Windows Management Instrumentation

A WBEM class defines a particular type of managed resource or some aspect of the WMI environment itsef. A class definition includes includes

While class defines the logical information associated with a managed resource type, an instance of a class contains the actual information for a specific resource of that type. For example, the Win32_Service class defines properties and methods for a Windows service. Each Windows service, like Rpcss, will have a Win32_Service instance that contains the values of the properties for that service, such as its display name, status and so forth.

The WMI providers installed on a system need to make their class definitions accessible to applications. This is done by registering their class definitions with a database that stores the metadata and class definitions for all WMI classes on the system. This database is called the CIM repository.

On Windows 8, the repository is stored as a set of files in the %SYSTEMROOT%\system32\wbem\repository directory.

A WMI schema is a group of classes, generally defined by a single entity, that represent a certain type of managed environment. For example, the Win32 schema is directed towards Windows-based computers.

By convention, the class name prefix, for example Win32_, reflects the schema that defines it.

For the most part, in WMI we work with two schemas:

On Windows, both the above schemas are loaded in the root\cimv2 namespace.

A WMI namespace contains a subset of classes and instances from one or more schemas that are relevant to a particular operating environment. Namespaces are hierarchical and may be nested. They are stored as a logical databases in the CIM repository. Applications need to specify the namespace they are interested in when accessing WMI services.

Namespaces and schemas should not be confused with each other. A network adapter vendor may define a class or an entire schema for its products. In a Windows network, the schema or a subset of it may be loaded into an existing namespace in the CIM repository or even a new namespace as appropriate.

The classes and properties in WMI can be viewed as a database and correspondingly, WMI provides a subset of SQL, the WMI Query Language (WQL) that allows for extracting data from this database. Using WQL instead of programmatically accessing data can often be more efficient, particularly when dealing with remote systems. Although we do not discuss WQL in complete detail the sections below provide examples of using WQL from Tcl. For a detailed description, see WQL Reference.

Names are generally case-insensitive in WMI. This includes names for namespaces, classes, methods, properties and WQL keywords. Also, hierachical names, as are used for nested namespaces, may use either \ or / as a separator. Thus root/cimv2 and root\CIMV2 refer to the same namespace.

A WMI object path is a string that describes the location of a WMI object. An `object' in this context can be a namespace, a class, or instances of a class. The path itself contains three components:

Object paths are used in WMI monikers which can be used to connect to a WMI object.

WMI also provides a mechanism for applications to be asynchronously notified for events. Like the rest of WMI, this mechanism is both flexible and extensible. WMI events may correspond to events like services starting or to a change in state or values of WMI objects, like disk space, or even changes to the WMI schemas.

Because it is used to manage important computing resources, access to WMI is controlled. This security mechanism is based on the standard Windows security model and uses Windows user and group accounts for authentication and authorization. This access control extends to specific namespaces within WMI and includes control of what specific actions a particular user is allowed to invoke. WMI also makes use of impersonation so that access to resources is attempted under the account requesting the access so the WMI service itself, which runs as a privileged process, cannot be used to subvert the protections.

Access to WMI from applications, whether locally or remote, is channeled through the winmgmts service. All access to WMI on a system requires connecting either explicitly or implicitly to this service.

Now that we have the basic concepts out of the way, we can move on to the nitty gritty details and how to access WMI from Tcl.

Generally the first WMI object used, it is used to establish an authenticated connection to a namespace in a WMI service. It has a single method.

Represents an established, authenticated connection as created by an SWbemLocator object. Its primary use is to retrieve and manipulate SWbemObject objects within the connected namespace.

An SWbemObject automation object can represent a managed WMI resource or a WMI class definition. It exposes generic methods can be used to access the underlying resource irrespective of the actual class representing the resource, for example, Win32_Process versus Win32_Service, to discover properties and methods defined for the resource etc. In addition, it also exposes the type-specific specialized properties and methods underlying resource.

