Created
July 5, 2022 11:36
Windows information in Command Prompt
source: https://quux.wiki.zoho.com/WMIC-Snippets.html | |
----- | |
System, BIOS, Motherboard | |
This first example shows a few variations of the most common WMI query. We ask a WMI object (computersystem, or bios, or baseboard in the examples below) to return the values for a few of its properties. It returns the results in its default tabular format. | |
C:\Tools>wmic computersystem get domain, EnableDaylightSavingsTime, Manufacturer, Model, PartOfDomain, TotalPhysicalMemory, username | |
Domain EnableDaylightSavingsTime Manufacturer Model PartOfDomain TotalPhysicalMemory UserName | |
cojones.org TRUE INTEL_ D865GLC_ TRUE 2146148352 PURGATORY\quux | |
C:\Tools>wmic bios get Caption, Manufacturer, SMBIOSBIOSVersion, Version | |
Caption Manufacturer SMBIOSBIOSVersion Version | |
BIOS Date: 10/14/03 10:38:21 Ver: 08.00.09 Intel Corp. BF86510A.86A.0049.P11.0310141038 INTEL - 20031014 | |
C:\Tools>wmic baseboard get Manufacturer, Model, Product, SerialNumber, Version | |
Manufacturer Model Product SerialNumber Version | |
Intel Corporation D865GLC ABLC32421808 AAC28909-404 | |
Processor Info | |
C:\Tools>wmic cpu get deviceID, Addresswidth, MaxClockSpeed, Name, Manufacturer, ProcessorID | |
AddressWidth DeviceID Manufacturer MaxClockSpeed Name ProcessorId | |
32 CPU0 GenuineIntel 2992 Intel(R) Pentium(R) 4 CPU 3.00GHz BFEBFBFF00000F29 | |
32 CPU1 GenuineIntel 2992 Intel(R) Pentium(R) 4 CPU 3.00GHz BFEBFBFF00000F29 | |
Hard Drives | |
C:\Tools>wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber | |
FileSystem FreeSpace Name Size SystemName VolumeSerialNumber | |
NTFS 53473411072 C: 120023252992 GOOD B0400204 | |
NTFS 114517245952 E: 500105216000 GOOD 94AE4BE9 | |
The drivetypes are:
Value  Member name      Description
0      Unknown          The type of drive is unknown.
1      NoRootDirectory  The drive does not have a root directory.
2      Removable        The drive is a removable storage device, such as a floppy disk drive or a USB flash drive.
3      Fixed            The drive is a fixed disk.
4      Network          The drive is a network drive.
5      CDRom            The drive is an optical disc device, such as a CD or DVD-ROM.
6      Ram              The drive is a RAM disk.
Here is a bonus: S.M.A.R.T. information! | |
C:\Tools>WMIC /NAMESPACE:\\root\wmi PATH MSStorageDriver_FailurePredictStatus get * /format:list | |
Active=TRUE | |
InstanceName=IDE\DiskG.SKILL_128GB_SSD_______________________02.10104\4&8188e1b&0&0.0.0_0 | |
PredictFailure=FALSE | |
Reason=0 | |
You can also experiment with | |
MSStorageDriver_FailurePredictData | |
MSStorageDriver_FailurePredictEvent | |
MSStorageDriver_FailurePredictFunction | |
The best docs I have found for these are here. They're sparse, and probably a bit out of date. | |
Memory | |
I can't really explain why the output below gives me more available virtual memory than total virtual memory. | |
C:\Tools>wmic memlogical get AvailableVirtualMemory, TotalPhysicalMemory, TotalVirtualMemory | |
AvailableVirtualMemory TotalPhysicalMemory TotalVirtualMemory | |
2049300 2095848 1939180 | |
NIC properties | |
In the first example below, I query for all NICs. Yikes, too much info! | |
In the second example I use a where IPEnabled='TRUE' clause to narrow things down, but it's still too much. Here we have several IPEnabled devices which we don't really care about; the system runs VMware, has a TV card, and had a disabled 100bT NIC. | |
In the third example, I only care about the NIC that is enabled and connected! Could have used DHCPEnabled as the second test, but we might want to get this info from systems with static IPs. I would have compared the IPAddress value to good IPs (or eliminated 192.168 and 169.* addresses), but sadly I have not figured out a way to do WHERE queries on IPAddress; apparently the {} brackets indicate it is an array value, and I have found no way to do WQL queries that compare array values. Please use the comments link if you know how to do this! So, by adding the extra query condition (and DNSDomain IS NOT NULL), I get only the currently 'live' connection. Although I can imagine cases where DNSDomain would be null and the NIC would still be the live connection. YMMV!
The final query gets a fair amount of NIC information in list format. | |
C:\Tools>wmic nicconfig get caption, macaddress, ipaddress, DefaultIPGateway | |
Caption DefaultIPGateway IPAddress MACAddress | |
[00000001] 1394 Net Adapter | |
[00000002] RAS Async Adapter | |
[00000003] WAN Miniport (L2TP) | |
[00000004] WAN Miniport (PPTP) 50:50:54:50:30:30 | |
[00000005] WAN Miniport (PPPOE) 33:50:6F:45:30:30 | |
[00000006] Direct Parallel | |
[00000007] WAN Miniport (IP) | |
[00000008] Packet Scheduler Miniport 38:C7:20:52:41:53 | |
[00000009] Microsoft TV/Video Connection {"169.254.246.73"} 00:07:E9:5D:BC:F4 | |
[00000010] Intel(R) PRO/1000 CT Network Connection {"169.254.246.73"} 00:07:E9:5D:BC:F4 | |
[00000011] Packet Scheduler Miniport 00:07:E9:5D:BC:F4 | |
[00000012] VMware Virtual Ethernet Adapter for VMnet1 {"192.168.199.1"} 00:50:56:C0:00:01 | |
[00000013] VMware Virtual Ethernet Adapter for VMnet8 {"192.168.226.1"} 00:50:56:C0:00:08 | |
[00000014] NETGEAR 108 Mbps Wireless PCI Adapter WG311T {"10.0.0.10"} {"10.0.0.55"} 00:0F:B5:4F:78:73 | |
[00000015] Packet Scheduler Miniport 00:0F:B5:4F:78:73 | |
C:\Tools>wmic nicconfig where "IPEnabled = 'TRUE'" get caption, macaddress, ipaddress, DefaultIPGateway | |
Caption DefaultIPGateway IPAddress MACAddress | |
[00000009] Microsoft TV/Video Connection {"169.254.246.73"} 00:07:E9:5D:BC:F4 | |
[00000010] Intel(R) PRO/1000 CT Network Connection {"169.254.246.73"} 00:07:E9:5D:BC:F4 | |
[00000012] VMware Virtual Ethernet Adapter for VMnet1 {"192.168.199.1"} 00:50:56:C0:00:01 | |
[00000013] VMware Virtual Ethernet Adapter for VMnet8 {"192.168.226.1"} 00:50:56:C0:00:08 | |
[00000014] NETGEAR 108 Mbps Wireless PCI Adapter WG311T {"10.0.0.10"} {"10.0.0.55"} 00:0F:B5:4F:78:73 | |
C:\Tools>wmic nicconfig where "IPEnabled = 'TRUE' and DNSDomain IS NOT NULL" get caption, macaddress, ipaddress, DefaultIPGateway | |
Caption DefaultIPGateway IPAddress MACAddress | |
[00000014] NETGEAR 108 Mbps Wireless PCI Adapter WG311T {"10.0.0.10"} {"10.0.0.55"} 00:0F:B5:4F:78:73 | |
C:\Tools>wmic nicconfig where "IPEnabled = 'TRUE' and DNSDomain IS NOT NULL" get DefaultIPGateway, DHCPServer, DNSDomain, DNSHostName, DNSServerSearchOrder, IPAddress, IPSubnet, MACAddress, WINSEnableLMHostsLookup, WINSPrimaryServer, WINSSecondaryServer /format:list | |
DefaultIPGateway={"10.0.0.10"} | |
DHCPServer=10.0.0.3 | |
DNSDomain=cojones.org | |
DNSHostName=good | |
DNSServerSearchOrder={"10.0.0.3","10.0.0.2"} | |
IPAddress={"10.0.0.55"} | |
IPSubnet={"255.255.255.0"} | |
MACAddress=00:0F:B5:4F:78:73 | |
WINSEnableLMHostsLookup=TRUE | |
WINSPrimaryServer= | |
WINSSecondaryServer= | |
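The IPAddress filtering that the text above could not express in WQL can be done after the query instead. This is an added example, not part of the original snippets: it parses `/format:list` output, turns `{...}` array values into lists, and drops 169.254.* and 192.168.* addresses. The second sample record and all function names are constructed for illustration.

```python
import ipaddress

# First record: the /format:list output shown above (trimmed).
# Second record: constructed, an adapter holding only a link-local address.
SAMPLE = r'''
DefaultIPGateway={"10.0.0.10"}
DHCPServer=10.0.0.3
DNSDomain=cojones.org
DNSServerSearchOrder={"10.0.0.3","10.0.0.2"}
IPAddress={"10.0.0.55"}
MACAddress=00:0F:B5:4F:78:73

DefaultIPGateway=
DHCPServer=
DNSDomain=
DNSServerSearchOrder=
IPAddress={"169.254.246.73"}
MACAddress=00:07:E9:5D:BC:F4
'''

# Ranges the text above wants to ignore.
EXCLUDED = [ipaddress.ip_network("169.254.0.0/16"),
            ipaddress.ip_network("192.168.0.0/16")]


def parse_value(raw):
    """Turn a WMI array such as {"a","b"} into a list; leave scalars as str."""
    if raw.startswith("{") and raw.endswith("}"):
        inner = raw[1:-1]
        return [v.strip().strip('"') for v in inner.split(",")] if inner else []
    return raw


def parse_list_output(text):
    """Split Key=Value output into one dict per WMI instance."""
    records, current = [], {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep:
            continue  # blank line or stray carriage return
        # Piped WMIC output can carry doubled carriage returns, so blank
        # lines are unreliable separators; a repeated key marks a new instance.
        if key in current:
            records.append(current)
            current = {}
        current[key] = parse_value(value)
    if current:
        records.append(current)
    return records


def usable_ipv4(record):
    """IPv4 addresses of one adapter that fall outside the EXCLUDED ranges."""
    values = record.get("IPAddress") or []
    if isinstance(values, str):
        values = [values]
    kept = []
    for text in values:
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            continue  # not an address at all
        if addr.version == 4 and not any(addr in net for net in EXCLUDED):
            kept.append(text)
    return kept


def live_adapters(records):
    """(MAC, addresses) for every adapter that still has a usable address."""
    return [(r.get("MACAddress", ""), usable_ipv4(r))
            for r in records if usable_ipv4(r)]
```
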
Video | |
C:\Tools>wmic path Win32_VideoController get caption, CurrentHorizontalResolution, CurrentVerticalResolution, Description, DriverVersion, AdapterRAM /format:list | |
AdapterRAM=67108864 | |
Caption=MOBILITY RADEON 9600/9700 (Microsoft Corporation - WDDM) | |
CurrentHorizontalResolution=1400 | |
CurrentVerticalResolution=1050 | |
Description=MOBILITY RADEON 9600/9700 (Microsoft Corporation - WDDM) | |
DriverVersion=7.01.01.569 | |
C:\Tools> | |
Printers | |
C:\Tools>wmic printer get Caption, Default, Direct, Description, Local, Shared, Sharename, Status | |
Caption Default Description Direct Local Shared ShareName Status | |
TPC PostScript HQ2K FALSE FALSE TRUE FALSE Unknown | |
Microsoft XPS Document Writer FALSE FALSE TRUE FALSE Unknown | |
Lexmark i3 TRUE FALSE TRUE TRUE Lexmark I3 Office Unknown | |
hp photosmart 240 series FALSE FALSE TRUE TRUE PHOTO-printer Unknown | |
hp officejet g series fax FALSE FALSE TRUE FALSE Unknown | |
hp officejet g series FALSE FALSE TRUE TRUE hpoffice Unknown | |
Adobe PDF FALSE FALSE TRUE FALSE Unknown | |
Acrobat PDFWriter FALSE FALSE TRUE FALSE Unknown | |
Acrobat Distiller FALSE FALSE TRUE FALSE Unknown | |
Other Hardware | |
Here's a query that makes an output somewhat like Linux's lspci: | |
C:\>wmic path Win32_PnPEntity where "PNPDeviceID like '%VEN%'" get PNPDeviceID, Status, Manufacturer, Service | |
Manufacturer PNPDeviceID Service Status | |
Intel PCI\VEN_8086&DEV_2570&SUBSYS_00000000&REV_02\3&267A616A&0&00 OK | |
Intel PCI\VEN_8086&DEV_2571&SUBSYS_00000000&REV_02\3&267A616A&0&08 pci OK | |
ATI Technologies Inc. PCI\VEN_1002&DEV_4150&SUBSYS_47221002&REV_00\4&38B71F77&0&0008 ati2mtag OK | |
ATI Technologies Inc. PCI\VEN_1002&DEV_4170&SUBSYS_47231002&REV_00\4&38B71F77&0&0108 ati2mtag OK | |
Intel PCI\VEN_8086&DEV_2573&SUBSYS_00000000&REV_02\3&267A616A&0&18 pci OK | |
Intel PCI\VEN_8086&DEV_1019&SUBSYS_303B8086&REV_00\4&26062112&0&0818 E1000 OK | |
Intel PCI\VEN_8086&DEV_24D2&SUBSYS_4C438086&REV_02\3&267A616A&0&E8 usbuhci OK | |
(Standard disk drives) USBSTOR\DISK&VEN_HP&PROD_PHOTOSMART_240_S&REV_1.00\7&7541E0F&1&CN3CH341FTM9&0 disk OK | |
Intel PCI\VEN_8086&DEV_24D4&SUBSYS_4C438086&REV_02\3&267A616A&0&E9 usbuhci OK | |
Intel PCI\VEN_8086&DEV_24D7&SUBSYS_4C438086&REV_02\3&267A616A&0&EA usbuhci OK | |
Intel PCI\VEN_8086&DEV_24DE&SUBSYS_4C438086&REV_02\3&267A616A&0&EB usbuhci OK | |
(Standard disk drives) USBSTOR\DISK&VEN_OEI-USB&PROD_COMPACTFLASH&REV_1.01\C67CEDBA1F&0 disk OK | |
(Standard disk drives) USBSTOR\DISK&VEN_OEI-USB&PROD_SM/MS/SD&REV_1.01\C67CEDBA1F&1 disk OK | |
Intel PCI\VEN_8086&DEV_24DD&SUBSYS_4C438086&REV_02\3&267A616A&0&EF usbehci OK | |
Intel PCI\VEN_8086&DEV_244E&SUBSYS_00000000&REV_C2\3&267A616A&0&F0 pci OK | |
NEC PCI\VEN_1033&DEV_00F2&SUBSYS_00F21033&REV_01\4&2E98101C&0&00F0 ohci1394 OK | |
NETGEAR, Inc. PCI\VEN_168C&DEV_0013&SUBSYS_5A001385&REV_01\4&2E98101C&0&08F0 AR5211 OK | |
Intel PCI\VEN_8086&DEV_24D0&SUBSYS_00000000&REV_02\3&267A616A&0&F8 isapnp OK | |
Intel PCI\VEN_8086&DEV_24DB&SUBSYS_4C438086&REV_02\3&267A616A&0&F9 pciide OK | |
Intel PCI\VEN_8086&DEV_24D1&SUBSYS_4C438086&REV_02\3&267A616A&0&FA pciide OK | |
Intel PCI\VEN_8086&DEV_24D3&SUBSYS_4C438086&REV_02\3&267A616A&0&FB smbusp OK | |
Analog Devices, Inc. PCI\VEN_8086&DEV_24D5&SUBSYS_E0028086&REV_02\3&267A616A&0&FD smwdm OK | |
It's best to get Caption and PNPDeviceID in your query, but that makes the output too wide for this web page. So below I show getting the Caption rather than PNPDeviceID.
C:\>wmic path Win32_PnPEntity where "PNPDeviceID like '%VEN%'" get Caption, Status, Manufacturer, Service | |
Caption Manufacturer Service Status | |
Intel(R) 82865G/PE/P/GV/82848P Processor to I/O Controller - 2570 Intel OK | |
Intel(R) 82865G/PE/P/GV/82848P Processor to AGP Controller - 2571 Intel pci OK | |
ALL-IN-WONDER 9600 SERIES ATI Technologies Inc. ati2mtag OK | |
ALL-IN-WONDER 9600 SERIES - Secondary ATI Technologies Inc. ati2mtag OK | |
Intel(R) 82865G/PE/P/GV/82848P Processor to PCI to CSA bridge - 2573 Intel pci OK | |
Intel(R) PRO/1000 CT Network Connection Intel E1000 OK | |
Intel(R) 82801EB USB Universal Host Controller - 24D2 Intel usbuhci OK | |
HP photosmart 240 s USB Device (Standard disk drives) disk OK | |
Intel(R) 82801EB USB Universal Host Controller - 24D4 Intel usbuhci OK | |
Intel(R) 82801EB USB Universal Host Controller - 24D7 Intel usbuhci OK | |
Intel(R) 82801EB USB Universal Host Controller - 24DE Intel usbuhci OK | |
OEI-USB CompactFlash USB Device (Standard disk drives) disk OK | |
OEI-USB SM/MS/SD USB Device (Standard disk drives) disk OK | |
Intel(R) 82801EB USB2 Enhanced Host Controller - 24DD Intel usbehci OK | |
Intel(R) 82801 PCI Bridge - 244E Intel pci OK | |
NEC OHCI Compliant IEEE 1394 Host Controller NEC ohci1394 OK | |
NETGEAR 108 Mbps Wireless PCI Adapter WG311T NETGEAR, Inc. AR5211 OK | |
Intel(R) 82801EB LPC Interface Controller - 24D0 Intel isapnp OK | |
Intel(R) 82801EB Ultra ATA Storage Controllers Intel pciide OK | |
Intel(R) 82801EB Ultra ATA Storage Controllers Intel pciide OK | |
Intel(R) ICH5/ICH5-M SMBus Controller - 24D3 (Intel(R) SMBus 2.0 Driver) Intel smbusp OK | |
SoundMAX Integrated Digital Audio Analog Devices, Inc. smwdm OK | |
Here's a fun one. List the name and PCI ID of everything in Device manager that is in an error state. You know, those little yellow exclamation points! | |
C:\Tools>wmic path win32_pnpentity where "ConfigManagerErrorCode <> 0" get Name, PNPDeviceID | |
Name PNPDeviceID | |
ATI T200 Unified AVStream Driver DISPLAY\NTATIVRV01\5&883B044&1&80000008&01&00 | |
USB Mass Storage Device USB\VID_55AA&PID_B012\C67CEDBA1F | |
1394 Net Adapter V1394\NIC1394\18F74C01 | |
NETGEAR 108 Mbps Wireless PCI Adapter WG311T PCI\VEN_168C&DEV_0013&SUBSYS_5A001385&REV_01\4&2E98101C&0&08F0 | |
Bluetooth PAN Network Adapter ROOT\NET\0000 | |
SCSI/RAID Host Controller ROOT\SCSIADAPTER\0000 | |
Operating System, Service Pack, Hotfixes, Domain | |
Notice how I used the /format:list directive to return a list rather than a superwide table. | |
A QFE is a hotfix. In the first QFE query below, rather than a get verb, I used list brief. | |
In the second QFE query, note the use of the percent sign (%) as a wildcard in the WHERE clause ('%928366%'). This is important to remember; WQL queries do not use the asterisk as a wildcard!
C:\Tools>wmic os get bootdevice, caption, csname, currenttimezone, installdate, servicepackmajorversion, servicepackminorversion, systemdrive, version, windowsdirectory /format:list | |
BootDevice=\Device\HarddiskVolume1 | |
Caption=Microsoft Windows XP Professional | |
CSName=GOOD | |
CurrentTimeZone=-480 | |
InstallDate=20030829205313.000000-420 | |
ServicePackMajorVersion=2 | |
ServicePackMinorVersion=0 | |
SystemDrive=C: | |
Version=5.1.2600 | |
WindowsDirectory=C:\WINDOWS | |
C:\Tools>wmic qfe list brief | |
Description | |
Microsoft .NET Framework 1.1 Hotfix (KB928366) | |
Microsoft .NET Framework 1.1 Service Pack 1 (KB867460) | |
Microsoft Data Access Components KB870669 | |
Microsoft SQL Server 2000 Service Pack 3 Updates to MDAC 2.7 SP1 | |
Security update for Microsoft Data Access Components | |
[...listing truncated, you get the point...] | |
C:\Tools>wmic qfe where "HotFixID like '%928366%'" get Description, FixComments, InstalledOn, ServicePackInEffect | |
Description FixComments InstalledOn ServicePackInEffect | |
Microsoft .NET Framework 1.1 Hotfix (KB928366) Update 7/11/2007 1.1 | |
C:\Tools>wmic ntdomain get Caption, DnsForestName, DomainControllerAddress, Status | |
Caption DnsForestName DomainControllerAddress Status | |
GOOD Unknown [...note this is the localcomputer...] | |
PURGATORY cojones.org \10.0.0.3 OK | |
Services | |
C:\Tools>wmic service get caption, name, state | |
Caption Name State | |
Atheros Configuration Service ACS Running | |
AdRem NetCrunch Task Scheduler AdRemTaskScheduler Stopped | |
Alerter Alerter Stopped | |
Application Layer Gateway Service ALG Running | |
Apple Mobile Device Apple Mobile Device Running | |
Application Management AppMgmt Stopped | |
[...listing truncated, you get the point...] | |
C:\Tools>wmic service where "name='Alerter'" get caption, startmode, startname, state, status | |
Caption StartMode StartName State Status | |
Alerter Disabled NT AUTHORITY\LocalService Stopped OK | |
Installed Software | |
This is not the same as the 'currently installed programs' list you would get by opening Control Panel --> Add/Remove Software. I am not sure how or why the two lists are different, but on my test machine they are definitely not the same. NOTE: the 'wmic product' query doesn't work on Windows 2003 until you add the Windows Installer Provider, as illustrated here.
You can uninstall software, too.
C:\Tools>wmic product get Caption, InstallDate, Vendor | |
Caption InstallDate Vendor | |
ABBYY FineReader for ScanSnap (TM) 2.0 20070127 ABBYY Software | |
VMware Server Console 20061106 VMware, Inc. | |
MSXML 4.0 SP2 (KB925672) 20061012 Microsoft Corporation | |
Intel(R) PROSafe for Wired Connections 20041226 Intel | |
NETGEAR Wireless Adapter WG311T 20050415 NETGEAR | |
Windows Server 2003 Administration Tools Pack 20031007 Microsoft Corporation | |
VMware Workstation 20061228 VMware, Inc. | |
Intel(R) PROSafe for Wired Connections 20041226 Intel | |
HP Software Update 20050331 HEWLET~1|Hewlett-Packard | |
Windows Resource Kit Tools 20030917 Microsoft Corporation | |
[...listing truncated, you get the point...] | |
H:\>wmic path win32_product where "name = 'HP Software Update'" call Uninstall <--- UNINSTALLING software. | |
Executing (\\COMPUTER\root\cimv2:Win32_Product.IdentifyingNumber="{DEC61338-62B5-454A-AAB2-71D612277798}",Name="HP Software Update",Version="1.5.0")->Uninstall()
Method execution successful. | |
Out Parameters: | |
{ | |
ReturnValue = 0; <--- zero means success. The package was uninstalled. | |
}; | |
Processes | |
Here we use several call methods to actually do stuff (rather than just listing stuff). And we get a lot of fairly ugly and needless output. But the commands are useful just the same. | |
C:\Tools>wmic process call create 'notepad.exe' | |
Executing (Win32_Process)->Create() | |
Method execution successful. | |
Out Parameters: | |
instance of __PARAMETERS | |
{ | |
ProcessId = 14524; | |
ReturnValue = 0; | |
}; | |
[...notepad starts in the GUI...] | |
C:\Tools>wmic process where "name='notepad.exe'" call setpriority 64 | |
Executing (\GOOD\ROOT\CIMV2:Win32_Process.Handle="7356")->setpriority() | |
Method execution successful. | |
Out Parameters: | |
instance of __PARAMETERS | |
{ | |
ReturnValue = 0; | |
}; | |
C:\Tools>wmic process where "name='notepad.exe'" get Caption, ExecutablePath, Priority, ProcessID, WorkingSetSize | |
Caption ExecutablePath Priority ProcessId WorkingSetSize | |
notepad.exe C:\WINDOWS\system32\notepad.exe 4 7356 3825664 | |
C:\Tools>wmic process where "name='notepad.exe'" call terminate | |
Executing (\GOOD\ROOT\CIMV2:Win32_Process.Handle="7356")->terminate() | |
Method execution successful. | |
Out Parameters: | |
instance of __PARAMETERS | |
{ | |
ReturnValue = 0; | |
}; | |
C:\Tools>wmic process where "name='notepad.exe'" get Caption, ExecutablePath, Priority, ProcessID, WorkingSetSize | |
No Instance(s) Available. | |
[...notepad is terminated in the GUI...] | |
Event Logs | |
Note that these take a long time to complete - so long that the command is nearly useless. I could have included the eventlog message below (it's 'Message'), but that would have made the output way too wide for this web page. The query shown below gets all warning and error log entries from System which occurred after December 4, 2007. | |
H:\>WMIC NTEVENT WHERE "EventType<3 AND LogFile = 'System' AND TimeGenerated>'20071204'" GET EventCode, EventIdentifier, RecordNumber, SourceName, TimeGenerated, Type | |
EventCode EventIdentifier RecordNumber SourceName TimeGenerated Type | |
50 -2108030926 171408 Microsoft-Windows-Time-Service 20071204002221.000000-000 Warning | |
131 -2108030845 171768 Microsoft-Windows-Time-Service 20071204172639.000000-000 Warning | |
5719 5719 171770 NETLOGON 20071204172741.000000-000 Error | |
243 -2147483405 171984 Win32k 20071205160544.401179-000 Warning | |
10009 -1073731815 172190 Microsoft-Windows-DistributedCOM 20071207101245.000000-000 Error | |
1003 1003 172251 Microsoft-Windows-Dhcp-Client 20071208055130.000000-000 Warning | |
50 -2108030926 172264 Microsoft-Windows-Time-Service 20071208133340.000000-000 Warning | |
Users and Groups | |
C:\Tools>wmic useraccount where "LocalAccount='TRUE'" get Caption, Disabled, Domain, Lockout, PasswordExpires, SID, Status | |
Caption Disabled Domain Lockout PasswordExpires SID Status | |
GOOD\ACTUser FALSE GOOD FALSE FALSE S-1-5-21-1214440339-861567501-682003330-1015 OK | |
GOOD\Administrator FALSE GOOD FALSE FALSE S-1-5-21-1214440339-861567501-682003330-500 OK | |
GOOD\quux FALSE GOOD FALSE FALSE S-1-5-21-1214440339-861567501-682003330-1001 OK | |
GOOD\ASPNET FALSE GOOD FALSE FALSE S-1-5-21-1214440339-861567501-682003330-1003 OK | |
GOOD\Guest TRUE GOOD FALSE FALSE S-1-5-21-1214440339-861567501-682003330-501 Degraded | |
GOOD\HelpAssistant TRUE GOOD FALSE FALSE S-1-5-21-1214440339-861567501-682003330-1000 Degraded | |
GOOD\SUPPORT_388945a0 TRUE GOOD FALSE FALSE S-1-5-21-1214440339-861567501-682003330-1002 Degraded | |
GOOD\VUSR_GOOD FALSE GOOD FALSE FALSE S-1-5-21-1214440339-861567501-682003330-1014 OK | |
GOOD\__vmware_user__ FALSE GOOD FALSE TRUE S-1-5-21-1214440339-861567501-682003330-1025 OK | |
C:\Tools>wmic group where "LocalAccount='TRUE'" get Caption, SID, Status | |
Caption SID Status | |
GOOD\Administrators S-1-5-32-544 OK | |
GOOD\Backup Operators S-1-5-32-551 OK | |
GOOD\Guests S-1-5-32-546 OK | |
GOOD\Network Configuration Operators S-1-5-32-556 OK | |
GOOD\Power Users S-1-5-32-547 OK | |
GOOD\Remote Desktop Users S-1-5-32-555 OK | |
GOOD\Replicator S-1-5-32-552 OK | |
GOOD\Users S-1-5-32-545 OK | |
GOOD\Debugger Users S-1-5-21-1214440339-861567501-682003330-1004 OK | |
GOOD\HelpServicesGroup S-1-5-21-1214440339-861567501-682003330-1001 OK | |
GOOD\VS Developers S-1-5-21-1214440339-861567501-682003330-1010 OK | |
GOOD\__vmware__ S-1-5-21-1214440339-861567501-682003330-1024 OK | |
You could use WMIC to get members of a group, like so: | |
wmic group where "Name='Administrators'" assoc /resultclass:Win32_useraccount | |
...but the result is so ugly, it's not worth the bother. There are better ways to do that sort of query. Hint: NET LOCALGROUP Administrators | |
Query remote hosts | |
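/node specifies the remote host name. The rest seems self-explanatory. A password given with /password is part of the command line, so it ends up wherever command lines are recorded (process-creation auditing, scripts, batch files); if /user is given without /password, WMIC prompts for the password instead.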
C:\Tools>wmic /node:fs1 /user:mydomain\quuxadmin /password:mypass logicaldisk where drivetype=3 get name, freespace, filesystem, size | |
FileSystem FreeSpace Name Size | |
NTFS 1750355968 C: 8578932736 | |
NTFS 321957826560 D: 536863567872 | |
NTFS 106292609024 E: 107372081152 | |
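The `call` commands in the Installed Software and Processes sections change system state, and the remote query above carries a credential, so in process-creation logs they are worth separating from read-only `get` queries. This is an added example, not part of the original snippets: it classifies constructed command lines modelled on the commands on this page and redacts any inline password. The function names and the finding labels are assumptions made for the example.

```python
import re

# Constructed command lines, as command-line auditing would record them.
# The WMIC ones mirror commands shown on this page.
SAMPLE_EVENTS = [
    r"wmic cpu get deviceID, Name",
    r"wmic process call create 'notepad.exe'",
    r'''wmic path win32_product where "name = 'HP Software Update'" call Uninstall''',
    r"wmic /node:fs1 /user:mydomain\quuxadmin /password:mypass logicaldisk where drivetype=3 get name",
    r'''WMIC.exe process where "name='notepad.exe'" call terminate''',
    r"ipconfig /all",
]

# Image name, optionally quoted and/or prefixed with a path without spaces.
WMIC_RE = re.compile(r'^\s*"?(?:[^"\s]*\\)?wmic(?:\.exe)?"?(?=\s|$)', re.I)
# Global switches that matter for triage; values may be double-quoted.
SWITCH_RE = re.compile(r'/(node|user|password)\s*:\s*("[^"]*"|\S+)', re.I)
PASSWORD_RE = re.compile(r'(/password\s*:\s*)("[^"]*"|\S+)', re.I)
CALL_RE = re.compile(r'\bcall\s+(\w+)', re.I)


def classify(cmdline):
    """Return findings for one command line, or None if it is not WMIC."""
    if not WMIC_RE.match(cmdline):
        return None
    switches = {m.group(1).lower(): m.group(2).strip('"')
                for m in SWITCH_RE.finditer(cmdline)}
    findings = []
    if "node" in switches:
        findings.append("remote-target:" + switches["node"])
    if "password" in switches:
        findings.append("inline-password")
    # Blank out quoted WHERE clauses so text inside them cannot look like a verb.
    unquoted = re.sub(r'"[^"]*"', '""', cmdline)
    call = CALL_RE.search(unquoted)
    if call:
        findings.append("method-call:" + call.group(1).lower())
    # Never copy the credential into the alert itself.
    redacted = PASSWORD_RE.sub(r'\1<redacted>', cmdline)
    return {"findings": findings, "cmdline": redacted}


def triage(events):
    """Keep only WMIC command lines that produced at least one finding."""
    results = []
    for cmdline in events:
        result = classify(cmdline)
        if result and result["findings"]:
            results.append(result)
    return results


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(", ".join(hit["findings"]), "|", hit["cmdline"])
```
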