PowerShell and WMI: Empowering admins and engineers worldwide

Slides: 16

Who needs WMI?
Presentation by Trevor Sullivan

• IT Administrators & Engineers
• Security teams
• IT Managers

Why WMI?

• Get system information
• Change [certain] system information
• Subscribe for and respond to events

WMI Architecture

• Providers
• Namespaces
• Classes
  ◦ Instance properties
  ◦ Instance methods
  ◦ Static properties
  ◦ Static methods
• System classes
• WMI qualifiers (metadata)

Diagram: Object (class) → Properties (properties), Actions (methods)

WMI Eventing

Temporary
• Terminated when application exits
• Same event query as permanent
• Uses WQL event queries

Permanent
• Persistent in operating system
• Registered within WMI
• Runs inside WMI process

WQL event query shape:
  Select * from <EventClass> within <seconds> where <criteria>

WMI Tools

• SAPIEN WMI Explorer: excellent WMI browser to find classes, properties, and methods
• Wbemtest.exe: built into the Windows operating system since Windows 2000
• Winmgmt.exe: built-in tool to manage the WMI process; can run WMI in a separate process
• Mofcomp.exe: tool to compile Managed Object Format (MOF) files
• Visual Studio 2010: has a WMI browser built into it; a free Express edition is available

WMI Type Accelerators

• What is a type accelerator?
• System.Management namespace
• [wmiclass] = ManagementClass
• [wmi] = ManagementObject
• [wmisearcher] = ManagementObjectSearcher

Type Accelerator Examples

Get reference to BIOS class definition
• $BiosClass = [wmiclass]"\\remotepc\root\cimv2:Win32_BIOS"

Get instance of Computer System
• $CompSys = [wmi]"Win32_ComputerSystem.Name='gaming'"

WQL query for all network adapters
• $Searcher = [wmisearcher]"select * from Win32_NetworkAdapter"
• $Searcher.Get()
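The three accelerators together, as an added example that is not part of the slides: [wmiclass] is used to read the class metadata the architecture slide describes (qualifiers, properties, instance vs. static methods), [wmisearcher] runs a WQL query, and [wmi] fetches a single instance by path. It runs against the local machine; Win32_Process, Win32_OperatingSystem and explorer.exe are only chosen as familiar examples.

```powershell
# Added example (not from the slides): explore a class with the WMI type
# accelerators. Everything here targets the local machine (root\cimv2).

# [wmiclass] returns the class definition (System.Management.ManagementClass).
$ProcClass = [wmiclass]"root\cimv2:Win32_Process"

# Class-level qualifiers are the "metadata" the architecture slide refers to.
"Qualifiers on $($ProcClass.Name):"
$ProcClass.Qualifiers | ForEach-Object { "  {0} = {1}" -f $_.Name, $_.Value }

# Instance properties and their CIM types.
"Properties:"
$ProcClass.Properties | ForEach-Object { "  {0} ({1})" -f $_.Name, $_.Type }

# Static vs. instance methods: the 'Static' qualifier on a method tells them apart.
"Methods:"
foreach ($m in $ProcClass.Methods) {
    $isStatic = $null -ne ($m.Qualifiers | Where-Object { $_.Name -eq 'Static' })
    "  {0} {1}" -f $m.Name, $(if ($isStatic) { '(static)' } else { '(instance)' })
}

# [wmisearcher] wraps a WQL query; Get() executes it and returns the instances.
$Searcher = [wmisearcher]"select Name, ProcessId, ExecutablePath from Win32_Process where Name = 'explorer.exe'"
foreach ($p in $Searcher.Get()) {
    "{0} pid={1} path={2}" -f $p.Name, $p.ProcessId, $p.ExecutablePath
}

# [wmi] fetches one instance by object path. Win32_OperatingSystem is a
# singleton class, so '=@' selects its only instance without naming a key.
$Os = [wmi]"root\cimv2:Win32_OperatingSystem=@"
"OS: {0} (build {1}), last boot {2}" -f $Os.Caption, $Os.BuildNumber, $Os.ConvertToDateTime($Os.LastBootUpTime)
```

The qualifier check is the reliable way to distinguish static from instance methods in script; the slide's distinction between "static" and "instance" members is not visible from the method name alone.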

WMI Cmdlets

• Get-WmiObject
• Register-WmiEvent
  ◦ Get-EventSubscriber
  ◦ Unregister-Event
• Invoke-WmiMethod
  ◦ (Get-WmiObject … …).MethodName()
  ◦ ([wmiclass]"class_name").MethodName()
• Remove-WmiObject
  ◦ (Get-WmiObject … …) | % { $_.Delete() }
• Set-WmiInstance
  ◦ ([wmiclass]"Win32_Environment").CreateInstance()

WMI Cmdlet Examples

Get list of network shares
• Get-WmiObject -ComputerName . -Namespace root\cimv2 -Class Win32_Share

Get list of GPOs applied to local system
• Get-WmiObject -ComputerName . -Namespace root\rsop\computer -Class RSOP_GPO

WQL query for all network adapters
• Get-WmiObject -Query "select * from Win32_NetworkAdapter"

WMI Event Cmdlet Examples

When a process (Notepad) starts
• Register-WmiEvent `
    -Query "select * from __InstanceCreationEvent within 5 where TargetInstance ISA 'Win32_Process' and TargetInstance.Name = 'notepad.exe'" `
    -Action { Write-Host -Object ("Process started: " + $Event.SourceEventArgs.NewEvent.TargetInstance.Name) }

Disk free space drops below threshold
• Register-WmiEvent `
    -Query "select * from __InstanceModificationEvent within 5 where TargetInstance ISA 'Win32_LogicalDisk' and TargetInstance.FreeSpace < 1000000" `
    -Action { Write-Host -Object ('Free space dropped to {0} on drive {1}' -f $Event.SourceEventArgs.NewEvent.TargetInstance.FreeSpace, $Event.SourceEventArgs.NewEvent.TargetInstance.DeviceID) }

WMI Event Cmdlet Examples (continued)

When a user logs on / off
• Register-WmiEvent `
    -Query "select * from __InstanceModificationEvent within 5 where TargetInstance ISA 'Win32_UserProfile' and TargetInstance.Loaded <> PreviousInstance.Loaded" `
    -Action { Write-Host -Object "User logged on or off" }
  (PreviousInstance only exists on __InstanceModificationEvent, so a logon/logoff query that compares it must use that event class.)

New print job created
• Register-WmiEvent `
    -Query "select * from __InstanceCreationEvent within 5 where TargetInstance ISA 'Win32_PrintJob'" `
    -Action { Write-Host -Object "New print job created" }
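A complete temporary-subscription lifecycle, as an added example that is not part of the slides: instead of an -Action block it consumes events with Wait-Event, and it uses the Get-EventSubscriber and Unregister-Event cmdlets from the cmdlet slide to tear the subscription down. The watch window, log path and the choice of Win32_Service as the class to watch are assumptions; new service registrations are simply a useful thing for an admin or security team to have a record of.

```powershell
# Added example (not from the slides): log every new service registered on
# the local machine for a fixed watch window, then clean up the subscription.
$LogPath  = Join-Path $env:TEMP 'new-services.log'   # assumed log location
$WatchFor = New-TimeSpan -Minutes 5                   # assumed watch window
$SourceId = 'NewServiceWatch'

# Same WQL event-query shape as the slides: poll every 10 seconds for
# creation events whose target instance is a Win32_Service.
Register-WmiEvent -SourceIdentifier $SourceId `
    -Query "select * from __InstanceCreationEvent within 10 where TargetInstance ISA 'Win32_Service'"

$deadline = (Get-Date) + $WatchFor
try {
    while ((Get-Date) -lt $deadline) {
        # Wait-Event blocks until an event arrives or the timeout (in seconds) elapses.
        $evt = Wait-Event -SourceIdentifier $SourceId -Timeout 30
        if ($null -eq $evt) { continue }

        $svc  = $evt.SourceEventArgs.NewEvent.TargetInstance
        $line = '{0:s} {1} name={2} path="{3}" start={4} account={5}' -f `
            $evt.TimeGenerated, $env:COMPUTERNAME, $svc.Name, $svc.PathName, $svc.StartMode, $svc.StartName
        Add-Content -Path $LogPath -Value $line
        Write-Host $line

        # Received events stay in the session queue until removed.
        Remove-Event -EventIdentifier $evt.EventIdentifier
    }
}
finally {
    # Always tear the subscription down, even if the loop was interrupted
    # with Ctrl+C; otherwise it lives on until the PowerShell session exits.
    if (Get-EventSubscriber -SourceIdentifier $SourceId -ErrorAction SilentlyContinue) {
        Unregister-Event -SourceIdentifier $SourceId
    }
}
```

Consuming events with Wait-Event keeps the handling code in the main script flow, which is easier to debug than an -Action scriptblock that runs in its own scope; the try/finally makes the "terminated when application exits" property of temporary subscriptions explicit rather than accidental.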

Permanent WMI Events

• New-WmiEventFilter
• New-WmiEventConsumer
• New-WmiFilterToConsumerBinding
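Because permanent subscriptions are registered inside WMI and survive reboots, the first thing a security team wants is an inventory of the ones already present. The script below, as an added example that is not part of the slides or of the PowerEvents module, lists every __FilterToConsumerBinding in root\subscription together with the filter's query and the consumer's payload, using the built-in Get-WmiObject cmdlet. The ComputerName parameter is an assumption; on a stock Windows installation the only binding you should expect is the built-in "SCM Event Log Filter" / "SCM Event Log Consumer" pair, so anything else on the list deserves a second look.

```powershell
# Added example (not from the slides): inventory permanent WMI event
# subscriptions on a host. Run with -ComputerName to audit a remote machine.
param([string]$ComputerName = '.')   # assumed parameter; '.' is the local host

$ns        = 'root\subscription'
$filters   = @{}
$consumers = @{}

# Filters carry the WQL event query and the namespace it runs in.
Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class __EventFilter |
    ForEach-Object { $filters[$_.Name] = $_ }

# __EventConsumer is the abstract base class, so one query returns every
# concrete consumer type (CommandLine, ActiveScript, LogFile, NTEventLog, SMTP).
Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class __EventConsumer |
    ForEach-Object { $consumers[$_.Name] = $_ }

Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class __FilterToConsumerBinding |
    ForEach-Object {
        # Filter and Consumer are object-path references such as
        # __EventFilter.Name="SCM Event Log Filter"; pull the key out of each.
        $filterName   = if ($_.Filter   -match 'Name="([^"]*)"') { $Matches[1] } else { $_.Filter }
        $consumerName = if ($_.Consumer -match 'Name="([^"]*)"') { $Matches[1] } else { $_.Consumer }
        $f = $filters[$filterName]
        $c = $consumers[$consumerName]

        # The interesting field differs per consumer type: what it runs, what it
        # writes, or where it writes to.
        $payload = switch ($c.__CLASS) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
            'LogFileEventConsumer'      { $c.Filename }
            'NTEventLogEventConsumer'   { $c.InsertionStringTemplates -join ' ' }
            'SMTPEventConsumer'         { $c.ToLine }
            default                     { $null }
        }

        New-Object PSObject -Property @{
            Host           = $ComputerName
            Filter         = $filterName
            EventNamespace = $f.EventNamespace
            Query          = $f.Query
            Consumer       = $consumerName
            ConsumerType   = $c.__CLASS
            Payload        = $payload
        }
    } | Format-List Host, Filter, EventNamespace, Query, Consumer, ConsumerType, Payload
```

Resolving the two references through hashtables keyed on Name avoids re-fetching each object by path, which also keeps the script working against remote hosts where a relative object path would otherwise resolve against the wrong machine.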

PowerShell v3

• Get-CimAssociatedInstance
• Get-CimClass
• Get-CimInstance
• Get-CimSession
• Invoke-CimMethod
• New-CimInstance
• New-CimSessionOption
• Register-CimIndicationEvent
• Remove-CimInstance
• Remove-CimSession
• Set-CimInstance

Use WinRM and avoid DCOM / RPC nightmares!
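The same tasks done with the v3 CIM cmdlets over WinRM, as an added example that is not part of the slides: one CimSession carries the instance queries, the association walk and a temporary event subscription, and the DCOM session option is shown only as the fallback for hosts without WinRM. The host name server01 is a placeholder.

```powershell
# Added example (not from the slides): CIM cmdlets over a single WinRM session.
$Target = 'server01'   # placeholder host name

# New-CimSession defaults to the WSMan protocol (WinRM, TCP 5985/5986).
$Session = New-CimSession -ComputerName $Target

# Fallback for a host that has WMI but no WinRM listener: DCOM/RPC, the very
# thing the slide is steering away from.
# $Session = New-CimSession -ComputerName $Target -SessionOption (New-CimSessionOption -Protocol Dcom)

# Instances come back as inert CIM data, not live COM proxies, so reading
# their properties afterwards needs no further round trips.
Get-CimInstance -CimSession $Session -ClassName Win32_Share |
    Select-Object Name, Path, Type

# Timestamps are already System.DateTime values; no ConvertToDateTime needed.
$os = Get-CimInstance -CimSession $Session -ClassName Win32_OperatingSystem
"{0}: {1}, last boot {2}" -f $Target, $os.Caption, $os.LastBootUpTime

# Association traversal: logical disks that sit on each disk partition.
Get-CimInstance -CimSession $Session -ClassName Win32_DiskPartition |
    ForEach-Object {
        Get-CimAssociatedInstance -CimSession $Session -InputObject $_ -ResultClassName Win32_LogicalDisk
    } | Select-Object DeviceID, FreeSpace, Size

# Temporary event subscription over the same session; the WQL is identical to
# the Register-WmiEvent examples, only the transport changed.
Register-CimIndicationEvent -CimSession $Session -SourceIdentifier 'RemoteProcStart' `
    -Query "select * from __InstanceCreationEvent within 5 where TargetInstance ISA 'Win32_Process'" `
    -Action {
        $p = $Event.SourceEventArgs.NewEvent.TargetInstance
        Write-Host ("[{0}] {1}: {2} started, pid {3}" -f $Event.TimeGenerated, $Event.ComputerName, $p.Name, $p.ProcessId)
    }

# Cleanup when finished: the subscription first, then the session it rides on.
# Unregister-Event -SourceIdentifier 'RemoteProcStart'
# Remove-CimSession -CimSession $Session
```

Reusing one session for queries, associations and the event subscription is the practical payoff of the CIM cmdlets: authentication and transport are negotiated once, and the firewall only has to allow WinRM rather than the dynamic RPC port range that DCOM needs.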

Call to action

• Browse WMI with SAPIEN WMI Explorer
  ◦ http://www.sapien.com/downloads
• Try out the WMI cmdlets and type accelerators
• Learn about WMI eventing
  ◦ http://powerevents.codeplex.com/

Thanks for coming!