Overview

The getenv action retrieves environment variable values from local and remote systems by querying the Win32_Environment WMI class. It can retrieve all environment variables or specific variables by name.

Syntax

SharpWMI.exe action=getenv [name=VARIABLE_NAME[,NAME2,...]] [computername=HOST[,HOST2,...]] [username=DOMAIN\user] [password=Password]

Parameters

Parameter      Required   Description
action         Yes        Must be getenv
name           No         Variable name(s), comma-separated. If omitted, retrieves all
computername   No         Target host(s), comma-separated. Defaults to localhost
username       No         Username for authentication
password       No         Password for authentication

Usage Examples

Get All Environment Variables

SharpWMI.exe action=getenv

Get Specific Variables

SharpWMI.exe action=getenv name=PATH computername=target.domain.com

Example Output

  Scope: \\target.domain.com\root\cimv2
  Query: "select Name,VariableValue,UserName From Win32_Environment WHERE Name='PATH'"

                          Name : PATH
                 VariableValue : C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem
                      UserName : <SYSTEM>

                          Name : PATH
                 VariableValue : C:\Users\jdoe\AppData\Local\Microsoft\WindowsApps
                      UserName : DOMAIN\jdoe

Environment Variable Scope

Environment variables have different scopes, which show up in the UserName column of the output:

Scope      UserName Value     Description
System     <SYSTEM>           System-wide variables
User       DOMAIN\username    User-specific variables
Volatile   Varies             Temporary session variables

Operational Use Cases

Scenario 1: Information Gathering

# Get user context information
SharpWMI.exe action=getenv name=USERNAME,USERDOMAIN,COMPUTERNAME computername=target.domain.com

# Get file paths
SharpWMI.exe action=getenv name=TEMP,APPDATA,PROGRAMFILES computername=target.domain.com

# Get system info
SharpWMI.exe action=getenv name=OS,PROCESSOR_ARCHITECTURE,NUMBER_OF_PROCESSORS computername=target.domain.com

Scenario 2: Detect Security Tools

# Check PATH for security tool directories
SharpWMI.exe action=getenv name=PATH computername=target.domain.com
Look for:
  • AV installation paths
  • EDR agent directories
  • Security monitoring tools
  • Defensive software

Scenario 3: Credential Hunting

# Check for credential-related variables
SharpWMI.exe action=getenv computername=target.domain.com
Look for:
  • Custom credential variables
  • API keys in environment
  • Database connection strings
  • Service account info

Scenario 4: Exfiltration Channel

# Store data in environment variable (using setenv)
SharpWMI.exe action=setenv name=DATA value="<exfiltrated_data>" computername=target.domain.com

# Retrieve stored data
SharpWMI.exe action=getenv name=DATA computername=target.domain.com

# Clean up
SharpWMI.exe action=delenv name=DATA computername=target.domain.com

Common Environment Variables

System Information

Variable                  Description
COMPUTERNAME              Computer name
USERDOMAIN                User’s domain
USERNAME                  Current username
OS                        Operating system
PROCESSOR_ARCHITECTURE    CPU architecture
NUMBER_OF_PROCESSORS      Processor count

Paths

Variable          Description
PATH              Executable search paths
TEMP / TMP        Temporary directory
APPDATA           Application data directory
LOCALAPPDATA      Local application data
USERPROFILE       User profile directory
PROGRAMFILES      Program Files directory
SystemRoot        Windows directory

User Session

Variable          Description
SESSIONNAME       Session name (Console, RDP)
LOGONSERVER       Domain controller used for logon
USERDNSDOMAIN     User’s DNS domain

Remote vs Local Usage

Local Query

SharpWMI.exe action=getenv name=PATH

Advantages:
  • No network traffic
  • No authentication required
  • Immediate results

Detection Considerations

  • WMI queries for Win32_Environment class
  • Event ID 5857: WMI activity
  • Sysmon Event ID 19-21: WMI operations
  • Environment variable enumeration from unusual sources
  • Bulk environment queries across systems
  • Queries for sensitive variables
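As an added example (not part of SharpWMI or this page), the script below applies the considerations above to a constructed log of observed WQL queries: it flags Win32_Environment queries, unfiltered full enumerations, name filters on sensitive-looking variables, and a single client querying the environment of several hosts. The record schema (client, target, user, query) is hypothetical, not a real Windows event layout.

```python
import json
import re
from collections import defaultdict

# Constructed sample records (hypothetical schema, not a real Windows event
# layout): one JSON object per observed WMI query, with the client that sent
# it, the target host, the account used, and the WQL text.
SAMPLE_LOG = r"""
{"client": "ws01", "target": "ws01", "user": "DOMAIN\\jdoe", "query": "SELECT Name,VariableValue,UserName FROM Win32_Environment WHERE Name='PATH'"}
{"client": "ws07", "target": "srv01", "user": "DOMAIN\\svc_ops", "query": "SELECT Name,VariableValue,UserName FROM Win32_Environment"}
{"client": "ws07", "target": "srv02", "user": "DOMAIN\\svc_ops", "query": "SELECT Name,VariableValue,UserName FROM Win32_Environment"}
{"client": "ws07", "target": "srv03", "user": "DOMAIN\\svc_ops", "query": "SELECT Name,VariableValue,UserName FROM Win32_Environment WHERE Name='DB_CONNECTION_STRING'"}
{"client": "ws02", "target": "srv01", "user": "DOMAIN\\admin", "query": "SELECT Name FROM Win32_Service WHERE State='Running'"}
"""

ENV_CLASS = re.compile(r"\bFROM\s+Win32_Environment\b", re.IGNORECASE)
NAME_FILTER = re.compile(r"\bName\s*=\s*'([^']*)'", re.IGNORECASE)
# Substrings that make a filtered variable name worth a closer look.
SENSITIVE_NAME = re.compile(r"KEY|SECRET|PASS|TOKEN|CRED|CONN", re.IGNORECASE)


def classify_query(query):
    """Return the findings that apply to one WQL query string."""
    findings = []
    if not ENV_CLASS.search(query):
        return findings  # not an environment-variable query at all
    findings.append("win32_environment_query")
    if not re.search(r"\bWHERE\b", query, re.IGNORECASE):
        findings.append("full_enumeration")  # no filter: every variable on the host
    for name in NAME_FILTER.findall(query):
        if SENSITIVE_NAME.search(name):
            findings.append("sensitive_variable:" + name)
    return findings


def analyze(log_text, fanout_threshold=3):
    """Classify each record and flag clients that query many hosts' environments."""
    per_record = []
    targets_by_client = defaultdict(set)
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        findings = classify_query(rec["query"])
        if findings:
            per_record.append((rec["client"], rec["target"], findings))
            targets_by_client[rec["client"]].add(rec["target"])
    # "Bulk environment queries across systems": one client, many targets.
    fanout = {c: sorted(t) for c, t in targets_by_client.items()
              if len(t) >= fanout_threshold}
    return {"records": per_record, "fanout": fanout}
```

Calling analyze(SAMPLE_LOG) returns the four Win32_Environment records with their findings and flags ws07 for enumerating the environment of three different hosts.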

Best Practices

Operational Security

  • Limit query frequency
  • Blend with legitimate admin activity
  • Use specific variable names when possible
  • Avoid bulk enumeration

Data Analysis

  • Filter system variables
  • Focus on user-specific values
  • Look for credentials in variables
  • Identify security tool paths

Troubleshooting

Cause: Variable doesn’t exist
Solution:
  • Check variable name spelling
  • Variable may be user-specific
  • Run without name parameter to see all variables

Cause: Insufficient privileges
Solution:
  • Use username and password parameters
  • Verify admin rights on target

Cause: No matching variables
Solution:
  • Verify WMI service is running
  • Check variable scope (system vs user)
  • Try querying all variables first

Alternative Query

# Get all environment variables
SharpWMI.exe action=query query="SELECT Name,VariableValue,UserName FROM Win32_Environment" computername=target

# Get specific variable
SharpWMI.exe action=query query="SELECT Name,VariableValue,UserName FROM Win32_Environment WHERE Name='PATH'" computername=target

# Get user-specific variables
SharpWMI.exe action=query query="SELECT Name,VariableValue FROM Win32_Environment WHERE UserName LIKE '%username%'" computername=target