WMIC command on Ubuntu 16.04 LTS

I have written several months ago a post on how to install the wmic command on a linux system. Some additional steps are required now to get the wmic command on an Ubuntu 16.04 LTS server.

Description

Windows Management Instrumentation Command-line (WMIC) uses Windows Management Instrumentation (WMI) to enable system management from the command line.

Installation
Pre-requisites
$ sudo aptitude install autoconf
$ mkdir -p /data/tools
$ cd /data/tools/
$ wget http://www.openvas.org/download/wmi/wmi-1.3.14.tar.bz2
$ wget http://www.openvas.org/download/wmi/openvas-wmi-1.3.14.patch
$ wget http://www.openvas.org/download/wmi/openvas-wmi-1.3.14.patch2
$ wget http://www.openvas.org/download/wmi/openvas-wmi-1.3.14.patch3v2
$ wget http://www.openvas.org/download/wmi/openvas-wmi-1.3.14.patch4
$ wget http://www.openvas.org/download/wmi/openvas-wmi-1.3.14.patch5
$ bzip2 -cd wmi-1.3.14.tar.bz2 | tar xf -
$ cd wmi-1.3.14/
Patch
$ patch -p1 < /data/tools/openvas-wmi-1.3.14.patch
$ patch -p1 < /data/tools/openvas-wmi-1.3.14.patch2
$ patch -p1 < /data/tools/openvas-wmi-1.3.14.patch3v2
$ patch -p1 < /data/tools/openvas-wmi-1.3.14.patch4
$ patch -p1 < /data/tools/openvas-wmi-1.3.14.patch5

The current sources are outdated and use some deprecated instructions. Before running the compilation, please follow these steps:

  • Edit the file GNUmakefile and add the following line at the top after the license info:
    ZENHOME=$(HOME)
  • Edit the file /data/tools/wmi-1.3.14/Samba/source/pidl/pidl : remove the line number 583
    defined @$pidl || die "Failed to parse $idl_file";
  • Edit the file /data/tools/wmi-1.3.14/Samba/source/lib/tls/tls.c
    • Line 508: replace gnutls_transport_set_lowat(tls->session, 0); by gnutls_record_check_pending(tls->session);
    • Line 579: remove the line gnutls_certificate_type_set_priority(tls->session, cert_type_priority);
    • Line 587: replace gnutls_transport_set_lowat(tls->session, 0); by gnutls_record_check_pending(tls->session);
Compilation
$ sudo make "CPP=gcc -E -ffreestanding"
$ sudo cp Samba/source/bin/wmic /usr/local/bin/
Usage
Usage: wmic -U user%password //host "query"
Options
-?, --help
Show this help message
-A, --authentication-file=FILE
Get the credentials from a file
--delimiter=STRING
delimiter to use when querying multiple values, default to '|'
-d, --debuglevel=DEBUGLEVEL
Set debug level
--debug-stderr
Send debug output to STDERR
-i, --scope=SCOPE
Use this Netbios scope
-k, --kerberos=STRING
Use Kerberos
-l, --log-basename=LOGFILEBASE
Basename for log/debug files
--leak-report
enable full talloc leak reporting on exit
--leak-report-full
enable talloc leak reporting on exit
-m, --maxprotocol=MAXPROTOCOL
Set max protocol level
--namespace=STRING
WMI namespace, default to root\cimv2
-N, --no-pass
Don't ask for a password
-n, --netbiosname=NETBIOSNAME
Primary netbios name
--option=name=value
Set smb.conf option from command line
-O, --socket-options=SOCKETOPTIONS
socket options to use
--password=STRING
Password
-P, --machine-pass
Use stored machine account password (implies -k)
--realm=REALM
Set the realm name
-R, --name-resolve=NAME-RESOLVE-ORDER
Use these name resolution services only
--simple-bind-dn=STRING
DN to use for a simple bind
-S, --signing=on|off|required
Set the client signing state
-s, --configfile=CONFIGFILE
Use alternative configuration file
--usage
Display brief usage message
--use-security-mechanisms=STRING
Restricted list of authentication mechanisms available for use with this authentication
-U, --user=[DOMAIN\]USERNAME[%PASSWORD]
Set the network username
-V, --version
Print version
-W, --workgroup=WORKGROUP
Set the workgroup name
Examples

Note: For a complete list of classes you can request, please refer to http://msdn.microsoft.com/en-us/library/aa394554(v=vs.85).aspx

