Understanding Windows Management Instrumentation and its role in Windows Server

Windows Management Instrumentation (WMI) is a Windows component you use to help manage Windows systems. WMI is Microsoft’s proprietary implementation of the Web-Based Enterprise Management (WBEM) standard. WBEM is an open standard promulgated by the Distributed Management Task Force that aims to unify the management of distributed computing environments by utilizing standards-based internet technologies.

This article is an excerpt taken from one of the chapters from the book, Windows Server Automation with PowerShell Cookbook by Thomas Lee. The author has curated over 100 PowerShell recipes for working more effectively with Windows Server 2022/2019.

Windows Server Automation with PowerShell Cookbook: Powerful ways to automate and manage Windows administrative tasks, 4th Edition

$93.99
$66.15
 in stock

8 new from $66.15
4 used from $66.13

Free shipping

BUY NOW

Amazon.com

as of August 16, 2023 12:05 am

Exploring WMI in Windows 

Windows installs WMI during the installation of the OS. The installation process puts most of the WMI components, including the repository, tools, and the providers, into a folder, C:\Windows\System32\WBEM. Inside a running Windows host, WMI runs as a service, the winmgmt service (winmgmt.exe). Windows runs this service inside a shared service process (svchost.exe). In the early versions of WMI in Windows, WMI loaded all the WMI providers into the winmgmt service. The failure of a single provider could cause the entire WMI service to fail. Later, with Windows XP and beyond, Microsoft improved WMI to load providers in a separate process, WmiPrvSE.exe. 

In this recipe, you examine the contents of the WBEM folder, the WMI service, and runtime components of WMI. 

Getting ready 

This recipe uses SRV1, a domain-joined host. You have installed PowerShell 7 and VS Code on this host. 

How to do it… 

1. Viewing the WBEM folder 

$WBEMFOLDER = "$Env:windir\system32\wbem" 
Get-ChildItem -Path $WBEMFOLDER | 
  Select-Object -First 20 

2. Viewing the WMI repository folder   

Get-ChildItem -Path $WBEMFOLDER\Repository 

3. Viewing the WMI service details 

Get-Service -Name Winmgmt  |  
  Format-List -Property *

4. Getting process details 

$S = tasklist.exe /svc /fi "SERVICES eq winmgmt" | 
       Select-Object -Last 1 
$P = [int] ($S.Substring(30,4)) 
Get-Process -Id $P  

5. Examining DLLs loaded by the WMI service process

Get-Process -Id $P |  
  Select-Object -ExpandProperty modules |  
    Where-Object ModuleName -match 'wmi' | 
      Format-Table -Property FileName, Description, FileVersion

6. Discovering WMI providers 

Get-ChildItem -Path $WBEMFOLDER\*.dll |  
  Select-Object -ExpandProperty Versioninfo |  
    Where-Object FileDescription -match 'prov' | 
      Format-Table -Property Internalname,  
                             FileDescription,  
                             ProductVersion

7. Examining the WmiPrvSE process                              

Get-Process -Name WmiPrvSE 

8. Finding the WMI event log 

$Log = Get-WinEvent -ListLog *wmi* 
$Log

9. Looking at the event types in the WMI log

$Events = Get-WinEvent -LogName $Log.LogName 
$Events | Group-Object -Property LevelDisplayName

10. Examining WMI event log entries 

 $Events | 
  Select-Object -First 5 | 
    Format-Table -Wrap

11. Viewing executable programs in WBEM folder

$Files = Get-ChildItem -Path $WBEMFOLDER\*.exe 
"{0,15}  {1,-40}" -f 'File Name','Description' 
Foreach ($File in $Files){ 
 $Name = $File.Name 
 $Desc = ($File |  
          Select-Object -ExpandProperty VersionInfo).FileDescription 
"{0,15}  {1,-40}" -f $Name,$Desc 
}

12. Examining the CimCmdlets module

Get-Module -Name CimCmdlets | 
  Select-Object -ExcludeProperty Exported* 
    Format-List -Property *

13. Finding cmdlets in the CimCmdlets module 

Get-Command -Module CimCmdlets     

14. Examining the .NET type returned from Get-CimInstance 

Get-CimInstance -ClassName Win32_Share | Get-Member  

How it works… 

The WMI service and related files are in the Windows installation folder’s System32\WBEM folder. In step 1, you view part of the contents of that folder, with output like this: 

WMI stores the CIM repository in a separate folder. In step 2, you examine the files that make up the database, with output like this: 

Figure 2: Examining the files making up the CIM repository 

In step 3, you use Get-Service to examine the WMI service, with output that looks like this: 

 Figure 3: Viewing the WMI service 

In step 4, you examine the Windows process that runs the WMI service, with output like this: 

 Figure 4: Viewing the WMI service 

In step 5, you look at the DLLs loaded by the WMI service process, with the following output: 

 Figure 5: Viewing the DLLs loaded by the WMI service process

Each WMI provider is a DLL which the WMI service can use. In step 6, you look at the  WMI providers on SRV1, with output like this: 

Figure 6: Viewing WMI provider DLLs

In step 7, you examine the WmiPrvSE process, with output like this: 

Figure 7: Viewing the WmiPrvSE process 

Like other Windows services, WMI logs events to an event log, which can help troubleshoot WMI issues. In step 8, you look for any WMI related event logs with output like this:     Figure 8: Viewing WMI-related event logs

In step 9, you get the events from the log to view the different log levels, with output like this: 

 Figure 9: Discovering WMI event types 

In step 10, you view the first five WMI event log entries on SRV1. The output looks like this: 

Figure 10: Viewing WMI event log entries

In step 11, you view the executable programs in the WBEM folder, with output like this: 

 Figure 11: Viewing the executable programs in the WBEM folder

With PowerShell 7 (and optionally with Windows PowerShell), you access WMI’s functionality using the cmdlets in the CimCmdlets module. You installed this module as part of installing PowerShell 7. The Windows installation program installed a version of this module when you installed the host OS. In step 12, you examine the properties of this module, with output like this:              

Figure 12: Viewing the CimCmdlets module details 

 In step 13, you use Get-Command to discover the cmdlets within the CimCmdlets module, which looks like this: 

Figure 13: Viewing the cmdlets in the CimCmdlets module 

In step 14, you examine the properties of an object returned from WMI after using the GetCimInstance command. The output from this step looks like this: 

Figure 14: Examining the output from Get-CimInstance 

Summary

In this article we explored the fundamentals of Windows Management Instrumentation and also understood its significance and functionalities in Windows Server. The book further explores WMI with respect to its relevance in namespaces and classes. The book further dives deep into the topics of Obtaining local and remote WMI objects, Using WMI methods, Managing WMI events, and Implementing permanent WMI eventing.