Windows Management Instrumentation (WMI) has been a component of all Windows versions since Windows 2000. It is an interface through which applications can push notifications to the user of the computer.
It is a part of all flavors of Windows, including Windows Server. This capability is not restricted to Microsoft utilities and operating system elements. Any software developer can include WMI notifications in a program.
- 1 How does WMI work?
- 2 Problems with WMI
- 3 Uses for WMI
- 4 WMI tools
- 5 Best WMI Monitoring tools
- 5.1 1. SolarWinds WMI Monitor with Server and Application Monitor (FREE TRIAL)
- 5.2 2. Paessler WMI Service Sensor with PRTG (FREE TRIAL)
- 5.3 3. Sapien WMI Explorer
- 5.4 4. Nagios XI
- 5.5 5. WMI Explorer
- 5.6 6. Adrem Free WMI Tools
- 5.7 7. Hyena WMI Inventory Reporting Tool
- 5.8 8. NirSoft SimpleWMIView
- 5.9 9. Goverlan WMIX
- 5.10 10. Powershell WMI Explorer
- 6 WMI issues
- 7 Monitor WMI
How does WMI work?
The WMI mechanism is based on principles designed by the Distributed Management Taskforce (DMTF) which were defined in two published protocols: Web-Based Enterprise Management (WBEM) and the Common Information Model (CIM). Essentially, they enable background tasks to get through the constantly-running Desktop environment by including a message check routine within the environment’s Desktop management program.
The routine provides a service that is a little like a pigeonhole system. Applications that want to get their notifications displayed on the Desktop place them in a specific area of memory. When the Desktop program cycles back around to the point that instructs it to check for messages, all of the waiting notifications will be processed in turn and displayed in the expandable panel on the right side of the Desktop.
Problems with WMI
The Desktop area that contains “published” notifications is called the Action Center. Once all messages have been processed, the Desktop shows an alert to the user, informing them that notifications are waiting in the side panel. The design of the icon that gives access to the Action Center also changes to show the presence of unread notifications. This icon is a square speech bubble that is hollow if there are no unread notifications and solid if there are. Neither of these two signals guarantees that the user actually sees the notifications themselves.
The Action Center is not permanently visible, and so messages only get read if the user chooses to open the side panel. Either intentionally or through forgetfulness, the user might never open the Action Center and so might never read those notifications. A context menu on the notifications icon in the system tray also enables the user to flush the notifications from the Action Center regardless of whether or not they have been read.
WMI messaging is a useful “forget me not” channel for the developers of commercial software, and it is also possible for websites to push notifications through WMI via WBEM. This means that the notifications system is somewhat over-exploited as a method for reminding potential customers of a product’s availability. It has become an important marketing channel. As people tend to resist sales pitches, they have become blind to the benefits of the Action Center. It can fill up with “spam,” so it is not unusual for users to regularly empty out the Action Center notifications without reading any of them, much in the way that they delete all contents of the Junk folder in their email system.
Uses for WMI
The disregard of Action Center messages is a shame, particularly in commercial situations. WMI is used by a number of important business applications and even network administration functions send WMI notifications. SNMP, for example, can be set to process alerts into the Action Center through WMI. So, you could be using WMI much more effectively to help you manage your network and also to alert end users of errors on their devices.
WMI includes APIs and if you have programming support, you could use this system to communicate with end users via alerts. However, in order to change the culture and encourage users to drop their prejudices against the Action Center as a waste of time, you need to filter out irrelevant messages and marketing ploys.
WMI tools
You can use WMI notifications to gain information about your computer, your server, or your network if you can properly filter and manage those messages. Unfortunately, the Action Center doesn’t include any controls. However, there are a number of useful WMI assistants on the market that can help you harness the information contained in WMI notifications without having to wade through spam.
Here is our list of the ten best WMI monitoring tools:
- SolarWinds WMI Monitor with Server and Application Monitor (FREE TRIAL)
- Paessler WMI Service Sensor with PRTG (FREE TRIAL)
- Sapien WMI Explorer
- Nagios XI
- WMI Explorer
- Adrem Free WMI Tools
- Hyena WMI Inventory Reporting Tool
- NirSoft SimpleWMIView
- Goverlan WMIX
- Powershell WMI Explorer
The following sections explain the benefits of each of these tools.
Best WMI Monitoring tools
1. SolarWinds WMI Monitor with Server and Application Monitor (FREE TRIAL)
SolarWinds produces a range of excellent infrastructure monitoring tools and its Server and Application Monitor includes a WMI monitoring utility. However, that is a paid product, and you can get SolarWinds’ WMI expertise on its own by downloading the free WMI Monitor. The free utility is not a piece cut out of the Server and Application Monitor. It is a completely separate piece of software developed from the ground up as a standalone utility.
This tool runs on all Windows environments and is permanently free to use. The tool only monitors one server, but it doesn’t have to be installed on that server, as long as the computer that you run this software on is connected to the network.
This tool will only channel WMI notifications from commercially useful applications: Active Directory, SharePoint, Exchange Server, Internet Information Services, and SQL Server. So, that cuts out a lot of the irrelevant spam notifications straight away. The setup for the notification filtering and management is a little technical, and you can tailor notifications if you understand how WMI tokens work. You can even write your own scripts if you have programming capabilities. However, if you don’t have time for all of that, you could just use the templates that ship with the tool.
SolarWinds operates an online forum for its user community. This is called THWACK and anyone can get access to it — you don’t have to pay or buy products from SolarWinds. You can get extra templates for the WMI Monitor from THWACK users for free. Templates modify the notification gathering routines of the Monitor. They act as filters and they will also generate alerts based on message counts and frequency and also combinations of notifications. Essentially, the templates are the knowledgebase of the WMI Monitor and they will provide you with tailored, relevant alerts without the need to write scripts. You can evaluate the Server & Application Monitor on a 30-day free trial.
2. Paessler WMI Service Sensor with PRTG (FREE TRIAL)
Paessler doesn’t produce many individual stand-alone tools. Instead, it ships one monolithic package, called PRTG Network Monitor, that covers every imaginable utility that you could possibly want in order to monitor networks, servers, and applications. This bumper pack contains a series of “sensors.” The functionality of PRTG depends on the sensors that you activate. So, if you want a network monitor, you buy PRTG and turn on the network monitoring sensors. If you’re in the market for a server monitor, you just turn on PRTG’s server monitoring sensors.
PRTG contains WMI sensors, so you can just use the package as a WMI monitor and leave all of the other sensors turned off. A big benefit of that strategy is that it will cost you nothing. Paessler’s charging bands for PRTG are calculated on the number of sensors that you want to use and the system is free for 100 sensors or less.
The screenshot above shows how PRTG interprets WMI notifications. In this view, you can see performance graphs for both WMI and SNMP notifications. The graphs represent the volume of generated notifications and in this view, you can see a whole year’s worth of data interpreted. The view can be reduced down to a two-day timeframe, giving you notification volumes per hour. Alerts are also depicted on the graphs, represented as dots imposed on the performance line.
The illustration shows just one way that you could use WMI notification data. The dashboard is completely customizable and you can also drill down to view individual notifications. You can also create custom alerts based on WMI messages.
PRTG is a very comprehensive tool and it is highly likely that you will want to turn on other sensors beside the WMI features. For example, the user in the illustration above chose to implement SNMP monitoring as well. This strategy is perfectly feasible and could even be managed within the 100 sensor limit on the free version. If you want to deploy PRTG fully, you will have to pay for it. You can get a 30-day free trial of PRTG with unlimited sensor activation.
3. Sapien WMI Explorer
Sapien produced a full WMI management tool with its WMI Explorer. This is a much more in-depth WMI tool than the others on this list and focuses purely on WMI notifications. It also gives you access to PowerShell. This is a very technical tool and if you understand how PowerShell works and how WMI messages are structured then you will never want to use any other tool for accessing the WMI system. If you are not adept with programming concepts and you don’t work well with codes and tokens, then you will struggle to get anything meaningful out of this utility.
Sapien WMI Explorer throws back the curtain of user-friendly front-ends and gets you right into the pit of WMI data. This is the digital equivalent of getting your hands dirty.
WMI stores Action Center messages in a database and WMI Explorer gets you into that data source directly. You can examine data from the computer that you have the Explorer installed on and also access the WMI stores of other computers over a network. The program will even cache messages from remote systems so you can still explore their WMI data when they are not able to be contacted.
As you read above, there is a large volume of WMI notifications lurking in the depths of every Windows computer, and you need to cut down the overgrowth before you can detect any meaningful information. Sapien is very good at providing you with filters and search facilities that act as your machete as you delve into the jungle of WMI.
The tool includes a VBScript and PowerShell script generator to create data gathering and formatting procedures. Again, use these with caution. If you are not familiar with PowerShell, you would be better off looking at the templates that the tool provides. These are pre-written scripts that will automate data collection for you.
Each notification in the WMI database is usually linked to an explanation that is made available online by the software house that provided the notification-generating program. This information can provide deeper explanations for any error codes contained in the WMI message and even propose solutions. WMI Explorer pulls in those guides to help you fix the problems that the WMI message alerts you to.
Data can be exported in HTML, XML, CSV, and plain text. WMI Explorer doesn’t have a fancy user interface, so the developers expect users to transfer data into other applications, such as Excel for analysis.
WMI Explorer is not free, but it is very cheap. The price you pay gets you the software to use forever, but it only gives you support for one year. That support is not just a Help Desk, but also includes patches and updates. You can buy a support package for subsequent years.
4. Nagios XI
Nagios Core is a world-beating free network monitoring system. There is also a paid version, called Nagios XI. Both versions can be enhanced by add-ons that are available for free from a very active user community. Both versions of Nagios employ WMI to gather data and present it to administrators. There are also a number of WMI-related plug-ins available from the community.
WMI is categorized as an “agentless” system. That means that a monitoring program doesn’t need to deploy its own client component on every piece of equipment being monitored. This is because the WMI notifications are already being generated anyway, so all any developer of a WMI monitor needs to do is write a central manager to collect those messages. Nagios has such a manager integrated into it.
Nagios runs on Windows and Linux. However, don’t think that you can’t gather WMI data if you install the monitor on a Linux computer because the system reaches out over the network to explore systems data on every computer connected to it. That exploration includes the gathering of WMI data.
The WMI usage of Nagios is not channelled towards one specific screen in the dashboard. The tool uses the WMI system to gather data on application and host performance, so much of the live status feedback that you see in the tool is actually based on WMI notifications.
5. WMI Explorer
The WMI tool is sometimes referred to as CodePlex WMI Explorer due to the fact that its code used to be available on the CodePlex platform. However, CodePlex isn’t a software house, it is a code archive and the code has now been moved to GitHub.
This tool is an open source project and you can use it for free. It was developed by a systems administrator who couldn’t find the right tool to enable him to sort through WMI notifications, so he wrote one himself. He then made this tool available to others.
This is a WMI data browser. The layout of the interface is similar to Windows File Explorer. It has a tree structure in a panel to the left of the window, which looks like the directory panel in File Explorer. The next panel lets you narrow down records by class and then you get a search panel to filter out results even further. The right-most panel in the screen is a data viewer, showing the details of the currently-selected object.
What these different panels actually show are the elements of the WMI Query Language. So, as you select options from each list, you are really assembling a WQL query. The interface assembles the query in a line at the bottom of the screen, so this is actually also a WQL tutorial. As you use the WMI Explorer you will become more familiar with the language.
This is a very straightforward interface and you don’t need specialist skills in order to use it. You can explore any computer remotely over a network as long as you have the admin password for it. As well as assembling the WQL query, the tool will generate a PowerShell script to deliver and execute the query in the WMI database and return the results. This tool takes care of all of the programming work needed to fetch WMI data.
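The explorer tools described above build a WQL statement from the class, properties and filter you pick, then hand it to PowerShell. Here is that same workflow as an added example script, not code from the page or from any of the listed tools; the function names, the sample class and the filter condition are my own choices, and remote access assumes the admin credential the text mentions:

```powershell
# Added example (not from the page or any listed tool): assemble a WQL query the way
# the explorer GUIs do, then run it locally or over a CIM session to a remote host.
# Function names and the sample class/filter are illustrative choices.

function New-WqlQuery {
    param(
        [Parameter(Mandatory)] [string]   $ClassName,
        [string[]] $Property = @('*'),
        [string]   $Where
    )
    # SELECT <props> FROM <class> [WHERE <condition>] is the full shape of a WQL data query.
    $q = "SELECT $($Property -join ', ') FROM $ClassName"
    if ($Where) { $q += " WHERE $Where" }
    return $q
}

function Invoke-WqlQuery {
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string] $Namespace = 'root\cimv2',
        [string] $ComputerName,            # omit for the local machine
        [pscredential] $Credential         # admin credential for the remote machine
    )
    if ($ComputerName) {
        # Agentless remote access: a CIM session over WinRM to the target, no client install needed.
        $session = New-CimSession -ComputerName $ComputerName -Credential $Credential
        try     { Get-CimInstance -CimSession $session -Namespace $Namespace -Query $Query }
        finally { Remove-CimSession $session }
    } else {
        Get-CimInstance -Namespace $Namespace -Query $Query
    }
}

# Constructed example: services set to start automatically that are not currently running.
$wql = New-WqlQuery -ClassName 'Win32_Service' `
                    -Property 'Name', 'DisplayName', 'StartMode', 'State' `
                    -Where "StartMode = 'Auto' AND State <> 'Running'"
Write-Host "WQL: $wql"
Invoke-WqlQuery -Query $wql | Format-Table Name, DisplayName, StartMode, State -AutoSize
```

Pass `-ComputerName` and `-Credential` to `Invoke-WqlQuery` to run the same statement against another machine; the query text itself is what the GUI tools display in their bottom line and what you would paste into your own scripts.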
6. Adrem Free WMI Tools
Free WMI Tools from Adrem is a single interface that includes a variety of WMI manipulation tools, all accessed through a side menu. The tool is able to mine WMI data on the machine on which it is installed and it can also query any other computer that can be contacted over a network – you would need the admin password for those other computers, though.
The WMI Tools include access to event logs and they can also query system statuses for you. These utilities make this free pack into a lightweight system monitoring tool, taking you far beyond simply viewing WMI messages or gathering statistics on their sources and frequency.
The views available in the interface are:
- Overview – giving a general system summary
- Processes – shows all current, active processes on the machine being examined
- Services – a list of all installed services and their status, including inactive services
- Event Logs – a list of all of the event logs on the machine
- Hardware – live details of hardware statuses
- Operating System – all active OS components
- WMI Explorer – a WMI Query Language interpreter
This set of tools gives you very comprehensive controls over the Windows machines in your business. The only downside to the way the toolset is structured is that it can only give views on one computer at a time.
The data interpretation screens mean that you would very rarely need to go to the WMI Explorer tool to make direct investigations on the raw data. For most people, the system status visualization and well-planned data layout would provide sufficient information.
If Adrem ever created a consolidated version of this utility, it would be a fully-fledged infrastructure monitoring system. The pleasing GUI interface, together with its view limitations makes this tool well suited to small networks, where possibly an owner-operator would have to take responsibility for administering the system. You would not need any technical skills in order to install and use this great pack of system monitoring utilities.
7. Hyena WMI Inventory Reporting Tool
Hyena is a system monitoring package created by System Tools Software. The Enterprise Edition of this pack includes the WMI Inventory Reporting Tool. This is a query interpreter and VBScript generator. The utility takes all of the programming requirements out of the task of monitoring WMI by presenting each query element in a series of lists. The user assembles a query using point-and-click options and then the tool packages the assembled query in VBScript to deliver it to the WMI database and retrieve results.
Before you have recourse to the WMI query assembler, you could browse through a library of pre-written queries, one of which may well already cater to your objective. Whether you run a library query or create your own, you have the option to run the investigation on your own computer, or a remote computer, or even on groups of computers. You will need the admin permissions of all of the computers that you access.
The utility is called an “inventory reporting tool” and you can use it to log many details about each Windows computer that you have connected to your network.
Types of information that can be gathered with the tool include:
- Computer make, model and system asset ID
- CPU type, architecture, capacity, and utilization
- Memory capacity and utilization
- Operating system, service pack level, and serial number
- Computer MAC addresses and IP address plus DHCP details
- Installed applications, hotfixes, and security updates
The tool includes an action execution function, which enables you to execute programs that act on the collected WMI data. This task automation includes log management, DHCP address management, launching or killing processes, removing applications, creating system startup routines, and commanding reboots or shutdowns. All Hyena activities can be logged for audit purposes.
One weak point of Hyena is its interface. It is very good at gathering data but it isn’t very good at displaying it and there aren’t many analytical features in the utility. However, you can export data from Hyena to Access or Excel for analysis there.
Hyena is not a free tool, but you can try it out on a 30-day free trial.
8. NirSoft SimpleWMIView
NirSoft offers a free WMI database front end, called SimpleWMIView. This tool displays the records that it encounters in a given WMI namespace on a given computer. The tool tabulates WMI records for easy viewing and this formatting also makes the records easy to write out to CSV files for import into other tools, such as Excel. It is also possible to write out plain text, tab-delimited, HTML, XML, and JSON formats.
The download for the utility is its executable file, so it doesn’t require any installation process. You just run the downloaded file to get the interface running. SimpleWMIView can also be run at the command line with a series of options that get your WMI data into a file without opening the interface.
The program will access WMI records stored on the same computer on which the SimpleWMIView software is installed. However, it is possible to connect to other computers over the network through the interface.
The interface includes some straightforward filters and you can set up your own WQL data filters if you have knowledge of the query language. The interface is also able to sort data on any of the columns shown in the interface. All of these data manipulation actions can also be specified at the command line.
The ability to gather data through a command makes it possible to integrate this utility into a batch job and run queries periodically. This is a good option if you want to archive off WMI messages into log files. So, you can create your own WMI log file server with this tool.
The utility works well if you are looking for a raw data manipulation tool. It doesn’t really rank as a WMI analysis tool. However, the range of export formats that the tool provides means that it would be a good back-end for any other tool, which could provide better analysis functions.
9. Goverlan WMIX
Goverlan’s main product is a network monitoring tool, called Reach. The company also produces a number of complementary tools and WMIX is one of these. WMIX is a free WMI data gatherer.
Like some of the other tools in this list, WMIX simply represents the elements of a WMI Query Language search in a GUI front end. As you select elements from each option panel, you will see the WQL query assemble in a field at the bottom of the screen. So, it offers a good way for you to become familiar with WQL.
WMI queries are usually managed via PowerShell or VBScript. The interface packages your WQL statements in script so you don’t have to worry about learning the command language of these two systems. If you are interested in writing your own scripts for future WMI monitoring, you can assemble the WQL queries in the WMIX interface and then extract them for inclusion in your scripts.
The data viewer presents WMI records in a tree structure, enabling you to drill down through message categories, expanding out each node to reveal more detailed properties. A side panel explains each node’s attributes. This layout makes it very easy to explore the statuses and properties of your Windows computer.
WMIX is a very attractive query and script generator. It works both as a guide and a teaching tool as well as a data access interface. This tool would be suitable for administrators of any size network but it would be of particular interest to the managers of small systems that rely on Windows computers.
10. Powershell WMI Explorer
The Powershell WMI Explorer is a free enthusiast-developed WMI interface. This tool has been around for a long time and was one of the first WMI interpreters available. Although the interface is not very sophisticated, it more or less started the whole software category of WMI interpreters and influenced the development of all of the other tools on this list. It is sometimes referred to by its developer’s name, so you may see this tool billed as Marc van Orsouw’s WMI Explorer. Mr. Van Orsouw also identifies himself as “/\/\O\/\/” so another name that is sometimes used for this tool is MoW WMI Explorer.
The Explorer can access WMI data on the local computer or it can connect via a network to access WMI data on other computers. The interface doesn’t enable the simultaneous fetching from several sources. However, you could collect WMI records from each source, write them out to file and then merge those files if you wanted a unified overview of the WMI activity on your network.
The interface contains four main panels – two index panels to the left and two wider data access panels to the right. The first index panel shows a File Explorer-type view of the namespaces available on the computer. The second left-hand panel lists all the data class options for WMI. The lower right-hand panel explains the selected category and also shows all of the available properties. The upper right-hand panel lets you assemble a query and then execute it.
WMI data fetches are automatically conducted via PowerShell, so you don’t have to write any of your own procedures to gather data.
The Help panel in the tool is particularly useful because it explains what each data class means. There are a lot of the classes and so this reference manual can come in really handy even if you don’t intend to use the tool to query WMI directly.
WMI issues
The tendency of many users to ignore Action Center notifications is a gift to hackers. Similarly, intrusion detection systems often overlook WMI notifications as being too mundane to facilitate attacks. However, WMI can be used in every phase of an attack strategy, and its combination with PowerShell to transport data and queries across networks makes this tool a great conduit for data theft in plain sight.
WMI messages usually don’t make it into physical files. This means that they never become source material for host-based intrusion detection systems (HIDS) and never get considered by the security information managers (SIMs) that form part of a SIEM. So, simply dumping WMI messages into files periodically (daily) will get those WMI notifications tracked, as long as you find a HIDS or a SIM that can handle the format of the log files that your log server process produces.
PowerShell is ubiquitous in Windows systems and any attempt to block this service method would disable the usefulness of your computer because it is used by too many applications to be considered an optional system. So, despite the obvious attraction of PowerShell to hackers, network-based intrusion detection systems (NIDS) don’t always look too closely at the activities of this essential service.
The WMI operating methods include a facility called a “subscription.” This will restart a WMI process if it is killed. So, that would provide a useful mechanism for an advanced persistent threat (APT) to keep running on a computer even after a reboot or a system cleanup is performed by antimalware software.
A combination of WMI and PowerShell provides an efficient way for fileless malware to remain active on a computer even when the original infection has been cleaned up. However, there may not need to be an initial, traceable infection. Websites are able to push WMI notifications, implemented with the permission of the user. That mechanism allows the website to send notifications to users, even when the website is no longer open in a browser on the computer. So, a malicious attack could easily be directed by a remote command center through the WMI system. The Desktop process could be manipulated into transporting malicious instructions to each Windows computer by delivering the alerts requested from a remote site by a persistent WMI subscription. Network-wide activity could be coordinated through innocuous PowerShell routines.
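The persistent subscriptions described above live in the root\subscription namespace as a filter (a WQL event query), a consumer (the action) and a binding between them, so a defender can inventory them and, following the earlier advice about dumping WMI data into files, write the result to a log a HIDS or SIEM can ingest. The following is an added example script, not code from the page or from any of the listed tools; the log path, the function names and the allow-list parameter are my own assumptions:

```powershell
# Added example (not from the page): inventory the permanent WMI event subscriptions
# in root\subscription and append each binding to a JSON-lines log file so a HIDS or
# SIEM can ingest it. The log path and the "expected" allow-list are assumed placeholders.

function Get-WmiSubscriptionInventory {
    param([string] $ComputerName)   # omit for the local machine
    $cim = @{ Namespace = 'root\subscription' }
    if ($ComputerName) { $cim.ComputerName = $ComputerName }

    $filters   = Get-CimInstance @cim -ClassName __EventFilter
    $consumers = Get-CimInstance @cim -ClassName __EventConsumer
    $bindings  = Get-CimInstance @cim -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # Filter and Consumer are object references; match them back to their instances by name.
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }   | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name } | Select-Object -First 1

        # Record what the consumer does when the filter's WQL event query fires.
        $action = switch ($c.CimClass.CimClassName) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { "$($c.ScriptingEngine): $($c.ScriptText)" }
            default                     { $c.CimClass.CimClassName }
        }
        [pscustomobject]@{
            Timestamp    = (Get-Date).ToUniversalTime().ToString('o')
            Computer     = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
            Filter       = $f.Name
            EventQuery   = $f.Query
            Consumer     = $c.Name
            ConsumerType = $c.CimClass.CimClassName
            Action       = $action
        }
    }
}

function Write-SubscriptionLog {
    param(
        [AllowEmptyCollection()] [object[]] $Records,
        [string]   $LogPath  = 'C:\WmiLogs\subscriptions.jsonl',   # assumed location
        [string[]] $Expected = @()    # filter names of bindings you created yourself
    )
    $dir = Split-Path $LogPath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    foreach ($r in $Records) {
        # Flag anything not on the allow-list so the SIEM can raise an alert on it.
        $r | Add-Member -NotePropertyName Unexpected -NotePropertyValue ($r.Filter -notin $Expected) -Force
        ($r | ConvertTo-Json -Compress) | Add-Content -Path $LogPath -Encoding UTF8
    }
}

# Run the audit on this machine; schedule it daily with Task Scheduler to build the archive.
# 'SCM Event Log Filter' is the binding that ships with a stock Windows install.
$inv = @(Get-WmiSubscriptionInventory)
Write-SubscriptionLog -Records $inv -Expected 'SCM Event Log Filter'
$inv | Format-Table Filter, ConsumerType, Action -AutoSize
```

Each appended line is one binding, so a new CommandLineEventConsumer or ActiveScriptEventConsumer appearing between two daily runs shows up as a record with `Unexpected` set to true.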
All computer users are cautious about allowing notifications from little-known websites. However, hackers have been known to piggyback their virus distribution through the websites of trusted sites. An infected or outright fake product update is another well-known method of distributing viruses, and if the system modification is implemented as a WMI notification set-up without storing any files on the computer, antivirus systems would not spot it.
Monitor WMI
Windows Management Instrumentation is widely used by software providers and websites to communicate error information and event publicity to the users of Windows computers. The owners of computers seem less interested in the capabilities of WMI, but they should pay attention to it.
As you have read in this guide, WMI is a good source of useful system information that can be of use to private computer users and also the administrators of commercial networks. However, the overwhelming volume of non-essential messages can often drown out the usefulness of the WMI system.
If you wrote off WMI as irrelevant, then think again. Company network systems administrators should particularly start combing through WMI namespaces for system activity information. If you have become the subject of an advanced persistent threat, you won’t know about the intrusion until you look for it – that is the nature of APTs. An APT is a hidden infection that can go undetected for years. This type of intrusion compromises your system integrity, exposes data to disclosure and offers a hacker enough time to explore every corner of your business, setting traps, altering data, and harvesting authentication credentials.
Getting familiar with the WMI system, its data formatting structures, and information landscape is the first step in harnessing the power of Windows Management Instrumentation. Your next task is to start hands-on operations, and any of the tools in our list will provide you excellent support as you learn about WMI classes, WMI Query Language and PowerShell and VBScript access to data stores.
Once you are comfortable with WMI processes, you will be in a better position to assess whether your current security systems are sufficient to protect your company from fileless malware attacks and advanced persistent threats. If you can’t find a SIEM system that currently gathers WMI data, write your own WMI log management routine and feed those logs into a host-based intrusion detection system. Both fileless malware and APTs are fast-growing intrusion strategies, and you need to get ahead of these problems in order to protect the users and data on your system.
Do you monitor your WMI system? Have you discovered an APT operating through WMI and PowerShell? Did you find the intrusion difficult to get rid of? Have you found an IDS that includes WMI monitoring? Leave a message in the Comments section below to share your experiences with the community.