
Say what’s up to PowerShell 5 (Part 21/27)

Today we’re going to talk about how PowerShell exposes information from the hardware and software layers of your computers and servers.

There are basically two standards, two ways to tap into that system information:

  • WMI
  • CIM

WMI is Windows Management Instrumentation and has been around for ages.  The legacy WMI cmdlets (Get-WmiObject and friends) reach remote machines over DCOM and RPC, which means TCP 135 plus a dynamic range of high ports, so it isn’t very firewall friendly.  They are a PowerShell 1.0 and 2.0 thing, are deprecated, and aren’t even present in PowerShell 6 and later, so you really shouldn’t be using them unless you have no choice.  The one nice thing about the WMI cmdlets is that the objects they return are live .NET ManagementObjects: they still carry the class’s methods, so you can call them straight off the object.

CIM is the Common Information Model, the DMTF standard that WMI is Microsoft’s implementation of, and the CIM cmdlets (Get-CimInstance and friends, PowerShell 3.0 and later) are the new way of working with WMI data.  For remote machines they use WS-Man (WinRM) over HTTP on TCP 5985 or HTTPS on TCP 5986, one well-known port instead of DCOM’s range, and that is the preferred way of tapping into system information.  What you get back from the CIM cmdlets isn’t live: the instance is serialised to XML, sent over the network and deserialised on your side into a snapshot that has properties but no callable methods (for those you use Invoke-CimMethod).  The advantage is that it can give you a performance boost, and the architecture isn’t as bulky as DCOM.

Both the WMI and CIM cmdlets read the same underlying data (the WMI repository and providers on the target machine); they are simply two distinct communication methods for tapping into it.
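To make the transport difference concrete, here is an added example (not code from the original post) that runs the same Win32_OperatingSystem query locally, over WS-Man, and over DCOM. The host name is assumed; Test-WSMan is used as the check for whether the target has a WinRM listener before deciding which transport to use.

```powershell
# Added example, not from the original post. Host name below is an assumption.

# Local query: no network transport at all; the CIM cmdlets talk to the WMI
# service on this machine directly, so neither WinRM nor DCOM ports matter here.
Get-CimInstance -ClassName Win32_OperatingSystem |
    Select-Object CSName, Caption, LastBootUpTime

function Get-RemoteOsInfo {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Prefer WS-Man (TCP 5985 / 5986). Test-WSMan throws when no listener
    # answers, which is the only case where we fall back to DCOM (TCP 135 +
    # a dynamic RPC port range, the firewall-unfriendly path).
    $opt = $null
    try {
        $null = Test-WSMan -ComputerName $ComputerName -ErrorAction Stop
    } catch {
        Write-Warning "$ComputerName has no WinRM listener; falling back to DCOM"
        $opt = New-CimSessionOption -Protocol Dcom
    }

    $session = if ($opt) {
        New-CimSession -ComputerName $ComputerName -SessionOption $opt
    } else {
        New-CimSession -ComputerName $ComputerName   # WS-Man is the default
    }

    try {
        Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem |
            Select-Object CSName, Caption, LastBootUpTime,
                          @{ n = 'Transport'; e = { $session.Protocol } }   # WSMAN or DCOM
    } finally {
        # A CIM session holds its connection open until you remove it.
        Remove-CimSession -CimSession $session
    }
}

Get-RemoteOsInfo -ComputerName 'server01'   # assumed host name
```

The Transport column comes from the session object itself, so you can see at a glance which path a given host was reached over; in an environment where WinRM is supposed to be everywhere, a DCOM fallback showing up is worth a look.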

Data is grouped into folder-like structures known as Namespaces.  And inside those folders we have Classes.  Remember from the post on Objects: Classes are just a way to represent data.

So the class is the factory or blueprint for building objects.  It specifies all the actions and features of the object, just like a factory specifies all the actions and properties of a new car.

And then inside the Classes we have Instances which are just live versions of the class.  These are the live objects that were born from that class and all these objects have their own Properties (attributes) and Methods (actions) associated with them.

Exploring the CIM

Let’s use Get-Command to list all the cmdlets in the CimCmdlets module.

gcm -Module CimCmdlets


The most popular are:

  • Get-CimClass
  • Get-CimInstance
  • Get-CimAssociatedInstance

Looking at Get-CimClass

Now you can type Get-CimClass with no arguments to list all the classes in the root\cimv2 namespace.  That is the default and by far the most popular namespace, but you can always point it elsewhere with the -Namespace parameter; type -Namespace and press Tab a few times to cycle through the available namespaces.


Or, if you’re looking for a specific class, you can search by name with a wildcard.

Get-CimClass -ClassName *disk*

Or by a specific property or method.  It doesn’t matter, you can do it all.

Get-CimClass -MethodName *dhcp*

Get-CimInstance is in the hizzzous

So what’s the deal with Get-CimInstance?  It returns the instances of a class; the actual objects, as it were.

Let’s say we want to peek into the data repository that represents our hard drives.

We could type:

Get-CimInstance -ClassName win32_

and keep hitting tab until we find win32_LogicalDisk.

And you can filter the output further with the -Filter parameter.

Get-CimInstance -ClassName win32_LogicalDisk -Filter 'DriveType = 3'

The nice thing about using -Filter rather than piping to Where-Object {$_.DriveType -eq 3} is that the former filters on the server, inside the WMI provider, while the latter filters on the client after every instance has already been returned.

So if you use the -Filter parameter you can dramatically reduce your network traffic because all that unnecessary data never gets sent across the link.

The disadvantage is that -Filter takes WQL (WMI Query Language) syntax, so you write = and <> and LIKE with % wildcards instead of the PowerShell -eq, -ne, -gt operators, and string values have to be single-quoted inside the filter.  That’s not really a big deal when you realize all the advantages you get from CIM:

  • Lightweight
  • Firewall friendly (one WS-Man port instead of DCOM’s dynamic RPC range)
  • Future proof (Microsoft has moved to CIM; Get-WmiObject is deprecated and gone from PowerShell 6 and later)
  • Tab completion (Get-CimInstance -ClassName tab completes class names; Get-WmiObject -Class doesn’t)
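The following is an added example (not from the original post) that puts server-side -Filter and client-side Where-Object side by side on the same fixed-disk query, shows the WQL operators that stand in for PowerShell’s, and ends with the caveat that matters most for a query string: never splice untrusted input into it. The service names used as inputs are constructed for the example.

```powershell
# Added example, not from the original post.

# 1. Server-side filtering: the WMI provider on the target evaluates the WQL
#    and only the matching rows are serialised back to you.
$serverSide = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DriveType = 3"

# 2. Client-side filtering: every Win32_LogicalDisk instance (CD-ROMs, mapped
#    drives, ...) crosses the wire first and is then thrown away locally.
$clientSide = Get-CimInstance -ClassName Win32_LogicalDisk | Where-Object { $_.DriveType -eq 3 }

# Same result set either way (no output means identical); only the volume transferred differs.
Compare-Object -ReferenceObject $serverSide -DifferenceObject $clientSide -Property DeviceID

# 3. WQL operators in place of PowerShell's: =, <>, <, >, <=, >=, LIKE (% and _
#    wildcards), joined with AND / OR / NOT. String values are single-quoted
#    inside the double-quoted PowerShell string, and a literal backslash in a
#    WQL string is written as \\. This one lists auto-start services whose
#    binary lives under a user profile, a quick red flag during triage.
Get-CimInstance -ClassName Win32_Service `
    -Filter "State = 'Running' AND StartMode = 'Auto' AND PathName LIKE '%\\Users\\%'" |
    Select-Object Name, StartName, PathName

# 4. Numeric comparisons take raw numbers; PowerShell expands 20GB before the
#    string is built, so the provider sees 21474836480.
Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DriveType = 3 AND FreeSpace < $(20GB)" |
    Select-Object DeviceID, FreeSpace

# 5. -Property trims columns as well as rows. Key properties (DeviceID here)
#    always come back so the instance stays identifiable.
Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DriveType = 3" -Property FreeSpace, Size |
    Select-Object DeviceID, @{ n = 'FreeGB'; e = { [math]::Round($_.FreeSpace / 1GB, 1) } }

# 6. Caveat: -Filter is a query string. Untrusted input pasted into it is WQL
#    injection, so escape backslashes and single quotes before embedding a value.
function ConvertTo-WqlLiteral {
    param([Parameter(Mandatory)][string]$Value)
    "'" + $Value.Replace('\', '\\').Replace("'", "\'") + "'"
}
$displayName = "O'Brien Agent"   # constructed input containing a quote character
Get-CimInstance -ClassName Win32_Service -Filter ("DisplayName = " + (ConvertTo-WqlLiteral $displayName))
```

Steps 1 and 2 look identical on a laptop; the difference shows when the query runs against a hundred remote hosts, where step 2 moves every CD-ROM and network drive across the link just to discard it.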

Let’s look at CIM associations next.

Get-CimAssociatedInstance, GCAI!

GCAI is pretty cool.  So let’s save our C:\ drive into a variable named $cdrive (filtering on DeviceID rather than DriveType so we get exactly one instance, since Get-CimAssociatedInstance expects a single object) and then use the gcai alias to see which instances are associated with this particular logical disk.

$cdrive = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID = 'C:'"

and then:

gcai $cdrive


And to see what all these properties mean, pipe the whole shebang to Get-Member

gcai $cdrive | gm

or if you want something specific use the -ResultClassName parameter and tab complete the class name.

gcai $cdrive -ResultClassName Win32_DiskPartition | ft -auto

So this particular partition is associated with my C:\ drive.
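Associations can be followed more than one hop. As an added example (not from the original post), this walks from the C: logical disk to its partition and on to the physical drive with Get-CimAssociatedInstance, first listing which classes are associated at all and then narrowing with -ResultClassName at each step.

```powershell
# Added example, not from the original post.

$cdrive = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID = 'C:'"

# Step 1: which classes hang off this instance (names only, de-duplicated).
Get-CimAssociatedInstance -InputObject $cdrive |
    ForEach-Object { $_.CimClass.CimClassName } |
    Sort-Object -Unique

# Step 2: narrow to the partition, then hop again from the partition to the
# physical disk. Each hop is the same cmdlet with a different input object.
$partition = Get-CimAssociatedInstance -InputObject $cdrive    -ResultClassName Win32_DiskPartition
$physical  = Get-CimAssociatedInstance -InputObject $partition -ResultClassName Win32_DiskDrive

# Step 3: flatten the chain into one object, the kind of record you would
# keep in an asset inventory or an incident timeline.
[pscustomobject]@{
    Volume    = $cdrive.DeviceID
    Partition = $partition.Name          # e.g. "Disk #0, Partition #2"
    Bootable  = $partition.BootPartition
    Disk      = $physical.Model
    Serial    = $physical.SerialNumber
    Interface = $physical.InterfaceType
    SizeGB    = [math]::Round($physical.Size / 1GB, 1)
}
```

If you only want one side of a known association, -Association (for example Win32_LogicalDiskToPartition) narrows by the association class instead of the result class; both parameters can be combined.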

You can also control how you want your CIM objects to behave with methods…

Watch this.

Creating CIM actions with methods

So let’s say we want to see what we can do with our Win32_Process Instances.

We can just save it into a variable and then attach .CimClassMethods to it like so:

$processes = Get-CimClass Win32_Process


Remember, when I typed $processes. I just pressed tab to cycle through all the options before I found CimClassMethods.  This is why PowerShell is so awesome because PowerShell helps you learn how to use PowerShell in an intuitive way.


Now that we know the methods we can do some pretty cool stuff

For example, let’s point $processes at something different: the Win32_Process instances that have “dns” somewhere in the name (Get-CimInstance with a LIKE filter does that match on the server).

Then we’ll pipe them to Invoke-CimMethod and use the -MethodName parameter to invoke the GetOwner method.

Bam, now we see the owner of each process – just like that.
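Here is that procedure written out end to end as an added example (not code from the original post): inspect the class’s methods, fetch the matching Win32_Process instances with a server-side LIKE filter, and call GetOwner on each one, handling the two ways the call can fail (a non-zero ReturnValue such as access denied, or the process having exited between the query and the method call).

```powershell
# Added example, not from the original post.

# Inspect the class first: which methods exist and what parameters they take.
$class = Get-CimClass -ClassName Win32_Process
$class.CimClassMethods |
    Select-Object Name, ReturnType, @{ n = 'Parameters'; e = { $_.Parameters.Name -join ', ' } }

# LIKE with % wildcards does the substring match inside the WMI provider.
$procs = Get-CimInstance -ClassName Win32_Process -Filter "Name LIKE '%dns%'"

foreach ($p in $procs) {
    # GetOwner takes no input parameters. Its result carries ReturnValue
    # (0 = success, 2 = access denied, 3 = insufficient privilege) plus the
    # Domain and User out-parameters. If the process is already gone the
    # call errors instead, which -ErrorAction SilentlyContinue turns into $null.
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ProcessId = $p.ProcessId
        Parent    = $p.ParentProcessId
        Name      = $p.Name
        Owner     = if ($owner -and $owner.ReturnValue -eq 0) {
                        '{0}\{1}' -f $owner.Domain, $owner.User
                    } elseif ($owner) {
                        "<rc=$($owner.ReturnValue)>"    # denied or no privilege
                    } else {
                        '<exited>'
                    }
        Command   = $p.CommandLine
    }
}
```

Instance methods like GetOwner are invoked with -InputObject; static methods on the class are invoked with -ClassName instead and take their arguments as a hashtable via -Arguments.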


