Several months ago I wrote a post on how to install the wmic command on a Linux system. Some additional steps are now required to get the wmic command on an Ubuntu 16.04 LTS server.
Description
Windows Management Instrumentation Command-line (WMIC) uses Windows Management Instrumentation (WMI) to enable system management from the command line.
Installation
Pre-requisites
$ sudo aptitude install autoconf
$ mkdir -p /data/tools
$ cd /data/tools/
$ wget http://www.openvas.org/download/wmi/wmi-1.3.14.tar.bz2
$ wget http://www.openvas.org/download/wmi/openvas-wmi-1.3.14.patch
$ wget http://www.openvas.org/download/wmi/openvas-wmi-1.3.14.patch2
$ wget http://www.openvas.org/download/wmi/openvas-wmi-1.3.14.patch3v2
$ wget http://www.openvas.org/download/wmi/openvas-wmi-1.3.14.patch4
$ wget http://www.openvas.org/download/wmi/openvas-wmi-1.3.14.patch5
$ bzip2 -cd wmi-1.3.14.tar.bz2 | tar xf -
$ cd wmi-1.3.14/
Patch
$ patch -p1 < /data/tools/openvas-wmi-1.3.14.patch
$ patch -p1 < /data/tools/openvas-wmi-1.3.14.patch2
$ patch -p1 < /data/tools/openvas-wmi-1.3.14.patch3v2
$ patch -p1 < /data/tools/openvas-wmi-1.3.14.patch4
$ patch -p1 < /data/tools/openvas-wmi-1.3.14.patch5
The current sources are outdated and use some deprecated instructions. Before running the compilation, please follow these steps:
- Edit the file GNUmakefile and add the following line at the top after the license info:
  ZENHOME=$(HOME)
- Edit the file /data/tools/wmi-1.3.14/Samba/source/pidl/pidl : remove the line number 583
  defined @$pidl || die "Failed to parse $idl_file";
- Edit the file /data/tools/wmi-1.3.14/Samba/source/lib/tls/tls.c
  - Line 508: replace gnutls_transport_set_lowat(tls->session, 0); by gnutls_record_check_pending(tls->session);
  - Line 579: remove the line gnutls_certificate_type_set_priority(tls->session, cert_type_priority);
  - Line 587: replace gnutls_transport_set_lowat(tls->session, 0); by gnutls_record_check_pending(tls->session);
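The pidl and tls.c edits above address lines by number, so on a tree that differs (for example when one of the patches did not apply) they would change the wrong line without any error. As an added example, not part of the original post, the script below checks that every numbered line contains the text named above before changing anything, and edits tls.c bottom-up so that deleting line 579 does not shift the other two. The function names are hypothetical, and the GNUmakefile edit is left out because the post gives no line number for it.

```shell
# Added example: guarded form of the line-numbered edits listed in the post.

# line_has FILE LINENO TEXT: true if that line contains the fixed string TEXT
line_has() {
    sed -n "${2}p" "$1" | grep -qF -- "$3"
}

# delete_line FILE LINENO: remove one line, keeping the file's permissions
delete_line() {
    sed "${2}d" "$1" > "$1.new" && cat "$1.new" > "$1" && rm -f "$1.new"
}

# replace_in_line FILE LINENO OLD NEW: swap fixed string OLD for NEW on one line
replace_in_line() {
    awk -v n="$2" -v old="$3" -v repl="$4" '
        NR == n && (i = index($0, old)) {
            $0 = substr($0, 1, i - 1) repl substr($0, i + length(old)) }
        { print }' "$1" > "$1.new" && cat "$1.new" > "$1" && rm -f "$1.new"
}

# apply_wmi_fixes SRC: SRC is the unpacked and patched wmi-1.3.14 directory
apply_wmi_fixes() {
    pidl="$1/Samba/source/pidl/pidl"
    tls="$1/Samba/source/lib/tls/tls.c"
    lowat='gnutls_transport_set_lowat(tls->session, 0);'
    pending='gnutls_record_check_pending(tls->session);'
    prio='gnutls_certificate_type_set_priority(tls->session, cert_type_priority);'

    # Check every target line first, so a mismatching tree is left untouched.
    line_has "$pidl" 583 'defined @$pidl || die' &&
    line_has "$tls" 508 "$lowat" &&
    line_has "$tls" 579 "$prio" &&
    line_has "$tls" 587 "$lowat" || {
        echo "source does not match the expected lines; nothing changed" >&2
        return 1
    }

    # tls.c is edited bottom-up: deleting line 579 first would move 587 to 586.
    delete_line "$pidl" 583 &&
    replace_in_line "$tls" 587 "$lowat" "$pending" &&
    delete_line "$tls" 579 &&
    replace_in_line "$tls" 508 "$lowat" "$pending"
}
```

Run it as `apply_wmi_fixes /data/tools/wmi-1.3.14` after the patch step; a second run refuses to edit because the lines no longer match.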
Compilation
$ sudo make "CPP=gcc -E -ffreestanding"
$ sudo cp Samba/source/bin/wmic /usr/local/bin/
Usage
Usage: wmic -U user%password //host "query"
Options
  -?, --help                                 Show this help message
  -A, --authentication-file=FILE             Get the credentials from a file
  --delimiter=STRING                         delimiter to use when querying multiple values, default to '|'
  -d, --debuglevel=DEBUGLEVEL                Set debug level
  --debug-stderr                             Send debug output to STDERR
  -i, --scope=SCOPE                          Use this Netbios scope
  -k, --kerberos=STRING                      Use Kerberos
  -l, --log-basename=LOGFILEBASE             Basename for log/debug files
  --leak-report                              enable full talloc leak reporting on exit
  --leak-report-full                         enable talloc leak reporting on exit
  -m, --maxprotocol=MAXPROTOCOL              Set max protocol level
  --namespace=STRING                         WMI namespace, default to root\cimv2
  -N, --no-pass                              Don't ask for a password
  -n, --netbiosname=NETBIOSNAME              Primary netbios name
  --option=name=value                        Set smb.conf option from command line
  -O, --socket-options=SOCKETOPTIONS         socket options to use
  --password=STRING                          Password
  -P, --machine-pass                         Use stored machine account password (implies -k)
  --realm=REALM                              Set the realm name
  -R, --name-resolve=NAME-RESOLVE-ORDER      Use these name resolution services only
  --simple-bind-dn=STRING                    DN to use for a simple bind
  -S, --signing=on|off|required              Set the client signing state
  -s, --configfile=CONFIGFILE                Use alternative configuration file
  --usage                                    Display brief usage message
  --use-security-mechanisms=STRING           Restricted list of authentication mechanisms available for use with this authentication
  -U, --user=[DOMAIN\]USERNAME[%PASSWORD]    Set the network username
  -V, --version                              Print version
  -W, --workgroup=WORKGROUP                  Set the workgroup name
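The -A, --authentication-file=FILE option keeps the password out of the command line, where `-U user%password` exposes it to the process list and shell history. Added example, not from the original post: a wrapper that only accepts a credentials file that is owned by the caller and closed to group and world. The "key = value" file layout is Samba's credentials-file format and is assumed to apply to this wmic build; auth_file_ok and wmic_query are hypothetical names.

```shell
# Added example, not from the original post.
WMIC=${WMIC:-/usr/local/bin/wmic}    # where the Compilation step copied the binary

# Credentials file layout (assumed: Samba's "key = value" format), e.g.
#   username = unknown
#   password = <password>
#   domain   = WORKGROUP

# auth_file_ok FILE: true only for a regular file, owned by the caller,
# with mode 600 or 400 (no group or world access).
auth_file_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || { echo "$1: not a regular file" >&2; return 1; }
    [ "$(stat -c '%u' "$1")" = "$(id -u)" ] || { echo "$1: not owned by caller" >&2; return 1; }
    case "$(stat -c '%a' "$1")" in
        600|400) return 0 ;;
        *) echo "$1: mode must be 600 or 400" >&2; return 1 ;;
    esac
}

# wmic_query AUTHFILE HOST QUERY: run a WQL query with no password in argv
wmic_query() {
    auth_file_ok "$1" || return 1
    "$WMIC" -A "$1" "//$2" "$3"
}
```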
Examples
Note: For a complete list of classes you can request, please refer to http://msdn.microsoft.com/en-us/library/aa394554(v=vs.85).aspx
Get system information
$ wmic -U unknown //192.168.1.12 "select * from Win32_ComputerSystem"
Password for [WORKGROUP\unknown]:
CLASS: Win32_ComputerSystem
AdminPasswordStatus|AutomaticResetBootOption|AutomaticResetCapability|BootOptionOnLimit|BootOptionOnWatchDog|BootROMSupported|
BootupState|Caption|ChassisBootupState|CreationClassName|CurrentTimeZone|DaylightInEffect|Description|Domain|DomainRole|
EnableDaylightSavingsTime|FrontPanelResetStatus|InfraredSupported|InitialLoadInfo|InstallDate|KeyboardPasswordStatus|LastLoadInfo|
Manufacturer|Model|Name|NameFormat|NetworkServerModeEnabled|NumberOfLogicalProcessors|NumberOfProcessors|OEMLogoBitmap|OEMStringArray|
PartOfDomain|PauseAfterReset|PowerManagementCapabilities|PowerManagementSupported|PowerOnPasswordStatus|PowerState|PowerSupplyState|
PrimaryOwnerContact|PrimaryOwnerName|ResetCapability|ResetCount|ResetLimit|Roles|Status|SupportContactDescription|SystemStartupDelay|
SystemStartupOptions|SystemStartupSetting|SystemType|ThermalState|TotalPhysicalMemory|UserName|WakeUpType|Workgroup
3|True|True|0|0|True|Normal boot|UNKNOWN-7C76953|3|Win32_ComputerSystem|120|True|AT/AT COMPATIBLE|WORKGROUP|0|True|3|False|NULL|(null)|
3|(null)|innotek GmbH|VirtualBox|UNKNOWN-7C76953|(null)|True|1|1|NULL|(vboxVer_4.2.12,vboxRev_84980)|False|-1|NULL|False|3|0|3|(null)|
Unknown|1|-1|-1|(LM_Workstation,LM_Server,NT,Potential_Browser)|OK|NULL|30|("Microsoft Windows XP Professionnel" /noexecute=optin /fastdetect)|
0|X86-based PC|3|1073201152|UNKNOWN-7C76953\unknown|6|(null)
Get list of running processes
$ wmic -U unknown%oopsoops //192.168.1.12 "select caption, name, parentprocessid, processid from win32_process"
CLASS: Win32_Process
Caption|Handle|Name|ParentProcessId|ProcessId
System Idle Process|0|System Idle Process|0|0
System|4|System|0|4
smss.exe|460|smss.exe|4|460
csrss.exe|924|csrss.exe|460|924
winlogon.exe|948|winlogon.exe|460|948
services.exe|992|services.exe|948|992
lsass.exe|1004|lsass.exe|948|1004
VBoxService.exe|1168|VBoxService.exe|992|1168
svchost.exe|1220|svchost.exe|992|1220
svchost.exe|1332|svchost.exe|992|1332
MsMpEng.exe|1576|MsMpEng.exe|992|1576
svchost.exe|1616|svchost.exe|992|1616
svchost.exe|1712|svchost.exe|992|1712
svchost.exe|1940|svchost.exe|992|1940
spoolsv.exe|244|spoolsv.exe|992|244
explorer.exe|916|explorer.exe|788|916
VBoxTray.exe|1288|VBoxTray.exe|916|1288
concentr.exe|1388|concentr.exe|916|1388
msseces.exe|1400|msseces.exe|916|1400
ctfmon.exe|1424|ctfmon.exe|916|1424
wfcrun32.exe|1472|wfcrun32.exe|1220|1472
svchost.exe|1812|svchost.exe|992|1812
dsNcService.exe|1908|dsNcService.exe|992|1908
jqs.exe|280|jqs.exe|992|280
TeamViewer_Service.exe|780|TeamViewer_Service.exe|992|780
alg.exe|3556|alg.exe|992|3556
wmiapsrv.exe|532|wmiapsrv.exe|992|532
wscntfy.exe|1640|wscntfy.exe|1616|1640
wmiprvse.exe|4000|wmiprvse.exe|1220|4000
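The header of this output contains a Handle column the query did not ask for, so a script that consumes the listing should locate columns by name rather than by position. Added example, not from the original post: an awk parser that resolves each process's parent name and lists svchost.exe instances whose parent is not services.exe, which is the parent of every svchost.exe in the listing above. The sample input reuses rows from that listing plus one constructed row (PID 2222); the function names are hypothetical.

```shell
# Added example, not from the original post.

# proc_parents: read wmic Win32_Process output on stdin and print
# "pid|name|parent pid|parent name", locating columns by header name.
proc_parents() {
    awk -F'|' '
        NF < 2 { next }                  # skips the CLASS line and any password prompt
        !seen_header { for (i = 1; i <= NF; i++) col[tolower($i)] = i
                       seen_header = 1; next }
        { pid = $(col["processid"]); order[++n] = pid
          pname[pid] = $(col["name"]); ppid[pid] = $(col["parentprocessid"]) }
        END { for (k = 1; k <= n; k++) { p = order[k]
                  parent = (ppid[p] in pname) ? pname[ppid[p]] : "<exited>"
                  print p "|" pname[p] "|" ppid[p] "|" parent } }'
}

# svchost_outliers: print "pid|parent name" for svchost.exe not started by services.exe
svchost_outliers() {
    proc_parents | awk -F'|' \
        'tolower($2) == "svchost.exe" && tolower($4) != "services.exe" { print $1 "|" $4 }'
}

# sample_output: rows from the listing above, plus one constructed row (PID 2222)
sample_output() {
    cat <<'EOF'
CLASS: Win32_Process
Caption|Handle|Name|ParentProcessId|ProcessId
System Idle Process|0|System Idle Process|0|0
System|4|System|0|4
smss.exe|460|smss.exe|4|460
winlogon.exe|948|winlogon.exe|460|948
services.exe|992|services.exe|948|992
svchost.exe|1220|svchost.exe|992|1220
explorer.exe|916|explorer.exe|788|916
wmiprvse.exe|4000|wmiprvse.exe|1220|4000
svchost.exe|2222|svchost.exe|916|2222
EOF
}
```

A parent shown as `<exited>` only means the parent PID is absent from the listing, as with explorer.exe (parent 788) above.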
hello,
I installed wmic according to your descriptions. My problem is that when I run the command below with quotation marks in RecordNumber, it does not run correctly and generates an error code ([wmi/wmic.c:212:main()] ERROR: Retrieve result data.NTSTATUS: NT code 0xc002001b – NT code 0xc002001b), but without the quotation marks it runs correctly.
/usr/local/bin/wmic -U domain/user%password //host "select * from Win32_NTLogEvent where Logfile = 'Security' and RecordNumber > '216665699'"
What is the reason?!
Thanks
Hello,
You can troubleshoot the issue by performing these three steps:
- Connect locally on the Windows host and run the following command in a PowerShell window (admin mode): get-wmiobject -query "select * from Win32_NTLogEvent where Logfile = 'Security' and RecordNumber > '216665699'"
- Connect on another Windows host and try the same with the command: get-wmiobject -query "select * from Win32_NTLogEvent where Logfile = 'Security' and RecordNumber > '216665699'" -computername host
- On your Linux box, try again with the command: /usr/local/bin/wmic -U domain/user%password //host "select * from Win32_NTLogEvent where Logfile = 'Security' and RecordNumber > '216665699'"
On the Linux box, try different commands: use the IP address, change the username (admin, non admin, local, …)
Waiting for your feedback
Have a nice day
Nico
For host machine how to use Wmic?
Please give example
Hello Ronil,
On host machine linux, wmic can be used as shown in my following post : https://www.shellandco.net/wmic-command-ubuntu-16-04-lts/
Command example:
/usr/bin/wmic -Udomain.local/myusername%mypassword //10.11.12.13 "select PercentFreeSpace from Win32_PerfFormattedData_PerfDisk_LogicalDisk where name='C:'" --delimiter=';'
Cheers,
Nico
Hi Nicolas,
Thanks so much for the steps, It works in my environment.
However, I got an error like this when I tried to query the __systemclass in one of my namespaces:
wmic -U XXXX --password=XXXX --namespace=ROOT\\Citrix //192.168.1.217 "select * from __systemclass"
[wmi/wmic.c:212:main()] ERROR: Retrieve result data.
NTSTATUS: NT_STATUS_BUFFER_TOO_SMALL – Buffer too small
Is there a config parameter I can set to max the buffer?
Thanks,
George
This is a great article, worked perfectly for me.
You can edit the pidl and tls.c files with the following commands:
sudo sed -i '13i\ZENHOME=$(HOME)' /data/tools/wmi-1.3.14/GNUmakefile
sudo sed -i '583d' /data/tools/wmi-1.3.14/Samba/source/pidl/pidl
sudo sed -i '508s/gnutls_transport_set_lowat(tls->session, 0);/gnutls_record_check_pending(tls->session);/' /data/tools/wmi-1.3.14/Samba/source/lib/tls/tls.c
sudo sed -i '587s/gnutls_transport_set_lowat(tls->session, 0);/gnutls_record_check_pending(tls->session);/' /data/tools/wmi-1.3.14/Samba/source/lib/tls/tls.c
sudo sed -i '579d' /data/tools/wmi-1.3.14/Samba/source/lib/tls/tls.c
It will make the installation easier and even lets you create a bash script to configure wmi :)
regards,
Julian Gomez
Samana Group LLC
Hello,
doesn’t work for me 🙁
I have this error :
heimdal/lib/roken/getprogname.c:36:7: error: expected declaration specifiers or ‘...’ before string constant
RCSID("$Id: getprogname.c,v 1.3 2005/04/12 11:28:48 lha Exp $");
Any idea ?
Help me please!!
How to check active user on host?
Hello Vok. What do you mean ? Can you provide more details?
I am trying to get the active user on a Windows computer via
username=( $(wmic -U domain/login%password //$host "select LastUseTime, LocalPath from Win32_UserProfile where Loaded=true" | grep Users | sed 's/^\(.*\)\..*\\\(.*\)|.*$/\1 \2/' | sort -r | head -n 1 | cut -f2 -d' ' | sed 's/\.DOMAIN*//' | tr "A-Z" "a-z"))
I receive the username, which is OK.
But the user may be in an inactive state.
Hi, if you have access to the Windows host, can you execute this PowerShell line and give the result? Get-wmiobject -query "select lastusetime,loaded,localpath from win32_userprofile"
It is also important to know that your query will return username of current “disconnected” user session
wmic on Ubuntu Linux works correctly against a "Windows Server 2012 R2 Standard" system.
For example:
wmic //system-name -U domain/account%password "select caption from win32_computersystem"
CLASS: Win32_ComputerSystem
Caption|Name
SYSTEM-NAME|SYSTEM-NAME
After the installation of KB5014741 on the "Windows Server 2012 R2 Standard",
wmic on Ubuntu gives an "Access denied":
wmic //system-name -U domain/account%password "select caption from win32_computersystem"
[wmi/wmic.c:196:main()] ERROR: Login to remote object.
NTSTATUS: NT_STATUS_ACCESS_DENIED – Access denied
The wmic from a Windows 10 system still works against that "Windows Server 2012 R2 Standard".
Is the wmic protocol changed in the KB5014741 security update?