Windows Remote Management and WMI - Win32 apps (2023)

Windows Remote Management can be used to retrieve data exposed by Windows Management Instrumentation (WMI and MI). You can obtain WMI data with scripts or applications that use the WinRM Scripting API or through the Winrm command-line tool.

WinRM supports most of the familiar WMI classes and operations, including embedded objects. WinRM can leverage WMI to collect data about resources or to manage resources on a Windows-based operating system. That means that you can obtain data about objects such as disks, network adapters, services, or processes in your enterprise through the existing set of WMI classes. You can also access the hardware data that is available from the standard WMI IPMI provider.

Identifying a WMI Resource

You can reference a WMI class as a resource in WinRM and in the WS-Management protocol. A resource is a type of managed entity, like a service or a disk.

A WMI class or method is identified by a URI, just as any other resource is when using the WS-Management protocol. The URI can specify a WMI resource (class), a WMI action (method), or identify a specific instance of a class in messages sent over a network. For more information, see Resource URIs.

Constructing the URI Prefix for WMI Classes

The URI prefix contains a fixed part and the WMI namespace. For example, the URI prefix in Windows Server that contains the fixed part of the prefix is:<WmiNamespace>. This allows the URI prefix to be generated for any WMI namespace. For example, to access the root\default WMI namespace, use the following URI prefix:

The majority of the WMI classes for management are in the root\cimv2 namespace. To access classes and instances in root\cimv2 namespace, use the URI prefix: For more information, see Resource URIs.

Generating a Complete URI for WMI Classes

The URI that you supply, either to the Winrm command-line tool or to a script, consists of the prefix plus the resource specification.

The following procedure describes how to generate a resource URI either to get a WMI class or to use in an enumerate operation.

To generate a resource URI for a WMI class

  1. Start with the prefix that indicates the WS-Management protocol schema should be used.

    The resource URI prefix for WMI classes is always the same. For more information, see URI Prefixes.

  2. Add the WMI namespace to the prefix.

  3. Add the class name.\_Service

  4. To set the value of a property, or to invoke a specific method, add the required key value or values for the class.\_Service?Name=Winmgmt

    If you leave the key value blank, you will not alter the original property value.


    Leaving the key value blank sets the property value to NULL.

Locating a WMI Resource with WinRM

You can obtain WMI data either through the command-line tool, Winrm, or through a Visual Basic script that uses the WinRM Scripting API. You do not use a WMI path to locate a resource. Instead, you convert the WMI namespace and hierarchy to a URI.

The WinRM URI for a WMI class contains two parts: the URI prefix and the class that you want to access.

For example, the following URI can be supplied to the Session.Enumerate method to list all the services on a computer. The URI prefix is, and the class is Win32_Service.

strResourceUri = ""

In WMI, you can list the data for all of the instances of a resource or class in several ways:

  • A query for all the instances of that resource.

    Set colServices = objWMIService.ExecQuery("Select * from Win32_Service")

  • A call to SWbemServices.InstancesOf or SWbemObject.Instances_.

    Set colServices = objWMIService.InstancesOf("Win32_Service")

In WinRM, there is one way to list all of the instances of a resource: Session.Enumerate.

strResource = ""
Set colServices = objSession.Enumerate( strResource )

Locating a Specific Instance of a WMI Resource

In WMI, you can designate a particular instance of a class either by specifying values for the key properties or by querying for an instance that matches a list of property values. Key properties have the WMI Key qualifier.

You can obtain a specific instance of a class in several ways:

  • A call to Session.Enumerate with the filter and dialect parameters to create a query.

    RemoteComputer = ""
    strDialect = ""
    strResource = "*"
    Set objWsman = CreateObject("Wsman.Automation")
    Set objSession = objWsman.CreateSession("https://" & RemoteComputer)
    strFilter = "SELECT * FROM Win32_Share WHERE Name='Admin$'"
    Set objResultSet = objSession.Enumerate(strResource, strFilter, strDialect)

  • A call to SWbemServices.Get. For Session.Get, you must supply one or more specific key values, preceded by a question mark (?).

    The format of the URI for a specific instance is\_Class?Key1=Value.

    strResourceUri = ""

    A WMI class may have more than one key. Key name-value pairs are separated by a "+" sign. In that case, the format is:\_Service?Key1=Value1+Key2=Value2.

    The WinRM syntax to obtain a singleton WMI object is different from WMI. A singleton is a WMI class defined so that only one instance is allowed. Win32_CurrentTime or Win32_WMISetting are examples of a WMI singleton class.

    The WMI syntax for singletons is shown in the following VBScript code example.

    Set TimeObject = objWMIService.Get("Win32_CurrentTime=@")

    The following example shows the WinRM singleton syntax which does not use "@".

    strResourceUri = ""
  • Adding a selector to a ResourceLocator or IWSManResourceLocator object.

    The following VBScript code example shows how to use a selector to get a specific instance of Win32_Processor.

    strUri = ""
    Set objWsman = CreateObject("Wsman.Automation")
    Set Session = objWsman.CreateSession
    Set Locator = objWsman.CreateResourceLocator(strUri)
    Locator.AddSelector "DeviceID", "CPU0"
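
The URI rules described on this page (prefix, namespace, class, then `?Key1=Value1+Key2=Value2`, with no `@` for singletons) can be captured in a small builder and parser. This is an added example, not code from the original article: it assumes the standard WinRM prefix `http://schemas.microsoft.com/wbem/wsman/1/wmi`, the names `build_wmi_uri` and `parse_wmi_uri` are hypothetical, and it rejects key values containing delimiter characters so that caller-supplied input cannot add or alter keys.

```python
import re

# Assumption: the fixed WinRM prefix for WMI classes as documented by Microsoft;
# it does not appear in the text above.
WMI_PREFIX = "http://schemas.microsoft.com/wbem/wsman/1/wmi"

_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# "+" separates key pairs, "=" separates name from value, "?" starts the keys.
_UNSAFE_VALUE = re.compile(r"[+=?#\x00-\x1f]")


def _check_names(ns_parts, class_name, has_keys):
    if not ns_parts or not all(_NAME.fullmatch(p) for p in ns_parts):
        raise ValueError(f"invalid WMI namespace: {ns_parts!r}")
    # "*" addresses every class in the namespace (used with an Enumerate filter).
    if class_name == "*" and not has_keys:
        return
    if not _NAME.fullmatch(class_name):
        raise ValueError(f"invalid WMI class name: {class_name!r}")


def _check_pair(name, value):
    if not _NAME.fullmatch(name):
        raise ValueError(f"invalid key name: {name!r}")
    if _UNSAFE_VALUE.search(value):
        raise ValueError(f"key value contains a URI delimiter: {value!r}")


def build_wmi_uri(namespace, class_name, keys=None):
    """Return prefix/namespace/class, plus ?Key1=Value1+Key2=Value2 if keys are given."""
    keys = {name: str(value) for name, value in (keys or {}).items()}
    # WMI writes namespaces with backslashes (root\cimv2); the URI uses slashes.
    ns_parts = [p for p in re.split(r"[\\/]", namespace) if p]
    _check_names(ns_parts, class_name, bool(keys))
    uri = "/".join([WMI_PREFIX, *ns_parts, class_name])
    if not keys:
        return uri  # class, enumeration target, or singleton: no "?" and no "@"
    for name, value in keys.items():
        _check_pair(name, value)
    return uri + "?" + "+".join(f"{n}={v}" for n, v in keys.items())


def parse_wmi_uri(uri):
    """Split a WinRM WMI resource URI into (namespace, class_name, keys)."""
    if not uri.startswith(WMI_PREFIX + "/"):
        raise ValueError("not a WinRM resource URI for a WMI class")
    path, has_query, selector = uri[len(WMI_PREFIX) + 1:].partition("?")
    *ns_parts, class_name = path.split("/")
    keys = {}
    if has_query:
        for pair in selector.split("+"):
            name, sep, value = pair.partition("=")
            if not sep or name in keys:
                raise ValueError(f"malformed or duplicate key: {pair!r}")
            _check_pair(name, value)
            keys[name] = value
    _check_names(ns_parts, class_name, bool(keys))
    return "\\".join(ns_parts), class_name, keys


if __name__ == "__main__":
    print(build_wmi_uri(r"root\cimv2", "Win32_Service"))                       # all instances
    print(build_wmi_uri(r"root\cimv2", "Win32_Service", {"Name": "Winmgmt"}))  # one instance
    print(build_wmi_uri(r"root\cimv2", "Win32_CurrentTime"))                   # singleton
    print(parse_wmi_uri(build_wmi_uri(r"root\cimv2", "Win32_Share", {"Name": "Admin$"})))
```
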

About Windows Remote Management

URI Prefixes

Resource URIs

Scripting in Windows Remote Management


Should I disable Windows remote management? ›

Since there are known vulnerabilities in Windows Remote Management (WinRM), it is recommended and best practice to disable it if your environment does not utilize or need WinRM.

What is Windows WMI used for? ›

Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows-based operating systems.

How do I disable remote WMI in Windows? ›

In the Control Panel, click Security and then click Windows Firewall. Click Change Settings and then click the Exceptions tab. In the Exceptions window, select the check box for Windows Management Instrumentation (WMI) to enable WMI traffic through the firewall. To disable WMI traffic, clear the check box.

What is the difference between WMI and WinRM? ›

WMI is the Windows Management Instrumentation system. WMI collects status reports on the services that are integrated into the Windows system. WinRM is a remote protocol. In truth, WinRM extracts WMI data from remote computers, so it uses WMI as a local agent.

What Windows services should I disable? ›

12 Windows 10 Services That Are Safe to Disable
  • Disable Windows Defender. ...
  • Windows Mobile Hotspot Service. ...
  • Print Spooler. ...
  • Fax Service. ...
  • Downloaded Maps Manager. ...
  • Windows 10 Security Center. ...
  • Certificate Propagation Service. ...
  • Universal Telemetry Client (UTC)
Sep 1, 2022

Can Windows Remote Desktop be monitored? ›

1) Can Remote Desktop (RDP) Be Monitored? Yes. Using CurrentWare's remote desktop monitoring software you can monitor the computer activities of your end-users. This includes logon/logoff events, internet history, and application usage.

What can be monitored by WMI? ›

Through WMI you can access many Windows system status values and configurations. WMI can also be used to monitor things like Active Directory, SharePoint, or a SQL database. WMI Monitoring with PRTG also provides you with important metrics like bandwidth usage, memory load or free disk space.

What is WMI malware? ›

Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components.

Do I need WMI? ›

Disabling WMI: While it's possible to disable the WMI system, you're strongly advised not to do this. It is a crucial element of your Windows operating system. If you disable it, most Windows software won't operate correctly.

Is WMI a virus? ›

Is the WMI Provider Host (WmiPrvSE.exe) safe? Yes. The WMI Provider Host process is a legitimate system process that comes installed on your Windows 10 computer. It's required to run in order to make your PC functional.

Can I turn off WMI? ›

To stop a WMI service: Navigate to the command prompt. Enter net stop winmgmt.

Can I delete WMI? ›

The simplest method to remove the entry from the WMI database is to use Autoruns. Launch Autoruns as an administrator and select the WMI tab to review WMI-related persistence. Right-click the malicious WMI database entry and select Delete.

How do I know if my Windows is WMI? ›

Alternatively, you can open WMI properties by going to Control Panel -> Administrative Tools -> Computer Management. In the left-hand pane, click Services & Applications -> WMI Control, right-click and select Properties. If WMI is working correctly, you will see Successfully connected window as shown below.

What is replacing WMI? ›

Common Information Model (CIM) cmdlets were introduced in PowerShell version 3.0. The CIM cmdlets are designed so they can be used on both Windows and non-Windows machines. The WMI cmdlets are deprecated so my recommendation is to use the CIM cmdlets instead of the older WMI ones.

How can I tell if Windows has WinRM? ›

WinRM is what PowerShell uses for remoting purposes. So before connecting to a remote server, it is necessary to test remote WinRM connectivity with PowerShell. We need to use the Test-WSMan command for it. If you get the below response, then the WinRM connection is successful.

What services can I disable in Windows 10 to make it faster? ›

Here are five services you can safely turn off in Windows 10 to give your PC a much-needed speed boost.
  1. Turn off the Print Spooler. When was the last time you printed something directly from your computer? ...
  2. Shut down fax services. ...
  3. Turn off Bluetooth. ...
  4. End remote desktop services. ...
  5. Touch keyboard & handwriting panel services.
Jun 28, 2022

What are the unnecessary processes in Windows 10? ›

Windows 10 Unnecessary Services You Can Disable Safely
  • Some Common Sense Advice First.
  • The Print Spooler.
  • Windows Image Acquisition.
  • Fax Services.
  • Bluetooth.
  • Windows Search.
  • Windows Error Reporting.
  • Windows Insider Service.
Nov 27, 2020

Does disabling Windows services improve performance? ›

Windows 10 services are important components to maintain the smooth running of your computer. However, not all of them are necessary for you. You can disable unnecessary service in Windows 10 to improve your computer performance.

How can I tell if someone is using my remote desktop? ›

Click Remote Client Status to navigate to the remote client activity and status user interface in the Remote Access Management Console. You will see the list of users who are connected to the Remote Access server and detailed statistics about them.

Can you tell if someone is monitoring your computer? ›

If you have suspicions that your computer is being monitored you need to check the start menu see which programs are running. Simply go to 'All Programs' and look to see if something like the software mentioned above is installed. If so, then someone is connecting to your computer without you knowing about it.

Can you tell if someone is remotely accessing your computer? ›

Check the list of recently accessed files and apps. Both Windows PCs and Macs make it easy to view a list of the last files you've accessed, as well as your most recently-used apps. If you see something unfamiliar in these lists, someone may have access to your computer.

How do you clean WMI? ›

Type net stop winmgmt into the command prompt and press enter. When prompted if you wish to continue, type Y and press enter. Type winmgmt /resetrepository into the command prompt and press enter. Restart your computer to pick up the changes.

How do I find WMI information? ›

To access WMI information on a remote computer, the cmdlet must run under an account that is a member of the local administrators group on the remote computer. Or, the default access control on the WMI namespace of the remote repository can be changed to give access rights to other accounts.

Is WMI a security risk? ›

Since its introduction, system administrators have used WMI to automate tasks and remotely manage systems in their environment. The same capabilities that attract administrators and developers to WMI also attract cyber threat actors (CTAs). CTAs often use WMI to deploy and execute various malware.

What happens if WMI is corrupted? ›

If the Repository becomes corrupted, then the WMI service will not be able to function correctly. If you suspect WMI or repository corruption, rebuilding repository is the last thing you should do. Deleting and rebuilding the repository can cause damage to the system or to installed applications.

Is WMI enabled by default? ›

Allowing Users Access to a Specific WMI Namespace

By default, this permission is enabled only for administrators. An administrator can enable remote access to specific WMI namespaces for a nonadministrator user.

Why is my WMI provider host using so much CPU? ›

WMI Provider Host shouldn't normally use much CPU, as it shouldn't normally be doing anything. It may occasionally use some CPU when another piece of software or script on your PC asks for information via WMI, and that's normal. High CPU usage is likely just a sign that another application is requesting data via WMI.

Is WMI a service? ›

WMI is a platform for managing and monitoring the operating system and other Microsoft applications and services on personal computers, servers, and other network devices.

How do you tell if a Windows process is a virus? ›

Scan the EXE with an Antivirus

Perhaps one of the quickest ways to tell if a file is a virus is by scanning it with your antivirus. Windows has several free antiviruses you can install. These antivirus programs usually allow you to right-click on the questionable file and select to scan it.

How do you know if an app is a virus Pc? ›

An increase in random pop-ups and new apps.

If your device is housing a malicious app or a virus, you may notice an increase in random pop-ups (more than usual). And, if you take a closer look at your app library, you may even see app icons from apps you never downloaded.

What ports does WMI use? ›

What Ports Does WMI Use? WMI uses TCP port 135 and a range of dynamic ports: 49152-65535 (RPC dynamic ports – Windows Vista, 2008 and above), TCP 1024-65535 (RPC dynamic ports – Windows NT4, Windows 2000, Windows 2003), or you can set up WMI to use a custom range of ports.

Why is WMI corrupted? ›

If you're getting that error this means that part of the operating system is broken. This is usually caused by partial (and failed) driver installation and/or “cleaner utilities”.

What is WMI subscription? ›

Windows Management Instrumentation (WMI) Event Subscriptions are one of many ways to establish persistence on a network. The technique, ID T1084 on Mitre ATT&CK, can be fairly discreet and has been used by APT29 to establish backdoors.

How do I know if my WMI is corrupted? ›

  1. Open an elevated command prompt.
  2. Verify the WMI repository is not corrupt by running the following command: winmgmt /verifyrepository. If the repository is not corrupted, a “WMI Repository is consistent” message will be returned. If you get something else, go to step 3. ...
  3. Run the following commands to repair WMI:

How do I check my WMI remote? ›

The process to perform a quick test of the WMI services on a remote machine is not much different than testing the local services.
  1. Click Start, click Run, type wmimgmt. ...
  2. Right-click WMI Control (Local), and then click Connect to another computer.
  3. Click Another computer, and then enter the name of the remote computer.
Mar 15, 2019

How can you tell what Windows system you have? ›

Which version of Windows operating system am I running?
  1. Select Start > Settings > System > About . Open About settings.
  2. Under Device specifications > System type, see if you're running a 32-bit or 64-bit version of Windows.
  3. Under Windows specifications, check which edition and version of Windows your device is running.

How do I enable WMI on my remote computer? ›

Enable remote Windows Management Instrumentation (WMI) requests
  1. On the target server, go to. Administrative Tools. ...
  2. Expand. Services and Applications. ...
  3. Right-click. WMI Control. ...
  4. On the. WMI Control Properties. ...
  5. Security. .
  6. Add. if you want to add a monitoring user.
  7. Check. Remote Enable. ...
  8. Check if the connection is successful.

Does WMI work on Windows 10? ›

Windows Management Infrastructure (WMI) providers (and the classes they support) are used to manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service. The following subsections show the list of WMI MDM classes that are supported in Windows 10.

Is WinRM the same as RDP? ›

WinRM is a protocol for remote management, while Remote Desktop (RDP) is a protocol for remote desktop access. WinRM allows for remote execution of management commands, while RDP provides a graphical interface for remote desktop access.

Is WinRM enabled by default Windows 10? ›

WinRM is enabled by default on all Windows Server operating systems (since Windows Server 2012 and above), but disabled on all client operating systems like Windows 10, Windows 8 and Windows 7.

How do I enable WinRM on a remote computer? ›

Enabling the WinRM Service
  1. Open up the GPMC and create a GPO. ...
  2. Select Windows Remote Management (WS-Management).
  3. In the configuration panel check the box for Define this policy setting.
  4. Select the radio button for Automatic to set the WinRm service to start automatically on boot.
  5. Click OK to confirm the setting.
Jan 29, 2021

Is IT okay to disable remote Access Connection Manager? ›

It's a good idea to keep the remote access feature turned off unless you actively need it. By default, the feature is disabled.

Should I disable remote management on router? ›

Remote Management is a feature that lets you connect to your router or gateway over the Internet when you are not at home. Most people do not need to use this feature, and it is turned off by default. We recommend that you leave the Remote Management feature turned off whenever you are not using it.

Should I disable remote registry? ›

The recommended state for this setting is: Disabled. Rationale: In a high security environment, exposing the registry to remote access is an increased security risk.

Should I disable Remote Desktop Services? ›

Introduction. It is always advisable to reduce security risks by disabling unnecessary services. These instructions disable Remote Desktop Protocol (RDP) service, which is commonly leveraged by adversaries to attack Windows computers, such as the RDP Exploit BlueKeep.

Can remote access be hacked? ›

Even at home, you aren't always safe. Malicious hackers can easily hack your Wi-Fi network, take over remote access of your computer, or hack your passwords with phishing attacks. To protect your personal information, sensitive documents, and financial accounts, you need to secure your personal devices.

What happens when someone remote access to your computer? ›

This can be even worse than just conning you out of money, as undetected malware can allow hackers to steal your identity, including your passwords and financial information, over and over again, even if you get new passwords and account numbers.

Should I allow remote access to my computer? ›

Remote access solutions could leave you vulnerable. If you don't have proper security solutions in place, remote connections could act as a gateway for cybercriminals to access your devices and data. Hackers could use remote desktop protocol (RDP) to remotely access Windows computers in particular.

What feature should you disable on your router? ›

Disable Universal Plug-and-Play (UPnP), which many home routers have enabled by default. UPnP can help devices on your home network connect to each other, but the added convenience isn't worth the security risk. This feature can make it easier for malware to spread through your network.

Can anyone log into my router? ›

Can a Wi‑Fi router be hacked? It's entirely possible that your router might have been hacked and you don't even know it. By using a technique called DNS (Domain Name Server) hijacking, hackers can breach the security of your home Wi‑Fi and potentially cause you a great deal of harm.

Should I enable remote management on my router? ›

Remote management is off by default. Because a hacker might try to break your router password, it is best to turn remote management off after use, so that the router cannot be administered from the WAN. To set the router password: Never use remote management unless the router password is changed from the default!

How do I prevent someone from accessing my registry? ›

Navigate to User Configuration > Administrative Templates > System. Then, double-click Prevent access to registry editing tools on the right under Setting. Select Enabled in the upper-left and click OK.

Is remote registry a security risk? ›

In a high security environment, exposing the registry to remote access is an increased security risk.

Is IT good to clean Windows Registry? ›

The short answer is no - don't attempt to clean the Windows Registry. The Registry is a system file that holds lots of vital information about your PC and how it works. Over time, installing programs, updating software and attaching new peripherals can all add to the Registry.

Is remote desktop risky? ›

Foremost, you should never allow RDP connections over the open internet. Hackers use tools that continuously scan the internet for open RDP ports like port 3389, and even with a strict password policy and multi-factor authentication you're vulnerable to cyber attacks if your RDP is open to the internet.

Is remote desktop monitored? ›

Remote desktop sessions do not grant any access without permission. Also, your employer is not allowed to monitor your home computer without your consent. The only thing that can be monitored is your work within the Citrix/Terminal session. This is what you do at your work computer.

Is remote desktop unsafe? ›

Is RDP secure? Remote Desktop Protocol is designed to enable authorized users to access data and remote systems. However, RDP security is not infallible. There are certain vulnerabilities inherent to using RDP that threat actors can potentially exploit to gain unauthorized access.


Article information

Author: Annamae Dooley

Last Updated: 11/30/2022
