Defense

WMI is an awesome capability for Windows administration. I've been using WMI since the Windows 2000 era and I've written WMI-based scripts/tools to defeat malware, yay; however, as with any tool, it can be used for good and for evil!

This post is going to focus on Win32_Process:Create (there are other methods as well!).

Wbemtest

Wbemtest is great: it's on all Windows machines, so you can inspect classes and execute methods, and you can also build queries and notification queries (great for writing WMI event filters/consumers).

Click Execute Method

Type Win32_Process

Click Edit In Parameters…

Edit the "CommandLine" property, click Save Object, then close.

Click Execute

VBS

Visual Basic Script is a long-standing technology but can still be useful (depending upon your perspective). It executes using either cscript.exe or wscript.exe:

'###########################################
'#
'# Run a process using WMI on the localhost
'#
'############################################

'declare vars
Dim objWMIService
Dim ReturnCode
Dim strComputer
Dim ProcessName
Dim intProcessID   'out-parameter: receives the PID of the new process

ProcessName = "calc.exe"
strComputer = "."  '"." = localhost

'create an object of win management to the local win32_process namespace
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2:Win32_Process")

'call Create and get the return code (0 = success, otherwise a Win32_Process.Create error code)
ReturnCode = objWMIService.Create(ProcessName, Null, Null, intProcessID)

If ReturnCode = 0 Then
    WScript.Echo ProcessName & " ran with a process ID of " & intProcessID & "."
Else
    WScript.Echo ProcessName & " could not be started due to error " & ReturnCode & "."
End If

PowerShell

Using the Invoke-WmiMethod cmdlet we can call the Create method of the Win32_Process class. The -ComputerName parameter can be used to target remote machines.

Invoke-WmiMethod -ComputerName . -Class Win32_Process -Name Create -ArgumentList "calc.exe"
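The flip side of the Create call above is spotting it. Processes started through Win32_Process.Create are parented by the WMI provider host (WmiPrvSE.exe), and wbemtest's notification queries are the same mechanism a defender can subscribe to from PowerShell. The script below is an added example, not code from the original post: it registers a Win32_Process creation event, fires the post's own Create call, and reports any new process whose parent is WmiPrvSE.exe. It assumes a local, elevated PowerShell session with the legacy WMI cmdlets available; the source identifier 'WmiProcessWatch' is a name chosen here.

```powershell
# Subscribe to process-creation events (same query type wbemtest offers under
# "Notification Query"). WITHIN 2 = poll every two seconds.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 2 " +
         "WHERE TargetInstance ISA 'Win32_Process'"
Register-WmiEvent -Query $query -SourceIdentifier 'WmiProcessWatch'

# Trigger the Create call from the post so the watcher has something to see.
# ReturnValue 0 means success; ProcessId is the out-parameter (new PID).
$result = Invoke-WmiMethod -ComputerName . -Class Win32_Process -Name Create -ArgumentList 'calc.exe'
"Create returned {0}, new PID {1}" -f $result.ReturnValue, $result.ProcessId

# Drain queued events for ~10 s and flag those spawned by the WMI provider host.
$deadline = (Get-Date).AddSeconds(10)
while ((Get-Date) -lt $deadline) {
    $evt = Wait-Event -SourceIdentifier 'WmiProcessWatch' -Timeout 2
    if (-not $evt) { continue }

    $proc   = $evt.SourceEventArgs.NewEvent.TargetInstance
    # Parent lookup can miss if WmiPrvSE.exe has already exited; treat that as unknown.
    $parent = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"

    if ($parent -and $parent.Name -ieq 'WmiPrvSE.exe') {
        "{0:s} WMI-spawned process: PID {1} '{2}' (parent {3}, PID {4})" -f `
            (Get-Date), $proc.ProcessId, $proc.CommandLine, $parent.Name, $parent.ProcessId
    }
    Remove-Event -EventIdentifier $evt.EventIdentifier
}

# Tear the subscription down so it does not outlive the session.
Unregister-Event -SourceIdentifier 'WmiProcessWatch'
```

For a persistent version, the same query goes into a permanent __EventFilter bound to a consumer, which is exactly what wbemtest's filter/consumer classes are for.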

Summary

There are loads of ways to access WMI; on top of the methods in this post you can also use WMI via .NET, etc. This post touches on the most common methods using standard tools, one of which I don't see much talk about (wbemtest). I'm going to go into the lab to see if we can find any novel ways of using this!
