WMIC is a Windows command-line tool that lets you do many of the things we are used to doing at the shell in Unix. For instance, Windows does not have a "kill -9" command, but with WMIC you can do the same thing using either of the following commands:
- wmic process where name='winrar.exe' delete
- wmic process where processid=[pid] delete
So, unlike Unix, we can kill a process using just the name of the executable as well as by selecting its individual PID (Process ID). This is extremely useful in malware analysis.
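The two delete commands above do exactly what they say, so a mistyped image name can take down the wrong process. The PowerShell function below is an added example, not code from the original post: it wraps the same wmic calls, but enumerates the matching processes first and only deletes after confirmation (or shows what it would do with -WhatIf). The function name, parameters and the default to the local machine are my own; the 'winrar.exe' name comes from the post. It must run from an elevated prompt.

```powershell
# Added example: terminate a process by image name or PID with WMIC, listing
# the matches before anything is deleted. Function and parameter names are
# assumptions of this example, not part of the original post.
function Stop-ProcessViaWmic {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(ParameterSetName = 'ByName', Mandatory = $true)]
        [string]$Name,                          # e.g. 'winrar.exe'

        [Parameter(ParameterSetName = 'ByPid', Mandatory = $true)]
        [int]$ProcessId,

        [string]$ComputerName = $env:COMPUTERNAME  # wmic /node: target
    )

    # Build the WQL WHERE clause wmic expects (strings take single quotes).
    if ($PSCmdlet.ParameterSetName -eq 'ByName') {
        $where = "name='$Name'"
    } else {
        $where = "processid=$ProcessId"
    }

    # 1. Enumerate first. /format:csv gives one row per match with a leading
    #    blank line and a Node column; drop the empty lines before parsing.
    #    The column list is quoted so PowerShell passes it as ONE argument.
    $raw  = & wmic.exe /node:$ComputerName process where $where get 'ProcessId,ParentProcessId,ExecutablePath' /format:csv
    $rows = @($raw | Where-Object { $_ -match '\S' } | ConvertFrom-Csv)

    if ($rows.Count -eq 0) {
        Write-Warning "No process matched '$where' on $ComputerName"
        return
    }
    $rows | Format-Table Node, ProcessId, ParentProcessId, ExecutablePath -AutoSize | Out-Host

    # 2. Delete only after ShouldProcess agrees: ConfirmImpact=High means an
    #    interactive prompt by default; -WhatIf prints the action and stops.
    $target = "$($rows.Count) process(es) matching $where on $ComputerName"
    if ($PSCmdlet.ShouldProcess($target, 'wmic process delete')) {
        & wmic.exe /node:$ComputerName process where $where delete
    }
}

# Usage, mirroring the two commands in the post:
#   Stop-ProcessViaWmic -Name 'winrar.exe' -WhatIf      # dry run, lists matches only
#   Stop-ProcessViaWmic -ProcessId 4321                 # prompts, then deletes
```

The by-name form can match several processes at once (every instance of the image), which is why the listing step prints ProcessId and ParentProcessId: during a malware triage you usually want to record the parent before the child disappears.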
For auditing, you can also gather a lot of information, for instance a list of the user accounts on the system.
More importantly, you can list the service packs and hotfixes that are installed on the system:
- wmic qfe
As you can see, this lets you script a check of all the patches on a system and even automate that check across your domain.
WMIC is one of the commands you really need to know if you are administering a Windows system. I will post more on this command soon, as well as more in the series on IPSec and NAP this week.
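Here is the domain-wide patch check described above written out, as an added example rather than code from the original post. It runs "wmic qfe" against each host through the /node: switch, parses the CSV output, and reports which of a required set of hotfix IDs are missing on each machine; a second small function does the user-account listing mentioned earlier. The host names, the KB numbers in $RequiredHotfixes and both function names are placeholders I made up. It needs administrative rights on the remote hosts (WMI over DCOM, TCP 135 plus dynamic RPC ports), and note that WMIC itself is deprecated on current Windows releases, where Get-CimInstance Win32_QuickFixEngineering returns the same class.

```powershell
# Added example: patch-level audit across hosts with "wmic qfe".
# Host names and KB numbers below are placeholders, not real values.
function Get-MissingHotfixReport {
    param(
        [string[]]$ComputerName     = @($env:COMPUTERNAME),
        [string[]]$RequiredHotfixes = @('KB0000001', 'KB0000002')   # placeholders
    )

    foreach ($computer in $ComputerName) {
        # wmic CSV output starts with a blank line and puts a Node column first;
        # the column list is quoted so PowerShell passes it as one argument.
        $raw = & wmic.exe /node:"$computer" qfe get 'HotFixID,InstalledOn,Description' /format:csv 2>$null

        if ($LASTEXITCODE -ne 0 -or -not $raw) {
            # Unreachable or access denied: report it rather than silently skipping.
            [pscustomobject]@{
                Computer = $computer; Reachable = $false
                Installed = 0;       Missing   = $RequiredHotfixes
            }
            continue
        }

        $installed = @(($raw | Where-Object { $_ -match '\S' } | ConvertFrom-Csv).HotFixID)

        [pscustomobject]@{
            Computer  = $computer
            Reachable = $true
            Installed = $installed.Count
            Missing   = @($RequiredHotfixes | Where-Object { $installed -notcontains $_ })
        }
    }
}

# The other audit item from the post: local accounts, with the flags you care
# about when reviewing them (disabled state, whether a password is required).
function Get-LocalAccountsViaWmic {
    $raw = & wmic.exe useraccount where "localaccount=true" get 'Name,SID,Disabled,PasswordRequired' /format:csv
    $raw | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
}

# Usage (placeholder hosts and KB):
#   Get-MissingHotfixReport -ComputerName 'host1','host2' -RequiredHotfixes 'KB0000001' |
#       Format-Table Computer, Reachable, Installed, @{n='Missing'; e={$_.Missing -join ', '}} -AutoSize
#   Get-LocalAccountsViaWmic | Where-Object { $_.Disabled -eq 'FALSE' } | Format-Table -AutoSize
```

Feeding the report into Export-Csv gives you a dated baseline; diffing two baselines is the cheapest way to spot a host that has stopped receiving updates.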