Wmi delete -UserName milchick -Password Br3@kr00m! LUMON-DC1 "SELECT * FROM Win32_Process WHERE Caption='REGEDIT.EXE'"
Wmi exec
Executes a command on a remote system via WMI
Synopsis
Wmi exec [options] <ServerName> <CommandLine>
Parameters
| Name | Aliases | Value | Description |
|---|---|---|---|
| `<ServerName>` | | `<String>` | Name of the server to connect to |
| `<CommandLine>` | | `<String>` | Command line to execute |
Options
| Name | Aliases | Value | Description |
|---|---|---|---|
| `-CaptureOutput` | | `<SwitchParam>` | Redirects STDOUT and STDERR to a file. Default: True |
| `-WorkingDir` | | `<String>` | Sets the working directory for the new process |
| `-CmdCall` | | `<SwitchParam>` | Prepends 'cmd /q /c' to the command. Default: True |
| `-Wait` | | `<SwitchParam>` | Waits for the command to complete. Default: True |
| `-PollInterval` | | `<Duration>` | Polling interval. Default: 1s |
| `-EnvironmentVariables` | | `<String[]>` | Environment variables to pass to the command |
| `-EncryptRpc` | | `<SwitchParam>` | Encrypts RPC messages |
| `-ConsoleOutputStyle` | `-OutputStyle` | `<OutputStyle>` | Determines the output style. Possible values: Freeform, Raw, Table, List, Csv, Tsv, Json |
| `-OutputHeaders` | | `<SwitchParam>` | Print headers for table/list/CSV/TSV styles. Default: True |
| `-SpnOverride` | | `<SpnMapping[]>` | Specifies an SPN override |
| `-AuthProxy` | | `<EndPoint>` | Endpoint of auth proxy |
| `-Socks5` | | `<host-or-ip:port>` | End point of SOCKS 5 server to use |
Output
| Name | Aliases | Value | Description |
|---|---|---|---|
| `-LogLevel` | | `<LogMessageSeverity>` | Sets the lowest level of messages to log. Possible values: Debug, Diagnostic, Verbose, Info, Warning, Error, Critical |
| `-ConsoleLogFormat` | `-LogFormat` | `<LogFormat>` | Sets the format of log messages written to the console. Default: 0. Possible values: Text, TextWithTimestamp, Json |
| `-Verbose` | `-V` | `<SwitchParam>` | Prints verbose messages |
| `-Diagnostic` | `-vv` | `<SwitchParam>` | Prints diagnostic messages |
| `-HumanReadable` | | `<SwitchParam>` | Formats file sizes as human-readable values |
Connection
| Name | Aliases | Value | Description |
|---|---|---|---|
| `-Dialects` | | `<Smb2Dialect[]>` | List of SMB2 dialects to negotiate. Possible values: Smb2_0_2, Smb2_1, Smb3_0, Smb3_0_2, Smb3_1_1 |
| `-RequireSigning` | `-signreq` | `<SwitchParam>` | Requires packets to be signed |
| `-RequireSecureNegotiate` | | `<SwitchParam>` | Requires the client to authenticate the negotiation |
| `-EncryptSmb` | | `<SwitchParam>` | Requires an encrypted connection |
| `-HostAddress` | `-ha` | `<String[]>` | Network address(es) of the server |
| `-UseTcp6Only` | `-6` | `<SwitchParam>` | Only use TCP over IPv6 endpoint |
| `-UseTcp4Only` | `-4` | `<SwitchParam>` | Only use TCP over IPv4 endpoint |
Client Behavior
| Name | Aliases | Value | Description |
|---|---|---|---|
| `-F, -FollowDfs` | | `<SwitchParam>` | Checks for and follows DFS referrals (default=true) |
| `-DfsReferralBufferSize` | | `<Int32>` | Specifies the size for the DFS referral buffer (default=4096) |
Authentication
| Name | Aliases | Value | Description |
|---|---|---|---|
| `-Anonymous` | | `<SwitchParam>` | Uses anonymous login |
| `-UserName` | `-u` | `<UserPrincipalName>` | User name to authenticate with, not including the domain |
| `-UserDomain` | `-ud` | `<String>` | Domain of user to authenticate with |
| `-Password` | `-p` | `<String>` | Password to authenticate with |
| `-NtlmHash` | | `<hexadecimal hash>` | NTLM hash for NTLM authentication |
Authentication (Kerberos)
| Name | Aliases | Value | Description |
|---|---|---|---|
| `-AesKey` | | `<HexString>` | AES key (128 or 256) |
| `-DesKey` | | `<HexString>` | DES key |
| `-Tgt` | | `<String>` | Name of file containing a ticket-granting ticket (.kirbi or ccache) |
| `-Tickets` | | `<String[]>` | Name of file containing service tickets (.kirbi or ccache) |
| `-TicketCache` | | `<String>` | Name of ticket cache file |
| `-K, -Kdc` | | `<host-or-ip:port>` | KDC endpoint |
| `-S4UserName` | | `<UserPrincipalName>` | Name of user to impersonate with S4U |
| `-U2UserName` | | `<UserPrincipalName>` | User name to request TGT for U2U |
| `-S4UserCert` | | `<String>` | Name of file containing a certificate of a user to impersonate with S4U |
| `-S4ProxyService` | | `<SecurityPrincipalName>` | Name of service to proxy through |
| `-UserCert` | | `<String>` | Name of file containing user's certificate (for PKINIT) |
| `-UserKey` | | `<String>` | Name of file containing user's key (for PKINIT) |
| `-UserKeyPassword` | | `<String>` | Password to decrypt file containing user's key (for PKINIT) |
Authentication (NTLM)
| Name | Aliases | Value | Description |
|---|---|---|---|
| `-Workstation` | `-w` | `<String>` | Name of workstation to send with NTLM authentication |
| `-NtlmVersion` | | `<Version>` | NTLM version number (a.b.c.d) |
Details
This command uses WMI Win32_Process.Create to execute a command line,
optionally capturing the output and waiting for the executed program to exit.

Both -CaptureOutput and -CmdCall are enabled by default. To disable them,
specify -CaptureOutput:off or -CmdCall:off.

Use -PollInterval to specify the polling interval for checking output as well
as the Win32_ProcessTrace query. Specify the value as a number followed by one
of [ ms, s, m, h ] specifying the unit.

To specify environment variables for the started process, specify
-EnvironmentVariables followed by a list of <name>=<value> pairs, separated by
commas. For example, to specify two variables named VAR1 and VAR2:

-EnvironmentVariables VAR1=value1, VAR2=value2

-CaptureOutput redirects STDOUT and STDERR to a file using the redirection
provided by CMD.EXE and therefore requires -CmdCall as well. Wmi exec
generates a file name using a new GUID and creates this file in
C:\Windows\Temp using SMB. It periodically checks the file for updates using
the interval specified by -PollInterval. Any updates are fetched and printed
to STDOUT.

While the command is running, Wmi exec uses Win32_ProcessTrace to monitor the
started process and its child processes. Once the root process of the tree
exits, Wmi exec exits, returning the exit status returned by the remote
process.

Use Ctrl+C to terminate the remote process. When -CmdCall is enabled, the
first child process that isn't named conhost.exe is terminated.
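A detection-side view of the behaviour described above, as an added example that is not part of the tool or its documentation: with the defaults, the remote process is a `cmd /q /c` command line whose output is redirected to a GUID-named file under C:\Windows\Temp. The event field names, the exact redirection syntax and the sample events are assumptions constructed for illustration; the WmiPrvSE.exe parent is standard Windows behaviour for Win32_Process.Create.

```python
import re

# Assumption: the output file name is a bare or braced GUID, optionally with an extension.
GUID = r"[{(]?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}[)}]?"
# -CmdCall (default on) prepends 'cmd /q /c' to the command line.
CMD_PREFIX = re.compile(
    r'^\s*"?(?:[a-z]:\\windows\\system32\\)?cmd(?:\.exe)?"?\s+/q\s+/c\s', re.I)
# -CaptureOutput (default on) redirects output to a file in C:\Windows\Temp.
TEMP_REDIRECT = re.compile(r'>\s*"?[a-z]:\\windows\\temp\\' + GUID + r'[^\s"]*', re.I)


def indicators(event):
    """Return the names of the indicators present in one process-creation event."""
    found = []
    parent = event.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    if parent == "wmiprvse.exe":  # Win32_Process.Create children run under WmiPrvSE
        found.append("wmi_parent")
    cmdline = event.get("command_line", "")
    if CMD_PREFIX.search(cmdline):
        found.append("cmd_q_c")
    if TEMP_REDIRECT.search(cmdline):
        found.append("guid_temp_redirect")
    return found


def triage(event):
    """Map the indicator set to a triage level for an analyst queue."""
    hits = set(indicators(event))
    if {"cmd_q_c", "guid_temp_redirect"} <= hits:
        return "high" if "wmi_parent" in hits else "medium"
    # With -CmdCall:off / -CaptureOutput:off only the parent process remains.
    return "review" if "wmi_parent" in hits else "ignore"


# Constructed sample events (not captured from a real system).
WMIPRVSE = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
EVENTS = [
    {"parent_image": WMIPRVSE,
     "command_line": r"cmd /q /c hostname > C:\Windows\Temp\3f2b8c1e-9d4a-4e7b-a1c2-5b6d7e8f9a0b 2>&1"},
    {"parent_image": WMIPRVSE, "command_line": "notepad.exe"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"cmd /c dir > C:\Users\example\out.txt"},
    {"parent_image": r"C:\Windows\System32\services.exe",
     "command_line": r'cmd.exe /Q /c ipconfig /all > "C:\Windows\Temp\{0A1B2C3D-1111-2222-3333-444455556666}.txt"'},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(triage(e), indicators(e), e["command_line"])
```

Pairing these process-creation hits with SMB file-creation telemetry for the same GUID-named file in C:\Windows\Temp tightens the match, since the page states the file is created over SMB.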
Sets the format of log messages written to the console
Default: 0
Possible values:
Text
TextWithTimestamp
Json
-Verbose
-V
<SwitchParam>
Prints verbose messages
-Diagnostic
-vv
<SwitchParam>
Prints diagnostic messages
-HumanReadable
<SwitchParam>
Formats file sizes as human-readable values
Authentication
Name
Aliases
Value
Description
-Anonymous
<SwitchParam>
Uses anonymous login
-UserName
-u
<UserPrincipalName>
User name to authenticate with, not including the domain
-UserDomain
-ud
<String>
Domain of user to authenticate with
-Password
-p
<String>
Password to authenticate with
-NtlmHash
<hexadecimal hash>
NTLM hash for NTLM authentication
Authentication (Kerberos)
Name
Aliases
Value
Description
-AesKey
<HexString>
AES key (128 or 256)
-DesKey
<HexString>
DES key
-Tgt
<String>
Name of file containing a ticket-granting ticket (.kirbi or ccache)
-Tickets
<String[]>
Name of file containing service tickets (.kirbi or ccache)
-TicketCache
<String>
Name of ticket cache file
-K, -Kdc
<host-or-ip:port>
KDC endpoint
-S4UserName
<UserPrincipalName>
Name of user to impersonate with S4U
-U2UserName
<UserPrincipalName>
User name to request TGT for U2U
-S4UserCert
<String>
Name of file containing a certificate of a user to impersonate with S4U
-S4ProxyService
<SecurityPrincipalName>
Name of service to proxy through
-UserCert
<String>
Name of file containing user's certificate (for PKINIT)
-UserKey
<String>
Name of file containing user's key (for PKINIT)
-UserKeyPassword
<String>
Password to decrypt file containing user's key (for PKINIT)
Authentication (NTLM)
Name
Aliases
Value
Description
-Workstation
-w
<String>
Name of workstation to send with NTLM authentication
-NtlmVersion
<Version>
NTLM version number (a.b.c.d)
Connection
Name
Aliases
Value
Description
-HostAddress
-ha
<String[]>
Network address(es) of the server
-UseTcp6Only
-6
<SwitchParam>
Only use TCP over IPv6 endpoint
-UseTcp4Only
-4
<SwitchParam>
Only use TCP over IPv4 endpoint
Details
The object path is specified relative to the namespace.
Since the command line parser strips double quotes, use single quotes to
delimit strings. Single quotes are converted to double quotes before sending
the request to WMI.
Examples
Example 1 - Gets the Win32_Process class
Wmi get -namespace root\cimv2 -UserName milchick -Password "Br3@kr00m!" LUMON-FS1 Win32_Process
Example 2 - Gets the Win32_LogicalDisk for C:
Wmi get -namespace root\cimv2 -UserName milchick -Password "Br3@kr00m!" LUMON-FS1 Win32_LogicalDisk.DeviceID='C:
Path to object or WQL query of objects to invoke on
<Method>
<String>
Method to invoke
<Arguments>
<String[]>
Arguments to pass to the method
Options
Name
Aliases
Value
Description
-SkipParams
<String[]>
List of parameters to skip
-ContinueOnError
<SwitchParam>
Continue even if errors occur
-Namespace
<String>
Namespace to query
Default: root\cimv2
-Locale
<String>
Locale
Default: en-US
-WithQualifiers
<String[]>
Filter qualifiers
-E, -EncryptRpc
<SwitchParam>
Encrypts RPC messages
-ConsoleOutputStyle
-OutputStyle
<OutputStyle>
Determines the output style
Possible values:
Freeform
Raw
Table
List
Csv
Tsv
Json
-OutputHeaders
<SwitchParam>
Print headers for table/list/CSV/TSV styles
Default: True
-SpnOverride
<SpnMapping[]>
Specifies an SPN override
-AuthProxy
<EndPoint>
Endpoint of auth proxy
-Socks5
<host-or-ip:port>
End point of SOCKS 5 server to use
Output
Name
Aliases
Value
Description
-LogLevel
<LogMessageSeverity>
Sets the lowest level of messages to log
Possible values:
Debug
Diagnostic
Verbose
Info
Warning
Error
Critical
-ConsoleLogFormat
-LogFormat
<LogFormat>
Sets the format of log messages written to the console
Default: 0
Possible values:
Text
TextWithTimestamp
Json
-Verbose
-V
<SwitchParam>
Prints verbose messages
-Diagnostic
-vv
<SwitchParam>
Prints diagnostic messages
-HumanReadable
<SwitchParam>
Formats file sizes as human-readable values
Authentication
Name
Aliases
Value
Description
-Anonymous
<SwitchParam>
Uses anonymous login
-UserName
-u
<UserPrincipalName>
User name to authenticate with, not including the domain
-UserDomain
-ud
<String>
Domain of user to authenticate with
-Password
-p
<String>
Password to authenticate with
-NtlmHash
<hexadecimal hash>
NTLM hash for NTLM authentication
Authentication (Kerberos)
Name
Aliases
Value
Description
-AesKey
<HexString>
AES key (128 or 256)
-DesKey
<HexString>
DES key
-Tgt
<String>
Name of file containing a ticket-granting ticket (.kirbi or ccache)
-Tickets
<String[]>
Name of file containing service tickets (.kirbi or ccache)
-TicketCache
<String>
Name of ticket cache file
-K, -Kdc
<host-or-ip:port>
KDC endpoint
-S4UserName
<UserPrincipalName>
Name of user to impersonate with S4U
-U2UserName
<UserPrincipalName>
User name to request TGT for U2U
-S4UserCert
<String>
Name of file containing a certificate of a user to impersonate with S4U
-S4ProxyService
<SecurityPrincipalName>
Name of service to proxy through
-UserCert
<String>
Name of file containing user's certificate (for PKINIT)
-UserKey
<String>
Name of file containing user's key (for PKINIT)
-UserKeyPassword
<String>
Password to decrypt file containing user's key (for PKINIT)
Authentication (NTLM)
Name
Aliases
Value
Description
-Workstation
-w
<String>
Name of workstation to send with NTLM authentication
-NtlmVersion
<Version>
NTLM version number (a.b.c.d)
Connection
Name
Aliases
Value
Description
-HostAddress
-ha
<String[]>
Network address(es) of the server
-UseTcp6Only
-6
<SwitchParam>
Only use TCP over IPv6 endpoint
-UseTcp4Only
-4
<SwitchParam>
Only use TCP over IPv4 endpoint
Details
For each object, Wmi invoke looks up the specified method and parses/coerces
the command line arguments after the method name as arguments to the WMI
method.
To pass an array of values to a WMI method, enter each element as a separate
command line argument (separated by spaces) with [ before the first element and
] after the last argument. For example, to invoke this method:
Path to object or WQL query of objects to invoke on
Options
Name
Aliases
Value
Description
-ContinueOnError
<SwitchParam>
Continue even if errors occur
-Namespace
<String>
Namespace to query
Default: root\cimv2
-Locale
<String>
Locale
Default: en-US
-WithQualifiers
<String[]>
Filter qualifiers
-E, -EncryptRpc
<SwitchParam>
Encrypts RPC messages
-ConsoleOutputStyle
-OutputStyle
<OutputStyle>
Determines the output style
Possible values:
Freeform
Raw
Table
List
Csv
Tsv
Json
-OutputFields
<String[]>
Fields to display in output
Possible values:
Flags
Signature
Name
ClassOfOrigin
QualifiersText
Subtype
SubtypeCode
PrivilegesText
IsReadOnly
ShortDescription
FullDescription
IsStatic
Id
IsInputParameter
-OutputHeaders
<SwitchParam>
Print headers for table/list/CSV/TSV styles
Default: True
-SpnOverride
<SpnMapping[]>
Specifies an SPN override
-AuthProxy
<EndPoint>
Endpoint of auth proxy
-Socks5
<host-or-ip:port>
End point of SOCKS 5 server to use
Output
Name
Aliases
Value
Description
-LogLevel
<LogMessageSeverity>
Sets the lowest level of messages to log
Possible values:
Debug
Diagnostic
Verbose
Info
Warning
Error
Critical
-ConsoleLogFormat
-LogFormat
<LogFormat>
Sets the format of log messages written to the console
Default: 0
Possible values:
Text
TextWithTimestamp
Json
-Verbose
-V
<SwitchParam>
Prints verbose messages
-Diagnostic
-vv
<SwitchParam>
Prints diagnostic messages
-HumanReadable
<SwitchParam>
Formats file sizes as human-readable values
Authentication
Name
Aliases
Value
Description
-Anonymous
<SwitchParam>
Uses anonymous login
-UserName
-u
<UserPrincipalName>
User name to authenticate with, not including the domain
-UserDomain
-ud
<String>
Domain of user to authenticate with
-Password
-p
<String>
Password to authenticate with
-NtlmHash
<hexadecimal hash>
NTLM hash for NTLM authentication
Authentication (Kerberos)
Name
Aliases
Value
Description
-AesKey
<HexString>
AES key (128 or 256)
-DesKey
<HexString>
DES key
-Tgt
<String>
Name of file containing a ticket-granting ticket (.kirbi or ccache)
-Tickets
<String[]>
Name of file containing service tickets (.kirbi or ccache)
-TicketCache
<String>
Name of ticket cache file
-K, -Kdc
<host-or-ip:port>
KDC endpoint
-S4UserName
<UserPrincipalName>
Name of user to impersonate with S4U
-U2UserName
<UserPrincipalName>
User name to request TGT for U2U
-S4UserCert
<String>
Name of file containing a certificate of a user to impersonate with S4U
-S4ProxyService
<SecurityPrincipalName>
Name of service to proxy through
-UserCert
<String>
Name of file containing user's certificate (for PKINIT)
-UserKey
<String>
Name of file containing user's key (for PKINIT)
-UserKeyPassword
<String>
Password to decrypt file containing user's key (for PKINIT)
Authentication (NTLM)
Name
Aliases
Value
Description
-Workstation
-w
<String>
Name of workstation to send with NTLM authentication
-NtlmVersion
<Version>
NTLM version number (a.b.c.d)
Connection
Name
Aliases
Value
Description
-HostAddress
-ha
<String[]>
Network address(es) of the server
-UseTcp6Only
-6
<SwitchParam>
Only use TCP over IPv6 endpoint
-UseTcp4Only
-4
<SwitchParam>
Only use TCP over IPv4 endpoint
Details
You may specify multiple object paths. Each object path may be a class or an
instance.
Use -WithQualifiers to filter by one or more qualifiers. Each entry may either
be a qualifier name or a name-value pair of the form <name>=<value>. If only a
name is specified, the filter matches if the qualifier is present with a value
other than 'false'. If the <name>=<value> syntax is used, the qualifier value
must match using a case-insensitive string comparison. If the qualifier has
multiple values, only one value must match.
Examples
Example 1 - List the methods of the Win32_Process class
Sets the format of log messages written to the console
Default: 0
Possible values:
Text
TextWithTimestamp
Json
-Verbose
-V
<SwitchParam>
Prints verbose messages
-Diagnostic
-vv
<SwitchParam>
Prints diagnostic messages
-HumanReadable
<SwitchParam>
Formats file sizes as human-readable values
Authentication
Name
Aliases
Value
Description
-Anonymous
<SwitchParam>
Uses anonymous login
-UserName
-u
<UserPrincipalName>
User name to authenticate with, not including the domain
-UserDomain
-ud
<String>
Domain of user to authenticate with
-Password
-p
<String>
Password to authenticate with
-NtlmHash
<hexadecimal hash>
NTLM hash for NTLM authentication
Authentication (Kerberos)
Name
Aliases
Value
Description
-AesKey
<HexString>
AES key (128 or 256)
-DesKey
<HexString>
DES key
-Tgt
<String>
Name of file containing a ticket-granting ticket (.kirbi or ccache)
-Tickets
<String[]>
Name of file containing service tickets (.kirbi or ccache)
-TicketCache
<String>
Name of ticket cache file
-K, -Kdc
<host-or-ip:port>
KDC endpoint
-S4UserName
<UserPrincipalName>
Name of user to impersonate with S4U
-U2UserName
<UserPrincipalName>
User name to request TGT for U2U
-S4UserCert
<String>
Name of file containing a certificate of a user to impersonate with S4U
-S4ProxyService
<SecurityPrincipalName>
Name of service to proxy through
-UserCert
<String>
Name of file containing user's certificate (for PKINIT)
-UserKey
<String>
Name of file containing user's key (for PKINIT)
-UserKeyPassword
<String>
Password to decrypt file containing user's key (for PKINIT)
Authentication (NTLM)
Name
Aliases
Value
Description
-Workstation
-w
<String>
Name of workstation to send with NTLM authentication
-NtlmVersion
<Version>
NTLM version number (a.b.c.d)
Connection
Name
Aliases
Value
Description
-HostAddress
-ha
<String[]>
Network address(es) of the server
-UseTcp6Only
-6
<SwitchParam>
Only use TCP over IPv6 endpoint
-UseTcp4Only
-4
<SwitchParam>
Only use TCP over IPv4 endpoint
Details
You may specify multiple object paths. Each object path may be a class or an
instance.
Use -WithQualifiers to filter by one or more qualifiers. Each entry may either
be a qualifier name or a name-value pair of the form <name>=<value>. If only a
name is specified, the filter matches if the qualifier is present with a value
other than 'false'. If the <name>=<value> syntax is used, the qualifier value
must match using a case-insensitive string comparison. If the qualifier has
multiple values, only one value must match.
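The -WithQualifiers matching rules described above (the same rules are given in both Details sections that mention this option), written out as an added example that is not the tool's own code. The qualifier dictionary is constructed sample data, and treating qualifier names as case-insensitive is an assumption; how several entries are combined is not stated on the page, so each entry is evaluated on its own.

```python
def _as_text(value):
    """Render a qualifier value the way it would be compared as a string."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def entry_matches(entry, qualifiers):
    """Evaluate one -WithQualifiers entry: '<name>' or '<name>=<value>'."""
    name, has_value, wanted = entry.partition("=")
    by_name = {k.lower(): v for k, v in qualifiers.items()}  # assumption: names ignore case
    key = name.strip().lower()
    if key not in by_name:
        return False
    raw = by_name[key]
    values = raw if isinstance(raw, (list, tuple)) else [raw]
    texts = [_as_text(v).lower() for v in values]
    if not has_value:
        # Name only: present with a value other than 'false'.
        return any(t != "false" for t in texts)
    # Name=value: case-insensitive comparison; one matching value is enough.
    return wanted.strip().lower() in texts


def matching_entries(entries, qualifiers):
    """Return the filter entries that match the given qualifier set."""
    return [e for e in entries if entry_matches(e, qualifiers)]


# Constructed sample: qualifiers attached to a hypothetical method.
SAMPLE_QUALIFIERS = {
    "Constructor": True,
    "Implemented": True,
    "Static": True,
    "Deprecated": False,
    "Privileges": ["SeAssignPrimaryTokenPrivilege", "SeIncreaseQuotaPrivilege"],
}

if __name__ == "__main__":
    filters = ["static", "Deprecated", "Privileges=seincreasequotaprivilege",
               "Privileges=SeDebugPrivilege", "Destructor"]
    print(matching_entries(filters, SAMPLE_QUALIFIERS))
```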
Examples
Example 1 - List the properties of the Win32_Process class