Get system information
$ wmic -U unknown //192.168.1.12 "select * from Win32_ComputerSystem"
Password for [WORKGROUP\unknown]:
CLASS: Win32_ComputerSystem
AdminPasswordStatus|AutomaticResetBootOption|AutomaticResetCapability|BootOptionOnLimit|BootOptionOnWatchDog|BootROMSupported|
BootupState|Caption|ChassisBootupState|CreationClassName|CurrentTimeZone|DaylightInEffect|Description|Domain|DomainRole|
EnableDaylightSavingsTime|FrontPanelResetStatus|InfraredSupported|InitialLoadInfo|InstallDate|KeyboardPasswordStatus|LastLoadInfo|
Manufacturer|Model|Name|NameFormat|NetworkServerModeEnabled|NumberOfLogicalProcessors|NumberOfProcessors|OEMLogoBitmap|OEMStringArray|
PartOfDomain|PauseAfterReset|PowerManagementCapabilities|PowerManagementSupported|PowerOnPasswordStatus|PowerState|PowerSupplyState|
PrimaryOwnerContact|PrimaryOwnerName|ResetCapability|ResetCount|ResetLimit|Roles|Status|SupportContactDescription|SystemStartupDelay|
SystemStartupOptions|SystemStartupSetting|SystemType|ThermalState|TotalPhysicalMemory|UserName|WakeUpType|Workgroup
3|True|True|0|0|True|Normal boot|UNKNOWN-7C76953|3|Win32_ComputerSystem|120|True|AT/AT COMPATIBLE|WORKGROUP|0|True|3|False|NULL|(null)|
3|(null)|innotek GmbH|VirtualBox|UNKNOWN-7C76953|(null)|True|1|1|NULL|(vboxVer_4.2.12,vboxRev_84980)|False|-1|NULL|False|3|0|3|(null)|
Unknown|1|-1|-1|(LM_Workstation,LM_Server,NT,Potential_Browser)|OK|NULL|30|("Microsoft Windows XP Professionnel" /noexecute=optin /fastdetect)|
0|X86-based PC|3|1073201152|UNKNOWN-7C76953\unknown|6|(null)
Get list of running processes
$ wmic -U unknown%oopsoops //192.168.1.12 "select caption, name, parentprocessid, processid from win32_process"
CLASS: Win32_Process
Caption|Handle|Name|ParentProcessId|ProcessId
System Idle Process|0|System Idle Process|0|0
System|4|System|0|4
smss.exe|460|smss.exe|4|460
csrss.exe|924|csrss.exe|460|924
winlogon.exe|948|winlogon.exe|460|948
services.exe|992|services.exe|948|992
lsass.exe|1004|lsass.exe|948|1004
VBoxService.exe|1168|VBoxService.exe|992|1168
svchost.exe|1220|svchost.exe|992|1220
svchost.exe|1332|svchost.exe|992|1332
MsMpEng.exe|1576|MsMpEng.exe|992|1576
svchost.exe|1616|svchost.exe|992|1616
svchost.exe|1712|svchost.exe|992|1712
svchost.exe|1940|svchost.exe|992|1940
spoolsv.exe|244|spoolsv.exe|992|244
explorer.exe|916|explorer.exe|788|916
VBoxTray.exe|1288|VBoxTray.exe|916|1288
concentr.exe|1388|concentr.exe|916|1388
msseces.exe|1400|msseces.exe|916|1400
ctfmon.exe|1424|ctfmon.exe|916|1424
wfcrun32.exe|1472|wfcrun32.exe|1220|1472
svchost.exe|1812|svchost.exe|992|1812
dsNcService.exe|1908|dsNcService.exe|992|1908
jqs.exe|280|jqs.exe|992|280
TeamViewer_Service.exe|780|TeamViewer_Service.exe|992|780
alg.exe|3556|alg.exe|992|3556
wmiapsrv.exe|532|wmiapsrv.exe|992|532
wscntfy.exe|1640|wscntfy.exe|1616|1640
wmiprvse.exe|4000|wmiprvse.exe|1220|4000
<>

References

Source 1
Source 2
Source 3

WMIC command on Ubuntu 16.04 LTS

24 thoughts on “WMIC command on Ubuntu 16.04 LTS

  • June 30, 2018 at 5:40 am
    Permalink

    hello,
    I installed wmic according to your descriptions. My problem is that when I run below command with quotation in RecordNumber it does not run correctly and generate error code ([wmi/wmic.c:212:main()] ERROR: Retrieve result data.NTSTATUS: NT code 0xc002001b – NT code 0xc002001b) but without quotation it run correctly.
    /usr/local/bin/wmic -U domain/user%password //host “select * from Win32_NTLogEvent where Logfile = ‘Security’ and RecordNumber > ‘216665699’”
    What is the reason?!
    Thanks

