The Wmi tool connects to the Windows Management Instrumentation service on a remote system and lets you run WQL queries, get and delete objects, invoke methods on classes and instances, execute commands, explore the namespace and class hierarchy, and back up or restore the WMI repository.

Subcommands

Command     Description
query       Execute a WMI query
get         Get an object by WMI path
invoke      Invoke a method on a class or object
exec        Execute a command line on a remote system
lsns        List namespaces within a namespace
lsclass     List classes within a namespace
lsprop      List the properties of a class or object
lsmethod    List the methods of a class or object
backup      Back up the WMI repository
restore     Restore the WMI repository
delete      Delete a WMI object
For help on any subcommand, run Wmi <subcommand> -h.

Common options

All Wmi subcommands share these options:
-UserName (-u)
UserPrincipalName
User name to authenticate with (not including the domain).
-UserDomain (-ud)
string
Domain of the authenticating user.
-Password (-p)
string
Password to authenticate with.
-NtlmHash
hexadecimal hash
NTLM hash for pass-the-hash authentication.
-Kdc (-K)
host:port
KDC endpoint. Required to enable Kerberos.
-Tgt
string
Path to a TGT file (.kirbi or ccache).
-TicketCache
string
Ticket cache file.
-AesKey
HexString
AES-128 or AES-256 Kerberos key.
-S4UserName
UserPrincipalName
User to impersonate with S4U.
-HostAddress (-ha)
string[]
Override network address(es) of the server.
-EncryptRpc (-E)
boolean
Encrypt RPC messages.
-Socks5
host:port
SOCKS5 proxy endpoint.

query

Executes a WQL (WMI Query Language) query against a remote system and prints the results.
Wmi query [options] <ServerName> <Query>
ServerName
string
required
Name of the server to connect to.
Query
string
required
WQL query to execute (e.g. SELECT * FROM Win32_Process).
-Namespace
string
default:"root\cimv2"
WMI namespace to query.
-PageSize
integer
default:"10"
Number of results to fetch at a time.
-Locale
string
default:"en-US"
Locale for the query.
-WithQualifiers
string[]
Filter by qualifiers. Each entry is a qualifier name or name=value pair.
-OutputFields
string[]
WMI object fields to display in the output.
-ConsoleOutputStyle (-OutputStyle)
string
Output format: Freeform, Raw, Table, List, Csv, Tsv, Json.

Examples

# List all running processes
Wmi query LUMON-FS1 -UserName milchick -Password "Br3@kr00m!" "SELECT * FROM Win32_Process"

# List processes with selected fields
Wmi query LUMON-FS1 -UserName milchick -Password "Br3@kr00m!" -OutputFields Caption,ProcessID,ParentProcessID "SELECT * FROM Win32_Process"

get

Retrieves a specific WMI object by its path, relative to the namespace.
Because the command-line parser strips double quotes, use single quotes to delimit strings within paths. Single quotes are automatically converted to double quotes before the request is sent to WMI.
Wmi get [options] <ServerName> <ObjectPath>
ServerName
string
required
Name of the server to connect to.
ObjectPath
string[]
required
Path of the object to get, relative to the namespace (e.g. Win32_Process, Win32_LogicalDisk.DeviceID='C:').
-Namespace
string
default:"root\cimv2"
WMI namespace.
-Locale
string
default:"en-US"
Locale.
-WithQualifiers
string[]
Filter qualifiers.
-OutputFields
string[]
Fields to display. Available: RelativePath, ObjectFlags, ObjectType.

Examples

# Get the Win32_Process class definition
Wmi get -namespace root\cimv2 -UserName milchick -Password "Br3@kr00m!" LUMON-FS1 Win32_Process

# Get the C: logical disk object
Wmi get -namespace root\cimv2 -UserName milchick -Password "Br3@kr00m!" LUMON-FS1 "Win32_LogicalDisk.DeviceID='C:'"

invoke

Invokes a method on a WMI class or instance. You can target a specific instance by path or use a WQL query to select multiple objects. To pass an array argument, enclose the elements in [ and ], space-separated:
Wmi invoke ... WmiMethod "first arg" [ 1 2 3 ] "last arg"
Wmi invoke [options] <ServerName> <ObjectPathOrWqlQuery> <Method> [<Arguments>]
ServerName
string
required
Name of the server to connect to.
ObjectPathOrWqlQuery
string[]
required
Class path, instance path, or WQL query selecting the objects to invoke the method on.
Method
string
required
Name of the method to invoke.
Arguments
string[]
Arguments to pass to the method.
-Namespace
string
default:"root\cimv2"
WMI namespace.
-SkipParams
string[]
Parameters to skip when invoking the method.
-ContinueOnError
boolean
Continue invoking on remaining objects even if an error occurs.
-WithQualifiers
string[]
Filter qualifiers.

Examples

# Start explorer.exe via WMI
Wmi invoke -namespace root\cimv2 -UserName milchick -Password Br3@kr00m! LUMON-DC1 Win32_Process Create C:\WINDOWS\explorer.exe

# Terminate a process by PID
Wmi invoke -namespace root\cimv2 -UserName milchick -Password Br3@kr00m! LUMON-DC1 Win32_Process.Handle=8008 Terminate

# Terminate a process by name using a WQL query
Wmi invoke -namespace root\cimv2 -UserName milchick -Password Br3@kr00m! LUMON-DC1 "SELECT * FROM Win32_Process WHERE Caption='REGEDIT.EXE'" Terminate

exec

Executes a command line on a remote system using Win32_Process.Create. By default, the command is wrapped in cmd /q /c and STDOUT/STDERR are captured to a temporary file in C:\Windows\Temp, which is retrieved periodically and printed to your local console. The command polls for process completion and output using Win32_ProcessTrace. Press Ctrl+C to terminate the remote process. To disable output capture or cmd /q /c wrapping, use -CaptureOutput:off or -CmdCall:off.
Wmi exec [options] <ServerName> <CommandLine>
ServerName
string
required
Name of the server to connect to.
CommandLine
string
required
Command line to execute on the remote system.
-CaptureOutput
boolean
default:"true"
Redirect STDOUT and STDERR to a file and stream the output locally. Requires -CmdCall.
-CmdCall
boolean
default:"true"
Prepend cmd /q /c to the command.
-Wait
boolean
default:"true"
Wait for the command to complete before returning.
-PollInterval
Duration
default:"1s"
Polling interval for checking output and process exit. Specify as a number followed by ms, s, m, or h.
-WorkingDir
string
Working directory for the new process.
-EnvironmentVariables
string[]
Environment variables in NAME=value format, comma-separated.
-EncryptRpc
boolean
Encrypt RPC messages.

Examples

# Run a command and capture output
Wmi exec -UserName milchick -Password Br3@kr00m! LUMON-DC1 -Verbose SystemInfo.exe

# Use an environment variable
Wmi exec -UserName milchick -Password Br3@kr00m! LUMON-DC1 -Verbose "ECHO %MYVAR%" -EnvironmentVariables MYVAR=me

# Set a fast polling interval
Wmi exec -UserName milchick -Password Br3@kr00m! LUMON-DC1 -PollInterval 100ms -Verbose "PING -t localhost"
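
For defenders, the exec behaviour described above leaves a recognizable process-creation footprint: a child of WmiPrvSE.exe, by default wrapped in cmd /q /c with output redirected into C:\Windows\Temp. The following is an added example, not part of the tool or its documentation; it classifies process-creation records using Sysmon Event ID 1 field names, and the sample events and the exact redirection syntax are assumptions constructed for illustration.

```python
import re

# "cmd /q /c" wrapper, with or without a full path or .exe suffix.
CMD_WRAPPER = re.compile(
    r'^\s*"?(?:[a-z]:\\windows\\system32\\)?cmd(?:\.exe)?"?\s+/q\s+/c\s',
    re.IGNORECASE)
# Output redirected to a file under C:\Windows\Temp. The file naming scheme is
# not documented on the page, so any target in that directory matches (assumption).
REDIRECT_TO_TEMP = re.compile(
    r'>\s*"?C:\\Windows\\Temp\\[^\s"&|<>]+', re.IGNORECASE)

def classify(event):
    """Label one process-creation record, or return None if it is not WMI-spawned.

    'wrapped+captured' : cmd /q /c plus redirection to C:\\Windows\\Temp (default mode)
    'wrapped'          : cmd /q /c only (matches -CaptureOutput:off)
    'direct'           : any other child of WmiPrvSE.exe (matches -CmdCall:off, but
                         also legitimate management software; review, do not block)
    """
    parent = event.get("ParentImage", "").lower()
    if not parent.endswith("\\wmiprvse.exe"):
        return None
    cmdline = event.get("CommandLine", "")
    if CMD_WRAPPER.search(cmdline):
        return "wrapped+captured" if REDIRECT_TO_TEMP.search(cmdline) else "wrapped"
    return "direct"

def triage(events):
    """Return (index, label) for every record that classify() flags."""
    labelled = ((i, classify(e)) for i, e in enumerate(events))
    return [(i, label) for i, label in labelled if label is not None]

WMIPRVSE = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
# Constructed sample records, not captured from a real system.
SAMPLE_EVENTS = [
    {"ParentImage": WMIPRVSE,
     "CommandLine": r"cmd /q /c SystemInfo.exe > C:\Windows\Temp\out_example.tmp 2>&1"},
    {"ParentImage": WMIPRVSE, "CommandLine": "cmd /q /c ECHO hello"},
    {"ParentImage": WMIPRVSE, "CommandLine": r"C:\WINDOWS\explorer.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd /q /c dir > C:\Windows\Temp\listing.txt"},
]

if __name__ == "__main__":
    for index, label in triage(SAMPLE_EVENTS):
        print(index, label, SAMPLE_EVENTS[index]["CommandLine"])
```
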

lsns

Lists the WMI namespaces within a given namespace.
Wmi lsns [options] <ServerName>
ServerName
string
required
Name of the server to connect to.
-Namespace
string
default:"root\cimv2"
Namespace to list sub-namespaces within.
-PageSize
integer
default:"10"
Number of results to fetch at a time.

lsclass

Lists the classes within a WMI namespace.
Wmi lsclass [options] <ServerName>
ServerName
string
required
Name of the server to connect to.
-Namespace
string
default:"root\cimv2"
Namespace to list classes within.
-PageSize
integer
default:"10"
Number of results to fetch at a time.
-WithQualifiers
string[]
Filter by qualifiers.
-OutputFields
string[]
Fields to display. Available: RelativePath, Name, BaseClassName, ObjectFlags, ObjectType, ClassPartBytes, HasMethodPart, NdValueTableLength, ValueTableLength.

lsprop

Lists the properties of a WMI class or object. You may specify multiple object paths. Use -WithQualifiers to filter properties. A qualifier name alone matches if the qualifier is present with a non-false value. A name=value pair performs a case-insensitive string comparison.
Wmi lsprop [options] <ServerName> [<ObjectPath>]
ServerName
string
required
Name of the server to connect to.
ObjectPath
string[]
Path of the class or object to inspect. Accepts multiple values.
-Namespace
string
default:"root\cimv2"
WMI namespace.
-WithQualifiers
string[]
Filter by qualifiers.
-OutputFields
string[]
Fields to display. Available: Name, PropertyType, DefaultValue, RuntimeType, ElementType, ClassOfOrigin, QualifiersText, IsReadOnly, ShortDescription, FullDescription, IsStatic.

Examples

# List all properties of Win32_Process
Wmi lsprop -namespace root\cimv2 -UserName milchick -Password Br3@kr00m! LUMON-FS1 Win32_Process

# List only properties requiring SeDebugPrivilege
Wmi lsprop -namespace root\cimv2 -UserName milchick -Password Br3@kr00m! LUMON-FS1 -WithQualifiers Privileges=SeDebugPrivilege Win32_Process

lsmethod

Lists the methods of a WMI class or object. You may specify multiple object paths. Use -WithQualifiers to filter methods. A name=value pair performs a case-insensitive string comparison.
Wmi lsmethod [options] <ServerName> <ObjectPathOrWqlQuery>
ServerName
string
required
Name of the server to connect to.
ObjectPathOrWqlQuery
string[]
required
Class or instance path, or WQL query. Accepts multiple values.
-Namespace
string
default:"root\cimv2"
WMI namespace.
-WithQualifiers
string[]
Filter by qualifiers.
-ContinueOnError
boolean
Continue on error.
-OutputFields
string[]
Fields to display. Available: Name, Signature, Flags, ClassOfOrigin, IsStatic, IsReadOnly, ShortDescription, FullDescription, QualifiersText, PrivilegesText, Subtype, SubtypeCode, Id, IsInputParameter.

Examples

# List all methods of Win32_Process
Wmi lsmethod -namespace root\cimv2 -UserName milchick -Password Br3@kr00m! LUMON-FS1 Win32_Process

# List only static methods
Wmi lsmethod -namespace root\cimv2 -UserName milchick -Password Br3@kr00m! LUMON-FS1 -WithQualifiers static Win32_Process

# List methods that require SeDebugPrivilege
Wmi lsmethod -namespace root\cimv2 -UserName milchick -Password Br3@kr00m! LUMON-FS1 -WithQualifiers Privileges=SeDebugPrivilege Win32_Process

backup

Backs up the WMI repository to a file on the remote system.
Wmi backup [options] <ServerName> <FileName>
ServerName
string
required
Name of the server to connect to.
FileName
string
required
Path on the remote system to write the backup file to.

Examples

Wmi backup -UserName milchick -Password Br3@kr00m! LUMON-FS1 C:\wmibackup.bak

restore

Restores the WMI repository from a backup file on the remote system.
Wmi restore [options] <ServerName> <FileName>
ServerName
string
required
Name of the server to connect to.
FileName
string
required
Path on the remote system to read the backup file from.
-ForceShutdown
boolean
Force active clients to shut down before restoring.

delete

Deletes a WMI object or a set of objects matching a WQL query.
Wmi delete [options] <ServerName> <ObjectPathOrWqlQuery>
ServerName
string
required
Name of the server to connect to.
ObjectPathOrWqlQuery
string[]
required
Object path or WQL query selecting objects to delete.
-Namespace
string
default:"root\cimv2"
WMI namespace.
-ContinueOnError
boolean
Continue even if errors occur.

Examples

# Terminate a process by PID
Wmi delete -UserName milchick -Password Br3@kr00m! LUMON-DC1 Win32_Process.Handle=8008

# Terminate a process by name
Wmi delete -UserName milchick -Password Br3@kr00m! LUMON-DC1 "SELECT * FROM Win32_Process WHERE Caption='REGEDIT.EXE'"

  • Scm — manage services on remote Windows systems
  • Smb2Client — file operations over SMB2 (used by Wmi exec to retrieve output)
