Some people say command line tools are obsolete, out of date, no longer necessary when you can “point and click”, instead.
But the reality is very different. Every version of Windows sees the command line given new powers and abilities, and if you don’t explore these then you really are missing out.
WMIC
Take the WMIC command, for instance. It has astonishing scope and a huge set of features: the program can return useful information about your system, control running programs, and generally manage just about every aspect of your PC, all from the command line or a convenient shortcut.
How might this work? Let’s suppose you need to know the model of motherboard used in your PC. You could poke around in a system information program, but it’s easier to open a command window (elevated, on Windows Vista or 7 – click Start, type CMD, right-click the link to cmd.exe and select Run As Administrator) and enter the command
wmic baseboard get product,manufacturer
WMIC will then give you the answer right away.
Or maybe you’re wondering if your BIOS needs an update. How old is it, anyway? Restart your PC and one of the boot-time messages might give you a date, but again it’s easier to enter something like
wmic bios get name
and let WMIC tell you more.
System Information
The program can also provide details on many other aspects of your system. Commands like
wmic product list brief
wmic service list brief
wmic process list brief
wmic startup list brief
will list your installed software, services, running processes and Windows startup programs, for instance.
wmic service list brief
wmic process list brief
wmic startup list brief
will list your installed software, services, running processes and Windows startup programs, for instance.
Obviously these details can be found elsewhere, but one advantage of WMIC is that it can save its output for reference later. Use the command
wmic service get /format:hform > c:\folder\services.html
and WMIC will create a formatted HTML page detailing your running services (replace “C:\folder” with an appropriate path for your system). If you have PC problems a few months later you can then look back at this record and see what’s changed.
Uninstall automatically
WMIC isn’t just about reporting on system information, though. Use the appropriate CALL command and it can also carry out a variety of useful maintenance tasks.
Do you regularly have to uninstall and reinstall particular programs, for instance? Doing this manually via Control Panel is tedious, but WMIC can automatically uninstall many applications with a single command. To see how, enter
wmic product get name
and look for the name of the program you’d like to remove. Then enter the name as it appears in that list, in a second command, like this
wmic product where name=”windows live writer” call uninstall
And your specified program will be uninstalled automatically, without you even seeing the uninstall program. (Which is convenient, but also risky as there probably will be no chance to cancel your action – so use this with extreme care.)
Process management
WMIC can, say, also close all the instances of a particular program. So if you want to shut down all Internet Explorer windows, for instance, then the command
wmic process where name=”iexplore.exe” call terminate
would do the trick, closing every instance immediately. (Though again, beware, programs closed in this way probably won’t prompt you to save files you’re working on, so use the command carelessly and data may be lost.)
Or maybe you’d prefer to optimise your system by setting your process CPU priorities? WMIC can handle that, too. Entering
wmic process where name=”notepad.exe” call setpriority 64
will set every running Notepad process to the Idle priority, for instance (see MSDN for the numbers to use to set other priorities).
And this is still barely scratching the surface. WMIC can also give you useful information about your PCs user accounts, change the Start mode of particular services, retrieve useful information from your event logs, change a static IP address, reboot or shut down a PC, and a whole lot more.
And best of all, you can even apply the commands to a remote system by applying the NODE switch and a network name, like
wmic /node:steve-pc service list brief
There’s a huge amount of power on offer here, then. See the Tech-Wreck InfoSec Blog for more great WMIC examples, then open a command window and try a few for yourself.