    Reply
    • July 3, 2018 at 8:22 am
      Permalink

      Hello,

      You can troubleshoot the issue by performing these three steps:
      – connect locally on the windows host and run the following command in a Powershell window (admin mode) : get-wmiobject -query “select * from Win32_NTLogEvent where Logfile = ‘Security’ and RecordNumber > ‘216665699’”
      – connect on another windows host and try the same with the command : get-wmiobject -query “select * from Win32_NTLogEvent where Logfile = ‘Security’ and RecordNumber > ‘216665699’” -computername host
      – on your linux box, try again with the command : /usr/local/bin/wmic -U domain/user%password //host “select * from Win32_NTLogEvent where Logfile = ‘Security’ and RecordNumber > ‘216665699’”

      On the linux box, try different commands : use ip address, change the username (admin, non admin, local, …)

      Waiting for your feedback

      Have a nice day

      Nico

      Reply
  • June 30, 2018 at 5:40 am
    Permalink

    hello,
    I installed wmic according to your descriptions. My problem is that when I run below command with quotation in RecordNumber it does not run correctly and generate error code ([wmi/wmic.c:212:main()] ERROR: Retrieve result data.NTSTATUS: NT code 0xc002001b – NT code 0xc002001b) but without quotation it run correctly.
    /usr/local/bin/wmic -U domain/user%password //host “select * from Win32_NTLogEvent where Logfile = ‘Security’ and RecordNumber > ‘216665699’”
    What is the reason?!
    Thanks

    Reply
    • July 3, 2018 at 8:22 am
      Permalink

      Hello,

      You can troubleshoot the issue by performing these three steps:
      – connect locally on the windows host and run the following command in a Powershell window (admin mode) : get-wmiobject -query “select * from Win32_NTLogEvent where Logfile = ‘Security’ and RecordNumber > ‘216665699’”
      – connect on another windows host and try the same with the command : get-wmiobject -query “select * from Win32_NTLogEvent where Logfile = ‘Security’ and RecordNumber > ‘216665699’” -computername host
      – on your linux box, try again with the command : /usr/local/bin/wmic -U domain/user%password //host “select * from Win32_NTLogEvent where Logfile = ‘Security’ and RecordNumber > ‘216665699’”

      On the linux box, try different commands : use ip address, change the username (admin, non admin, local, …)

      Waiting for your feedback

      Have a nice day

      Nico

      Reply
  • July 4, 2018 at 8:00 am
    Permalink

    For host machine how to use Wmic?
    Please give example

    Reply
  • July 4, 2018 at 8:00 am
    Permalink

    For host machine how to use Wmic?
    Please give example

    Reply
  • September 26, 2018 at 8:11 pm
    Permalink

    Hi Nicolas,
    Thanks so much for the steps, It works in my environment.
    But however I got error like this when I tried to quer ythe __systemclass in one of my namespace
    wmic -U XXXX –password=XXXX –namespace=ROOT\\Citrix //192.168.1.217 “select * from __systemclass”
    [wmi/wmic.c:212:main()] ERROR: Retrieve result data.
    NTSTATUS: NT_STATUS_BUFFER_TOO_SMALL – Buffer too small

    Is there a config parameter I can set tp max the buffer?

    Thanks,
    George

    Reply
  • September 26, 2018 at 8:11 pm
    Permalink

    Hi Nicolas,
    Thanks so much for the steps, It works in my environment.
    But however I got error like this when I tried to quer ythe __systemclass in one of my namespace
    wmic -U XXXX –password=XXXX –namespace=ROOT\\Citrix //192.168.1.217 “select * from __systemclass”
    [wmi/wmic.c:212:main()] ERROR: Retrieve result data.
    NTSTATUS: NT_STATUS_BUFFER_TOO_SMALL – Buffer too small

    Is there a config parameter I can set tp max the buffer?

    Thanks,
    George

    Reply
  • October 2, 2018 at 7:56 pm
    Permalink

    This is a great article, worked perfectly for me.

    You can edit the pidl and tls.c files with the following commands:

    sudo sed -i ’13i\ZENHOME=$(HOME)’ /data/tools/wmi-1.3.14/GNUmakefile
    sudo sed -i ‘583d’ /data/tools/wmi-1.3.14/Samba/source/pidl/pidl
    sudo sed -i ‘508s/gnutls_transport_set_lowat(tls->session, 0);/gnutls_record_check_pending(tls->session);/’ /data/tools/wmi-1.3.14/Samba/source/lib/tls/tls.c
    sudo sed -i ‘587s/gnutls_transport_set_lowat(tls->session, 0);/gnutls_record_check_pending(tls->session);/’ /data/tools/wmi-1.3.14/Samba/source/lib/tls/tls.c
    sudo sed -i ‘579d’ /data/tools/wmi-1.3.14/Samba/source/lib/tls/tls.c

    it will make easier the installation and even let you create a bash script to configure wmi : )

    regards,

    Julian Gomez
    Samana Group LLC

    Reply
  • October 2, 2018 at 7:56 pm
    Permalink

    This is a great article, worked perfectly for me.

