Inventory WMI Scanner: Usage & Examples

4/26/2018 8358 Contributors

Purpose:
You wish to scan the Windows Management Instrumentation (WMI) database for specific information.

Resolution:
Obtaining useful and accurate information from the WMI scanner depends on the accuracy of the Windows Management Instrumentation Query Language (WQL) query.

Usage:
PDQ.com has bundled the WMI Explorer application, a third-party WMI tool, to assist in exploring WMI and building WQL queries. The WMI Explorer can be launched when adding or editing a WMI scanner (Options > Scan Profiles > [Edit | New] > [New > Add > WMI]).
00.png

This is the basic usage flow for the WMI Explorer:

NOTE: In many cases, you will need to double-click selections in the WMI Explorer window. There may also be a wait for classes and properties to enumerate. The status bar at the bottom of the WMI Explorer window will indicate the process and status.
01.png

The query from the above example is

SELECT * FROM Win32_Processor

This selects all properties (the * wildcard) from the Win32_Processor class.

To translate this into a WMI scanner, create (or edit) a WMI Scanner:
03.png

The Scan Profile can then be run against a machine, and the results can be observed in the Computer window > WMI.
04.png

Changes can also be made from this window, including selecting different scan data (assuming the corresponding WMI scanner has been run), editing the selected scanner, and opening the Scan Profiles window:
05.png

Examples:
Here is a list of examples; each is covered in its own section below:

CD Drive has Media Loaded
DNS Servers Associated with the Active NIC
Event Viewer Log Entries

Machines With the Intel Management Engine (Intel ME)
MSFT Disk Partition Style

BIOS Information (All the Information)
TPM Information
Is the Machine a VM (or Not) and Can It Host VMs
Windows Licensing Status

1. Check to see if the CD Drive has media loaded.
In WMI Explorer, you can determine the basics of the query then edit for the specific property:
06.png

And our scan (query) becomes:

SELECT MediaLoaded FROM Win32_CDROMDrive

07.png

2. List all DNS Servers on the active NIC in order of preference.
As in the first example, get the general query from WMI Explorer and refine it.

SELECT DNSServerSearchOrder FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled='True'

08.png

3. Get some Event Viewer logs.
The WHERE keyword is a filter that narrows down your results. != means "does not equal", so WHERE Type != 'Information' removes all rows whose Type field equals Information. The AND keyword lets you combine multiple filters in one query. The LIKE keyword performs a wildcard search, with % as the wildcard character, so AND SourceName LIKE 'PDQ%' further restricts the results to rows whose SourceName field starts with PDQ.

SELECT * FROM Win32_NTLogEvent WHERE Type != 'Information' AND SourceName LIKE 'PDQ%'

09.png

4. Get Intel Management Engine (ME) information.
Here the namespace root must be changed from the default CIMV2 to Intel_ME.

SELECT * FROM ME_System

10.png

5. Get information on the disk, specifically partition information (MBR or GPT).
By default, WMI Explorer starts with the basic classes. In this case, an MSFT class is being queried. To view the MSFT classes, select Include MSFT Classes under Class Enumeration Options and press Refresh Classes:
11.png

The MSFT Classes are then enumerated in the classes pane:
12.png

And our query and scan would look like:

SELECT PartitionStyle, SerialNumber FROM MSFT_Disk

13.png

6. Get (all) BIOS information.

SELECT * FROM Win32_BIOS

14.png

7. Get the TPM information for a machine.
Notice the modification to the default Namespace. Rather than the default of CIMV2, it is necessary to drill down to the namespace where the class is enumerated.

SELECT * FROM Win32_Tpm

15.png

8. Check to see if the machine is a VM or not, and whether the machine can host VMs.
In this example, two scanners are run:

SELECT HypervisorPresent FROM Win32_ComputerSystem
SELECT VirtualizationFirmwareEnabled FROM Win32_Processor

16.png

And the WMI scanners:
17.png

18.png

9. Windows licensing status.

We refine the query from WMI Explorer to select the LicenseStatus property FROM the SoftwareLicensingProduct class WHERE the product Name is LIKE '%Windows%' and PartialProductKey is not null.

SELECT LicenseStatus FROM SoftwareLicensingProduct WHERE Name LIKE '%Windows%' AND PartialProductKey IS NOT NULL

19.png
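The same scanner queries can be checked outside PDQ before they are added to a Scan Profile. The script below is an added example, not PDQ's code: it runs each query from examples 1 to 9 with Get-CimInstance, supplying the namespace each class lives in (the Intel ME, MSFT_Disk and Win32_Tpm namespace paths are assumed from Intel and Microsoft documentation, not taken from this page), and decodes the LicenseStatus code from example 9.

```powershell
# Added example (not PDQ's code). Each entry mirrors one scanner from the page; the
# non-CIMV2 namespaces are assumed from vendor documentation, not from the page itself.
$Scanners = @(
    @{ Name = 'CD media loaded';      Namespace = 'root\CIMV2'
       Query = 'SELECT MediaLoaded FROM Win32_CDROMDrive' }
    @{ Name = 'DNS search order';     Namespace = 'root\CIMV2'
       Query = "SELECT DNSServerSearchOrder FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled='True'" }
    @{ Name = 'Non-info PDQ events';  Namespace = 'root\CIMV2'
       Query = "SELECT * FROM Win32_NTLogEvent WHERE Type != 'Information' AND SourceName LIKE 'PDQ%'" }
    @{ Name = 'Intel ME';             Namespace = 'root\Intel_ME'                    # assumed path
       Query = 'SELECT * FROM ME_System' }
    @{ Name = 'Disk partition style'; Namespace = 'root\Microsoft\Windows\Storage'   # assumed path
       Query = 'SELECT PartitionStyle, SerialNumber FROM MSFT_Disk' }
    @{ Name = 'BIOS';                 Namespace = 'root\CIMV2'
       Query = 'SELECT * FROM Win32_BIOS' }
    @{ Name = 'TPM';                  Namespace = 'root\CIMV2\Security\MicrosoftTpm' # assumed path
       Query = 'SELECT * FROM Win32_Tpm' }
    @{ Name = 'Hypervisor present';   Namespace = 'root\CIMV2'
       Query = 'SELECT HypervisorPresent FROM Win32_ComputerSystem' }
    @{ Name = 'VT firmware enabled';  Namespace = 'root\CIMV2'
       Query = 'SELECT VirtualizationFirmwareEnabled FROM Win32_Processor' }
    @{ Name = 'Windows license';      Namespace = 'root\CIMV2'
       Query = "SELECT LicenseStatus FROM SoftwareLicensingProduct WHERE Name LIKE '%Windows%' AND PartialProductKey IS NOT NULL" }
)
# LicenseStatus codes as documented for the SoftwareLicensingProduct class
$LicenseStatus = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOB grace'; 3 = 'OOT grace'
                    4 = 'Non-genuine grace'; 5 = 'Notification'; 6 = 'Extended grace' }

function Invoke-WmiScanner {
    param([Parameter(Mandatory)][hashtable]$Scanner, [string]$ComputerName = $env:COMPUTERNAME)
    try {
        # Remote targets go over WinRM; the local machine needs no listener
        $rows = Get-CimInstance -ComputerName $ComputerName -Namespace $Scanner.Namespace -Query $Scanner.Query -ErrorAction Stop
        # Drop CIM bookkeeping properties so only the queried fields remain, as in the PDQ results pane
        $rows | Select-Object -Property * -ExcludeProperty PSComputerName, CimClass, CimInstanceProperties, CimSystemProperties
    } catch {
        # A missing namespace or class (no Intel ME driver, no TPM) is reported rather than aborting the run
        [pscustomobject]@{ Scanner = $Scanner.Name; Error = $_.Exception.Message }
    }
}

foreach ($s in $Scanners) {
    "=== $($s.Name): $($s.Query)"
    foreach ($row in (Invoke-WmiScanner -Scanner $s)) {
        if ($row.PSObject.Properties['LicenseStatus']) {
            "LicenseStatus $($row.LicenseStatus) = $($LicenseStatus[[int]$row.LicenseStatus])"
        } else { $row | Format-List | Out-String }
    }
}
```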