===
Spot Odd Executables - wmic PROCESS WHERE "NOT ExecutablePath LIKE '%Windows%'" GET ExecutablePath
Look at services that are set to start automatically - wmic SERVICE WHERE StartMode="Auto" GET Name, State
Find user-created shares (usually not hidden) - wmic SHARE WHERE "NOT Name LIKE '%$'" GET Name, Path
Find stuff that starts on boot - wmic STARTUP GET Caption, Command, User
Identify any local system accounts that are enabled (guest, etc.) - wmic USERACCOUNT WHERE "Disabled=0 AND LocalAccount=1" GET Name"
Change Start Mode of Service - wmic service where (name like "Fax" OR name like "Alerter") CALL ChangeStartMode Disabled
Number of Logons Per USERID - wmic netlogin where (name like "%skodo") get numberoflogons
Obtain a Certain Kind of Event from Eventlog - wmic ntevent where (message like "%logon%") list brief
Clear the Eventlog (Security example) - wmic nteventlog where (description like "%secevent%") call cleareventlog
Get Mac Address - wmic nic get macaddress
Reboot or Shutdown - wmic os where buildnumber="2600" call reboot
Update static IP address - wmic nicconfig where index=9 call enablestatic("192.168.16.4"), ("255.255.255.0")
Change network gateway - wmic nicconfig where index=9 call setgateways("192.168.16.4", "192.168.16.5"),(1,2)
Enable DHCP - wmic nicconfig where index=9 call enabledhcp
Service Management - wmic service where caption="DHCP Client" call changestartmode "Disabled"
Start an Application - wmic process call create "calc.exe"
Terminate an Application - wmic process where name="calc.exe" call terminate
Change Process Priority - wmic process where name="explorer.exe" call setpriority 64
Get List of Process Identifiers - wmic process where (Name='svchost.exe') get name,processid
Information About Harddrives - wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber
Information about os - wmic os get bootdevice, buildnumber, caption, freespaceinpagingfiles, installdate, name, systemdrive, windowsdirectory /format:htable > c:\osinfo.htm
Information about files - wmic path cim_datafile where "Path='\\windows\\system32\\wbem\\' and FileSize>1784088" > c:\wbemfiles.txt
Process list - wmic process get /format:htable > c:\process.htm
Retrieve list of warning and error events not from system or security logs - WMIC NTEVENT WHERE "EventType<3 AND LogFile != 'System' AND LogFile != 'Security'" GET LogFile, SourceName, EventType, Message, TimeGenerated /FORMAT:"htable.xsl":" datatype = number":" sortby = EventType" > c:\appevent.htm
Total Hard Drive Space Check - wmic LOGICALDISK LIST BRIEF
Get Running Services Information - Wmic service where (state=”running”) get caption, name, startmode, state
Get Startmode of Services - Wmic service get caption, name, startmode, state
Get Domain Names And When Account PWD set to Expire - WMIC UserAccount GET name,PasswordExpires /Value
Get Hotfix and Security Patch Information - WMIC QFE GET /format:CSV >QFE.CSV
Get Startup List - wmic startup list full
Find a specific Process - wmic process list brief find "cmd.exe"
Get List of IP Interfaces - wmic nicconfig where IPEnabled='true'
Change IP Address - wmic nicconfig where Index=1 call EnableStatic ("10.10.10.10"), ("255.255.255.0")
OS/System Report HTML Formatted - wmic /output:c:\os.html os get /format:hform
Products/Programs Installed Report HTML Formatted - wmic /output:c:\product.html product get /format:hform
Services Report on a Remote Machine HTML Formatted - wmic /output:c:\services.htm /node:server1 service list full / format:htable
Turn on Remoted Desktop Remotely! - Wmic /node:"servername" /user:"user@domain" /password: "password" RDToggle where ServerName="server name" call SetAllowTSConnections 1
Get Server Drive Space Usage Remotely - WMIC /Node:%%A LogicalDisk Where DriveType="3" Get DeviceID,FileSystem,FreeSpace,Size /Format:csv MORE /E +2 >> SRVSPACE.CSV
Get PC Serial Number - wmic /node:”HOST” bios get serialnumber
Get PC Product Number - wmic /node:”HOST” baseboard get product
Get Services for Remote Machine in HTML Format - wmic /output:c:\services.htm /node:server1 service list full / format:htable
http://www.softwarecrew.com/2011/01/wmic-the-best-command-line-tool-youve-never-used/
http://tech-wreckblog.blogspot.ca/2009/11/wmic-command-line-kung-fu.html
No comments:
Post a Comment