Learning WMIC: part 3 – Software inventory per Critical Security Controls

Last time, we saw how to use WMIC to find the members of an Active Directory group. That is useful, and should be done periodically as part of auditing the Windows environment.

Here’s another problem for WMIC to help with…

Problem: The Critical Security Controls identify Inventory of Authorized and Unauthorized Software as one of the desired controls. How would we use WMIC to help with this?

Solution:

A good place to start would be to identify the version of Windows that is being run on a computer. Use the OS alias within WMIC.

C:\Windows\system32>wmic os get version
Version
6.1.7601

This output is from a Windows 7 workstation.

Don’t forget that all the properties of the os alias are available with the /? parameter, like this…

C:\Windows\system32>wmic os /?
OS - Installed Operating System/s management.
HINT: BNF for Alias usage.
(<alias> [WMIObject] | <alias> [<path where>] | [<alias>] <path where>) [<verb clause>].
USAGE:
OS ASSOC [<format specifier>]
OS CALL <method name> [<actual param list>]
OS CREATE <assign list>
OS DELETE
OS GET [<property list>] [<get switches>]
OS LIST [<list format>] [<list switches>]
OS SET [<assign list>]

Another option would be to use the LIST parameter:

C:\Windows\system32>wmic os list brief
BuildNumber Organization RegisteredUser SerialNumber SystemDirectory Version
7601 Windows User 00371-OEM-9046457-06738 C:\Windows\system32 6.1.7601

After finding the operating system version, it is necessary to itemize the other software on the computer. The PRODUCT alias provides the interface to installation package task management.

There are a couple of options for extracting the installed software information. As with the OS example, either product list brief or product get name, version, vendor may be used.

C:\Windows\system32>wmic product get name, version, vendor
Name Vendor Version
VMware Tools VMware, Inc. 10.0.10.4301679
Microsoft .NET Framework 4.5.2 Microsoft Corporation 4.5.51209

These examples have all been running against the local computer in a command prompt window with administrative privileges. Remember that if you want to execute this against a remote computer, you must use the /node, /user, and /password switches as described in the first part of this series.

Now we have a way to list the software that is installed on a local or remote computer. This is a way to do a software inventory as part of Critical Security Control #2.
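To turn that listing into the authorized/unauthorized comparison the control asks for, the output can be parsed and checked against a baseline. The following is an added example, not part of the original post: it assumes the command is run as wmic product get name,vendor,version /value (one Key=Value line per property, which survives commas in values such as "VMware, Inc."), and the sample output and the AUTHORIZED baseline are constructed for illustration.

```python
# Constructed sample of "wmic product get name,vendor,version /value" output.
SAMPLE = (
    "\r\r\n"
    "Name=VMware Tools\r\r\nVendor=VMware, Inc.\r\r\nVersion=10.0.10.4301679\r\r\n"
    "\r\r\n"
    "Name=Microsoft .NET Framework 4.5.2\r\r\nVendor=Microsoft Corporation\r\r\n"
    "Version=4.5.51209\r\r\n"
    "\r\r\n"
    "Name=Example Toolbar\r\r\nVendor=Example Corp\r\r\nVersion=1.0.0\r\r\n"
)

# Hypothetical baseline: lower-cased name -> approved version (None = any).
AUTHORIZED = {
    "vmware tools": "10.0.10.4301679",
    "microsoft .net framework 4.5.2": None,
}

def decode_wmic(raw):
    """Decode bytes from a redirected wmic run (UTF-16 with BOM) or a pipe."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")

def parse_records(text):
    """Turn blank-line-separated Key=Value blocks into dicts.

    Captured wmic output often ends lines with CR CR LF, so every CR is dropped.
    """
    records, current = [], {}
    for line in text.replace("\r", "").split("\n") + [""]:
        key, sep, value = line.strip().partition("=")
        if sep:
            current[key] = value
        elif not key and current:   # blank line closes the current record
            records.append(current)
            current = {}
    return records

def audit(records, authorized):
    """Return (finding, name, version) for software outside the baseline."""
    findings = []
    for rec in records:
        name, version = rec.get("Name", ""), rec.get("Version", "")
        if name.lower() not in authorized:
            findings.append(("UNAUTHORIZED", name, version))
        elif authorized[name.lower()] not in (None, version):
            findings.append(("VERSION_MISMATCH", name, version))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_records(SAMPLE), AUTHORIZED):
        print("\t".join(finding))
```

The PRODUCT alias maps to the Win32_Product class, which reports only software installed through Windows Installer, so this comparison covers MSI packages only.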

Learning WMIC: part 2 – Finding Group Members

Let’s dig around a little deeper into the capabilities of WMIC and use WMIC to find information needed to solve a problem

Problem: list the active users with access to a system, and the groups they belong to…

Solution:

1. All user accounts that have access to a windows host can be listed using wmic commands

wmic useraccount list brief

This command will list all of the user accounts that have access to the system, starting with local accounts followed by domain accounts. That’s OK, but we don’t know which, if any, of the accounts are inactive.

wmic useraccount list status

This command will show the accounts with the Status column output. “Degraded” in the status column indicates the account is inactive. 

2. Account groups can also be listed using wmic commands

wmic group list brief

This command lists all of the groups with security associations on the Windows host.

3. Now things get a little more complex. From the previous list (wmic group list brief), look for the group you want to know the members of. Now we need to find the path to that group.

wmic group list instance

Notice that there is a column in the output named _RELPATH. That piece of information may be important. The next command is the important one, though. Note where the inner double quotes are escaped with backslashes so that the command parses properly.

wmic path Win32_groupuser where (groupcomponent="win32_group.name=\"Test Group\",domain=\"MyDomain\"")

This gives us a list of the users that are a part of that group!

So, the entire command that could be entered from the OS command line (non-interactive) would be

wmic /node:<hostname> /user:<username> /password:<password> path Win32_groupuser where (groupcomponent="win32_group.name=\"Test Group\",domain=\"MyDomain\"")

Let’s break that command down…

  • /node: is used to point to the host we are going to query. If running the command on the host to query, this is not needed
  • /user: is used to specify a user account that has privileges to run the query
  • /password: is the password for the account that has privileges to run the query
  • path Win32_groupuser is a WMI class that relates a group and an account that is a member of that group
  • where (…) indicates only to return records that match the “groupcomponent” attributes given
  • win32_group.name is the property of the win32_group class that we are checking
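For a periodic audit, the members returned by that query can be extracted from the PartComponent references and compared with the approved membership. This is an added example, not part of the original post: it assumes get PartComponent /value is appended to the query above, and the host name, account names and APPROVED set are constructed.

```python
import re

# Constructed sample: output of the Win32_GroupUser query with
# "get PartComponent /value" appended. Host and account names are made up.
SAMPLE = r'''
PartComponent=\\HOST1\root\cimv2:Win32_UserAccount.Domain="MyDomain",Name="alice"

PartComponent=\\HOST1\root\cimv2:Win32_UserAccount.Domain="MyDomain",Name="svc-backup"

PartComponent=\\HOST1\root\cimv2:Win32_Group.Domain="MyDomain",Name="Helpdesk"
'''

# Hypothetical approved membership for "Test Group".
APPROVED = {r"MyDomain\alice", r"MyDomain\bob"}

# A PartComponent value is a WMI object reference:
#   \\<host>\root\cimv2:Win32_<Class>.Domain="<domain>",Name="<name>"
REF = re.compile(
    r'PartComponent=.*?:Win32_(\w+)\.Domain="([^"]*)",Name="([^"]*)"', re.I)


def parse_members(text):
    """Return (class_suffix, 'DOMAIN\\name') for each member reference."""
    return [(kind, f"{domain}\\{name}")
            for kind, domain, name in REF.findall(text)]


def review_membership(members, approved):
    """Compare direct members with the approved list (case-insensitive).

    Nested groups are reported separately: the query returns only direct
    members, so each nested group needs its own membership query.
    """
    approved_ci = {a.lower() for a in approved}
    present = {acct.lower() for _, acct in members}
    accounts = [a for kind, a in members if kind.lower() != "group"]
    return {
        "unexpected": sorted(a for a in accounts if a.lower() not in approved_ci),
        "missing": sorted(a for a in approved if a.lower() not in present),
        "nested_groups": sorted(a for kind, a in members if kind.lower() == "group"),
    }


if __name__ == "__main__":
    for finding, accounts in review_membership(parse_members(SAMPLE), APPROVED).items():
        print(finding, accounts)
```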

That’s it for now. More to come!

Learning WMIC: part 1 – Basic Syntax

WMIC is a powerful means to access Windows Management Instrumentation (WMI) from the command line. More information about WMI can be found at the Wikipedia page – https://en.wikipedia.org/wiki/Windows_Management_Instrumentation

There are a couple of scenarios for using WMIC – against the local computer and against a remote computer. In either case, WMIC will run by default with the privileges of the user that is logged in. If that user is not an administrator, either local or domain, then the abilities will be limited.

As with many Windows commands, WMIC may be used interactively, or by issuing the entire command.

From the command prompt, enter wmic and you will enter the wmic environment

C:\Users\dlstrom> wmic
wmic:root\cli>

To get help, simply issue the /? command and press <enter>

At this point everything is being run locally with the privileges of the logged-on user.

I’ve found my mind works better in non-interactive command-line mode rather than interactive mode. That’s what we’ll be using most of the time.

Try this from the command line – wmic startup. This should return LOTS of information that is almost overwhelming.

Now, do wmic startup list brief to get a more readable list of startup programs. Remember that this is all running against the local computer.

I’ve found that making the command window as wide as possible helps with wrapping of lines and makes the output more readable.

WMIC can also be run against other Windows computers on the network.

wmic /node:<HOSTNAME> startup list brief executes on another computer. This requires knowing the hostname, and having permissions to access that computer.

If running with local user privileges and trying to access information on the remote host, you might get this…

C:\Users\dlstrom>wmic /node:CONTROL1 startup list brief
Node - CONTROL1
ERROR:
Description = Access is denied.

This means that I’m logged in on my computer with user-level privileges that are not allowed on CONTROL1. The solution is some additional switches on the command line…

C:\Users\dlstrom>wmic /node:CONTROL1 /user:<USERNAME> /password:<PASSWORD> cpu get name
Name
Intel(R) Xeon(R) CPU E3-1230 v3 @ 3.30GHz

That USERNAME and PASSWORD must be a valid account on CONTROL1 in order to work. Note that if either the USERNAME or PASSWORD includes a hyphen, then it must be enclosed in double-quote marks.

If you ever get confused as to which host you are working with, this command will identify the nodes you are querying when in interactive mode…

wmic:root\cli>context

That’s it for now. More to come…