You wish to scan the Windows Management Instrumentation (WMI) database for specific information.
Obtaining useful and accurate information from the WMI scanner is dependent on the accuracy of the Windows Management Instrumentation Query Language (WQL) query. We advise reviewing the Custom Scanner Best Practices article and thoroughly testing scans on a few machines before scanning your entire environment.
PDQ.com has bundled the WMI Explorer application, a third-party WMI tool, to assist in the exploration of WMI and the creation of WQL queries. The WMI Explorer can be launched when adding or editing a WMI scanner (Options > Scan Profiles > [Edit | New] > [New > Add > WMI]).
This is the basic usage flow for the WMI Explorer:
Note: In many cases, you will need to double-click selections in the WMI Explorer window. There may also be a wait for classes and properties to enumerate. The status bar at the bottom of the WMI Explorer window will indicate the process and status.
The query from the above example is
SELECT * FROM Win32_Processor
This will select all (* wildcard) from the Win32_Processor class.
To translate this into a WMI scanner, create (or edit) a WMI Scanner:
The Scan Profile can then be run against a machine, and the results can be observed in the WMI page of the Computer Details window.
Changes can also be made from this page, including selecting different scan data (assuming the corresponding WMI scanner has been run), editing the selected scanner, and opening the Scan Profiles window:
Here is list of examples. Click the example to be taken to that section:
CD Drive has Media Loaded
DNS Servers Associated with the Active NIC
Event Viewer Log Entries
Machines With the Intel Management Engine (Intel ME)
MSFT Disk Partition Style
BIOS Information (All the Information)
Is the Machine a VM (or Not) and is a host
Windows Licensing Status
And our scan (query) becomes:
SELECT MediaLoaded FROM Win32_CDROMDrive
SELECT DNSServerSearchOrder FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled='True'
3. Get some Event Viewer logs.
The WHERE keyword is a filter that allows you to narrow down your results. (!=) means “does not equal”. (WHERE Type != ‘Information’) removes all results where the Type field equals Information. The AND keyword allows you to specify multiple filters in 1 query. The LIKE keyword allows you to perform a wildcard search using % as the wildcard character. (AND SourceName LIKE ‘PDQ%) further refines our filter to only show results that also have a SourceName field that starts with PDQ.
SELECT * FROM Win32_NTLogEvent WHERE Type != 'Information' AND SourceName LIKE 'PDQ%'
SELECT * FROM ME_System
5. Get information on the disk, specifically partition information (MBR or GPT).
By default, WMI Explorer starts with the basic classes. In this case, an MSFT class is being queried. In order to view the MSFT classes, select the Include MSFT Classes in the Class Enumeration Options and press Refresh Classes:
The MSFT Classes are then enumerated in the classes pane:
And our query and scan would look like:
SELECT PartitionStyle, SerialNumber FROM MSFT_Disk
SELECT * FROM Win32_BIOS
SELECT * FROM Win32_Tpm
SELECT HypervisorPresent FROM Win32_ComputerSystem
SELECT VirtualizationFirmwareEnabled FROM Win32_Processor
And the WMI scanners:
We refine the query from WMI Explorer to include the LicenseStatus property FROM the SoftwareLicensingProduct property WHERE the product is LIKE "*Windows*" and the partial Product Key is not empty.
SELECT LicenseStatus FROM SoftwareLicensingProduct WHERE Name LIKE '%Windows%' AND PartialProductKey IS NOT NULL