An SWbemObjectEx automation class extends SWbemObject with additional methods and properties.

A SWbemObjectPath contains a WMI object path and provides properties and methods to manipulate it. It can be used to parse the path for an object or to construct one.

Contains a collection of SWBemObject objects. You can loop over the objects in the collection with the comobj wrapper’s -iterate method.

The following short code snippet demonstrates use of the above automation objects.

The rest of the chapter illustrates use of these objects in detail.

Connections to a WMI service are always authenticated connections. The above examples use the user credentials of the account the process is running under to authenticate to the WMI server. If we want connect using different credentials, we can specify the account name and password as two additional parameters.

set wbem_services [$wbem_locator ConnectServer REMOTESYSTEM root/cimv2 ACCOUNTNAME PASSWORD]

The ACCOUNTNAME may be a simple name such as Administrator or in domain\name format such as Mydomain\Administrator.

The ConnectServer call has other optional parameters as well, for example to control the security authority, NTLM or Kerberos, to be used for authentication. See WMI Reference for details on these.

Security settings in WMI are manipulated through objects of type SWbemSecurity. These settings may be associated with several different object types including the SWbemLocator object used for connecting, the SWbemServices object representing a connection and SWbemObject objects. All these objects have the Security_ property which can be used to retrieve the associated SWbemSecurity object.

Security settings are passed on through objects so for example setting the privileges associated with a SWbemLocator object will affect not only any SWbemServices objects retrieved with ConnectServer but also all SWbemObject objects retrieved through them.

Microsoft COM uses monikers as specially formatted names that identify COM objects. A WMI moniker is just a special case of this where the moniker uniquely identifies objects in the WMI world, whether they be namespaces, classes or class instances.

A WMI moniker takes the form of a string with a specific format:

For full syntax details for WMI monikers, see WMI Reference. Some examples of monikers are shown in WMI moniker examples.

There are several mechanisms by which objects for managed resources might be obtained.

In situations where only a specific resource is of interest, there is no need to retrieve all instances and iterate looking for a match. Each instance has one or more key properties which can be used to directly access the object. For example, the Name field of a Win32_LogicalDrive object is a key.

Again, there are a couple of ways to retrieve a specific object by its key property:

Properties contain the data associated with the managed resource represented by a class instance; for example, the state of a Windows service is contained in the State property of the Win32_Service instance for that service. Most of the code examples we have seen so far have dealt with reading properties.

WMI also defines a set of system properties for every class and instances. These are not related to the underlying resource but rather reflect metadata; for example the CLASS property contains the class to which an object belongs. System property names, like system class names, always begin with .

We now discuss additional operations involving properties including

To start off, let us first retrieve an object that we will use for illustration purposes through the discussion.

If properties are data associated with objects, methods are operations that can be invoked to take action on the underlying managed resource. For example, invoking the Shutdown method on an instance of class Win32_OperatingSystem will result in the system being shut down.

One of important features of the CIM is that it provides a means to record and manage relationships between managed resources. An example of a relation is the association between a logical drive C:, represented by an instance of the class Win32_LogicalDisk, and the corresponding physical disk partition to which it is assigned, represented by an instance of Win32_DiskPartition.

These relationships are represented in the CIM by a special type of class, called an association class. An instance of an association class holds references to instances of the two classes representing the relation and any additional data pertaining to that relation.

To illustrate the use of associations, we will start off with a Win32_LogicalDisk object to use for illustrative purposes.

There are hundreds of classes defined in WMI that represent all kinds of resources. The full list with details is available in WMI Reference. We only list a few commonly used ones by category in Common WMI resource classes.

Namespaces partition the CIM repository into nested, logical structure. When an application initiates access to WMI, it always starts out connecting, implicitly or explicitly, to a specific namespace in the repository.

The root of the nested namespace structure is, thankfully, named root. (We say thankfully' because as we shall see, the namespace `default is not the default namespace.)

