1.24 Windows Management Instrumentation - Understanding Windows Operating System Basics
Windows Management Instrumentation or WMI is a set of specifications that's used to consolidate the management
of devices and applicat
Based Enterprise Management is WMI. Now, this WMI capability provides users or administrators, us, with different types of information-
- the status of local systems or even remote systems, somewhere out there on the network. It supports the configuration of different security
In fact, the common use case
is that our Cisco Discovery Agent, or CDA, uses WMI to talk to a Windows server and see login events so that we know what user logged in
based firewalling. OK. So let's just use PowerShell on Windows to interact with WMI.
Windows Management Instrumentation
Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on
Windows-based operating systems. You can write WMI scripts or applications to automate administrative
tasks on remote computers. WMI also supplies management data to other parts of the operating system and
products.
WMI can be used in all Windows-based applications, and is most useful in enterprise applications and
administrative scripts. System administrators can find information about using WMI at the TechNet
ScriptCenter, and in various books about WMI.
One example of a network security device using WMI is retrieving the Windows user logon and logoff
security events from the Windows domain controller.
https://ondemandelearning.cisco.com/apollo-alpha/mc_salyst110_21/pages/23 1/3
11/17/23, 10:27 PM Windows Management Instrumentation | Understanding Windows Operating System Basics
To avoid detection and to carry out broad commands on compromised systems, today's attacks often use
WMI to connect to remote systems, modify the registry, access event logs, and execute commands. Besides
the initial login event, remote WMI commands leave little evidence on the accessed system. Therefore,
Windows administrators should follow the proper Windows guidelines to secure WMI access.
WMI supports a limited form of security that validates each user before the user is allowed to connect to
WMI, on a remote or local computer. This security is layered on top of the Windows operating system
security. By default, only the local computer Administrator account has full control of the WMI services on the
computer that is being managed. Members of the Administrators group have access to remote computers,
but may not have access to all the data. Permissions can be changed by adding a user to the Administrators
group on the managed computer or by authorizing users or groups in WMI and setting their permission level.
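One way to audit the namespace permissions described above, as an added example that is not part of the course material: it reads the security descriptor of a WMI namespace through the `__SystemSecurity` class and lists which trustees hold which rights. The function name `Get-WmiNamespaceAcl` and the `root/cimv2` default are choices made for this example, and an elevated PowerShell session is assumed.

```powershell
# Added example: audit who may connect to a WMI namespace and with which rights.
# WMI namespace access-mask bits and their meaning.
$WmiRights = [ordered]@{
    0x1     = 'EnableAccount'
    0x2     = 'ExecuteMethods'
    0x4     = 'FullWrite'
    0x8     = 'PartialWrite'
    0x10    = 'ProviderWrite'
    0x20    = 'RemoteEnable'
    0x20000 = 'ReadSecurity'
    0x40000 = 'EditSecurity'
}

function Get-WmiNamespaceAcl {   # hypothetical helper name
    param([string]$Namespace = 'root/cimv2', [string]$ComputerName)

    $cim = @{ Namespace = $Namespace; ClassName = '__SystemSecurity'
              MethodName = 'GetSecurityDescriptor' }
    if ($ComputerName) { $cim.ComputerName = $ComputerName }
    $result = Invoke-CimMethod @cim -ErrorAction Stop
    if ($result.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor failed with code $($result.ReturnValue)"
    }
    foreach ($ace in $result.Descriptor.DACL) {
        $mask   = [int64]$ace.AccessMask
        # Decode every right whose bit is set in this ACE's access mask.
        $rights = $WmiRights.GetEnumerator() |
            Where-Object { $mask -band $_.Key } |
            ForEach-Object { $_.Value }
        [pscustomobject]@{
            Namespace = $Namespace
            Trustee   = ('{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name).TrimStart('\')
            Sid       = $ace.Trustee.SIDString
            AceType   = switch ($ace.AceType) { 0 { 'Allow' } 1 { 'Deny' } default { "Type $_" } }
            Inherited = [bool]($ace.AceFlags -band 0x10)   # INHERITED_ACE
            Remote    = [bool]($mask -band 0x20)           # RemoteEnable bit
            Rights    = $rights -join ', '
        }
    }
}

# Allow ACEs granting remote access to anyone other than BUILTIN\Administrators.
Get-WmiNamespaceAcl -Namespace 'root/cimv2' |
    Where-Object { $_.Remote -and $_.AceType -eq 'Allow' -and $_.Sid -ne 'S-1-5-32-544' } |
    Format-Table Trustee, Sid, Inherited, Rights -AutoSize
```

Any trustee this reports holds Remote Enable on the namespace without being in the local Administrators group, which is the kind of delegated WMI permission worth reviewing on a managed computer.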
What information may an attacker obtain with WMI access to the Windows domain controller security
events?
user password