Using wmic can prove quite powerful in automation and scripting tasks.
Spot Odd Executables
wmic process where “NOT ExecutablePath like ‘%Windows%'” get ExecutablePath
Look at services that are set to start automatically
wmic service where StartMode=”Auto” get Name, State
Find user-created shares (usually not hidden)
wmic share where “NOT Name like ‘%$'” get Name, Path
Find processes that starts on boot
wmic startup get caption, command, user
Identify any local system accounts that are enabled (guest, etc.)
wmic useraccount where “Disabled=0 AND LocalAccount=1″ get Name”
Change Start Mode of Service
wmic service where (name like “Fax” OR name like “Alerter”) CALL ChangeStartMode Disabled
Number of Logons Per USERID
wmic netlogin where (name like “%jackson”) get numberoflogons
Return a Certain Kind of Event from Eventlog
wmic ntevent where (message like “%logon%”) list brief
Clear the Eventlog (Security example)
wmic nteventlog where (description like “%secevent%”) call cleareventlog
Get Mac Address
wmic nic get macaddress
Reboot or Shutdown
wmic os where buildnumber=”7601″ call reboot
Update Static IP Address
wmic nicconfig where index=9 call enablestatic(“192.168.1.100”), (“255.255.255.0”)
Change network Gateway
wmic nicconfig where index=9 call setgateways(“192.168.1.254”, “192.168.1.200”),(1,2)
Enable DHCP
wmic nicconfig where index=9 call enabledhcp
Service Management
wmic service where caption=”DHCP Client” call changestartmode “Disabled”
Start an Application
wmic process call create “notepad.exe”
Terminate an Application
wmic process where name=”notepad.exe” call terminate
Change process Priority
wmic process where name=”notepad.exe” call setpriority 64
Get List of Process Identifiers
wmic process where (Name=’svchost.exe’) get name,processid
Information about Hard Drives
wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber
Information about OS
wmic os get bootdevice, buildnumber, caption, freespaceinpagingfiles, installdate, name, systemdrive, windowsdirectory /format:htable > c:\osinfo.htm
Information about Files
wmic path cim_datafile where “Path=’\\windows\\system32\\wbem\\’ and FileSize>1784088” > c:\wbemfiles.txt
Process List
wmic process get /format:htable > c:\process.htm
Retrieve list of warning and error events not from system or security logs
wmic ntevent where “EventType c:\appevent.htm
Total Hard Drive Space Check
wmic logicaldisk list brief
Get Running Services Information
wmic service where (state=”running”) get caption, name, startmode, state
Get Startmode of Services
wmic service get caption, name, startmode, state
Get Domain Names And When Account PWD set to Expire
wmic UserAccount get name,PasswordExpires /Value
Get Hotfix and Security Patch Information
wmic QFE get /format:CSV >QFE.CSV
Get Startup List
wmic startup list full
Find a Specific Process
wmic process list brief find “cmd.exe”
Get List of IP Interfaces
wmic nicconfig where IPEnabled=’true’
Change IP Address
wmic nicconfig where Index=1 call EnableStatic (“192.168.1.1”), (“255.255.255.0”)
OS and System Report HTML Formatted
wmic /output:c:\os.html os get /format:hform
Products and Programs Installed Report HTML Formatted
wmic /output:c:\product.html product get /format:hform
Services Report on a Remote Machine HTML Formatted
wmic /output:c:\services.htm /node:server1 service list full / format:htable
Turn on Remote Desktop Remotely
wmic /node:”servername” /user:”user@domain” /password: “password” RDToggle where ServerName=”server name” call SetAllowTSConnections 1
Get Server Drive Space Usage Remotely
wmic /node:%%A LogicalDisk where DriveType=”3″ get DeviceID,FileSystem,FreeSpace,Size /Format:csv
MORE /E +2 >> SRVSPACE.CSV
Get PC Serial Number
wmic /node:”HOST” bios get serialnumber
Get PC Product Number
wmic /node:”HOST” baseboard get product
Get Services for Remote Machine in HTML Format
wmic /output:c:\services.htm /node:ServerName service list full / format:htable