
Overview

The query action executes WMI queries to enumerate system information both locally and remotely. WMI provides access to extensive system data including processes, services, hardware, network configuration, and security settings through a SQL-like query language (WQL).
WMI queries are one of the stealthiest enumeration methods on Windows as they generate minimal suspicious activity and are commonly used by legitimate system administration tools.

Syntax

Local Query:

SharpWMI.exe action=query query="<WQL_QUERY>" [namespace=NAMESPACE]

Remote Query (the computername, username and password parameters are described below):

SharpWMI.exe action=query computername=<HOST[,HOST2,...]> query="<WQL_QUERY>" [namespace=NAMESPACE] [username=USERNAME password=PASSWORD]

Parameters

| Parameter    | Required | Description                                            |
|--------------|----------|--------------------------------------------------------|
| action       | Yes      | Must be query                                          |
| query        | Yes      | WQL query string (SQL-like syntax)                     |
| computername | No       | Target host(s), comma-separated. Defaults to localhost |
| namespace    | No       | WMI namespace. Defaults to root\cimv2                  |
| username     | No       | Username for authentication (requires password)        |
| password     | No       | Password for authentication (requires username)        |
WQL queries use double quotes internally, so when passing to SharpWMI, use escaped quotes: query=""select * from win32_service""

WMI Namespaces

Common WMI namespaces for enumeration:
| Namespace                       | Description                                    | Common Classes                                  |
|---------------------------------|------------------------------------------------|-------------------------------------------------|
| root\cimv2                      | Default namespace with most system information | Win32_Process, Win32_Service, Win32_UserAccount |
| root\SecurityCenter2            | Security products (AV, Firewall)               | AntiVirusProduct, FirewallProduct               |
| ROOT\StandardCIMV2              | Network and storage (Win8+)                    | MSFT_NetTCPConnection, MSFT_NetFirewallRule     |
| root\Microsoft\Windows\Defender | Windows Defender                               | MSFT_MpComputerStatus, MSFT_MpPreference        |
| root\directory\ldap             | Active Directory information                   | ds_user, ds_computer, ds_group                  |

Usage Examples

Basic Queries

SharpWMI.exe action=query query="select * from win32_process"

Security Enumeration

SharpWMI.exe action=query query="SELECT displayName,pathToSignedProductExe,pathToSignedReportingExe FROM AntiVirusProduct" namespace="root\SecurityCenter2"
Detects installed antivirus products on Windows 7-10.
SharpWMI.exe action=query query="SELECT displayName,pathToSignedProductExe FROM FirewallProduct" namespace="root\SecurityCenter2"
Identifies third-party firewall products.
SharpWMI.exe action=query query="SELECT AMServiceEnabled,AntispywareEnabled,AntivirusEnabled,RealTimeProtectionEnabled FROM MSFT_MpComputerStatus" namespace="root\Microsoft\Windows\Defender"
Checks Windows Defender protection status.

Process Enumeration

SharpWMI.exe action=query query="SELECT ProcessId,Name,ExecutablePath,CommandLine FROM Win32_Process"
Lists all running processes with full command lines.
SharpWMI.exe action=query query="SELECT ProcessId,Name,ExecutablePath FROM Win32_Process WHERE Name='powershell.exe' OR Name='cmd.exe'"
Find specific processes (useful for detecting shells).
SharpWMI.exe action=query query="SELECT ProcessId,Name FROM Win32_Process WHERE Handle IN (SELECT ProcessID FROM Win32_Process WHERE GetOwner()='Administrator')"
Note: this query is not valid WQL. WQL supports neither subqueries nor method calls such as GetOwner(), so filtering processes by owner requires an alternative approach: query Win32_Process first, then call GetOwner() on each returned instance.

User and Group Enumeration

SharpWMI.exe action=query query="SELECT Name,LocalAccount,Disabled,PasswordRequired FROM Win32_UserAccount WHERE LocalAccount=True"
Lists local user accounts and their properties.
SharpWMI.exe action=query query="SELECT Name,SID FROM Win32_Group WHERE LocalAccount=True"
Enumerates local security groups.
SharpWMI.exe action=query query="SELECT PartComponent FROM Win32_GroupUser WHERE GroupComponent=""Win32_Group.Domain='COMPUTERNAME',Name='Administrators'"""
Lists members of the local Administrators group.

Network Enumeration

SharpWMI.exe action=query computername=target.domain.com query="Select LocalPort,RemoteAddress,OwningProcess from MSFT_NetTCPConnection WHERE State=5" namespace="ROOT\StandardCIMV2"
Shows established TCP connections (similar to netstat). State=5 means ESTABLISHED.
SharpWMI.exe action=query query="SELECT Description,MACAddress,IPAddress,DefaultIPGateway FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled=True"
Lists network adapter configurations.
SharpWMI.exe action=query query="SELECT Name,Path,Description,Type FROM Win32_Share"
Enumerates network shares. Type=0 is disk drive, Type=1 is print queue.

Software and Updates

SharpWMI.exe action=query query="SELECT Name,Version,Vendor,InstallDate FROM Win32_Product"
Lists installed software (can be slow on some systems).
SharpWMI.exe action=query query="SELECT HotFixID,Description,InstalledOn FROM Win32_QuickFixEngineering"
Shows installed Windows updates.
SharpWMI.exe action=query query="SELECT Name,Command,User FROM Win32_StartupCommand"
Lists programs that run at startup.

Service Enumeration

SharpWMI.exe action=query query="SELECT Name,DisplayName,PathName,StartMode,State FROM Win32_Service WHERE State='Running'"
Lists all running services.
SharpWMI.exe action=query query="SELECT Name,DisplayName,PathName FROM Win32_Service WHERE StartMode='Auto' AND State='Stopped'"
Finds auto-start services that aren’t running.
SharpWMI.exe action=query query="SELECT Name,DisplayName,PathName FROM Win32_Service WHERE StartName='LocalSystem'"
Identifies services running with SYSTEM privileges.

Scheduled Tasks

SharpWMI.exe action=query query="SELECT JobId,Name,Command,Owner FROM Win32_ScheduledJob"
Lists scheduled tasks (legacy scheduled jobs only).

System Information

SharpWMI.exe action=query query="SELECT Caption,Version,OSArchitecture,BuildNumber,InstallDate FROM Win32_OperatingSystem"
Gets OS version and details.
SharpWMI.exe action=query query="SELECT Name,Domain,Manufacturer,Model,TotalPhysicalMemory FROM Win32_ComputerSystem"
Hardware and domain information.
SharpWMI.exe action=query query="SELECT Manufacturer,Version,ReleaseDate,SerialNumber FROM Win32_BIOS"
BIOS details (useful for VM detection).

Persistence Detection

# Check for event filters
SharpWMI.exe action=query query="SELECT Name,Query FROM __EventFilter" namespace="root\subscription"

# Check for event consumers
SharpWMI.exe action=query query="SELECT Name,ScriptText FROM ActiveScriptEventConsumer" namespace="root\subscription"

# Check for bindings
SharpWMI.exe action=query query="SELECT Filter,Consumer FROM __FilterToConsumerBinding" namespace="root\subscription"
Detects WMI-based persistence mechanisms.
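The three queries above return filters, consumers and bindings as separate result sets, so reviewing them means joining each binding back to the filter query and consumer payload it references. The following Python script is an added example (not part of SharpWMI or its documentation) that performs that join over constructed sample rows shaped like the (Name, Query), (Name, ScriptText) and (Filter, Consumer) columns those queries select. The object-path regex, the baseline entry for the stock "SCM Event Log Filter" binding, and the flag names are this example's own assumptions.

```python
"""Join WMI event filters, consumers and bindings into a review report.

Added example, not part of SharpWMI or its documentation. The rows below are
constructed sample data shaped like the (Name, Query), (Name, ScriptText) and
(Filter, Consumer) columns the three root\\subscription queries select.
"""
import re

# Constructed sample rows. The first binding is the one Windows ships with;
# the second is a constructed ActiveScriptEventConsumer subscription.
EVENT_FILTERS = [
    {"Name": "SCM Event Log Filter",
     "Query": "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_Service'"},
    {"Name": "Updater",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
              "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
]
SCRIPT_CONSUMERS = [
    {"Name": "Updater",
     "ScriptText": 'CreateObject("WScript.Shell").Run "C:\\ProgramData\\updater.vbs"'},
]
BINDINGS = [
    {"Filter": '__EventFilter.Name="SCM Event Log Filter"',
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"'},
    {"Filter": '__EventFilter.Name="Updater"',
     "Consumer": 'ActiveScriptEventConsumer.Name="Updater"'},
]

# Binding present on a stock Windows install (assumed baseline for this example).
BASELINE = {("SCM Event Log Filter", "NTEventLogEventConsumer", "SCM Event Log Consumer")}

# Consumer classes that run code when their filter fires.
CODE_CONSUMERS = {"ActiveScriptEventConsumer", "CommandLineEventConsumer"}

# Matches object paths of the form Class.Name="value" (assumed format).
REF_RE = re.compile(r'^(?P<cls>\w+)\.Name="(?P<name>[^"]*)"$')


def parse_ref(ref):
    """Split an object path such as __EventFilter.Name="X" into (class, name)."""
    m = REF_RE.match(ref.strip())
    if not m:
        raise ValueError(f"unrecognised object path: {ref!r}")
    return m.group("cls"), m.group("name")


def audit_bindings(filters, consumers, bindings):
    """Return one entry per binding: resolved filter query, consumer class and
    name, the script payload (for ActiveScript consumers) and review flags."""
    query_by_filter = {f["Name"]: f["Query"] for f in filters}
    script_by_consumer = {c["Name"]: c["ScriptText"] for c in consumers}
    report = []
    for b in bindings:
        _, fname = parse_ref(b["Filter"])
        ccls, cname = parse_ref(b["Consumer"])
        flags = []
        if (fname, ccls, cname) in BASELINE:
            flags.append("baseline")
        if ccls in CODE_CONSUMERS:
            flags.append("executes-code")
        if fname not in query_by_filter:
            flags.append("dangling-filter")  # binding references a filter that no longer exists
        payload = script_by_consumer.get(cname) if ccls == "ActiveScriptEventConsumer" else None
        report.append({
            "filter": fname,
            "query": query_by_filter.get(fname),
            "consumer": f"{ccls}:{cname}",
            "payload": payload,
            "flags": flags,
            # Anything outside the baseline that runs code or points nowhere deserves review.
            "suspicious": "baseline" not in flags
                          and ("executes-code" in flags or "dangling-filter" in flags),
        })
    return report


if __name__ == "__main__":
    for entry in audit_bindings(EVENT_FILTERS, SCRIPT_CONSUMERS, BINDINGS):
        marker = "!!" if entry["suspicious"] else "ok"
        print(f"[{marker}] {entry['filter']} -> {entry['consumer']} {entry['flags']}")
        if entry["payload"]:
            print(f"     payload: {entry['payload']}")
```

The report keys the consumer by class as well as name because the same Name can exist in several consumer classes, and the binding's object path is the only place that says which one is wired up.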

Remote vs Local Usage

Local Enumeration

Advantages:
  • No network traffic
  • Works without admin privileges for most queries
  • No authentication required
  • Faster execution

Use Cases:
  • Post-exploitation enumeration
  • System reconnaissance after initial access
  • Service/software enumeration

SharpWMI.exe action=query query="select * from win32_service"

Detection Considerations

While WMI queries are common in enterprise environments, certain patterns can indicate malicious activity.

Behavioural patterns:
  • Unusual WMI queries from non-administrative tools
  • Queries against the SecurityCenter2 namespace
  • Bulk queries across multiple systems
  • Queries for process command lines
  • Event subscription enumeration
  • Queries originating from user workstations

Windows event log:
  • Event ID 5857: WMI activity
  • Event ID 5860: Registration of temporary event consumers
  • Event ID 5861: Registration of permanent event consumers

Sysmon:
  • Event ID 19: WMI event filter activity
  • Event ID 20: WMI consumer activity
  • Event ID 21: WMI consumer binding

Network:
  • DCOM traffic on port 135
  • Dynamic RPC ports (49152-65535)
  • Multiple WMI connections from a single source
  • WMI traffic from unusual source IPs
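The indicators above translate into three concrete rules: flag the subscription-related event IDs, flag queries against sensitive namespaces from hosts that are not expected to run them, and flag one source reaching many hosts in a short window. The Python below is an added example (not part of SharpWMI or its documentation) that runs those rules over constructed telemetry; the normalised field names (time, host, event_id, channel, source, namespace), the allowlisted admin host and the thresholds are this example's own assumptions, and the raw WMI-Activity and Sysmon event XML uses different field names.

```python
"""Rules for the WMI indicators listed above, run over constructed telemetry.

Added example, not part of SharpWMI or its documentation. The records use an
assumed, normalised field set (time, host, event_id, channel, source,
namespace) such as a SIEM might derive from the WMI-Activity and Sysmon
channels; the raw event XML of those channels uses different field names.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs from the list above that indicate subscription (persistence) activity.
PERSISTENCE_EVENTS = {
    ("WMI-Activity", 5860): "temporary event consumer registered",
    ("WMI-Activity", 5861): "permanent event consumer registered",
    ("Sysmon", 19): "WMI event filter activity",
    ("Sysmon", 20): "WMI consumer activity",
    ("Sysmon", 21): "WMI consumer-to-filter binding",
}
SENSITIVE_NAMESPACES = {"root\\securitycenter2", "root\\subscription"}
# Constructed allowlist: hosts expected to run remote WMI queries.
ADMIN_HOSTS = {"ADMIN-JUMP01"}

# Constructed sample telemetry. WS-042 queries itself, then three servers in
# quick succession (one of them in SecurityCenter2); SRV-WEB01 then logs a
# Sysmon binding event; ADMIN-JUMP01 performs a single routine remote query.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "host": "WS-042", "event_id": 5857,
     "channel": "WMI-Activity", "source": "WS-042", "namespace": "root\\cimv2"},
    {"time": "2024-05-01T09:00:05", "host": "SRV-FILE01", "event_id": 5857,
     "channel": "WMI-Activity", "source": "WS-042", "namespace": "root\\SecurityCenter2"},
    {"time": "2024-05-01T09:00:07", "host": "SRV-DB01", "event_id": 5857,
     "channel": "WMI-Activity", "source": "WS-042", "namespace": "root\\cimv2"},
    {"time": "2024-05-01T09:00:09", "host": "SRV-WEB01", "event_id": 5857,
     "channel": "WMI-Activity", "source": "WS-042", "namespace": "root\\cimv2"},
    {"time": "2024-05-01T09:02:00", "host": "SRV-WEB01", "event_id": 21,
     "channel": "Sysmon", "source": "SRV-WEB01", "namespace": "root\\subscription"},
    {"time": "2024-05-01T10:00:00", "host": "SRV-DB01", "event_id": 5857,
     "channel": "WMI-Activity", "source": "ADMIN-JUMP01", "namespace": "root\\cimv2"},
]


def detect(events, bulk_threshold=3, window=timedelta(minutes=5)):
    """Apply the three rules and return a list of alert dicts."""
    alerts = []
    remote_by_source = defaultdict(list)
    for e in events:
        key = (e["channel"], e["event_id"])
        if key in PERSISTENCE_EVENTS:
            alerts.append({"rule": "wmi-persistence", "severity": "high",
                           "host": e["host"], "detail": PERSISTENCE_EVENTS[key]})
        if (e["channel"] == "WMI-Activity"
                and e["namespace"].lower() in SENSITIVE_NAMESPACES
                and e["source"] not in ADMIN_HOSTS):
            alerts.append({"rule": "sensitive-namespace", "severity": "medium",
                           "host": e["host"],
                           "detail": f'{e["source"]} queried {e["namespace"]}'})
        # Remote activity from a non-admin source feeds the bulk rule below.
        if e["source"] != e["host"] and e["source"] not in ADMIN_HOSTS:
            remote_by_source[e["source"]].append(
                (datetime.fromisoformat(e["time"]), e["host"]))
    # Bulk rule: one source reaching >= bulk_threshold distinct hosts within window.
    for source, hits in remote_by_source.items():
        hits.sort()
        for start, _ in hits:
            targets = {h for t, h in hits if start <= t <= start + window}
            if len(targets) >= bulk_threshold:
                alerts.append({"rule": "bulk-remote-wmi", "severity": "high",
                               "host": source,
                               "detail": f"{len(targets)} hosts within {window}"})
                break
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['rule']} on {a['host']}: {a['detail']}")
```

The allowlist keeps routine administrative queries out of the sensitive-namespace and bulk rules; the persistence rule deliberately has no allowlist, because consumer registration is rare enough that every occurrence is worth a look.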

Best Practices

Query Optimization

  • Use WHERE clauses to filter results
  • Select specific properties instead of *
  • Avoid Win32_Product if possible (slow)
  • Test queries locally before remote execution

Operational Security

  • Blend in with legitimate admin activity
  • Use standard WMI namespaces when possible
  • Avoid bulk queries during business hours
  • Limit query frequency to avoid detection

Troubleshooting

Cause: Insufficient privileges or wrong credentials
Solution:
  • Verify credentials with username/password parameters
  • Ensure user is admin on target system
  • Check UAC remote restrictions

Cause: Syntax error in WQL query
Solution:
  • Test query with wmic.exe first: wmic /node:target process list
  • Verify WMI class exists in namespace
  • Check for proper quote escaping

Cause: Namespace doesn’t exist on target system
Solution:
  • Verify namespace exists: wmic /namespace:\\root path __NAMESPACE
  • Use default root\cimv2 for most queries
  • Some namespaces only exist on certain Windows versions