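Note: wmic commands require local administrator or domain administrator rights to work normally. For a standard user to use WMI, you can modify the standard user's ACL, but modifying a user's ACL also requires administrator rights; the author covers this in a separate summary: "Using wmic as a standard user". The commands below were all tested on 2008R2, 2012R2 and 2016. Some commands did not work when tested in a virtual machine, for example the antivirus query.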
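wmic logon list brief #logged-on users
wmic ntdomain list brief #domain controller machines
wmic useraccount list brief #user list
wmic share get name,path #view system shares
wmic service list brief |more #service list
wmic startup list full #identify programs that run at startup, including their paths
wmic fsdir "c:\\test" call delete #delete the test directory on drive C
wmic nteventlog get path,filename,writeable #view the event logs enabled on the system
wmic nicconfig get ipaddress,macaddress #view the IP and MAC addresses of the system's network adapters
wmic qfe get description,installedOn #use wmic to identify the patches installed on the system
wmic product get name,version #view the software installed on the system and its versions; no response after running on 2008R2
wmic useraccount where "name='%UserName%'" call rename newUserName #rename the current user
wmic useraccount where "name='Administrator'" call Rename admin #rename a specified user
wmic bios list full | findstr /i "vmware" #check whether the current system is VMware; adjust the filter to the actual situation
wmic desktop get screensaversecure,screensavertimeout #check whether the current system has screensaver protection and what the timeout is
wmic process where name="vmtoolsd.exe" get executablepath #get the executable path of a specified process
wmic environment where "name='temp'" get UserName,VariableValue #get the temp environment variable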
###Query the antivirus software on the current host
wmic process where "name like '%forti%'" get name
wmic process where name="FortiTray.exe" call terminate
wmic /namespace:\\root\securitycenter2 path antivirusproduct GET displayName,productState,pathToSignedProductExe
wmic /namespace:\\root\securitycenter2 path antispywareproduct GET displayName,productState, pathToSignedProductExe
wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
###
###Query the Windows version, OS bitness and .NET version
wmic os get caption
wmic os get osarchitecture
wmic OS get Caption,CSDVersion,OSArchitecture,Version
wmic product where "Name like 'Microsoft .Net%'" get Name, Version
###
###Query all drive letters on the local machine
wmic logicaldisk list brief
wmic logicaldisk get description,name,size,freespace /value
###
###Uninstall and reinstall programs
wmic product where "name like '%Office%'" get name
wmic product where name="Office" call uninstall
###
### View detailed information about a process (path, command-line arguments, etc.)
wmic process where name="chrome.exe" list full
wmic process where name="frp.exe" get executablepath,name,ProcessId #process path
wmic process where caption="frp.exe" get caption,commandline /value
###
### Change the PATH environment variable value, appending c:\whoami
wmic environment where "name='path' and username='<system>'" set VariableValue="%path%;c:\whoami"
###
### View detailed information about a process, by PID
wmic process list brief
tasklist /SVC | findstr frp.exe
wmic process where ProcessId=3604 get ParentProcessId,commandline,processid,executablepath,name,CreationClassName,CreationDate
###
### Terminate a process
wmic process where name ="xshell.exe" call terminate
ntsd -c q -p <PID of the process>
taskkill /pid <PID>
###
###Get the computer's product number and model information
wmic baseboard get Product,SerialNumber
wmic bios get serialnumber
###
###Installed software
wmic product get name,version
wmic product list brief
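
For monitoring, the state-changing commands on this page (`call terminate`, `call uninstall`, `call rename`, `call delete`, `environment ... set`) and the `SecurityCenter2` query can be told apart from routine inventory queries by their command line. The following is an added example, not part of the original page: the rule labels, function names and sample records are constructed for illustration, and it assumes process-creation records with command lines are already being collected.

```python
import re

# Rules derived from the state-changing and security-product commands on this page.
# Labels are hypothetical names chosen for this example.
RULES = [
    ("security-product-query", r"/namespace:\\\\root\\securitycenter2"),
    ("process-terminate", r"\bprocess\b.*\bcall\s+terminate\b"),
    ("software-uninstall", r"\bproduct\b.*\bcall\s+uninstall\b"),
    ("account-rename", r"\buseraccount\b.*\bcall\s+rename\b"),
    ("directory-delete", r"\bfsdir\b.*\bcall\s+delete\b"),
    ("environment-change", r"\benvironment\b.*\bset\s+variablevalue\b"),
]
COMPILED = [(label, re.compile(rx, re.IGNORECASE)) for label, rx in RULES]
# Matches "wmic" or "wmic.exe" as the image name, with or without a path or quotes.
IS_WMIC = re.compile(r'(?:^|[\\/\s"])wmic(?:\.exe)?(?=["\s]|$)', re.IGNORECASE)


def classify(command_line):
    """Return the labels of every rule that a wmic command line matches."""
    if not IS_WMIC.search(command_line):
        return []
    return [label for label, rx in COMPILED if rx.search(command_line)]


def triage(events):
    """Keep only (user, labels, command_line) for records that match a rule."""
    hits = []
    for user, command_line in events:
        labels = classify(command_line)
        if labels:
            hits.append((user, labels, command_line))
    return hits


# Constructed sample records (user, command line); not taken from any real log.
SAMPLE_EVENTS = [
    ("CORP\\alice", r"wmic os get caption"),
    ("CORP\\bob", r'wmic process where name="FortiTray.exe" call terminate'),
    ("CORP\\bob", r"C:\Windows\System32\wbem\WMIC.exe /Node:localhost "
                  r"/Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"),
    ("CORP\\carol", r'wmic product where name="Office" call uninstall'),
    ("CORP\\carol", r"tasklist /SVC"),
]

if __name__ == "__main__":
    for user, labels, cmd in triage(SAMPLE_EVENTS):
        print(f"{user}: {','.join(labels)}: {cmd}")
```

Read-only queries such as `wmic os get caption` produce no hit, so the output is limited to the commands that change system state or enumerate security products.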