Learning WMIC: part 3 – Software inventory per Critical Security Controls

Last time, we saw how to use WMIC to find the membership of an Active Directory group. That is useful and should be done periodically as part of an audit of the Windows environment.

Here’s another problem for WMIC to help with…

Problem: The Critical Security Controls identify Inventory of Authorized and Unauthorized Software as one of the desired controls. How would we use WMIC to help with this?

Solution:

A good place to start would be to identify the version of Windows that is being run on a computer. Use the OS alias within WMIC.

C:\Windows\system32>wmic os get version
Version
6.1.7601

This output is from a Windows 7 workstation.

Don’t forget that all the properties of the os alias are available with the /? parameter, like this…

C:\Windows\system32>wmic os /?
OS - Installed Operating System/s management.
HINT: BNF for Alias usage.
(<alias> [WMIObject] | <alias> [<path where>] | [<alias>] <path where>) [<verb clause>].
USAGE:
OS ASSOC [<format specifier>]
OS CALL <method name> [<actual param list>]
OS CREATE <assign list>
OS DELETE
OS GET [<property list>] [<get switches>]
OS LIST [<list format>] [<list switches>]
OS SET [<assign list>]

Another option would be to use the LIST parameter.

C:\Windows\system32>wmic os list brief
BuildNumber Organization RegisteredUser SerialNumber SystemDirectory Version
7601 Windows User 00371-OEM-9046457-06738 C:\Windows\system32 6.1.7601

After finding the operating system version, it is necessary to itemize the other software on the computer. The PRODUCT alias provides the interface to installation package task management.

There are a couple of options to extract the installed software information. Like with the OS example, either product list brief or product get name, version, vendor may be used.

C:\Windows\system32>wmic product get name, version, vendor
Name                            Vendor                 Version
VMware Tools                    VMware, Inc.           10.0.10.4301679
Microsoft .NET Framework 4.5.2  Microsoft Corporation  4.5.51209

These examples have all been running against the local computer in a command prompt window with administrative privileges. Remember that if you want to execute this against a remote computer, you must use the /node, /user, and /password switches as described in the first part of this series.

Now we have a way to list the software that is installed on a local or remote computer. This is one way to do a software inventory as part of Critical Security Control #2.
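
The control asks for authorized versus unauthorized software, so the listing still has to be compared against an approved list. The Python script below is an added example, not part of the original post: it parses the padded table that wmic product get name, version, vendor prints and flags anything not approved. The approved list, the "Example Toolbar" row, the version 4.5.52000 and the function names are constructed for illustration.

```python
import re

# Constructed sample in the fixed-width layout wmic prints. The first two
# rows come from the post; "Example Toolbar" is a made-up entry.
ROWS = [("Name", "Vendor", "Version"),
        ("VMware Tools", "VMware, Inc.", "10.0.10.4301679"),
        ("Microsoft .NET Framework 4.5.2", "Microsoft Corporation", "4.5.51209"),
        ("Example Toolbar", "Example Vendor", "1.0.0")]
SAMPLE = "\r\n".join(f"{n:<32}{v:<23}{ver:<17}" for n, v, ver in ROWS) + "\r\n\r\n"

# Assumed approved list: (name, vendor) -> set of approved versions.
AUTHORIZED = {
    ("VMware Tools", "VMware, Inc."): {"10.0.10.4301679"},
    ("Microsoft .NET Framework 4.5.2", "Microsoft Corporation"): {"4.5.52000"},
}

def parse_wmic_table(text):
    """Split wmic's padded table on the header's column offsets.

    Splitting on whitespace or commas would break values such as
    'VMware, Inc.' or 'Microsoft .NET Framework 4.5.2'.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+", lines[0])]
    ends = [start for _, start in cols[1:]] + [None]
    return [{name: ln[start:end].strip()
             for (name, start), end in zip(cols, ends)}
            for ln in lines[1:]]

def audit(inventory, authorized):
    """Return (status, name, version) for every item not cleanly approved."""
    findings = []
    for item in inventory:
        approved = authorized.get((item["Name"], item["Vendor"]))
        if approved is None:
            findings.append(("unauthorized", item["Name"], item["Version"]))
        elif item["Version"] not in approved:
            findings.append(("unapproved version", item["Name"], item["Version"]))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_wmic_table(SAMPLE), AUTHORIZED):
        print(*finding, sep=" | ")
```

When reading a saved wmic listing instead of the inline sample, open the file as UTF-16, which is how wmic writes redirected output. The product alias only reports software installed through Windows Installer, so programs installed other ways will not appear in this inventory.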
