WMI Tester – WBEMTEST.exe

WMI Tester = wbemtest.exe

See more on WBEMTEST here

Walkthrough of WBEMTEST

This is a page to extend your scripting skills.  Microsoft has kept quiet about a powerful hidden tool that will expose all the observable processes and their values.  The challenge is to develop scripts to collect just the information you need.

Open the command prompt C:\> and then type wbemtest.exe, now press Enter.  Most of the buttons are disabled on the main WMI Tester window, which means that you haven’t connected to WMI – yet.

Click Connect to connect to the WMI service on a local (or remote) computer. The Connect dialog is displayed, which provides a text entry field labelled Namespace that contains root\default as its default value. Change the Namespace field’s value to root\cimv2 and click the Connect dialog’s Connect button to return to the main WMI Tester window.

The Namespace identifier in the main window’s upper-left hand corner should read root\cimv2. Notice all of the buttons are now enabled, which indicates that you have successfully connected to WMI on the local host under the context of your current credentials. Click Enum Classes to open the Superclass Info dialog.
In the Superclass Info dialog, leave the Enter Superclass name field blank, click the Recursive option, and click OK to enumerate all CIM classes defined in the root\cimv2 namespace.

At this point, you should be looking at a Query Result dialog that lists hundreds of class definitions. The number of classes largely depends on the version of Windows you’re running. If you’re using Windows 2003, for example, you should see somewhere in the neighbourhood of 600 class definitions. If you’re running Windows XP, you should see approximately 900.

Notice that the classes listed at the top of the Query Result dialog are prefaced with two underscores. These are system classes. System classes are predefined CIM classes that support internal WMI configuration and operations, such as provider registration, namespace security, and event notification. For now, ignore the system classes and scroll down the Query Result dialog until you get to classes that begin with CIM_.

Classes whose names begin with CIM_ are the core and common base classes maintained by the DMTF. Continue scrolling until you reach the classes that begin with Win32_.

Classes whose names begin with Win32_ are Microsoft extension classes, which represent Windows-specific managed resources. If this is the first time you’ve examined the root\cimv2 namespace, you might want to become familiar with the comprehensive set of classes in the root\cimv2 namespace, especially the classes that have a Win32_ prefix.

Scroll down the Query Result dialog until you reach the Win32_Process class, and double-click the class name to open the Object editor for Win32_Process dialog.
The Object editor dialog reveals the definition and implementation details (properties and methods) of the selected class. Recall from our earlier discussion that the class definition is the blueprint for a WMI-manageable resource.
Select the Hide System Properties check box to hide the system properties. The remaining Win32_Process properties represent the information you can retrieve from the processes running on a local or remote computer.

To complete your WMI scripting exercise, try retrieving the Name, Handle, and ProcessID properties. Use one of the three previous listings as your template and try running your script before proceeding to Step 7.

Note To run the script on your local computer, set the value of the strComputer variable to "." (a single dot inside quotation marks).
After you run your newly created GetProcesses.vbs script, you can verify the script’s results using WMI Tester. In the Object editor for Win32_Process dialog, click Instances. The resulting Query Result dialog lists the instances of the processes running on your computer. Double-click on a specific process instance to view the details for that instance.
 

There is more information on WMI and Scriptomatic in your eBook.