WMI Query Language via PowerShell Ravikanth Chaganti Explore basics of WMI Query Language, different types of WMI queries, and learn how PowerShell can be used to retrieve WMI management information using WQL. Table of Contents Introduction .................................................................................................................................................. 5 Introducing WMI Query Language ............................................................................................................ 5 WMI Query Types ..................................................................................................................................... 6 Data Queries ......................................................................................................................................... 6 Event Queries ........................................................................................................................................ 6 Schema Queries .................................................................................................................................... 7 WQL Keywords .......................................................................................................................................... 7 WQL Operators ......................................................................................................................................... 8 Tools for the job .......................................................................................................................................... 10 WBEMTEST .............................................................................................................................................. 10 WMI Administrative Tools ...................................................................................................................... 12 [WMISEARCHER] type accelerator .......................................................................................................... 14 PowerShell WMI cmdlets ........................................................................................................................ 15 WMI Data Queries ...................................................................................................................................... 17 SELECT, FROM, and WHERE .................................................................................................................... 17 Using Operators .................................................................................................................................. 18 ASSOCIATORS OF .................................................................................................................................... 21 ClassDefsOnly ...................................................................................................................................... 23 AssocClass ........................................................................................................................................... 24 ResultClass .......................................................................................................................................... 24 ResultRole ........................................................................................................................................... 24 Role ..................................................................................................................................................... 28 RequiredQualifier and RequiredAssocQualifier .................................................................................. 28 REFERENCES OF ....................................................................................................................................... 29 WMI Event Queries: Introduction ............................................................................................................... 31 Event Query Types .................................................................................................................................. 33 Intrinsic Events .................................................................................................................................... 33 Extrinsic Events ................................................................................................................................... 33 Timer Events ....................................................................................................................................... 33 WQL Syntax for event queries ................................................................................................................ 34 WITHIN ................................................................................................................................................ 34 [1] GROUP ................................................................................................................................................. 35 HAVING ............................................................................................................................................... 36 BY ........................................................................................................................................................ 36 Intrinsic Event Queries ................................................................................................................................ 38 __InstanceCreationEvent ........................................................................................................................ 39 __InstanceDeletionEvent ........................................................................................................................ 39 __InstanceModificationEvent ................................................................................................................. 39 Extrinsic Event Queries ............................................................................................................................... 43 Monitoring registry value change events ............................................................................................... 43 Monitoring registry key change events .................................................................................................. 44 Monitoring registry tree change events ................................................................................................. 45 Timer Events ............................................................................................................................................... 46 WMI Schema Queries ................................................................................................................................. 49 Using __this ............................................................................................................................................. 50 Using __Class .......................................................................................................................................... 50 WMI Event Consumers ............................................................................................................................... 51 Temporary Event consumers .................................................................................................................. 51 Permanent Event consumers .................................................................................................................. 51 Creating an event filter ....................................................................................................................... 53 Creating a logical consumer ................................................................................................................ 53 Binding Event Filter and Consumer ..................................................................................................... 54 Introducing PowerEvents ........................................................................................................................ 54 Creating an event filter ....................................................................................................................... 55 Creating an event consumer ............................................................................................................... 55 Binding Event filter and consumer ...................................................................................................... 55 [2] This book is dedicated to Andrew Tearle, the most passionate PowerSheller and a good friend. Rest in peace Andy. [3] Acknowledgements I would like to thank Shay Levy (MVP), Aleksandar Nikolic (MVP), Philip LaVoie, and Robert Robelo for providing their feedback. Their feedback really helped shape the ebook and include extra content that was not planned initially. Also, thanks to everyone who read my blog posts on WMI query language and provided feedback. Your encouragement and support helped me write quite a bit about WQL and now this ebook. [4] Introduction Windows Management Instrumentation (WMI) is Microsoft’s implementation of Web Based Enterprise Management (WBEM), which is an industry initiative to develop a standard technology for accessing management information in an enterprise environment. WMI uses the Common Information Model (CIM) industry standard to represent systems, applications, networks, devices, and other managed components. CIM is developed