposes:
- Lateral movement
- Information gathering
- Modifying systems
- Establishing persistence
Before delving deeper into WMI, it is important to understand the client and server components that make up WMI. The most familiar clients are the command-line tool wmic.exe (also known as WMIC) and the PowerShell cmdlet Get-WMIObject. Both administrators and attackers use these tools for the purposes mentioned above, although wmic.exe is observed more frequently than Get-WMIObject. On the server side, wmiprvse.exe (the WMI Provider Host) processes many, but not all, requests from clients.
This is especially important because if you observe suspicious activity from wmiprvse.exe, you may be facing an attacker who is using wmic.exe on a remote system to run payloads, via WMI, on the system you are examining; this is a form of lateral movement. A WMI lateral movement technique we see frequently is the following:
wmic.exe /node: process call create
On the target computer, the given process will appear as a child process of wmiprvse.exe. If your security audit policies record logon events, you should also see a network (type 3) logon event associated with this activity. Variations of the above command line may include explicitly passed credentials.
Information Gathering and System Modification with WMI
Another common way for attackers to use WMI, and especially WMIC, is to gather information and modify systems. During ransomware attacks, attackers often list and delete the volume shadow copies that are used to restore files. Ransomware operators often use the Volume Shadow Copy Service (VSS) management tool vssadmin.exe for this purpose, so many organisations send an alert to the SOC whenever this tool runs. However, wmic.exe can also manage volume shadow copies without calling vssadmin.exe at all; the following command can be used:
wmic shadowcopy delete /noninteractive
Ironically, we sometimes see a less stealthy version of this attack using WMIC:
wmic process call create vssadmin.exe delete shadows /all /quiet
Other WMI Usage Areas
The pattern above causes wmiprvse.exe to start the vssadmin.exe process.
In addition to listing and manipulating volume shadow copies, attackers use WMIC to list and modify dozens of items on a Windows system or in its environment. We have seen attackers use WMIC to do the following:
- Determine which antivirus product is installed
- Stop the firewall service
- List group memberships (including local and, in many configurations, domain administrator accounts)
- Modify dozens of other items of interest
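As an added example that is not part of the original article, the PowerShell function below flags, in process-creation telemetry, the WMI abuse patterns this chapter describes: a process whose parent is wmiprvse.exe, wmic.exe used with /node:, and shadow-copy deletion via either wmic or vssadmin. The event records are constructed samples; the field names Image, ParentImage and CommandLine follow Sysmon Event ID 1.

```powershell
# Added example (not code from the original article): flag the WMI abuse
# patterns described in this chapter in process-creation telemetry. The event
# records below are constructed; in production they would come from Sysmon
# Event ID 1 (Image, ParentImage, CommandLine) or Security Event 4688.
function Test-WmiAbuseEvent {
    param([Parameter(Mandatory)] $Event)
    $image   = [System.IO.Path]::GetFileName($Event.Image).ToLower()
    $parent  = [System.IO.Path]::GetFileName($Event.ParentImage).ToLower()
    $cmd     = [string]$Event.CommandLine   # -match is case-insensitive
    $reasons = @()

    # Source side of lateral movement: wmic targeting another host with /node:.
    if ($image -eq 'wmic.exe' -and $cmd -match '/node:') {
        $reasons += 'wmic.exe with /node: (remote WMI execution from this host)'
    }
    # Target side: anything launched via "process call create" is a child of
    # the WMI Provider Host. Correlate with a type 3 logon event if available.
    if ($parent -eq 'wmiprvse.exe') {
        $reasons += 'child of wmiprvse.exe (process possibly created via WMI)'
    }
    # Shadow copies removed through WMI itself, so vssadmin.exe never runs.
    if ($image -eq 'wmic.exe' -and $cmd -match 'shadowcopy\s+delete') {
        $reasons += 'wmic shadowcopy delete'
    }
    # The noisier variant: vssadmin started by wmic, so its parent is wmiprvse.exe.
    if ($image -eq 'vssadmin.exe' -and $cmd -match 'delete\s+shadows') {
        $reasons += 'vssadmin delete shadows'
    }
    [pscustomobject]@{ Image = $image; Parent = $parent; Reasons = $reasons }
}

# Constructed sample events, not real telemetry.
$sampleEvents = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\wbem\WMIC.exe'; ParentImage = 'C:\Windows\System32\cmd.exe';          CommandLine = 'wmic shadowcopy delete /noninteractive' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\vssadmin.exe';  ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe'; CommandLine = 'vssadmin.exe delete shadows /all /quiet' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\cmd.exe';       ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe'; CommandLine = 'cmd.exe /c whoami' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\notepad.exe';   ParentImage = 'C:\Windows\explorer.exe';               CommandLine = 'notepad.exe' }
)

# The first three samples produce an alert; the notepad launch does not.
$sampleEvents | ForEach-Object { Test-WmiAbuseEvent $_ } |
    Where-Object { $_.Reasons.Count -gt 0 } |
    ForEach-Object { 'ALERT: {0} (parent {1}): {2}' -f $_.Image, $_.Parent, ($_.Reasons -join '; ') }
```

Legitimate administration tools also create children of wmiprvse.exe, so treat the parent-process rule as a triage signal to be correlated with the logon event and command line rather than as a standalone alert.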
Windows Management Instrumentation Basic Components
Windows Management Instrumentation provides a powerful management infrastructure in Windows operating systems. Its core components enable the system to be operated and managed effectively, and they give Windows Management Instrumentation its functionality and flexibility.
Windows Management Instrumentation Providers
Windows Management Instrumentation providers are considered the backbone of Windows Management Instrumentation. These providers make available information about objects that can be managed by Windows. A provider retrieves data from an object and passes that data through Windows Management Instrumentation to a management application, such as PowerShell. A Windows Management Instrumentation provider consists of a DLL and MOF file that define classes.
Most Windows Management Instrumentation providers are dynamic, meaning that they retrieve data on demand when a management application requests it. Providers give access to everything defined in the repository and process messages from Windows Management Instrumentation to the managed object.
Windows Management Instrumentation Consumers
Windows Management Instrumentation consumers are clients or management applications that initiate a connection or query. These applications perform various management tasks by using the information that Windows Management Instrumentation provides. Windows Management Instrumentation consumers use Component Object Model (COM) or Distributed Component Object Model (DCOM) components for communication between local and remote processes.
Windows Management Instrumentation consumers can use Windows Management Instrumentation to gather system information, configure settings, manage applications, and automate certain tasks. These consumers can interact with WMI through programming languages such as C, C++, C#, VB, or scripting languages such as PowerShell and Windows Scripting Host (WSH).
Windows Management Instrumentation Repository
The Windows Management Instrumentation repository is one of the core components of WMI and fulfils the primary function of the WMI database. This repository provides infrastructure management services for computing operations management. The WMI repository is created by MOF (Managed Object Format) files that define classes, structure, and namespaces.
The WMI repository represents systems, applications, networks, devices, and other manageable components using the Common Information Model (CIM). This model provides a common interface and object model for accessing management information.
The Windows Management Instrumentation repository works together with the Windows Management Instrumentation service. The WMI service is the Winmgmt service that appears in Windows as ‘Windows Management Instrumentation’. This service runs in the background so that Windows Management Instrumentation classes can be used and ensures that Windows Management Instrumentation works properly.
These core components make WMI a powerful management tool in Windows operating systems. Through these components, Windows Management Instrumentation provides system administrators and developers with a wide range of management and automation capabilities.
Windows Management Instrumentation Working Principle
Windows Management Instrumentation Architecture
Windows Management Instrumentation provides a powerful management infrastructure in Windows operating systems. Its architecture consists of multiple components and layers: the client or management application that initiates the Windows Management Instrumentation connection, the Component Object Model (COM) or Distributed Component Object Model (DCOM) component, the transport or network layer (Remote Procedure Call, RPC), the WMI repository and service, the provider, and the managed objects.
WMI uses the DCOM (Distributed Component Object Model) infrastructure for remote access. Remote WMI use requires certain permissions: a local firewall exception, remote Windows Management Instrumentation authorisation, UAC (User Account Control) and user permissions to access DCOM objects.
Windows Management Instrumentation Query Language (WQL)
The WMI Query Language (WQL) provides a SQL-like syntax for querying WMI. Configuration Manager supports a superset of WQL known as Extended WQL. WQL and Extended WQL are based on the American National Standards Institute (ANSI) Structured Query Language (SQL) standard; however, they retrieve data from classes instead of tables and return instances instead of rows.
Extended WQL offers a wider range of operations than standard WQL. Supported clauses and functions include DISTINCT, COUNT, JOIN, WHERE, SUBSTRING, ORDER BY, UPPER, LOWER and DATEPART. It also supports the standard comparison operators (including LIKE and IN) and subqueries.
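As an added example that is not from the original article, the PowerShell script below runs WQL queries against the Win32_Process class with Get-CimInstance, showing that WQL selects from a class and returns instances, and that correlation across instances (here, the children of each WMI Provider Host) is done in PowerShell because standard WQL has no JOIN. It assumes a Windows host and the default root/cimv2 namespace.

```powershell
# Added example (not from the original article): WQL via Get-CimInstance.
# WQL reads from classes rather than tables and returns CIM instances rather
# than rows. Assumes a Windows host; root/cimv2 is the default namespace.

# 1. Every instance of the WMI Provider Host. WHERE and '=' behave as in SQL;
#    the class name (Win32_Process) takes the place of a table name.
$hosts = Get-CimInstance -Namespace 'root/cimv2' `
    -Query "SELECT ProcessId, ParentProcessId, Name FROM Win32_Process WHERE Name = 'WmiPrvSE.exe'"

# 2. For each provider host, list its child processes. Processes started through
#    WMI (locally, or via "wmic /node:" from another machine) appear as children
#    of WmiPrvSE.exe. Standard WQL has no JOIN (Configuration Manager's Extended
#    WQL does), so the parent/child correlation is done in PowerShell.
foreach ($h in $hosts) {
    $children = Get-CimInstance -Namespace 'root/cimv2' `
        -Query "SELECT ProcessId, Name, CommandLine FROM Win32_Process WHERE ParentProcessId = $($h.ProcessId)"
    foreach ($c in $children) {
        [pscustomobject]@{
            ParentPid   = $h.ProcessId
            ChildPid    = $c.ProcessId
            ChildName   = $c.Name
            CommandLine = $c.CommandLine
        }
    }
}

# 3. LIKE with the SQL '%' wildcard: find any running wmic.exe and what it was
#    asked to do, e.g. a 'shadowcopy delete' command line.
Get-CimInstance -Namespace 'root/cimv2' `
    -Query "SELECT Name, CommandLine FROM Win32_Process WHERE Name LIKE '%wmic%'" |
    Select-Object Name, CommandLine
```

On a quiet system step 2 usually returns nothing, which is the expected baseline; any output is worth reviewing together with the process-creation and logon events.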
Windows Management Instrumentation Classes and Objects
WMI classes represent specific elements of the Windows system and are used to manage operations in the operating system. Windows Management Instrumentation providers use classes to pass data to the Windows Management Instrumentation service; classes contain properties and events.
WMI providers make available information about objects that can be managed by Windows. A provider provides data from an object to Windows Management Instrumentation and processes messages from Windows Management Instrumentation to the object. A Windows Management Instrumentation provider consists of a DLL and MOF (Managed Object Format) file that defines classes.
The Windows Management Instrumentation repository fulfils the primary function of the Windows Management Instrumentation database and provides infrastructure management services for computing operations management. Repositories are created by MOF files that define classes, structure, and namespaces. These files are usually located under the %WINDIR%\System32\Wbem directory.
The working principle of Windows Management Instrumentation rests on these components coming together to form a powerful management and monitoring infrastructure on Windows systems. In this way, system administrators and developers can effectively manage and monitor many aspects of the Windows operating system.
Conclusion
Windows Management Instrumentation stands out as a powerful tool for management and monitoring of Windows systems. The basic components of Windows Management Instrumentation, such as providers, consumers and repositories, offer a wide range of possibilities to system administrators and developers. This technology is used to fulfil a variety of tasks, from collecting system information to software deployment.
The working principle of WMI includes a complex architecture and a specialised query language, WQL. WMI classes and objects represent elements in the Windows system and are used to manage operations in the operating system. These features make Windows Management Instrumentation a frequently used resource for people who develop and script programs on Windows. Don’t just learn about Windows Management Instrumentation in depth, explore our other courses on our site! Check out the content that will help you specialise in Cyber Security and take your knowledge one step further.
Frequently Asked Questions about Windows Management Instrumentation
How do I activate WMI?
As a first step, right-click on the Start menu and select ‘Computer Management’. Then, on the screen that opens, right-click on ‘WMI Control’, select ‘Properties’ and check that remote access is enabled in your user’s permissions.
What does WMI Control do?
WMI (Windows Management Instrumentation) is a technology that enables control of almost every object in the Windows operating system and is used to perform operations and management functions in the operating system. WMI can be used for many functions beyond data collection.
What is a WMI port and what does it do?
WMI is known as ‘Windows Management Instrumentation’ and is pre-installed in Windows operating systems from Windows 2000 onwards. This infrastructure enables the monitoring and management of many components in the operating system infrastructure.