Calling wmic via PowerShell



Use wmic to identify the patches installed on the system
C:\>wmic qfe get description,installedOn
Identify programs that run at startup, including their paths
C:\>wmic startup list full
View the IP and MAC addresses of the system's network adapters
D:\>wmic nicconfig get ipaddress,macaddress
User list
D:\>wmic useraccount list brief
Check whether the system has a password-protected screen saver and what its timeout is
D:\>wmic desktop get screensaversecure,screensavertimeout
Domain controllers
D:\>wmic ntdomain list brief
Logged-on users
D:\>wmic logon list brief
View the shares open on the system
D:\>wmic share get name,path
D:\>net share
Uninstall and reinstall programs
wmic product where "name like '%Office%'" get name
wmic product where name="Office" call uninstall
View the event logs enabled on the system
C:\>wmic nteventlog get path,filename,writeable
View the software installed on the system and its versions
C:\>wmic product get name,version
Service list
wmic service list brief | more
View detailed information about a process (path, command-line arguments, etc.)
C:\>wmic process where name="chrome.exe" list full
Terminate a process
D:\>wmic process where name="xshell.exe" call terminate
D:\>ntsd -c q -p <PID>
D:\>taskkill /PID <PID>
Check whether the current system is a VMware guest
C:\>wmic bios list full | find /i "vmware"
Antivirus software
Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
wmic process where "name like '%forti%'" get name
wmic process where name="FortiTray.exe" call terminate
Virtual machine detection
1. Check TotalPhysicalMemory and NumberOfLogicalProcessors
$VMDetected = $False
$Arguments = @{
    Class  = 'Win32_ComputerSystem'
    Filter = 'NumberOfLogicalProcessors < 2 AND TotalPhysicalMemory < 2147483648'
}
if (Get-WmiObject @Arguments) {
    $VMDetected = $True
    "In vm"
}
else {
    "Not in vm"
}
2. Check for virtual machine processes
$VMwareDetected = $False
$VMAdapter = Get-WmiObject Win32_NetworkAdapter -Filter 'Manufacturer LIKE "%VMware%" OR Name LIKE "%VMware%"'
$VMBios = Get-WmiObject Win32_BIOS -Filter 'SerialNumber LIKE "%VMware%"'
$VMToolsRunning = Get-WmiObject Win32_Process -Filter 'Name="vmtoolsd.exe"'
if ($VMAdapter -or $VMBios -or $VMToolsRunning) {
    $VMwareDetected = $True
    "in vm"
}
else {
    "not in vm"
}
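The two checks above, combined into one function as an added example (this is not code from the original post). It records which indicator fired instead of printing a bare "in vm" / "not in vm", which matters during host triage: the resource heuristic from method 1 also matches small physical machines, so it is kept but marked low confidence and does not by itself set IsVirtual. It uses Get-CimInstance, the CIM cmdlet that replaces Get-WmiObject, and adds the Win32_ComputerSystem Model string as one further VMware indicator; that Model check is my addition, not from the post.

```powershell
# Added example: report which VMware/VM indicators a host exhibits.
function Get-VirtualMachineIndicators {
    [CmdletBinding()]
    param()

    $indicators = New-Object 'System.Collections.Generic.List[string]'
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Method 1 from the post: fewer than 2 logical CPUs and under 2 GiB of RAM.
    # Weak evidence on its own (small physical hosts match too), so it is
    # recorded as a low-confidence indicator only.
    if ($cs.NumberOfLogicalProcessors -lt 2 -and $cs.TotalPhysicalMemory -lt 2GB) {
        $indicators.Add('LowResources (low confidence)')
    }

    # Method 2 from the post: VMware fingerprints in the network adapter,
    # BIOS serial number and the VMware Tools service process.
    if (Get-CimInstance Win32_NetworkAdapter -Filter "Manufacturer LIKE '%VMware%' OR Name LIKE '%VMware%'") {
        $indicators.Add('VMwareNetworkAdapter')
    }
    if (Get-CimInstance Win32_BIOS -Filter "SerialNumber LIKE '%VMware%'") {
        $indicators.Add('VMwareBIOSSerial')
    }
    if (Get-CimInstance Win32_Process -Filter "Name='vmtoolsd.exe'") {
        $indicators.Add('VMwareToolsProcess')
    }

    # My addition (not in the post): the computer system Model also names the
    # platform on VMware guests.
    if ($cs.Model -like '*VMware*') {
        $indicators.Add("Model: $($cs.Model)")
    }

    $strong = @($indicators | Where-Object { $_ -notlike '*low confidence*' })

    [PSCustomObject]@{
        Host       = $cs.Name
        IsVirtual  = $strong.Count -gt 0
        Indicators = $indicators.ToArray()
    }
}

# Usage: prints the host name, the verdict and the list of indicators.
Get-VirtualMachineIndicators
```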
Get the computer's product number and model information
wmic baseboard get Product,SerialNumber
wmic bios get serialnumber
Installed software
wmic product get name,version
wmic product list brief
Calling WMI via PowerShell
Operating system information
Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_OperatingSystem
Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_ComputerSystem
Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_BIOS
File/directory listing
Get-WmiObject -Namespace ROOT\CIMV2 -Class CIM_DataFile
Disk volume list
Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Volume
Registry operations
Get-WmiObject -Namespace ROOT\DEFAULT -Class StdRegProv
Push-Location HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Get-ItemProperty OptionalComponents
Current processes
Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process
Enumerate services
Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Service
Logs
Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_NtLogEvent
Logged-on accounts
Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_LoggedOnUser
Shares
Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Share
Patches
Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_QuickFixEngineering
Antivirus software
Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
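As an added example (not code from the original post), the one-liners above pulled together into a host baseline: the same classes (patches, startup entries, shares, auto-start services, logged-on users, antivirus) queried through Get-CimInstance, which replaces the deprecated wmic.exe and Get-WmiObject, collected into one object that can be saved as JSON and later compared against a fresh snapshot of the same host. The comparison looks at the lists persistence most often changes (startup entries, shares, auto-start service binaries). The file name baseline.json and the function names are my own choices; root\SecurityCenter2 exists only on client editions of Windows, so on a server the AntiVirus field is simply empty.

```powershell
# Added example: snapshot a host's WMI/CIM inventory and diff it against an earlier snapshot.
function Get-HostBaseline {
    [CmdletBinding()]
    param()

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Security Center exists only on client Windows; on servers the query fails,
    # so suppress the error and report an empty list instead.
    $av = Get-CimInstance -Namespace root\SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        Host         = $cs.Name
        Domain       = $cs.Domain
        OS           = "$($os.Caption) $($os.Version)"
        LastBoot     = $os.LastBootUpTime
        Hotfixes     = @(Get-CimInstance Win32_QuickFixEngineering |
                         Select-Object HotFixID, Description, InstalledOn)
        Startup      = @(Get-CimInstance Win32_StartupCommand |
                         Select-Object Name, Command, Location, User)
        Shares       = @(Get-CimInstance Win32_Share |
                         Select-Object Name, Path, Type)
        AutoServices = @(Get-CimInstance Win32_Service -Filter "StartMode='Auto'" |
                         Select-Object Name, State, PathName)
        LoggedOn     = @(Get-CimInstance Win32_LoggedOnUser |
                         ForEach-Object { "$($_.Antecedent.Domain)\$($_.Antecedent.Name)" } |
                         Sort-Object -Unique)
        AntiVirus    = @($av | Select-Object displayName, productState)
    }
}

# One row of the diff report; Detail carries whichever path-like field the item has.
function New-BaselineChange($Section, $Change, $Item) {
    [PSCustomObject]@{
        Section = $Section
        Change  = $Change
        Name    = $Item.Name
        Detail  = (@($Item.Command, $Item.Path, $Item.PathName) | Where-Object { $_ }) -join ' '
    }
}

# Compare two snapshots by entry name in the sections persistence usually touches.
# Name sets are built by hand so empty sections (e.g. no shares) do not error out.
function Compare-HostBaseline {
    param(
        [Parameter(Mandatory)] $Before,
        [Parameter(Mandatory)] $After
    )
    foreach ($section in 'Startup', 'Shares', 'AutoServices') {
        $beforeNames = @($Before.$section | ForEach-Object Name)
        $afterNames  = @($After.$section  | ForEach-Object Name)
        foreach ($item in $After.$section) {
            if ($beforeNames -notcontains $item.Name) { New-BaselineChange $section 'Added' $item }
        }
        foreach ($item in $Before.$section) {
            if ($afterNames -notcontains $item.Name) { New-BaselineChange $section 'Removed' $item }
        }
    }
}

# Usage (run in an elevated session):
#   Get-HostBaseline | ConvertTo-Json -Depth 4 | Set-Content baseline.json   # first snapshot
#   $before = Get-Content baseline.json | ConvertFrom-Json                  # later...
#   Compare-HostBaseline -Before $before -After (Get-HostBaseline) | Format-Table
```

The report lists only entries that appeared or disappeared; a changed PathName on an existing service shows up as unchanged, so extend the comparison key if that case matters for the environment.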

Author: thirteensummer
Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit thirteensummer as the source when reposting!