EV Reach - WMI Explorer - Using the WMI Query View

Last modified on 2023/07/12 14:02
Contents

With WMIX, EV Reach's WMI Explorer, users can query WMI objects using a query language called WQL. With this language, you can format a query string which defines the information to be returned. This is a very powerful tool as it enables you to fine tune a result set by configuring individual properties to be returned as well as by allowing you to specify conditions. A full definition of WQL is outside the scope of this user guide and we encourage you to review a book on this subject to explore its full potential. This user guide will only highlight its basic functions through a series of examples.

You can review more technical information about the WQL language by clicking on the WQL Reference Weblink in the Information Panel. This reference weblink points, by default, to the Microsoft® WMI Query Language page, however, you can configure this link to point to any web site in the WMIX Options window.

Using the Query WMI View you will be able to:

  • Execute any WQL query string and view the result set
  • Create sophisticated WMI Query strings using the WMI Query Wizard.
  • Generate a Script which executes the configured WMI Query
  • Add Query root objects in the Browser View

Using the Query WMI View you will NOT be able to:

  • Execute Object Tasks
  • Modify Object Properties

Using to the Query WMI View

The WMI Query View

The WMI query view is very straightforward. It includes the query edit field, a Namespace selector, and a Run Query button. Simply enter the query string in the edit field. Make sure that the selected namespace is the one owning the class subject of the query and click on the Run Query button (see Executing WMI Queries).

If you do not know the syntax of a WMI query or the available classes and properties, simply use the WMI Query Wizard to have WMIX generate the query for you.

Adding WMI Query to the Browser View

Once you enter a query string in the edit field, the Add Query to Browser View button gets enabled. This button is located at the top right corner of the Query view. To set the currently entered query as a root object in the Browser view, click on this button. Once a query has been configured as a Browser view root object, it can be modified at any time from within the Browser view (see Modifying the list of Root Objects.)

Generating a Script of a WMI Query

WMIX can automatically generate a WMI Script which executes the currently configured WMI query. The generated script will execute the WMI query and reports on the attributes of the resulting instances.

To generate a WMI Query script:

  1. Enter the desired WMI Query in the Query field
  2. Click on the button

    wmix14.png

See Find out more

Introduction to WQL

If you are already familiar with WQL, you can skip this section and go directly to the next section.

The Microsoft® WMI Query Language (WQL) allows for three types of queries: Data Queries, Schema Queries and Event Queries. Only Data Queries will be covered here. Data queries allow for the retrieval of instances for a particular class or association object. The basic format of a data query is as follows:

Syntax:SELECT * FROM where is the WMI name of the class object (see Namespace & Class view.)The SELECT statement indicates which property of the class you wish to query. Here we specify * which requests all properties of the class to be returned. The FROM statement indicates which class to return the properties from.
Examples:SELECT * FROM Win32_DiskDrive Returns the full set of properties for all instances of the Win32_DiskDrive class.SELECT BytesPerSector,InterfaceType FROM Win32_DiskDrive Returns the bytes per sector and interface type properties for all instances of the Win32_DiskDrive class.Note: Whether or not you specify * or a set of properties to return, the key properties of an object are always returned.

Adding Conditions

You can add conditions to your data queries using the WHERE statement.

Syntax:SELECT * FROM  WHERE PROPERTY=
Examples:SELECT * FROM Win32_Service WHERE Started='False' Returns all services which are not started.Note: Since the Started property is of type BOOLEAN, its value could have been 0 instead of 'FALSE'. The following queries are all equivalent: SELECT * FROM Win32_Service WHERE Started='False' SELECT * FROM Win32_Service WHERE Started=FALSE SELECT * FROM Win32_Service WHERE Started=0 SELECT * FROM Win32_Service WHERE Started='0'SELECT * FROM Win32_Service WHERE Started=0 AND  StartMode="Auto" Returns all services which are not started and have the start mode configured to Automatic.Note: Since the StartMode property is of type STRING, the value must be within single or double quotes.SELECT * FROM Win32_LogicalDisk WHERE Compressed<>TRUE AND FreeSpace<10485760 Returns all disk drives which are not compressed and where the amount of free disk space is less than 10 Megabytes (10485760 bytes).Note: The following boolean operators are available:  =, != , <>SELECT * FROM Win32_LogicalDisk WHERE FileSystem="NTFS" Returns all disk drives which are of type NTFS.

Executing WMI Queries

wmix20.png

To execute a WMI query, type its query string in the edit field of the Query View and click on the Run Query... button. Once the query is complete, the result set is returned in the Instances Panel.

If you execute a well formatted query, it is automatically added to the Recently Executed query list of the Information Panel. The Information Panel keeps track of the last ten well formatted queries which were executed. At any time, you can click on any of the recently executed query links to initialize the view to that query.

