Sunday, 20 November 2011

Windows Management Instrumentation Command-line (WMIC)

The WMIC is a Windows command line tool that will allow you to do many of the things we are used to doing at the shell in Unix. For instance, Windows does not have a “kill -9” command, but with WMIC you can do the same thing using the following commands:

  • wmic process where name='winrar.exe' delete
  • wmic process where processid=[pid] delete


So, unlike Unix, we can kill a process using just the name of the executable as well as selecting the individual PID (Process ID). This is extremely useful in malware analysis.

For auditing, you can also gather a lot of information, for instance the list of user accounts on the system.


More importantly, you can list the service patches and hotfixes that are installed on the system.

  • wmic qfe


As you can see, this allows you to script a check of all the patches on a system and to even automate this over your domain.
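As an added example of the scripted patch check described above (this is not code from the original post), the following PowerShell script runs `wmic qfe` against a list of hosts, parses the CSV output, and reports which entries from a required-KB baseline are missing on each host. The KB identifiers and the host list are constructed placeholders; remote queries through `/node:` assume the account running the script has administrative rights on the target and that RPC/DCOM is reachable.

```powershell
# Added example: audit installed hotfixes with WMIC across several hosts.
# $RequiredKBs holds placeholder KB ids (constructed, not real patches);
# replace them with the baseline your environment actually requires.
$RequiredKBs = @('KB0000001', 'KB0000002')
$Hosts       = @('localhost')   # add remote hostnames; /node: needs admin rights on the target

foreach ($h in $Hosts) {
    # /format:csv produces a header row (Node,HotFixID,InstalledOn) plus one row per hotfix,
    # usually preceded by a blank line that ConvertFrom-Csv would choke on.
    $raw = & wmic /node:"$h" qfe get HotFixID,InstalledOn /format:csv 2>$null

    if ($LASTEXITCODE -ne 0 -or -not $raw) {
        Write-Warning "$h : WMIC query failed (host unreachable or access denied)"
        continue
    }

    $rows      = ($raw | Where-Object { $_.Trim() -ne '' }) | ConvertFrom-Csv
    $installed = @($rows | ForEach-Object { $_.HotFixID })
    $missing   = @($RequiredKBs | Where-Object { $installed -notcontains $_ })

    # One summary object per host; pipe the script into Export-Csv to keep a record.
    [PSCustomObject]@{
        Host        = $h
        HotfixCount = $installed.Count
        Missing     = ($missing -join ',')
    }
}
```

Run it from an elevated PowerShell prompt; hosts that fail the query are reported as warnings rather than silently skipped, so a "clean" result cannot hide an unreachable machine. Note that WMIC is deprecated in current Windows releases, so for new scripts the same data is available from `Get-CimInstance Win32_QuickFixEngineering`, which also avoids the CSV parsing step.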

WMIC is one of the commands you really need to know if you are administering a Windows system. I will post more on this command soon, as well as more in the series on IPSec and NAP this week.
