Thursday, October 10, 2024

Understanding Windows Management Instrumentation and its role in Windows Server


Windows Management Instrumentation (WMI) is a Windows component you use to help manage Windows systems. WMI is Microsoft’s proprietary implementation of the Web-Based Enterprise Management (WBEM) standard. WBEM is an open standard promulgated by the Distributed Management Task Force that aims to unify the management of distributed computing environments by utilizing standards-based internet technologies.

This article is an excerpt taken from one of the chapters from the book, Windows Server Automation with PowerShell Cookbook by Thomas Lee. The author has curated over 100 PowerShell recipes for working more effectively with Windows Server 2022/2019.


Exploring WMI in Windows 


Windows installs WMI as part of the OS. Setup places most of the WMI components, including the repository, the tools, and the providers, in the folder C:\Windows\System32\WBEM. On a running Windows host, WMI runs as the winmgmt service. The service code lives in wmisvc.dll and runs inside a shared service host process (svchost.exe); the winmgmt.exe program in the WBEM folder is the command-line tool you use to configure and repair the service, not the service process itself. In early versions of WMI, the winmgmt service loaded every WMI provider into its own process, so the failure of a single provider could bring down the entire WMI service. From Windows XP onward, Microsoft changed WMI to load providers in a separate host process, WmiPrvSE.exe, so that a faulting provider takes down only its host and not the service. Because WmiPrvSE loads provider DLLs on demand, the set of registered providers and the DLLs behind them is something you should know how to inspect.

In this recipe, you examine the contents of the WBEM folder, the WMI service, and runtime components of WMI. 

Getting ready 

This recipe uses SRV1, a domain-joined host. You have installed PowerShell 7 and VS Code on this host. 

How to do it… 

  1. Viewing the WBEM folder
$WBEMFOLDER = "$Env:windir\system32\wbem"
Get-ChildItem -Path $WBEMFOLDER |
  Select-Object -First 20
  2. Viewing the WMI repository folder
Get-ChildItem -Path $WBEMFOLDER\Repository
  3. Viewing the WMI service details
Get-Service -Name Winmgmt |
  Format-List -Property *
  4. Getting process details
# tasklist /svc prints "image name, PID, services"; take the PID column from the
# last line rather than a fixed substring so that PIDs of any width are handled
$S = tasklist.exe /svc /fi "SERVICES eq winmgmt" |
       Select-Object -Last 1
$P = [int] (($S.Trim() -split '\s+')[1])
Get-Process -Id $P
  5. Examining DLLs loaded by the WMI service process
Get-Process -Id $P |
  Select-Object -ExpandProperty modules |
    Where-Object ModuleName -match 'wmi' |
      Format-Table -Property FileName, Description, FileVersion
  6. Discovering WMI providers
# provider DLLs in the WBEM folder usually describe themselves as "... Provider"
Get-ChildItem -Path $WBEMFOLDER\*.dll |
  Select-Object -ExpandProperty Versioninfo |
    Where-Object FileDescription -match 'prov' |
      Format-Table -Property Internalname,
                             FileDescription,
                             ProductVersion
  7. Examining the WmiPrvSE process
Get-Process -Name WmiPrvSE
  8. Finding the WMI event log
$Log = Get-WinEvent -ListLog *wmi*
$Log
  9. Looking at the event types in the WMI log
$Events = Get-WinEvent -LogName $Log.LogName
$Events | Group-Object -Property LevelDisplayName
  10. Examining WMI event log entries
$Events |
  Select-Object -First 5 |
    Format-Table -Wrap
  11. Viewing executable programs in WBEM folder
$Files = Get-ChildItem -Path $WBEMFOLDER\*.exe
"{0,15}  {1,-40}" -f 'File Name','Description'
Foreach ($File in $Files){
 $Name = $File.Name
 $Desc = ($File |
          Select-Object -ExpandProperty VersionInfo).FileDescription
"{0,15}  {1,-40}" -f $Name,$Desc
}
  12. Examining the CimCmdlets module
Get-Module -Name CimCmdlets |
  Select-Object -ExcludeProperty Exported* |
    Format-List -Property *
  13. Finding cmdlets in the CimCmdlets module
Get-Command -Module CimCmdlets
  14. Examining the .NET type returned from Get-CimInstance
Get-CimInstance -ClassName Win32_Share | Get-Member
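Step 6 above finds provider DLLs by their version-info description, which only covers DLLs that happen to sit in the WBEM folder. The following script is an added example, not code from the book: it starts from the provider registrations WMI itself uses (the __Win32Provider instances in a namespace), resolves each registration's CLSID through the COM registry to the DLL that WmiPrvSE.exe will load, and checks whether that DLL is signed and lives under System32. It assumes PowerShell 7 on Windows with rights to read HKLM and the DLL files; the namespace, the 'Valid'/'InSystem32' criteria, and the report layout are choices made for this example.

```powershell
# Added example (not from the book): map WMI provider registrations in a namespace to
# the DLLs WmiPrvSE.exe will load for them, and check each DLL's signature and location.
# Assumptions: PowerShell 7 on Windows; the account can read HKLM and the provider DLLs.

$Namespace = 'root\cimv2'   # assumption: inspect the default namespace; change as needed

# __Win32Provider instances are the registration records WMI uses to locate a provider's COM class.
$Providers = Get-CimInstance -Namespace $Namespace -ClassName __Win32Provider

$Report = foreach ($Prov in $Providers) {
    # The CLSID is resolved through ordinary COM registration under HKLM\SOFTWARE\Classes.
    $KeyPath = "HKLM:\SOFTWARE\Classes\CLSID\$($Prov.CLSID)\InprocServer32"
    $Dll = $null
    if (Test-Path -Path $KeyPath) {
        $Dll = (Get-ItemProperty -Path $KeyPath).'(default)'
        if ($Dll) { $Dll = [Environment]::ExpandEnvironmentVariables($Dll) }
    }

    $Status = 'NoDll'
    if ($Dll -and (Test-Path -LiteralPath $Dll)) {
        # Authenticode check: WMI loads this DLL on demand, so an unsigned provider or
        # one outside System32 deserves a closer look.
        $Sig = Get-AuthenticodeSignature -FilePath $Dll
        $Status = $Sig.Status.ToString()
    }

    [pscustomobject]@{
        Provider     = $Prov.Name
        HostingModel = $Prov.HostingModel
        CLSID        = $Prov.CLSID
        Dll          = $Dll
        Signature    = $Status
        InSystem32   = [bool]($Dll -and ($Dll -like "$Env:windir\System32\*"))
    }
}

$Report | Sort-Object -Property Provider | Format-Table -AutoSize

# Anything that is not a validly signed DLL under System32 is worth investigating by hand.
$Report | Where-Object { $_.Signature -ne 'Valid' -or -not $_.InSystem32 }
```

Run it once per namespace you care about (root\cimv2 and root\subscription at least); a provider whose DLL is missing from the registry is not necessarily malicious (decoupled providers register differently), but every provider that does resolve to a file should resolve to a signed one.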

How it works… 

The WMI service and related files are in the Windows installation folder's System32\WBEM folder. In step 1, you view the first 20 entries of that folder; the book's Figure 1 shows the output.

WMI stores the CIM repository in a separate folder. In step 2, you examine the files that make up the database, with output like this: 

Figure 2: Examining the files making up the CIM repository 

In step 3, you use Get-Service to examine the WMI service, with output that looks like this: 

Figure 3: Viewing the WMI service

In step 4, you examine the Windows process that runs the WMI service, with output like this: 

Figure 4: Viewing the WMI service process

In step 5, you look at the DLLs loaded by the WMI service process, with the following output: 

Figure 5: Viewing the DLLs loaded by the WMI service process

Each WMI provider is a DLL that the WMI service can load when a client asks for the classes it supplies. In step 6, you look at the WMI provider DLLs in the WBEM folder on SRV1, with output like this:

Figure 6: Viewing WMI provider DLLs

In step 7, you examine the WmiPrvSE process, with output like this: 


Figure 7: Viewing the WmiPrvSE process 

Like other Windows services, WMI logs events to an event log, which can help troubleshoot WMI issues. In step 8, you look for any WMI-related event logs, with output like this:

Figure 8: Viewing WMI-related event logs

In step 9, you get the events from the log to view the different log levels, with output like this: 

Figure 9: Discovering WMI event types

In step 10, you view the first five WMI event log entries on SRV1. The output looks like this: 

Figure 10: Viewing WMI event log entries
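Steps 8 to 10 show the log as a whole. In practice you usually want two specific record types from the Microsoft-Windows-WMI-Activity/Operational log: 5857, written when a provider is loaded into a WmiPrvSE.exe host, and 5861, written when a permanent event consumer binding is registered. The script below is an added example, not code from the book: it pulls those records and then reads the permanent event subscriptions that are actually registered in the root\subscription namespace (filters, consumers, and the bindings between them), which is the mechanism the book covers later under permanent WMI eventing. It assumes PowerShell 7 on Windows, run elevated so that both the log and the namespace are readable; the summary truncation length and the output layout are choices made for this example.

```powershell
# Added example (not from the book): correlate the WMI-Activity operational log with the
# permanent event subscriptions currently registered in root\subscription.
# Assumptions: PowerShell 7 on Windows, running elevated so the log and the namespace are readable.

$LogName = 'Microsoft-Windows-WMI-Activity/Operational'

# 5857 = a provider was loaded into a WmiPrvSE.exe host
# 5861 = a permanent event consumer binding was registered
$Events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 5857, 5861 } -ErrorAction SilentlyContinue

$Events |
  Select-Object -Property TimeCreated, Id,
    @{ Name = 'Summary'; Expression = {
        # The message text names the provider (5857) or the filter/consumer pair (5861).
        $M = $_.Message -replace '\s+', ' '
        $M.Substring(0, [Math]::Min(160, $M.Length))
    } } |
  Format-Table -Wrap

# Now read what is registered today. A binding ties an __EventFilter (a WQL query)
# to a consumer instance (for example CommandLineEventConsumer or ActiveScriptEventConsumer).
$Ns = 'root\subscription'
$Bindings = Get-CimInstance -Namespace $Ns -ClassName __FilterToConsumerBinding

$Live = foreach ($B in $Bindings) {
    # Reference properties come back as CimInstance objects carrying the key (Name) property.
    $FilterName    = $B.Filter.Name
    $ConsumerClass = $B.Consumer.CimClass.CimClassName
    $ConsumerName  = $B.Consumer.Name

    $Filter   = Get-CimInstance -Namespace $Ns -ClassName __EventFilter -Filter "Name='$FilterName'"
    $Consumer = Get-CimInstance -Namespace $Ns -ClassName $ConsumerClass -Filter "Name='$ConsumerName'"

    # What runs when the filter fires depends on the consumer class.
    $Payload = switch ($ConsumerClass) {
        'CommandLineEventConsumer'  { $Consumer.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $Consumer.ScriptText }
        default                     { "(payload not shown for $ConsumerClass)" }
    }

    [pscustomobject]@{
        Filter   = $FilterName
        Query    = $Filter.Query
        Consumer = "$ConsumerClass/$ConsumerName"
        Payload  = $Payload
    }
}

$Live | Format-List
```

A 5861 record with no matching live binding means a subscription was created and later removed; a live binding with no 5861 record means either the log has rolled over (it is small by default) or the binding predates the log, so treat the live list as authoritative and the log as history.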

In step 11, you view the executable programs in the WBEM folder, with output like this: 

Figure 11: Viewing the executable programs in the WBEM folder

With PowerShell 7 (and also with Windows PowerShell 5.1), you access WMI's functionality using the cmdlets in the CimCmdlets module. PowerShell 7 ships its own copy of this module, and Windows installed a version of it for Windows PowerShell when you installed the host OS. Note that the older WMI cmdlets (Get-WmiObject and related commands) are not included in PowerShell 7, so on that platform the CIM cmdlets are the built-in route to WMI. In step 12, you examine the properties of this module, with output like this:


Figure 12: Viewing the CimCmdlets module details 

In step 13, you use Get-Command to discover the cmdlets within the CimCmdlets module, which looks like this:


Figure 13: Viewing the cmdlets in the CimCmdlets module 

In step 14, you examine the properties and methods of an object returned from WMI by Get-CimInstance. The output from this step looks like this:


Figure 14: Examining the output from Get-CimInstance 

Summary

In this article we explored the fundamentals of Windows Management Instrumentation: where its files live, how the winmgmt service and the WmiPrvSE provider host relate, where WMI logs events, and how the CimCmdlets module exposes it to PowerShell. The book goes on to cover WMI namespaces and classes, obtaining local and remote WMI objects, using WMI methods, managing WMI events, and implementing permanent WMI eventing.
