When it comes to managing and monitoring Windows environments, including Windows client operating systems and Windows Server, Windows Management Instrumentation (WMI) is a really powerful tool. However, WMI can be notoriously challenging, especially when used for remote management. This can be due to issues with connectivity, permissions, firewalls, and even problems with the WMI query itself. What if there were a utility that could help test and troubleshoot WMI connectivity to a Windows endpoint as well as provide an easy way to write and test WMI queries in WMI Query Language (WQL)?
AdRemSoftware, the company that makes NetCrunch network monitoring software, makes a freely available utility that can make WMI testing and queries easier. It is called the WMI Tester. In this review of the WMI Tester utility, we will see what the app can do and how it makes WMI much easier.
What is Windows Management Instrumentation (WMI)?
First off, it would be beneficial to take a closer look at Windows Management Instrumentation (WMI) to see what it is and how we interact with it for management and monitoring purposes.
As we have already mentioned, WMI is a means to manage and monitor specific data on local or remote Windows machines. WMI is the proprietary Microsoft implementation of a framework known as Web-Based Enterprise Management (WBEM), which is a well-known standard for management information access in an enterprise.
WMI is used to query Windows information for parts of the operating system itself as well as other Microsoft solutions such as System Center Operations Manager (SCOM) and Windows Remote Management (WinRM).
An entity known as the Distributed Management Task Force (DMTF) maintains a Common Information Model (CIM) that represents endpoints such as network devices, systems, applications, and others. CIM is the model used by WMI for local and remote connectivity.
While WMI is available in Windows Server and client operating systems by default, the various WMI providers available may depend on the specific version of Windows running on the endpoint as well as the features and solutions that are installed. Note: the Starter, Basic, and Home editions of Windows are an exception when it comes to connecting remotely, as these do not allow remote WMI queries. An example of a common WMI provider that can be queried for useful information is the Active Directory WMI provider.
Microsoft provides a resource listing some of the more well-known WMI providers available to interact with.
WMI query language
One of the really neat things you can do with WMI is query it, much like you would a SQL database table, using WMI Query Language (WQL). With WQL, you can write queries that retrieve specific information from WMI providers. Three different types of queries are possible with WQL. These include:
- Data queries
- Event queries
- Schema queries
An example WQL query to find the various event logs looks like the following:
SELECT LogfileName, Name, LastModified, LastAccessed, CreationDate, FileSize, MaxFileSize, NumberOfRecords, OverWritePolicy, Sources FROM Win32_NTEventlogFile
In theory, WMI is easy to interact with for querying all kinds of information from your Windows environment. However, in practice, it is common to run into issues with querying WMI for information, especially on remote Windows endpoints. Why is this? What are the common points to check when troubleshooting WMI?
Typically, most troubleshooting of WMI is related to trying to query information about a remote Windows computer. WMI connects to remote Windows computers using DCOM. DCOM can be troublesome, especially with permissions.
In addition to these permission-related issues and misconfiguration of remote DCOM access, WMI relies on network communication for proper access. One of the challenges with WMI is the wide range of ports used for access by default. It uses TCP port 135 as well as a wide dynamic range of ports, including ports 1024 to 65535. Keeping these points in mind when establishing WMI connectivity to your remote Windows endpoints can help to narrow down any WMI errors you may receive.
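The troubleshooting order described above (network first, then DCOM and permissions, then the query itself), as an added PowerShell example that is not part of the original article or of WMI Tester. The host name is a placeholder, and the query is a trimmed version of the event-log query shown earlier.

```powershell
# Added example: staged remote WMI check (network, then DCOM/auth, then WQL).
# 'srv01.example.test' is a placeholder host name, not taken from the article.
param(
    [string]$ComputerName = 'srv01.example.test',
    [string]$Namespace    = 'root\cimv2',
    [string]$Query        = 'SELECT LogfileName, FileSize, MaxFileSize, NumberOfRecords FROM Win32_NTEventlogFile'
)

# Stage 1: the RPC endpoint mapper on TCP 135 must answer before any DCOM call can work.
$probe = Test-NetConnection -ComputerName $ComputerName -Port 135 -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    Write-Warning "TCP 135 is unreachable on ${ComputerName}; check name resolution, routing and firewall rules."
    return
}

# Stage 2: open a CIM session over DCOM (the transport discussed above) rather than
# the WSMan default. Get-Credential prompts, so no password is stored in the script.
$cred    = Get-Credential -Message "Account allowed to query WMI on ${ComputerName}"
$options = New-CimSessionOption -Protocol Dcom
try {
    $session = New-CimSession -ComputerName $ComputerName -Credential $cred `
                              -SessionOption $options -ErrorAction Stop
}
catch {
    # Port 135 answered but the session did not open: look at DCOM/WMI permissions
    # and at whether the dynamic RPC port range is filtered between the two hosts.
    Write-Warning "DCOM session failed: $($_.Exception.Message)"
    return
}

# Stage 3: run the WQL query. Failures here point at the query, the namespace
# or the permissions on that namespace.
try {
    Get-CimInstance -CimSession $session -Namespace $Namespace -Query $Query -ErrorAction Stop |
        Select-Object LogfileName, FileSize, MaxFileSize, NumberOfRecords |
        Format-Table -AutoSize
}
catch [Microsoft.Management.Infrastructure.CimException] {
    # NativeErrorCode separates a bad query (InvalidQuery, InvalidClass,
    # InvalidNamespace) from a permission problem (AccessDenied).
    Write-Warning "WQL failed [$($_.Exception.NativeErrorCode)]: $($_.Exception.Message)"
}
finally {
    Remove-CimSession -CimSession $session
}
```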
Changes in AdRemSoftware's Free WMI Tool Offering
Some time ago, AdRemSoftware offered a product called the WMI Tool, which was available as a free download. However, this tool is no longer available for free. WMI Tool has now been incorporated into NetCrunch, AdRemSoftware's premier network monitoring solution.
AdRemSoftware has reduced the functionality of the free WMI offering, now the WMI Tester. Previously, the free WMI Tool was a more fully featured tool than the WMI Tester, providing a more powerful interface, tools, and information by default. Again, this WMI utility is now part of the NetCrunch "tools."
When the WMI Tool is compared with the new WMI Tester utility, one of the more powerful features of the WMI Tool was the Query Builder. With the WMI Tool, the Query Builder made writing WQL queries much easier, as you could basically pick the objects and write the query using the wizard.
AdRemSoftware has reduced the functionality of the free download of their WMI Tester utility so that it is only a very light implementation of the WMI Tool without some of the more advanced features, such as the Query Builder.
While the functionality is reduced in the WMI Tester, it is still useful. It can quickly test connectivity to your remote Windows endpoint. It also provides an easy way to see whether your WQL query includes the correct syntax and returns the desired/expected information.
The screenshot below shows running a specified query against a Windows endpoint, resulting in an RPC error noted in the output.
As you can see in the following screenshot, there are built-in WQL queries to return information on the operating system, services, processes, logs, partitions, network, print jobs, and more.
Creating a new WQL query allows naming the query, selecting the namespace, and entering the WQL query code.
Adding a new connection for a remote WMI query test is as easy as adding an IP address/FQDN and entering the username and password to make the WMI connection.
Compared to the previously free download called the WMI Tool, WMI Tester is quite a bit lighter in features and functionality. While this is a little disappointing, the WMI Tool is now included as part of the native tools in NetCrunch, which is AdRemSoftware's monitoring platform.
WMI Tester provides a simple interface that can help you test connectivity to a Windows endpoint as well as write WMI Query Language (WQL) code to query specific information. It also has several prebuilt WQL queries that can provide a starting point for testing various WMI information.
Check out AdRemSoftware's free download of WMI Tester here.