WMI and CIM
Querying objects
CIM/WMI is most commonly used to query information or configuration on a device. This is done through instances of a class that represents a configuration, process, user etc. In PowerShell there are multiple ways to access these classes and instances, but the most common ways are by using the Get-CimInstance (CIM) or Get-WmiObject (WMI) cmdlets.
List all objects for CIM-class
You can list all instances of a class.
CIM:
> Get-CimInstance -ClassName Win32_Process
ProcessId Name                 HandleCount WorkingSetSize VirtualSize
--------- ----                 ----------- -------------- -----------
0         System Idle Process  0           4096           65536
4         System               1459        32768          3563520
480       Secure System        0           3731456        0
484       smss.exe             52          372736         2199029891072
....
....
WMI:
Get-WmiObject -Class Win32_Process
Using a filter
You can apply a filter to only get specific instances of a CIM/WMI-class. Filters are written using WQL (default) or CQL (add -QueryDialect CQL). -Filter uses the WHERE-part of a full WQL/CQL-query.
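When the value in a filter comes from a variable rather than a literal, it has to be escaped so that it stays inside the WQL string. The following is an added example, not part of the original page: it builds the -Filter string safely and resolves each match's parent process while guarding against process ID reuse. Get-ProcessLineage is a hypothetical helper name.

```powershell
# Added example; Get-ProcessLineage is a hypothetical helper name.
function Get-ProcessLineage {
    param([Parameter(Mandatory)][string]$Name)

    # -Filter is the WHERE part of a WQL query. WQL escapes with a backslash,
    # so escape \ first and then ' to keep $Name inside the string literal.
    $literal = $Name.Replace('\', '\\').Replace("'", "\'")

    # -Property asks the provider only for the properties used below.
    $children = Get-CimInstance -ClassName Win32_Process `
        -Filter "Name = '$literal'" `
        -Property ProcessId, ParentProcessId, Name, CommandLine, CreationDate

    foreach ($child in $children) {
        # ParentProcessId is numeric, so it needs no quoting or escaping.
        $parent = Get-CimInstance -ClassName Win32_Process `
            -Filter "ProcessId = $($child.ParentProcessId)" `
            -Property ProcessId, Name, CreationDate

        # Process IDs are reused. A "parent" that started after the child is an
        # unrelated process that inherited the ID, so report it as unknown.
        if ($parent -and $parent.CreationDate -gt $child.CreationDate) {
            $parent = $null
        }

        [pscustomobject]@{
            ProcessId   = $child.ProcessId
            Name        = $child.Name
            Started     = $child.CreationDate
            ParentId    = $child.ParentProcessId
            ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
            # Empty when the caller lacks rights to read the process.
            CommandLine = $child.CommandLine
        }
    }
}

Get-ProcessLineage -Name 'powershell.exe' | Format-List
```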
CIM:
Get-CimInstance -ClassName Win32_Process -Filter "Name = 'powershell.exe'"
ProcessId Name           HandleCount WorkingSetSize VirtualSize
--------- ----           ----------- -------------- -----------
4800      powershell.exe 676         88305664       2199697199104
WMI:
Get-WmiObject -Class Win32_Process -Filter "Name = 'powershell.exe'"
...
Caption             : powershell.exe
CommandLine         : "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CreationClassName   : Win32_Process
CreationDate        : 20160913184324.393887+120
CSCreationClassName : Win32_ComputerSystem
CSName              : STACKOVERFLOW-PC
Description         : powershell.exe
ExecutablePath      : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ExecutionState      :
Handle              : 4800
HandleCount         : 673
....
Using a WQL-query:
You can also use a WQL/CQL-query to query and filter instances.
CIM:
Get-CimInstance -Query "SELECT * FROM Win32_Process WHERE Name = 'powershell.exe'"
ProcessId Name           HandleCount WorkingSetSize VirtualSize
--------- ----           ----------- -------------- -----------
4800      powershell.exe 673         88387584       2199696674816
Querying objects in a different namespace:
CIM:
> Get-CimInstance -Namespace "root/SecurityCenter2" -ClassName AntiVirusProduct
displayName              : Windows Defender
instanceGuid             : {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
pathToSignedProductExe   : %ProgramFiles%\Windows Defender\MSASCui.exe
pathToSignedReportingExe : %ProgramFiles%\Windows Defender\MsMpeng.exe
productState             : 397568
timestamp                : Fri, 09 Sep 2016 21:26:41 GMT
PSComputerName           :
WMI:
> Get-WmiObject -Namespace "root\SecurityCenter2" -Class AntiVirusProduct
__GENUS                  : 2
__CLASS                  : AntiVirusProduct
__SUPERCLASS             :
__DYNASTY                : AntiVirusProduct
__RELPATH                : AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
__PROPERTY_COUNT         : 6
__DERIVATION             : {}
__SERVER                 : STACKOVERFLOW-PC
__NAMESPACE              : ROOT\SecurityCenter2
__PATH                   : \\STACKOVERFLOW-PC\ROOT\SecurityCenter2:AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
displayName              : Windows Defender
instanceGuid             : {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
pathToSignedProductExe   : %ProgramFiles%\Windows Defender\MSASCui.exe
pathToSignedReportingExe : %ProgramFiles%\Windows Defender\MsMpeng.exe
productState             : 397568
timestamp                : Fri, 09 Sep 2016 21:26:41 GMT
PSComputerName           : STACKOVERFLOW-PC
Classes and namespaces
There are many classes available in CIM and WMI which are separated into multiple namespaces. The most common (and default) namespace in Windows is root/cimv2. To find the right class, it can be useful to list all classes or search for one.
List available classes
You can list all available classes in the default namespace (root/cimv2) on a computer.
CIM:
Get-CimClass
WMI:
Get-WmiObject -List
Search for a class
You can search for specific classes using wildcards. Ex: Find classes containing the word process.
CIM:
> Get-CimClass -ClassName "*Process*"
NameSpace: ROOT/CIMV2
CimClassName            CimClassMethods      CimClassProperties
------------            ---------------      ------------------
Win32_ProcessTrace      {}                   {SECURITY_DESCRIPTOR, TIME_CREATED, ParentProcessID, ProcessID...}
Win32_ProcessStartTrace {}                   {SECURITY_DESCRIPTOR, TIME_CREATED, ParentProcessID, ProcessID...}
Win32_ProcessStopTrace  {}                   {SECURITY_DESCRIPTOR, TIME_CREATED, ParentProcessID, ProcessID...}
CIM_Process             {}                   {Caption, Description, InstallDate, Name...}
Win32_Process           {Create, Terminat... {Caption, Description, InstallDate, Name...}
CIM_Processor           {SetPowerState, R... {Caption, Description, InstallDate, Name...}
Win32_Processor         {SetPowerState, R... {Caption, Description, InstallDate, Name...}
...
WMI:
Get-WmiObject -List -Class "*Process*"
List classes in a different namespace
The root namespace is simply called root. You can list classes in another namespace using the -NameSpace parameter.
CIM:
> Get-CimClass -Namespace "root/SecurityCenter2"
NameSpace: ROOT/SecurityCenter2
CimClassName       CimClassMethods CimClassProperties
------------       --------------- ------------------
....
AntiSpywareProduct {}              {displayName, instanceGuid, pathToSignedProductExe, pathToSignedReportingE...
AntiVirusProduct   {}              {displayName, instanceGuid, pathToSignedProductExe, pathToSignedReportingE...
FirewallProduct    {}              {displayName, instanceGuid, pathToSignedProductExe, pathToSignedReportingE...
WMI:
Get-WmiObject -List -Namespace "root\SecurityCenter2"
List available namespaces
To find available child-namespaces of root (or another namespace), query the objects in the __NAMESPACE-class for that namespace.
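A single __Namespace query only returns direct children, and Get-CimClass only searches one namespace at a time. The following added example, which is not part of the original page and goes beyond the single-namespace case it shows, walks the namespace tree recursively and runs a wildcard class search in every namespace found. Get-CimNamespaceTree and Find-CimClassEverywhere are hypothetical helper names.

```powershell
# Added example; both function names are hypothetical helpers.
function Get-CimNamespaceTree {
    param([string]$Namespace = 'root')

    # Emit the namespace itself, then descend into its children.
    $Namespace

    # Instances of __Namespace are the direct children of $Namespace.
    # Some namespaces deny access to non-administrators; skip those
    # instead of aborting the whole walk.
    $children = Get-CimInstance -Namespace $Namespace -ClassName '__Namespace' `
        -ErrorAction SilentlyContinue

    foreach ($child in $children) {
        Get-CimNamespaceTree -Namespace "$Namespace/$($child.Name)"
    }
}

function Find-CimClassEverywhere {
    param([Parameter(Mandatory)][string]$Pattern)

    foreach ($ns in Get-CimNamespaceTree) {
        # -ClassName accepts wildcards; an unreadable namespace or one with
        # no matching class simply contributes no rows.
        Get-CimClass -Namespace $ns -ClassName $Pattern -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Namespace = $ns
                    ClassName = $_.CimClassName
                }
            }
    }
}

# Full namespace inventory, e.g. to compare against a known-good baseline.
Get-CimNamespaceTree

# Locate every class whose name contains "AntiVirus", whatever its namespace.
Find-CimClassEverywhere -Pattern '*AntiVirus*'
```

Run it from an elevated session to include namespaces that are restricted to administrators.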
CIM:
> Get-CimInstance -Namespace "root" -ClassName "__Namespace"
Name            PSComputerName
----            --------------
subscription
DEFAULT
CIMV2
msdtc
Cli
SECURITY
HyperVCluster
SecurityCenter2
RSOP
PEH
StandardCimv2
WMI
directory
Policy
virtualization
Interop
Hardware
ServiceModel
SecurityCenter
Microsoft
aspnet
Appv
WMI:
Get-WmiObject -Class "__Namespace" -Namespace "root"
Remarks
CIM vs WMI
As of PowerShell 3.0, there are two ways to work with management classes in PowerShell: WMI and CIM. PowerShell 1.0 and 2.0 only supported the WMI-module, which is now superseded by the new and improved CIM-module. In a later release of PowerShell, the WMI-cmdlets will be removed.
Comparison of CIM and WMI-modules:
|CIM-cmdlet|WMI-cmdlet|What it does
|---|---|---
|Get-CimInstance|Get-WmiObject|Gets CIM/WMI-objects for a class
|Invoke-CimMethod|Invoke-WmiMethod|Invokes a CIM/WMI-class method
|Register-CimIndicationEvent|Register-WmiEvent|Registers event for a CIM/WMI-class
|Remove-CimInstance|Remove-WmiObject|Remove CIM/WMI-object
|Set-CimInstance|Set-WmiInstance|Updates/Saves CIM/WMI-object
|Get-CimAssociatedInstance|N/A|Get associated instances (linked object/classes)
|Get-CimClass|Get-WmiObject -List|List CIM/WMI-classes
|New-CimInstance|N/A|Create new CIM-object
|Get-CimSession|N/A|Lists CIM-sessions
|New-CimSession|N/A|Create new CIM-session
|New-CimSessionOption|N/A|Creates object with session options; protocol, encoding, disable encryption etc. (for use with New-CimSession)
|Remove-CimSession|N/A|Removes/Stops CIM-session
Additional resources
Should I use CIM or WMI with Windows PowerShell? @ Hey, Scripting Guy! Blog