WMIC Quick Reference Guide
This article is a general reference topic for the WMI command-line (
wmic [alias] [where] [clause]
[alias] — process, share, startup, service, nicconfig, useraccount, etc.
[where] — where (name="cmd.exe"), where (parentprocessid!=[pid]"), etc.
[clause] — list [fulllbrief], get [attribl, attrib2], call [method].
|wmic [alias] get /?||List all attributes|
|wmic [alias] call /?||Callable methods|
|wmic process list full||Process attributes|
|wmic startupwmc service||Starts wmic service|
|wmic ntdomain list||Domain an DC info|
|wmic qfe||List all patches|
|wmic process call create "process_name"||Execute process|
|wmic process where name="process" call terminate||Terminate process|
|wmic logicaldisk get description,name||Get logical shares|
|wmic cpu get DataWidth /format:list||Display 32 || 64 bit|
Remotely determine logged in user
wmic /node:remotecomputer computersystern get username
List number of times user has logged on
wmic netlogin where (name like "%adm%") get numberoflogons
Get software names
wmic product get name /value
uninstall product XXX nointeractively
wmic product where name"XXX" call uninstall /nointeractive
Remotely start RDP
wmic /node:"machinename 4" path Win32_TerminalServiceSetting where AllowTSConnections="O" call SetAllowTSConnections "1"
Search for services with unquoted paths to binary
wmic service get name,displayname,patchname,startnode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v ""
Remote process listing every second
wmic /node:machinename process list brief /every:1
Execure SMB hosted file on remote sysytem with specific credentials
wmic /node: targetiP /user:domain\user /password:password process call create "\\smbiP\share\mybinary.exe"