PowerShell and WMI
Presentation by Trevor Sullivan
Empowering admins and engineers worldwide.

Who needs WMI?
• IT Administrators & Engineers
• Security teams
• IT Managers

Why WMI?
• Get system information
• Change [certain] system information
• Subscribe for and respond to events

WMI Architecture
• Providers
• Namespaces
• Classes
  ◦ Instance properties
  ◦ Instance methods
  ◦ Static properties
  ◦ Static methods
• Object (class): properties and actions (methods)
• System classes
• WMI qualifiers (metadata)

WMI Eventing
Temporary
• Terminated when application exits
• Same event query as permanent
• Uses WQL event queries
Permanent
• Persistent in operating system
• Registered within WMI
• Runs inside WMI process
Event query syntax: Select * from <EventClass> within <seconds> where <criteria>

WMI Tools
• SAPIEN WMI Explorer: excellent WMI browser to find classes, properties, and methods
• Wbemtest.exe: built into the Windows operating system since Windows 2000
• Winmgmt.exe: built-in tool to manage the WMI process; can run WMI in a separate process
• Mofcomp.exe: tool to compile Managed Object Format (MOF) files
• Visual Studio 2010: has a WMI browser built into it; a free Express edition is available

WMI Type Accelerators
What is a type accelerator?
A short alias for a .NET type; these three map to classes in the System.Management namespace:
• [wmiclass] = ManagementClass
• [wmi] = ManagementObject
• [wmisearcher] = ManagementObjectSearcher

Type Accelerator Examples
Get reference to BIOS class definition
• $BiosClass = [wmiclass]"\\remotepc\root\cimv2:Win32_BIOS"
Get instance of Computer System
• $CompSys = [wmi]"Win32_ComputerSystem.Name='gaming'"
WQL query for all network adapters
• $Searcher = [wmisearcher]"select * from win32_networkadapter"
• $Searcher.Get();
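The three accelerators side by side, as an added example that is not part of the deck: class metadata (properties, methods, qualifiers, which methods are static) through [wmiclass], one instance addressed by its key through [wmi], and a scoped WQL query through [wmisearcher]. It assumes a local Windows host with root\cimv2; the winmgmt service name and the "auto-start but not running" query are chosen for the demo.

```powershell
# Added example, not from the deck. Assumes a local Windows host (root\cimv2 present).

# [wmiclass] -> System.Management.ManagementClass: the class definition, not a live instance.
$ServiceClass = [wmiclass]'root\cimv2:Win32_Service'

# Class metadata: property names, method names and the WMI qualifiers attached to the class.
$ServiceClass.Properties | Select-Object -ExpandProperty Name
$ServiceClass.Methods    | Select-Object -ExpandProperty Name
$ServiceClass.Qualifiers | ForEach-Object { '{0} = {1}' -f $_.Name, ($_.Value -join ',') }

# Static vs instance methods: the 'Static' qualifier on a method says whether it needs an instance.
$ServiceClass.Methods | ForEach-Object {
    $IsStatic = [bool]($_.Qualifiers | Where-Object { $_.Name -eq 'Static' })
    '{0,-25} static={1}' -f $_.Name, $IsStatic
}

# [wmi] -> ManagementObject: exactly one instance, addressed by its key property (Name for Win32_Service).
$WinMgmt = [wmi]"root\cimv2:Win32_Service.Name='winmgmt'"
'{0}: {1}, start mode {2}' -f $WinMgmt.Name, $WinMgmt.State, $WinMgmt.StartMode

# [wmisearcher] -> ManagementObjectSearcher: holds a WQL query; nothing runs until Get() is called.
$Searcher = [wmisearcher]"select Name, State, StartMode from Win32_Service where StartMode = 'Auto' and State <> 'Running'"
# Set the scope explicitly; replace '.' with a host name to run the same query against a remote machine.
$Searcher.Scope = New-Object System.Management.ManagementScope '\\.\root\cimv2'
$Searcher.Get() | Select-Object Name, State, StartMode
```

The searcher is the piece worth remembering: the query text is a plain string, so anything that ends up inside it from user input needs the same care as a SQL statement.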
WMI Cmdlets
• Get-WmiObject
• Register-WmiEvent
  ◦ Get-EventSubscriber
  ◦ Unregister-Event
• Invoke-WmiMethod
  ◦ (Get-WmiObject … …).MethodName();
  ◦ ([wmiclass]"class_name").MethodName();
• Remove-WmiObject
  ◦ (Get-WmiObject … …) | % { $_.Delete() };
• Set-WmiInstance
  ◦ ([wmiclass]"win32_environment").CreateInstance();
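The cmdlet forms and their object-method equivalents in one pass, as an added example that is not part of the deck: Get-WmiObject with a server-side filter, Invoke-WmiMethod next to .MethodName(), CreateInstance() plus Put() to create, Set-WmiInstance to update, and Remove-WmiObject to delete. It assumes a local Windows host; the variable name WMI_DEMO_VAR is constructed for the demo and is created only in the current user's environment, so no elevation is needed.

```powershell
# Added example, not from the deck. Assumes a local Windows host; WMI_DEMO_VAR is a demo name and
# lives in the current user's scope only.

# Get-WmiObject with -Filter: the WQL WHERE clause runs inside WMI, so only the matching instance comes back.
$Me = Get-WmiObject -Namespace root\cimv2 -Class Win32_Process -Filter "ProcessId = $PID"

# Invoke-WmiMethod (cmdlet form) and .MethodName() (object form) call the same read-only GetOwner method.
$Owner1 = Invoke-WmiMethod -InputObject $Me -Name GetOwner
$Owner2 = $Me.GetOwner()
'{0}\{1}  ReturnValue={2}' -f $Owner1.Domain, $Owner1.User, $Owner1.ReturnValue
$Owner1.User -eq $Owner2.User    # True: two syntaxes, one WMI method call

# Create: CreateInstance() on the class gives an unsaved instance; Put() commits it to the repository.
$VarName  = 'WMI_DEMO_VAR'
$UserName = '{0}\{1}' -f $env:USERDOMAIN, $env:USERNAME   # Win32_Environment key is Name + UserName
$NewVar = ([wmiclass]'root\cimv2:Win32_Environment').CreateInstance()
$NewVar.Name          = $VarName
$NewVar.UserName      = $UserName
$NewVar.VariableValue = 'set via CreateInstance'
$NewVar.Put() | Out-Null

# Update: Set-WmiInstance with -InputObject changes properties on an existing instance.
$Existing = Get-WmiObject -Class Win32_Environment -Filter "Name = '$VarName'"
$Updated  = Set-WmiInstance -InputObject $Existing -Arguments @{ VariableValue = 'updated via Set-WmiInstance' }
$Updated.VariableValue

# Delete: Remove-WmiObject (cmdlet) and $_.Delete() (object) are equivalent; one of them is enough.
Get-WmiObject -Class Win32_Environment -Filter "Name = '$VarName'" | Remove-WmiObject
$null -eq (Get-WmiObject -Class Win32_Environment -Filter "Name = '$VarName'")   # True
```

Creating the variable with CreateInstance() and updating it with Set-WmiInstance is deliberate: it shows that the accelerator path and the cmdlet path operate on the same repository object, so whichever one a script uses, the change is visible to the other.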
WMI Cmdlet Examples
Get list of network shares
• Get-WmiObject -ComputerName . -Namespace root\cimv2 -Class Win32_Share
Get list of GPOs applied to local system
• Get-WmiObject -ComputerName . -Namespace root\rsop\computer -Class RSOP_GPO
WQL query for all network adapters
• Get-WmiObject -Query "select * from win32_networkadapter"
WMI Event Cmdlet Examples
When a process (Notepad) starts
• Register-WmiEvent `
    -Query "select * from __InstanceCreationEvent within 5 where TargetInstance ISA 'Win32_Process' and TargetInstance.Name = 'notepad.exe'" `
    -Action { Write-Host -Object ("Process started: " + $Event.SourceEventArgs.NewEvent.TargetInstance.Name) };
Disk free space drops below threshold
• Register-WmiEvent `
    -Query "select * from __InstanceModificationEvent within 5 where TargetInstance ISA 'Win32_LogicalDisk' and TargetInstance.FreeSpace < 100000000000" `
    -Action { Write-Host -Object ('Free space dropped to {0} on drive {1}' -f $Event.SourceEventArgs.NewEvent.TargetInstance.FreeSpace, $Event.SourceEventArgs.NewEvent.TargetInstance.DeviceID) };
WMI Event Cmdlet Examples
When a user logs on / off
• Register-WmiEvent `
    -Query "select * from __InstanceModificationEvent within 5 where TargetInstance ISA 'Win32_UserProfile' and TargetInstance.Loaded <> PreviousInstance.Loaded" `
    -Action { Write-Host -Object "User logged on or off" };
  (PreviousInstance exists only on __InstanceModificationEvent; a creation event has nothing to compare Loaded against.)
New print job created
• Register-WmiEvent `
    -Query "select * from __InstanceCreationEvent within 5 where TargetInstance ISA 'Win32_PrintJob'" `
    -Action { Write-Host -Object "New print job created" };
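The full life cycle of a temporary subscription, as an added example that is not part of the deck: register it under a name, confirm it with Get-EventSubscriber, let it fire, then tear it down with Unregister-Event. It ties the event examples above to the Get-EventSubscriber / Unregister-Event pair from the cmdlet slide. It assumes a local Windows host; the source identifier and the 30-second wait are constructed for the demo.

```powershell
# Added example, not from the deck. Assumes a local Windows host; 'Demo.ProcessStart' and the
# 30-second wait are constructed for the demo.

$Id = 'Demo.ProcessStart'

# Temporary consumer: a named subscription that lives only in this PowerShell session.
# 'within 5' is required for intrinsic (__Instance*) events: WMI polls the class every 5 seconds,
# so a process that starts and exits inside one interval can be missed entirely.
Register-WmiEvent -SourceIdentifier $Id `
    -Query "select * from __InstanceCreationEvent within 5 where TargetInstance ISA 'Win32_Process'" `
    -Action {
        $p = $Event.SourceEventArgs.NewEvent.TargetInstance
        Write-Host ('[{0:HH:mm:ss}] PID {1} {2} (parent PID {3})' -f $Event.TimeGenerated, $p.ProcessId, $p.Name, $p.ParentProcessId)
    } | Out-Null

# Inspect what is registered; EventName is 'EventArrived' for WMI subscriptions.
Get-EventSubscriber -SourceIdentifier $Id | Select-Object SourceIdentifier, EventName, SupportEvent

Start-Sleep -Seconds 30    # start a few programs meanwhile and watch the callback print

# Tear down: unregister the subscription, then remove the job that -Action created (it carries the same name).
Unregister-Event -SourceIdentifier $Id
Remove-Job -Name $Id -Force -ErrorAction SilentlyContinue
Get-EventSubscriber -SourceIdentifier $Id -ErrorAction SilentlyContinue   # returns nothing
```

Closing the console removes the subscription as well, which is exactly the "terminated when application exits" property of a temporary consumer; anything that must survive a logoff or reboot has to be a permanent subscription.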
Permanent WMI Events
• New-WmiEventFilter
• New-WmiEventConsumer
• New-WmiFilterToConsumerBinding
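Because a permanent subscription is stored in the repository and runs inside the WMI process with no console attached, the companion skill is reading back what is registered. The following is an added example that is not part of the deck: it enumerates the filters, consumers and bindings in root\subscription and joins each binding to the query it fires on and the action its consumer takes. It assumes a local Windows host and PowerShell v3 or later (for [pscustomobject]); run it elevated so every instance is visible.

```powershell
# Added example, not from the deck. Assumes a local host and PowerShell v3+; run elevated so that
# every instance in root\subscription is visible.

$Ns = 'root\subscription'
$Filters   = @(Get-WmiObject -Namespace $Ns -Class __EventFilter)
$Consumers = @(Get-WmiObject -Namespace $Ns -Class __EventConsumer)   # base class: returns every consumer type
$Bindings  = @(Get-WmiObject -Namespace $Ns -Class __FilterToConsumerBinding)

# Summarise what a consumer does, based on its concrete class.
function Get-ConsumerAction ($c) {
    switch ($c.__CLASS) {
        'CommandLineEventConsumer'  { 'runs {0} {1}' -f $c.ExecutablePath, $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { 'runs {0} script, file "{1}", {2} chars inline' -f $c.ScriptingEngine, $c.ScriptFileName, ([string]$c.ScriptText).Length }
        'LogFileEventConsumer'      { 'appends to {0}' -f $c.Filename }
        'NTEventLogEventConsumer'   { 'writes event {0} from source {1}' -f $c.EventID, $c.SourceName }
        'SMTPEventConsumer'         { 'mails {0} via {1}' -f $c.ToLine, $c.SMTPServer }
        default                     { $c.__CLASS }
    }
}

$Report = foreach ($b in $Bindings) {
    # Filter and Consumer are object references in __RELPATH form, e.g. __EventFilter.Name="X".
    $f = $Filters   | Where-Object { $_.__RELPATH -eq $b.Filter }
    $c = $Consumers | Where-Object { $_.__RELPATH -eq $b.Consumer }
    # CreatorSID is a binary SID; convert it so the account that registered the binding is readable.
    $Creator = if ($b.CreatorSID) { (New-Object System.Security.Principal.SecurityIdentifier($b.CreatorSID, 0)).Value }
    [pscustomobject]@{
        Filter    = $f.Name
        Namespace = $f.EventNamespace
        Query     = $f.Query
        Consumer  = $c.Name
        Action    = if ($c) { Get-ConsumerAction $c } else { 'consumer not found' }
        Creator   = $Creator
    }
}
$Report | Format-List
```

Read the report against a known baseline for the build in question rather than in isolation; Windows ships with its own entries, and the useful question is which bindings, queries and consumer actions are not on that baseline.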
PowerShell v3
CIM cmdlets:
• Get-CimAssociatedInstance
• Get-CimClass
• Get-CimInstance
• Get-CimSession
• Invoke-CimMethod
• New-CimInstance
• New-CimSession
• New-CimSessionOption
• Register-CimIndicationEvent
• Remove-CimInstance
• Remove-CimSession
• Set-CimInstance
Use WinRM and avoid DCOM / RPC nightmares!
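The same work done through a CIM session, as an added example that is not part of the deck: a WSMan session first, DCOM only as a fallback selected through New-CimSessionOption, then Get-CimInstance, Get-CimAssociatedInstance, Invoke-CimMethod and Register-CimIndicationEvent over that one session, and cleanup. 'server01' is a placeholder host name; it assumes WinRM is enabled on the target and that the caller is an administrator there.

```powershell
# Added example, not from the deck. 'server01' is a placeholder; assumes WinRM is enabled on the
# target and that the calling account has admin rights there.

$Computer = 'server01'

# WSMan (WinRM, TCP 5985/5986) is the default CIM transport: one fixed port instead of the
# RPC endpoint mapper plus dynamic DCOM ports that Get-WmiObject needs through a firewall.
$Session = New-CimSession -ComputerName $Computer -ErrorAction SilentlyContinue

# Fallback for hosts without WinRM / WMF 3: the same cmdlets over DCOM, chosen via a session option.
if (-not $Session) {
    $Dcom    = New-CimSessionOption -Protocol Dcom
    $Session = New-CimSession -ComputerName $Computer -SessionOption $Dcom
}
'Connected to {0} over {1}' -f $Session.ComputerName, $Session.Protocol

# Get-CimInstance: same data as Get-WmiObject, but dates come back as DateTime instead of DMTF strings.
Get-CimInstance -CimSession $Session -ClassName Win32_OperatingSystem |
    Select-Object CSName, Caption, LastBootUpTime

# Get-CimAssociatedInstance walks associations, here from a logical disk to its partition.
$Disk = Get-CimInstance -CimSession $Session -ClassName Win32_LogicalDisk -Filter "DeviceID = 'C:'"
Get-CimAssociatedInstance -CimSession $Session -InputObject $Disk -ResultClassName Win32_DiskPartition |
    Select-Object DeviceID, Size, BootPartition

# Invoke-CimMethod: CimInstance objects carry no live methods, so the cmdlet is the way to call one.
$Proc  = Get-CimInstance -CimSession $Session -ClassName Win32_Process -Filter "Name = 'services.exe'"
$Owner = Invoke-CimMethod -CimSession $Session -InputObject $Proc -MethodName GetOwner
'{0}\{1}' -f $Owner.Domain, $Owner.User

# Register-CimIndicationEvent: the same WQL event query as Register-WmiEvent, delivered over the session.
Register-CimIndicationEvent -CimSession $Session -SourceIdentifier 'Remote.ServiceState' `
    -Query "select * from __InstanceModificationEvent within 10 where TargetInstance ISA 'Win32_Service' and TargetInstance.State <> PreviousInstance.State" `
    -Action {
        $s = $Event.SourceEventArgs.NewEvent.TargetInstance
        Write-Host ('{0}: service {1} is now {2}' -f $Event.SourceIdentifier, $s.Name, $s.State)
    } | Out-Null

Start-Sleep -Seconds 30   # stop or start a service on the target meanwhile

# Tear down both the subscription and the session.
Unregister-Event -SourceIdentifier 'Remote.ServiceState'
Remove-CimSession -CimSession $Session
Get-CimSession   # nothing left
```

Reusing one session for every call is the practical win: authentication happens once, the connection is held open, and the firewall rule needed is a single WinRM port instead of the DCOM range.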

Call to action
• Browse WMI with SAPIEN WMI Explorer
  ◦ http://www.sapien.com/downloads
• Try out the WMI cmdlets and type accelerators
• Learn about WMI eventing
  ◦ http://powerevents.codeplex.com/

Thanks for coming!