To stop the execution of a query, click on the Stop Action button of the main toolbar.

Selecting the query namespace

By default, all queries are executed against the CIMV2 namespace. To select a different namespace, click on the Query in: link of the query view. From the Namespace Selection window, select the desired namespace and click on OK.

Searching for WMI Objects

If you want to construct a WMI query for an object but do not know the exact name of the WMI class, click on the Search WMI... button of the main toolbar. Search for the object you need, select it from the result list and click on OK. This will automatically insert the default query string for the selected object. For more information, see Searching for Objects.

Exporting a WMI Query into a Script

Once you have entered a WMI Query, the Generate Script button will highlight in the ribbon bar:

wmix14.png

Click on it to export the current WMI query into a script.

See Find out more

WMI Query Wizard

WMIX provides a wizard to easily generate sophisticated WMI queries. Using this wizard, you can create complicated WMI queries with no prior knowledge of the WMI Query Language or of the contents within the WMI repository. In addition, the Wizard outputs the WMI query in a format which is compatible with Group Policy Object WMI Filters.  Simply use the WMI Query Wizard to create a query and then copy / paste the output into the GPO WMI Filter field.

Using the WMI Explorer Query Wizard

To start the WMIX Query Wizard, select the Query WMI tab and click on the Use Query Wizard button.

Select the WMI Class for this query

You must first select the WMI Class object that you need to target in the WMI query. You can specify the WMI class object in three ways:

  1. Select the class from the list of pre-defined WMI objects. The list of pre-defined classes is defined by the list of root objects in the browser view (see: Modifying the list of Root Objects).
  2. Search for a WMI Class object. To trigger the search dialog, select Other class... at the bottom of the list of pre-defined WMI objects.

    wmix21.png

  3. Type in the name of the WMI class. You can either enter the name of the class by itself (in which case the currently focused namespace is used) or enter the full class path including the name of the namespace.For instance, the following are valid entries: Win32_ComputerSystem orROOTCIMV2:Win32_ComputerSystem.

Click on Next.

Select the class properties to query

You can choose to return the value of all properties of a class or select one or more specific properties.

wmix22.png

Click on Next.

Configure a WMI Query Filter

A WMI Filter is a set of conditions used against the instances of a WMI Class which defines whether or not an instance should be reported or excluded.

  • If you do not wish to configure a WMI Query Filter, select the No Filteroption and click on Next.
  • To create a WMI Filter, select the Configure a WMI query filter option and click on Next.

If you selected to configure a WMI query filter, the next steps below allow you to specify a boolean logic string based on the class's properties. A boolean logic string is a set of AND / OR conditions. The Query Wizard allows you to add as many conditions as you need, to set the desired boolean operator between them, and to group conditions to implement boolean precedence.

For example, let's define a WMI Filter on the Win32_Service class for the following statement: Query services configured to start automatically in the Stopped state, or, services configured to start manually in the Running state.

Start the Wizard, set the focus on the Win32_Service class and configure the WMI Filter as follows:

wmix23.png

  1. Click on Add a new condition to this group, select the Start Mode property, the = condition and set the Value to Auto. Click on OK.
  2. Click on Add a new condition to this group, select the Start Mode property, the = condition and set the Value to Manual. Click on OK.
  3. Click on Add grouped conditionin the 'Start Mode = Auto' condition, select the State property, the =condition and set the Value toStopped. Click on OK.
  4. Click on Add grouped conditionin the 'Start Mode = Manual' condition, select the State property, the =condition and set the Value toRunning. Click on OK.
  5. Set the boolean operator between the two condition groups to OR.
  • You should end-up with the same boolean graph as the one displayed on the left.
  • If you need to modify a condition, click on the Edit link within it.
  • If you need to remove a condition from a group, click on the Delete link within it.
  • To remove a condition group, remove all conditions within it.

Once you have configured the desired filter, click on Next.

View the Resulting WQL String

The last page of the Wizard displays the resulting WMI Query string. The format of this WMI Query is the same as the one accepted by the Group Policy Objects WMI Filter in that it includes namespace information within it.

  • To transfer the resulting WMI Query String to another application, simply select it and use COPY/PASTE to transfer it.
  • To transfer the resulting WMI Query String to the WMIX Query String field, click on the button

    wmix24.png

    Then click on the Run Query button to test your query. Note: The WMIX Query String field accepts the GPO WMI Filter format. You do not need to remove the namespace information from it.

If the generated WMI Query String needs to be modified, click on the Back button to modify your settings or click on Close to close the Wizard.

Tags:
Powered by XWiki © EasyVista 2022