    You can edit the pidl and tls.c files with the following commands:

    sudo sed -i ’13i\ZENHOME=$(HOME)’ /data/tools/wmi-1.3.14/GNUmakefile
    sudo sed -i ‘583d’ /data/tools/wmi-1.3.14/Samba/source/pidl/pidl
    sudo sed -i ‘508s/gnutls_transport_set_lowat(tls->session, 0);/gnutls_record_check_pending(tls->session);/’ /data/tools/wmi-1.3.14/Samba/source/lib/tls/tls.c
    sudo sed -i ‘587s/gnutls_transport_set_lowat(tls->session, 0);/gnutls_record_check_pending(tls->session);/’ /data/tools/wmi-1.3.14/Samba/source/lib/tls/tls.c
    sudo sed -i ‘579d’ /data/tools/wmi-1.3.14/Samba/source/lib/tls/tls.c

    it will make easier the installation and even let you create a bash script to configure wmi : )

    regards,

    Julian Gomez
    Samana Group LLC

    Reply
  • November 24, 2018 at 8:12 pm
    Permalink

    Hello,

    doesn’t work for me 🙁
    I have this error :
    heimdal/lib/roken/getprogname.c:36:7: error: expected declaration specifiers or ‘…’ before string constant
    RCSID(“$Id: getprogname.c,v 1.3 2005/04/12 11:28:48 lha Exp $”);

    Any idea ?

    Reply
  • November 24, 2018 at 8:12 pm
    Permalink

    Hello,

    doesn’t work for me 🙁
    I have this error :
    heimdal/lib/roken/getprogname.c:36:7: error: expected declaration specifiers or ‘…’ before string constant
    RCSID(“$Id: getprogname.c,v 1.3 2005/04/12 11:28:48 lha Exp $”);

    Any idea ?

    Reply
  • September 20, 2019 at 1:30 am
    Permalink

    Help me please!!
    How to check active user on host?

    Reply
      • September 20, 2019 at 8:31 am
        Permalink

        I try get active user on windows computer via
        username=( $(wmic -U domain/login%password //$host « select LastUseTime, LocalPath from Win32_UserProfile where Loaded=true » | grep Users | sed ‘s/^\(.*\)\..*\\\(.*\)|.*$/\1 \2/’ | sort -r | head -n 1 | cut -f2 -d’ ‘ | sed ‘s/\.DOMAIN*//’ | tr « A-Z » « a-z »))

        I receive username – it Ok.
        But, user may be inactive state.

        Reply
        • September 20, 2019 at 10:29 am
          Permalink

          Hi, if you have access to the windows host can you execute this powershell line and give the result ? Get-wmiobject -query “select lastusetime,loaded,localpath from win32_userprofile”

          Reply
        • September 20, 2019 at 10:30 am
          Permalink

          It is also important to know that your query will return username of current “disconnected” user session

          Reply
  • September 20, 2019 at 1:30 am
    Permalink

    Help me please!!
    How to check active user on host?

    Reply
      • September 20, 2019 at 8:31 am
        Permalink

        I try get active user on windows computer via
        username=( $(wmic -U domain/login%password //$host « select LastUseTime, LocalPath from Win32_UserProfile where Loaded=true » | grep Users | sed ‘s/^\(.*\)\..*\\\(.*\)|.*$/\1 \2/’ | sort -r | head -n 1 | cut -f2 -d’ ‘ | sed ‘s/\.DOMAIN*//’ | tr « A-Z » « a-z »))

        I receive username – it Ok.
        But, user may be inactive state.

        Reply
        • September 20, 2019 at 10:30 am
          Permalink

          It is also important to know that your query will return username of current “disconnected” user session

          Reply
  • June 27, 2022 at 10:27 am
    Permalink

    wmic on Ubuntu Linux works correct to a “Windows Server 2012 R2 Standard” system.

    For example:
    wmic //system-name -U domain/account%password “select caption from win32_computersystem”
    CLASS: Win32_ComputerSystem
    Caption|Name
    SYSTEM-NAME|SYSTEM-NAME

    After the installation of KB5014741 on the “Windows Server 2012 R2 standard ”
    the wmic on Ubuntu give a “Access denied”

    wmic //system-name -U domain/account%password “select caption from win32_computersystem”
    [wmi/wmic.c:196:main()] ERROR: Login to remote object.
    NTSTATUS: NT_STATUS_ACCESS_DENIED – Access denied

    The wmic from a Windows 10 system still works to that “Windows Server 2012 R2 standard “.

    Is the wmic protocol changed in the KB5014741 security update?

    Reply

Leave a Reply

Your email address will not be published.