We now look at the structure of WMI classes in more detail. WMI classes fall into three categories:

Delving deeper into the CIM structure, let us now look at property definitions for a class.

We have already seen introspection with properties of instances where we described enumeration of properties. Exactly the same method can be used with class definitions. The only difference is that in the case of properties the values will be empty since it is a class definition and not an instance.

The final piece of introspection that remains to be explored pertains to methods.

Consumers of WMI event notifications can be of two types - temporary or permanent.

A temporary consumer is an application that subscribes to WMI notifications and receives them as long as it is running. A permanent consumer is a COM object that need not be running but can be invoked on the occurence of an event.

Tcl does not currently support permanent consumers so this chapter only describes the use of temporary consumers. Windows itself does provide some built-in permanent consumers, CommandLineEventConsumer in particular, that can run external programs, including Tcl, in response to an event. However, these have limited function and are not discussed here.

Event notifications can be received by an application in synchronous or asynchronous mode. In the former case, the application makes blocking calls waiting for an event notification. In the latter case, callbacks are delivered through a callback mechanism.

For ease of exposition, most of the examples in this section use synchronous mode. Asynchronous event delivery is described in Receiving event notifications asynchronously.

Events are classified as intrinsic or extrinsic.

Intrinsic events reflect changes in the internal structure of the CIM or data such as addition of a new class or a change in the data for a class instance. For example, a service stopping will be reflected as a change in the State property of the corresponding Win32_Service instance and is considered an intrinsic event. Intrisic events are represented by system defined classes, such as __InstanceModificationEvent which might be generated for the previous service scenario.

Extrinsic events are generated by WMI providers in response to real world events, such as shutdown. The WMI provider for the Windows registry also generates an extrinsic event when a registry key is modified. Note that this is considered and extrinsic event because the registry contents are not part of the CIM database.

We will describe monitoring intrisic events in the next section. Monitoring of extrinsic events follows a similar pattern but differs in some respects. These differences are highlighted in Consuming extrinsic events.

Like many WMI operations, providing and consuming events can be WMI therefore sets quotas on a per-user and system-wide basis. These quotas include number of concurrent subscriptions, memory usage and polling instruction limits and are controlled through the _ArbitratorConfiguration object described in WMI resource limits.

Just like all other objects, events are represented in WMI as classes. Intrinsic events, because they reflect the CIM model, all have the same structure and are defined through a small set of system classes derived from the __Event class. These are shown in Intrinsic event classes. They reflect the fact that intrinsic event notifications may pertain to three types of objects - namespaces, classes and class instances - and may be generated for creation, deletion and modification of the respective types.

Subscribing to intrinsic events involves the following steps:

Our example code illustrates these steps by subscribing to event notifications for processes starting up. Subscriptions for other intrisic events follow the same exact model differing only in the query used.

One more time, we start of by connecting to the WMI service to get a SWbemServices object.

We now submit a query that asks to be notified whenever a new process starts up.

Let us consider each component of the query in turn.

SELECT * FROM __InstanceCreationEvent

This follows the same form that we have seen for a WQL query earlier. We ask the query to return instances of class __InstanceCreationEvent with each instance containing all relevant properties. As summarized in Intrinsic event classes, selecting from this class means

Obviously, the event instances returned are only for new events. They are not persisted.

The next clause is

WITHIN 1

If a WMI provider itself does not implement a more efficient event notification mechanism, WMI itself will do a poor man’s emulation by taking these snapshots of the specified class (in this case Win32_Processes) instances at regular intervals. It then compares consecutive snapshots and generates creation, deletion and modification events based on the comparison. The WITHIN 1 clause directs the snapshots to be taken at 1 second intervals. There is a tradeoff here. Choosing a short interval means more frequent snapshots and comparisons leading to greater system load. On the other hand, increasing the interval increases the chances that an event will be missed. In our example, if a process started and exited between two snapshots, it would not result in a notification being generated. In general, applications should not rely on snapshot based notifications unless they are confident that the state change for the resource will be last longer than the snapshot interval.

