WMIC for Windows live-response data collection. Deprecated by Microsoft but still present on most fielded Windows systems; PowerShell Get-CimInstance is the modern equivalent. Pair WMIC with output redirection or /record: to preserve provenance.
Side: blue
Syntax
wmic [global switches] <alias> [where clause] <verb> [properties] [format]
Verbs: get extracts specific properties; list brief shows condensed output; list full shows all properties; call invokes methods (e.g. terminate a process — never on a forensic target).
Output redirection:
wmic /output:C:\evidence\result.txt <command> # write result to file
wmic /append:C:\evidence\combined.txt <command> # append instead of overwrite
wmic /output:CLIPBOARD <command> # copy result to clipboard
wmic <command> > result.txt # standard redirect
wmic /record:C:\evidence\session.xml <command> # record cmd + output + timestamps to XML
Combine /output: with /record: for both a human-readable result file and a timestamped audit trail.
Remote query:
wmic /node:"192.168.1.50" /user:"DOMAIN\analyst" /password:"<pwd>" <command>
wmic /node:"192.168.1.50" /user:"DOMAIN\analyst" <command> # omit /password: and WMIC prompts for it
wmic /node:@"C:\targets.txt" os get caption # query hosts from a file
A password given on the command line is visible in process listings and shell history; prefer the prompt. Remote queries go over DCOM/RPC (TCP 135 plus dynamic ports) and need administrative rights on the target.
Monitoring (refresh every N seconds, Ctrl+C to stop):
wmic process list brief /every:5
wmic cpu get loadpercentage /every:2
Where clauses
WMIC uses WQL — a SQL subset. Quoting rules below all give the same result; pick whichever avoids shell-quote conflicts.
wmic process where name="cmd.exe" get processid
wmic process where "name='cmd.exe'" get processid
wmic process where (name="cmd.exe") get processid
Wildcards with LIKE: % matches any number of characters, _ matches exactly one.
wmic process where "name like '%svc%'" list brief # contains 'svc'
wmic service where "name like 'Win%'" get name,state # starts with 'Win'
Combined conditions with AND / OR / NOT. Operators: =, !=, <, >, <=, >=, LIKE.
wmic useraccount where "Disabled=0 AND LocalAccount=1" get Name
wmic service where "StartMode='Auto' AND State='Stopped'" get Name,PathName
wmic share where "NOT Name LIKE '%$'" get Name,Path
Backslashes in path values must be doubled, because backslash is the WQL escape character: path='\\windows\\system32\\wbem\\'.
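The quoting rules above matter most when the filter value comes from somewhere else (an IOC list, a ticket, another tool's output): an unescaped quote ends the literal and the rest of the value becomes part of the WHERE clause. The block below is an added Python example, not code from the original page, showing a small clause builder that escapes values per the WQL rules (backslash is the escape character, so path separators are doubled and quotes escaped), whitelists property names and operators, and hands the finished clause to wmic as one argv element. The function names and the hostile sample value are the example's own.

```python
import re

# Escape a value for use inside a single-quoted WQL string literal.
# WQL's escape character is the backslash, so path separators must be
# doubled and embedded quotes escaped; otherwise an analyst-supplied
# value can terminate the literal and rewrite the WHERE clause.
def wql_literal(value: str) -> str:
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return f"'{escaped}'"


_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")   # shape of a WMI property name
_OPS = {"=", "!=", "<>", "<", ">", "<=", ">=", "LIKE"}


def wql_condition(prop: str, op: str, value) -> str:
    """Build one `Property OP literal` term. The property name and operator
    are whitelisted; the value is rendered as a typed WQL literal."""
    if not _IDENT.match(prop):
        raise ValueError(f"invalid property name: {prop!r}")
    op = op.upper()
    if op not in _OPS:
        raise ValueError(f"unsupported operator: {op!r}")
    if isinstance(value, bool):            # WQL booleans are bare TRUE/FALSE
        literal = "TRUE" if value else "FALSE"
    elif isinstance(value, int):
        literal = str(value)
    else:
        literal = wql_literal(str(value))
    return f"{prop} {op} {literal}"


def wql_where(*terms: str, joiner: str = "AND") -> str:
    """Join terms into the body of a WHERE clause; prefix a term with NOT
    yourself if you need negation."""
    if joiner.upper() not in {"AND", "OR"}:
        raise ValueError(f"unsupported joiner: {joiner!r}")
    return f" {joiner.upper()} ".join(terms)


def wmic_argv(alias: str, where: str, *rest: str) -> list:
    """argv for subprocess.run(): the whole WHERE body travels as a single
    argument, so cmd.exe quoting cannot split it apart."""
    return ["wmic", alias, "where", where, *rest]


if __name__ == "__main__":
    hostile = "cmd.exe' OR Name LIKE '%"           # constructed hostile input
    print(wql_condition("Name", "=", hostile))      # stays one string literal
    print(wmic_argv(
        "process",
        wql_where(wql_condition("ExecutablePath", "LIKE", "C:\\Users\\%"),
                  wql_condition("ParentProcessId", "=", 4)),
        "get", "ProcessId,CommandLine"))
```

The same literal form is what Get-CimInstance -Filter expects, so the builder serves both the WMIC and the PowerShell side of this page.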
Forensic queries by data type
System
wmic computersystem get Name,Domain,Manufacturer,Model,TotalPhysicalMemory
wmic os get Caption,Version,BuildNumber,OSArchitecture,InstallDate,LastBootUpTime
wmic os get FreePhysicalMemory,FreeVirtualMemory,TotalVisibleMemorySize
wmic bios get serialnumber,version
wmic cpu get Name,NumberOfCores,NumberOfLogicalProcessors
wmic timezone get caption # system timezone (critical for timestamps)
wmic environment list # env vars including PATH
Processes
wmic process list brief # PID, name, memory
wmic process get name,processid,parentprocessid,executablepath,commandline
wmic process where "ProcessID=1234" get CommandLine # full args for one PID
wmic process where "name='svchost.exe'" get processid,parentprocessid
call create and call terminate modify state; never use them on a forensic target.
Users and groups
wmic useraccount list full
wmic useraccount get Name,SID,Status,Disabled,Lockout
wmic useraccount where "Disabled=0 AND LocalAccount=1" get Name # active local accounts
wmic group list brief
wmic sysaccount list # built-in service accounts
wmic netlogin where (name like "%username") get NumberOfLogons
Network
wmic nic get Name,MACAddress,NetEnabled
wmic nicconfig list # full IP/DNS/DHCP detail
wmic nicconfig where IPEnabled='true' get IPAddress,MACAddress,DefaultIPGateway,DNSServerSearchOrder
Services
wmic service list brief # name, state, start mode
wmic service get Caption,Name,StartMode,State,PathName # PathName reveals binary location
wmic service where (state="running") get Caption,Name,PathName
wmic service where "State='Stopped' AND StartMode='Auto'" get Name,PathName
Services whose PathName points into a user-writable directory or an unusual location, or whose PathName is unquoted and contains spaces (the service controller tries each space-delimited prefix), are persistence-suspect. Compare against a known-good baseline.
Disk and storage
wmic diskdrive get Name,Size,Model,InterfaceType,MediaType
wmic partition get name,size,type
wmic logicaldisk where DriveType=3 get Name,FileSystem,FreeSpace,Size,VolumeSerialNumber
DriveType values: 2 = removable, 3 = local fixed, 4 = network, 5 = optical.
Installed software and patches
wmic product get Name,Version,Vendor # slow; queries every MSI
wmic qfe list # installed hotfixes / updates
wmic qfe get HotFixID,InstalledOn,Description
Win32_Product triggers an MSI consistency check on every installed package: it takes minutes and can kick off MSI repair actions on a live host. Use sparingly.
Startup and shares
wmic startup list full # all autostart entries
wmic startup get Caption,Command,User,Location # what runs at boot, for whom, where
wmic share list brief # all shares including hidden ($)
wmic share where "NOT Name LIKE '%$'" get Name,Path # user-created shares only
Cross-reference against the HKCU:\...\Run and HKLM:\...\Run registry keys.
Event logs
wmic ntevent where (EventCode=4624) list brief # filter by event ID; without a LogFile term this walks every log
wmic ntevent where "LogFile='Security' AND EventCode=4624" get EventCode,TimeGenerated,Message
wmic nteventlog get LogFileName,NumberOfRecords,FileSize # log file metadata
For non-trivial event-log analysis, use Get-WinEvent (PowerShell) or Event Viewer; WMIC is impractical for large queries.
Output formatting
wmic os get caption /format:list # property=value
wmic os get caption /format:csv # CSV
wmic os get /format:hform > os.html # HTML form report
Common formats (not an exhaustive list): csv, list, htable, hform, rawxml, xml, value.
WMIC writes UTF-16 LE text and ends every line with <CR><CR><LF>; the extra CR shows up as blank lines when piping:
wmic process get name | find /v "" # strip extra blank lines
wmic os get caption /value | find "=" # cleanest parseable form
PowerShell equivalents
PowerShell is scriptable, returns objects, and has no UTF-16 quirk. Map any WMIC alias to its WMI class with wmic alias <alias> get target.
| WMIC | PowerShell equivalent |
|---|---|
| wmic os list full | Get-CimInstance Win32_OperatingSystem |
| wmic process list brief | Get-CimInstance Win32_Process \| Select Name,ProcessId,ParentProcessId |
| wmic computersystem get Name,Domain | Get-CimInstance Win32_ComputerSystem \| Select Name,Domain |
| wmic bios get serialnumber | Get-CimInstance Win32_BIOS \| Select SerialNumber |
| wmic service list brief | Get-Service \| Select Name,DisplayName,Status,StartType |
| wmic nicconfig where IPEnabled='true' | Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True" |
| wmic qfe list | Get-HotFix |
| wmic useraccount list | Get-LocalUser |
| wmic startup list full | Get-CimInstance Win32_StartupCommand |
| wmic diskdrive list brief | Get-CimInstance Win32_DiskDrive \| Select Model,Size,InterfaceType |
| wmic ntevent where "LogFile='Security'" | Get-WinEvent -LogName Security |
PowerShell live response script
Single-script collection of host state to one output file. Scriptable, supports remote execution via Invoke-Command, no UTF-16 quirks.
# force one encoding for every write so all sections of ginfo.txt match:
# in Windows PowerShell 5.1 Out-File defaults to UTF-16 ('Unicode') while
# Add-Content defaults to ANSI, so set both explicitly ('utf8' is portable)
$PSDefaultParameterValues['Out-File:Encoding'] = 'utf8'
$PSDefaultParameterValues['Add-Content:Encoding'] = 'utf8'
$out = "ginfo.txt"
# users and groups
Add-Content $out "+++++++Local Users+++++++"
Get-LocalUser | Out-File -Append $out
Add-Content $out "+++++++Local Groups+++++++"
Get-LocalGroup | Out-File -Append $out
Add-Content $out "+++++++Local Administrators+++++++"
Get-LocalGroupMember Administrators | Out-File -Append $out
# services with startup type
Add-Content $out "+++++++Services+++++++"
Get-Service | Select-Object Name, DisplayName, Status, StartType | Out-File -Append $out
# system info
Add-Content $out "+++++++System Information+++++++"
Get-CimInstance -ClassName Win32_ComputerSystem |
Select-Object Name, Domain, Manufacturer, Model, TotalPhysicalMemory | Out-File -Append $out
# active network connections (process-attributed)
Add-Content $out "+++++++TCP Connections+++++++"
Get-NetTCPConnection |
Select-Object CreationTime, LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess, State |
Out-File -Append $out
# running processes with paths
Add-Content $out "+++++++Running Processes+++++++"
Get-Process | Select-Object StartTime, ProcessName, Id, Path | Out-File -Append $out
# scheduled tasks
Add-Content $out "+++++++Scheduled Tasks+++++++"
Get-ScheduledTask | Select-Object TaskName, TaskPath, Author, State | Out-File -Append $out
# autostart from registry Run key
Add-Content $out "+++++++Run Key Persistence+++++++"
Get-ItemProperty "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" | Out-File -Append $out
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" | Out-File -Append $out
Fallback for hosts where Get-LocalUser is unavailable (domain controllers, locked-down builds):
Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True"
Get-CimInstance Win32_Group -Filter "LocalAccount=True"
Get-CimInstance Win32_GroupUser | Where-Object { $_.GroupComponent -like '*Administrators*' }
WMIC-only collection (legacy hosts)
When PowerShell is restricted or unavailable, run from a trusted USB and write to external storage:
wmic /output:E:\evidence\system.txt computersystem list full
wmic /output:E:\evidence\os.txt os list full
wmic /output:E:\evidence\processes.txt process get Name,ProcessID,ParentProcessID,ExecutablePath,CommandLine
wmic /output:E:\evidence\services.txt service get Caption,Name,StartMode,State,PathName
wmic /output:E:\evidence\users.txt useraccount list full
wmic /output:E:\evidence\startup.txt startup list full
wmic /output:E:\evidence\nic.txt nicconfig list
wmic /output:E:\evidence\shares.txt share list
wmic /output:E:\evidence\disks.txt diskdrive list full
wmic /output:E:\evidence\patches.txt qfe list
Each command leaves a small forensic footprint on the target. Always capture memory before running these.
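Back on the analyst workstation the collected files have to be parsed, and that is where the UTF-16 LE / <CR><CR><LF> quirk from Output formatting bites. The block below is an added Python example, not code from the original page: it decodes a WMIC /output: file, parses /format:list records (the property=value form the page calls the cleanest to parse), and applies the Services-section heuristic (binary in a user-writable or non-standard location, or an unquoted path with spaces). It assumes the services file was collected with /format:list appended to the service command above; the records in SAMPLE are constructed for the example and are not real evidence, and the function names and the TRUSTED_ROOTS/USER_WRITABLE lists are the example's own.

```python
import re

# --- Parsing: what `wmic /output:<file> ... /format:list` writes ----------

def parse_wmic_list(raw: bytes) -> list:
    """Parse WMIC /format:list (or /value) output into a list of dicts.

    WMIC writes UTF-16 LE (with a BOM when /output: is used) and ends each
    line with CR CR LF; records are Property=Value lines separated by blank
    lines. The 'utf-16' codec consumes a BOM if present and otherwise uses
    the native byte order, so both /output: files and '>' redirects parse.
    """
    text = raw.decode("utf-16").replace("\r", "")
    records, current = [], {}
    for line in text.split("\n"):
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition("=")   # values may themselves contain '='
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


# --- Triage: services whose binary lives somewhere it should not -----------

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\users\\", "\\public\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
_FIRST_EXE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


def service_binary(pathname: str):
    """Split Win32_Service.PathName into (executable path, was_quoted).

    For an unquoted path the service controller tries each space-delimited
    prefix in turn, so an unquoted path with spaces is a hijack candidate;
    the text up to the first '.exe' is taken as the intended binary.
    """
    p = pathname.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return (p[1:end] if end > 0 else p[1:]), True
    m = _FIRST_EXE.match(p)
    return (m.group(1) if m else p.split(" ", 1)[0]), False


def triage_services(records) -> list:
    """Return (service name, reason, executable) tuples for persistence-
    suspect entries. Heuristics only: confirm against a known-good baseline."""
    findings = []
    for rec in records:
        pathname = rec.get("PathName", "")
        if not pathname:                       # some drivers report no path
            continue
        exe, quoted = service_binary(pathname)
        low = exe.lower()
        if not quoted and " " in exe:
            findings.append((rec["Name"], "unquoted path with spaces", exe))
        if any(tag in low for tag in USER_WRITABLE):
            findings.append((rec["Name"], "user-writable location", exe))
        elif not low.startswith(TRUSTED_ROOTS):
            findings.append((rec["Name"], "outside standard roots", exe))
    return findings


# --- Constructed sample (not real evidence): a services.txt written by
#     `wmic /output:... service get Name,PathName,StartMode,State /format:list`

def _as_wmic_bytes(text: str) -> bytes:
    """Encode the way WMIC /output: does: BOM + UTF-16 LE + CR CR LF endings."""
    return ("\ufeff" + text.replace("\n", "\r\r\n")).encode("utf-16-le")


SAMPLE = _as_wmic_bytes(
    "\n"
    "Name=Spooler\nPathName=C:\\Windows\\System32\\spoolsv.exe\nStartMode=Auto\nState=Running\n\n\n"
    "Name=Dhcp\nPathName=C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted\nStartMode=Auto\nState=Running\n\n\n"
    "Name=VendorUpdater\nPathName=C:\\Program Files\\Vendor App\\updater.exe /svc\nStartMode=Auto\nState=Running\n\n\n"
    "Name=GoodApp\nPathName=\"C:\\Program Files\\Good App\\svc.exe\" --run\nStartMode=Auto\nState=Running\n\n\n"
    "Name=Helper\nPathName=C:\\Users\\Public\\helper.exe\nStartMode=Auto\nState=Stopped\n\n\n"
    "Name=NullDrv\nPathName=\nStartMode=Manual\nState=Stopped\n\n\n"
)

if __name__ == "__main__":
    for name, reason, exe in triage_services(parse_wmic_list(SAMPLE)):
        print(f"{name:14} {reason:28} {exe}")
```

The list/value form is used instead of csv because PathName values legitimately contain quotes and may contain commas, which a CSV reader will misinterpret; with property=value lines only the first "=" is a delimiter.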
links:
Field Manual | Data Acquisition | Windows Forensic Artifacts