Monday, August 19, 2013

WMIC Commands



Determine user currently logged in remotely
 wmic /node:remotecomputer computersystem get username

Save the full WMIC manual to a text file
 wmic /?:full > wmic_docs.txt

Remotely list startup apps
 wmic /node:machinename startup list full
 wmic STARTUP GET Caption, Command, User

Reboot or Shutdown a box (get the build number from OS Info, see below)
 wmic os where buildnumber="2600" call reboot

Kill a process – use with care
 wmic process where name="cmd.exe" delete

Get OS Information and export to CSV, html, xsl, mof
 wmic /output:wmicbuild.csv os get /all /format:csv
 wmic /output:wmicbuild.html os get /all /format:htable

List running processes and output to HTML/XSL form.
 wmic /output:wmic.html process list full /format:hform

Query Device Driver Status
 wmic /output:savrt.csv sysdriver where name="savrt" list status /format:csv

Query the same status on all machines in the domain, using a text file that lists every machine
 wmic /node:"@targets.txt" /output:savrt.csv sysdriver where name="savrt" list status /format:csv
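
Added example, not part of the original post: Python that reads the savrt.csv written by the command above and compares it with the target list, separating hosts where the driver is running, hosts where it is not, and targets with no row at all (unreachable, or the driver is not installed). The host names and the sample's column set are constructed; the code relies only on the Node and State columns.

```python
import csv
import io

def decode_wmic(raw: bytes) -> str:
    """Decode a wmic /output file: UTF-16 if a BOM is present, else UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")

def parse_wmic_csv(raw: bytes) -> list[dict]:
    """Return one dict per data row, dropping the blank lines wmic emits."""
    lines = [ln.strip() for ln in decode_wmic(raw).splitlines() if ln.strip()]
    return list(csv.DictReader(io.StringIO("\n".join(lines))))

def audit(raw_csv: bytes, targets: list[str], expected: str = "Running") -> dict:
    """Sort targets into ok / not_running / no_data for the queried driver."""
    rows = {r["Node"].upper(): r for r in parse_wmic_csv(raw_csv) if r.get("Node")}
    result = {"ok": [], "not_running": [], "no_data": []}
    for host in (t.strip() for t in targets if t.strip()):
        row = rows.get(host.upper())
        if row is None:
            result["no_data"].append(host)      # no row: follow up by hand
        elif (row.get("State") or "").lower() == expected.lower():
            result["ok"].append(host)
        else:
            result["not_running"].append(host)
    return result

# Constructed sample data (host names and column set are assumptions).
SAMPLE_TARGETS = ["WS01", "WS02", "WS03"]
SAMPLE_CSV = (
    "\r\n"
    "Node,Name,State,Status\r\n"
    "WS01,SAVRT,Running,OK\r\n"
    "WS03,SAVRT,Stopped,OK\r\n"
).encode("utf-16")

if __name__ == "__main__":
    for bucket, hosts in audit(SAMPLE_CSV, SAMPLE_TARGETS).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

For real data, pass the bytes of savrt.csv and the lines of targets.txt to `audit()`.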

Get a list of NICs and IPs in use
 netsh int ip show config
 wmic nicconfig where IPEnabled='true'

Remotely change the IP to a static IP (Index is Interface#)
 wmic /node:machinename nicconfig where Index=1 call EnableStatic ("172.16.10.10"), ("255.255.0.0")

Remotely change IP to use DHCP
 wmic /node:machinename nicconfig where Index=1 call EnableDHCP

Remotely Display machine’s MAC Address
 wmic /node:machinename nic get macaddress

Get Process Owner or OwnerSID
 wmic process where name="cmd.exe" call getowner
 wmic process where name="cmd.exe" call getownersid

Remotely list running processes every second
 wmic /node:machinename process list brief /every:1

Delete ARPCache
 netsh int ip delete arpcache

System Information

Remotely display System Info
 wmic /node:machinename computersystem list full

Full Drive Info
 wmic diskdrive list full
 wmic partition list full

Bios Info
 wmic bios list full

List all Hotfixes and Service Packs
 wmic qfe

List HotfixID, description and Install date
 wmic qfe where "not description like ''" get description,hotfixid,installedon

Example (lists patch info for MS08-067)
 wmic qfe where hotfixid="KB958644" list full

Remotely List Local Enabled Accounts
 wmic /node:machinename USERACCOUNT WHERE "Disabled=0 AND LocalAccount=1" GET Name

Start a service
 wmic /node:machinename service where name="lanmanserver" CALL StartService

Change startup mode for a service
 wmic /node:machinename service where (name like "Fax" OR name like "Alerter") CALL ChangeStartMode Disabled

List Services with brief description
 wmic service list brief

List useraccounts
 wmic useraccount
 wmic useraccount list brief

Enable RDP
 wmic /node:machinename path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"

List ShadowCopy Info
 wmic shadowcopy list brief

List Event Logs (brief takes a while, full takes even longer)
 wmic ntevent list brief

Clear event logs whose description matches secevent
 wmic nteventlog where (description like "%secevent%") call cleareventlog

Remotely output Logon Events to a html file
 wmic /node:machinename /output:wmicevents.html ntevent where (message like "%logon%") list brief /format:htable

List number of times a user logged on
 wmic netlogin where (name like "%adm%") get numberoflogons

Display Shares
 wmic share list brief