The final clause

WHERE TargetInstance ISA 'Win32_Process'

is included because we are not interested in all instance creation notifications but only those for Win32_Process as they represent process creation events. We could have even qualified it further based on a property of the target class. Thus

WHERE TargetInstance ISA 'Win32_Process' AND TargetInstance.Name='notepad.exe'

would result in notifications only when Notepad was started and not for any other process.

As we see later, TargetInstance is a property of the __InstanceCreationEvent class which will hold an instance of Win32_Process for the newly created process.

Having set up the query, we wait a short interval (for the snapshot) and then start a process just to generate a notification.

We can now read the event from the event source using NextEvent which returns an instance of __InstanceCreationEvent.

The NextEvent method is a synchronous method and thus the application will stay blocked until a notification arrives or the call times out.

__InstanceCreationEvent contains three properties:

We print out the properties of the process we just created.

The above code sequence can be adapted for any target and event class. The event classes in Intrinsic event classes all have the same structure except that the ones pertaining to modification events have an additional field - PreviousInstance - which contains the target instance before the modification event. You can use this to detect the nature of the modification.

Extrinsic events are events that are not directly reflected in the CIM data model. For example, since the content of the Windows registry is not part of the CIM, changes to a registry key cannot be notified through the intrinsic events. For such cases, a WMI provider, StdRegProv for the Windows registry, has to implement its own classes for event notifications, such as the RegistryKeyChangeEvent class used for registry key changes.

The code sequence for subscribing to extrinsic events is very similar to that for intrinsic events. The differences are:

We previously illustrated intrinsic events using process startup notifications. Because the Windows provider also implements extrinsic event classes, Win32_ProcessTrace, Win32_ProcessStartTrace and Win32_ProcessStopTrace for these, we can use the same for extrinsic events as well.

Since we are only interested in processes starting, we will query for Win32_ProcessStartTrace instances and read from an event.

Extrinsic event classes, like intrinsic classes, are also derived from the root __Event class and have the SECURITY_DESCRIPTOR and TIME_CREATED properties described earlier. The other properties are specific to the event class.

Here we just print the process name and PID.

So far we have used NextEvent to retrieve events. This method has some drawbacks because it is a synchronous blocking call which will not return until an event notification is available:

We now describe how event notifications can be received in asynchronous fashion to remove these limitations.

Asynchronous WMI event notifications are implemented through the Windows COM connection points. The basic steps are:

We repeat out earlier demonstration of process startup notifications, this time using asynchronous notifications. Although we are demonstrating with extrinsic events here, the same steps would be used for intrinsic events as well.

We start off by writing a callback procedure that will be invoked by the sink when a notification is received.

A few, or perhaps more than a few, words are in order about the callback:

We then create an event sink and bind the callback procedure to it.

Creating a sink is straightforward, but note that unlike most other WMI objects, a sink is independent of the target system WMI provider.

Binding the callback gives a handle that we store in sink_id. This is used later to unbind the callback.

All that remains to be done is to start the notifications using ExecNotificationQueryAsync.

Any new processes would now result in our notification callback being invoked. As proof, we do a demonstration by firing up a couple of processes.

We will hang around for a second and then cancel the notifications.

We see the output from the callback showing processes being started as well as the cancellation of the notifications.

All that’s left to do is the unbind our callback script using the handle that was returned to use earlier and clean up.

And we’re done.

Operational parameters for WMI are accessible through the singleton instance of class Win32_WMISetting.

WMI often deals with huge data sets, access to which can be an expensive affair in terms of system resources. Windows therefore places limits on the resources used by WMI calls. These limits are defined through the properties of the __ArbitratorConfiguration singleton class in the root namespace.

These properties can be accessed just like properties for any other object.