WMI cheat sheet:
To see the PowerShell version:
$psversiontable
To list cmdlets whose names contain wmi or cim:
Get-Command -CommandType cmdlet *wmi*
Get-Command -CommandType cmdlet *cim*
To start a PowerShell version 2 session:
powershell -version 2
To get help for a PowerShell cmdlet:
help get-wmiobject
or
help get-wmiobject -full
or
help get-wmiobject -example
To list the namespaces directly under root:
Get-WmiObject -Namespace "root" -Class "__Namespace" | select Name
Get-CimInstance -Namespace "root" -Class "__Namespace" | select Name
For nested namespaces, see:
https://www.youtube.com/watch?v=Nkxj4leucdM&list=PLDWrevYFyjcpH12DrlS3KPK5HOMihQzUz&index=2&ab_channel=FuturisticHacker
https://powershellmagazine.com/2013/10/18/pstip-list-all-wmi-namespaces-on-a-system/
To list the nested namespaces of the current (default) namespace, root\cimv2:
Get-WmiObject -Class __NAMESPACE | select Name
To list the nested namespaces of a particular namespace:
Get-CimInstance -Namespace "root\Cimv2" -Class "__Namespace"
Get-CimInstance -Namespace "root\microsoft" -Class "__Namespace"
Get-wmiobject -Namespace "root\Cimv2" -Class "__Namespace" | select name
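The commands above only show one level at a time. The following added example (not from the original post) walks the whole namespace tree recursively from root and returns every full namespace path, so nested namespaces such as root\microsoft\... are found too:

```powershell
# Added example: recursive enumeration of all WMI/CIM namespaces.
function Get-WmiNamespaceTree {
    param(
        [string]$Namespace = 'root'   # starting point; 'root' walks the whole tree
    )
    # __Namespace instances in the current namespace are its direct children.
    $children = Get-CimInstance -Namespace $Namespace -ClassName __Namespace -ErrorAction SilentlyContinue
    foreach ($child in $children) {
        $full = "$Namespace\$($child.Name)"
        $full                                   # emit this namespace
        Get-WmiNamespaceTree -Namespace $full   # then recurse into it
    }
}

# Usage: list every namespace alphabetically and show the total.
$all = Get-WmiNamespaceTree
$all | Sort-Object
"Total namespaces: $($all.Count)"
```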
To list all classes of the current namespace (cimv2) or any other namespace, then filter the result:
Get-WmiObject -list
Get-WmiObject -list | where {$_.Name -like "*user*"}
Get-WmiObject -List | Select-Object -Property Name | Where-Object { $_.Name -eq "Class name here" }
Get-WmiObject -Namespace "root\Cimv2" * -list (replace the namespace as needed)
Get-WmiObject -Namespace "root\Cimv2" -list | where {$_.Name -like "*user*"}
If you know (part of) the class name, you can also use the command below:
Get-WmiObject -Class *user* -list
To count the classes in cimv2 or any other namespace:
Get-WmiObject -Namespace "root\Cimv2" * -list | measure
Retrieve information from a class:
Get-wmiobject -Class Win32_computersystem | format-list *
Get-wmiobject -Class Win32_computersystem
Classes such as Win32_Process return a large number of instances. Filtering narrows the result down:
Get-wmiobject -Class Win32_Process -List (you will see many results)
Get-wmiobject -Class win32_process -Filter 'name= "explorer.exe"' (filtering on the Name property)
Get-wmiobject -Class win32_process | Where-Object {$_.Name -eq "explorer.exe"}
Get-wmiobject -Class win32_process | Where name -eq "explorer.exe"
Filter using query:
Get-wmiobject -Query "select * from win32_process where name = 'explorer.exe'"
Removing an object (here, a process) using WMI:
Get-WmiObject -Class Win32_Process -Filter 'Name = "Calculatorapp.exe"'
Get-WmiObject -Class Win32_Process -Filter 'Name = "CalculatorApp.exe"' | Remove-WmiObject
Get-WmiObject -Class Win32_Process -list | remove-WmiObject (this removes the class definition itself, not the running processes)
Using methods:
Find all classes in a namespace that have methods:
Get-WmiObject * -List | Where-Object {$_.Methods}
Finding classes that have a method with a given name, using CIM:
Get-CimClass -MethodName Create
Using -ExpandProperty to see all methods and all properties of a class:
Get-WmiObject -Class Win32_Process -list | Select-Object -ExpandProperty Methods | Select-Object {$_.Name}
Get-WmiObject -Class Win32_Process -list | Select-Object -ExpandProperty Properties | Select-Object {$_.Name}
Finding a specific method, such as Create, in a specific class:
Get-WmiObject -Class Win32_Process -list | Select-Object -ExpandProperty Methods | where-Object {$_.Name -eq "Create"} | Select {$_.Name}
Listing parameters of a method in a class:
Get-CimClass -Classname win32_process | select -ExpandProperty CimClassMethods | where name -eq "create" | select -ExpandProperty Parameters
Let's use the Create method of Win32_Process to start a process or executable:
Invoke-Wmimethod -Class win32_process -Name create -Argumentlist calc.exe (here -ArgumentList supplies the CommandLine parameter)
Invoke-Wmimethod -Class win32_process -Name create -Argumentlist @{CommandLine = "calc.exe"}
Invoke-CimMethod -Classname win32_process -Name Create -Arguments @{Commandline = "calc.exe"}
We can also update a property of a WMI object:
Get-WmiObject -Class win32_printer -Filter "Name = 'Microsoft XPS Document Writer'" | Fl *
Get-WmiObject -Class win32_printer -Filter "Name = 'Microsoft XPS Document Writer'" | Set-WmiInstance -Arguments @{Comment = "Wmi Comment"}
Accessing a remote computer:
Get-WmiObject -Class Win32_OperatingSystem -Computer 192.168.13.2 -Credential opsdc\labuser (this prompts for the password)
If WMI over DCOM is blocked by a firewall, use a CIM session (WinRM) instead:
$sess = New-CimSession -ComputerName 192.168.13.2 -Credential opsdc\labuser
Get-CimInstance -CimSession $sess -ClassName Win32_OperatingSystem
Registry:
Get-WmiObject -Namespace root\default -class StdRegProv -List
Get-WmiObject -Namespace root\default -class StdRegProv -List | Select -ExpandProperty Methods
or
Get-WmiObject -Namespace root\default -class StdRegProv -List | Select -ExpandProperty Methods | select Name
To avoid long commands, you can also do the following:
$RegProv = Get-WmiObject -Namespace root\default -class StdRegProv -List
$RegProv = Get-WmiObject -Namespace root\default -class StdRegProv -List -ComputerName 192.168.13.2 -Credential opsdc\labuser (for remote box)
$RegProv.Methods | select name
Retrieving keys and values from the registry (2147483649 is HKEY_CURRENT_USER):
Invoke-WmiMethod -Namespace root\default -Class StdRegProv -Name EnumKey -ArgumentList @(2147483649, "software\microsoft\internet explorer") | select -ExpandProperty sNames
Invoke-WmiMethod -Namespace root\default -Class StdRegProv -Name GetStringValue -ArgumentList @(2147483649, "software\microsoft\internet explorer\typedurls","url1") | select -ExpandProperty sValue
or
$RegProv.GetStringValue(2147483649, "software\microsoft\internet explorer\typedurls","url1") | Select -ExpandProperty svalue
Extracting the same from a remote box:
Invoke-WmiMethod -Namespace root\default -Class StdRegProv -Name GetStringValue @(2147483649, "software\microsoft\internet explorer\typedurls","url1") -ComputerName 192.168.13.2 -Credential opsdc\labuser
$RegProv = Get-WmiObject -Namespace root\default -class StdRegProv -List -ComputerName 192.168.13.2 -Credential opsdc\labuser (for remote box)
$RegProv.GetStringValue(2147483649, "software\microsoft\internet explorer\typedurls","url1") | Select -ExpandProperty svalue
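The commands above read one value at a time and assume it is a string. The following added example (not from the original post) serves both the local and the remote case: it enumerates every value under a key through StdRegProv, picks the Get*Value method that matches each value's REG_* type, and checks ReturnValue (0 = success, otherwise a Win32 error code) instead of silently returning nothing. The function name and the -ComputerName handling are my own.

```powershell
# Added example: typed read of all values under a registry key via StdRegProv.
$HKCU = 2147483649
$HKLM = 2147483650

function Get-WmiRegistryValues {
    param(
        [Parameter(Mandatory)][uint32]$Hive,
        [Parameter(Mandatory)][string]$SubKey,
        [string]$ComputerName = '.'   # '.' is the local machine; pass a host name for a remote box
    )
    $reg = @{ Namespace = 'root\default'; Class = 'StdRegProv'; ComputerName = $ComputerName }

    # EnumValues returns the value names (sNames) and their type codes (Types).
    $enum = Invoke-WmiMethod @reg -Name EnumValues -ArgumentList $Hive, $SubKey
    if ($enum.ReturnValue -ne 0) {
        throw "EnumValues failed for '$SubKey' (Win32 error $($enum.ReturnValue))"
    }

    for ($i = 0; $i -lt $enum.sNames.Count; $i++) {
        $name = $enum.sNames[$i]
        # Type codes: 1 REG_SZ, 2 REG_EXPAND_SZ, 3 REG_BINARY, 4 REG_DWORD, 7 REG_MULTI_SZ, 11 REG_QWORD
        $method, $field = switch ($enum.Types[$i]) {
            1  { 'GetStringValue',         'sValue' }
            2  { 'GetExpandedStringValue', 'sValue' }
            3  { 'GetBinaryValue',         'uValue' }
            4  { 'GetDWORDValue',          'uValue' }
            7  { 'GetMultiStringValue',    'sValue' }
            11 { 'GetQWORDValue',          'uValue' }
            default { $null, $null }
        }
        if (-not $method) { continue }   # unsupported type, skip it

        # Same parameter order as on this page: hive, subkey, value name.
        $r = Invoke-WmiMethod @reg -Name $method -ArgumentList $Hive, $SubKey, $name
        $value = if ($r.ReturnValue -eq 0) { $r.$field } else { "<error $($r.ReturnValue)>" }
        [pscustomobject]@{ Name = $name; Type = $enum.Types[$i]; Value = $value }
    }
}

# Usage: the key queried on this page, read from the local machine.
Get-WmiRegistryValues -Hive $HKCU -SubKey 'software\microsoft\internet explorer\typedurls' | Format-Table -AutoSize
```

For a remote box add -ComputerName 192.168.13.2; the credential handling shown earlier on this page applies unchanged.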
Use the following three WMI commands to create a shadow copy and mount it (the ShadowID returned by Create selects the copy just made, even if others already exist):
$sc = (Get-WmiObject -Class Win32_ShadowCopy -List).Create("C:\", "ClientAccessible")
$link = (Get-WmiObject -Class Win32_ShadowCopy -Filter "ID = '$($sc.ShadowID)'").DeviceObject + "\"
cmd /c mklink /d C:\shadowcopy "$link"
Information gathering - AD
Listing the classes of the root\directory\ldap namespace:
Get-WmiObject -Namespace root\directory\ldap -List
Get-CimClass -Namespace root\directory\ldap
Get the current domain:
Get-wmiobject -namespace root\directory\ldap -class ds_domain | select -Expandproperty ds_dc
Another way:
(Get-wmiobject -class win32_computersystem).Domain
Get the current domain policy:
Get-wmiobject -namespace root\directory\ldap -class ds_domain | select DS_lockoutDuration, DS_lockoutObservationWindow, DS_lockoutThreshold, DS_maxPwdAge, DS_minPwdAge, DS_minPwdLength, DS_minPwdHistoryLength, DS_PwdProperties
Get the domain controllers (userAccountControl 532480 = SERVER_TRUST_ACCOUNT 8192 + TRUSTED_FOR_DELEGATION 524288):
Get-wmiobject -Namespace root\directory\ldap -Class ds_computer | where-object {$_.useraccountcontrol -eq 532480} | select ds_cn
Remove the null values from the output of the command above:
(Get-wmiobject -Namespace root\directory\ldap -Class ds_computer | where-object {$_.useraccountcontrol -eq 532480}).Properties | Foreach-object {If($_.value -AND $_.name -notmatch "__"){@{ $($_.name) = $($_.value)}}}
Get all domain users:
Get-wmiobject -class win32_useraccount
Get names of all domain users or any other property:
Get-wmiobject -class win32_useraccount | select name
Get all users of a trusted domain (here childone):
Get-wmiobject -class win32_useraccount -Filter "Domain = 'childone'"
Get all domain groups:
Get-wmiobject -class win32_group
Get-wmiobject -class win32_GroupInDomain | foreach-object {[wmi]$_.PartComponent}
Get all groups of a trusted domain (here childone):
Get-wmiobject -class win32_GroupInDomain | where-object {$_.GroupComponent -match "childone"} | foreach-object {[wmi]$_.PartComponent}
Get the members of the Domain Admins group for the current domain and all trusted domains:
Get-wmiobject -class win32_GroupUser | where-object {$_.GroupComponent -match "domain admins"} | foreach-object {[wmi]$_.PartComponent}
Get the members of the Domain Admins group of the childone domain:
Get-wmiobject -class win32_GroupUser | where-object {$_.GroupComponent -match "domain admins" -and $_.GroupComponent -match "childone"} | foreach-object {[wmi]$_.PartComponent}
Get the group membership of a particular user, say labuser:
Get-wmiobject -class win32_GroupUser | where-object {$_.PartComponent -match "lab"} | foreach-object {[wmi]$_.GroupComponent}
Get all domain computers:
Get-wmiobject -Namespace root\directory\ldap -Class ds_computer
Get the names of all domain computers:
Get-wmiobject -Namespace root\directory\ldap -Class ds_computer | Select -ExpandProperty ds_cn
Get all non-empty properties of a computer:
(Get-wmiobject -Namespace root\directory\ldap -Class ds_computer | where-object {$_.ds_cn -eq "ops-dc"}).Properties | Foreach-object {If($_.value -AND $_.name -notmatch "__"){@{ $($_.name) = $($_.value)}}}
To check on which remote computers we have local admin rights:
Follow the commands below. First, get a list of all domain computers.
$computers = Get-wmiobject -Namespace root\directory\ldap -Class ds_computer | Select -ExpandProperty ds_cn
Run a simple WMI query against all the computers. Any computer name shown means local admin access on that host.
foreach ($computer in $computers) {
    (Get-WmiObject Win32_ComputerSystem -ComputerName $computer).Name
}
You will see errors for hosts that are offline or deny access, but the computers that answer will be listed.
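The loop above mixes results and error noise. As an added example (not from the original post), the same check with each host recorded as an object and the failure reason classified, which is the form you want when auditing where an account holds admin rights. The function name is my own; the computer list comes from ds_computer as on this page.

```powershell
# Added example: structured version of the local-admin check over WMI.
function Test-WmiAdminAccess {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        try {
            # A successful Win32_ComputerSystem query over DCOM requires local admin rights on the target.
            $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $computer -ErrorAction Stop
            [pscustomobject]@{ Computer = $computer; Status = 'AdminAccess'; Detail = $cs.Name }
        }
        catch [System.UnauthorizedAccessException] {
            # Host reachable, but this account is not an administrator there.
            [pscustomobject]@{ Computer = $computer; Status = 'AccessDenied'; Detail = $_.Exception.Message }
        }
        catch {
            # RPC server unavailable, host offline, firewall, name resolution, etc.
            [pscustomobject]@{ Computer = $computer; Status = 'Unreachable'; Detail = $_.Exception.Message }
        }
    }
}

# Usage: audit every domain computer and summarise by status.
$computers = Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | Select-Object -ExpandProperty ds_cn
$results = Test-WmiAdminAccess -ComputerName $computers
$results | Format-Table -AutoSize
$results | Group-Object Status | Select-Object Name, Count
```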
Avi
https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-tasks--computer-hardware
The link above lists the relevant classes and namespaces for common hardware and system tasks.