注意:wmic命令需要本地管理员或域管理员才可以进⾏正常使⽤,普通权限⽤户若想要使⽤wmi,可以修改 普通⽤户的ACL,不过修改⽤户的ACL也需要管理员权限,这⾥笔者单独罗列⼩结:普通⽤户使⽤wmic。以下 命令均在2008R2、2012R2、2016上进⾏测试,部分命令在虚拟机中测试不⾏,例如查询杀软。
wmic logon list brief #登录⽤户 wmic ntdomain list brief #域控机器 wmic useraccount list brief #⽤户列表 wmic share get name,path #查看系统共享 wmic service list brief |more #服务列表 wmic startup list full #识别开机启动的程序,包括路径 wmic fsdir "c:\test" call delete #删除C盘下的test⽬录 wmic nteventlog get path,filename,writeable #查看系统中开启的⽇志 wmic nicconfig get ipaddress,macaddress #查看系统中⽹卡的IP地址和MAC地址 wmic qfe get description,installedOn #使⽤wmic识别安装到系统中的补丁情况 wmic product get name,version #查看系统中安装的软件以及版本,2008R2上执⾏后⽆反应。 wmic useraccount where "name='%UserName%'" call rename newUserName #更改当前⽤户名 wmic useraccount where "name='Administrator'" call Rename admin #更改指定⽤户名 wmic bios list full | findstr /i "vmware" #查看当前系统是否是VMWARE,可以按照实际情况进⾏筛选 wmic desktop get screensaversecure,screensavertimeout #查看当前系统是否有屏保保护,延迟是多少 wmic process where name="vmtoolsd.exe" get executablepath #获取指定进程可执⾏⽂件的路径 wmic environment where "name='temp'" get UserName,VariableValue #获取temp环境变量
###查询当前主机的杀毒软件 wmic process where "name like '%forti%'" get name wmic process where name="FortiTray.exe" call terminate wmic /namespace:\rootsecuritycenter2 path antivirusproduct GET displayName,productState,pathToSignedProductExe wmic /namespace:\rootsecuritycenter2 path antispywareproduct GET displayName,productState, pathToSignedProductExe
wmic /namespace:\rootsecuritycenter2 path antivirusproduct GET displayName,productState,pathToSignedProductExe wmic /Node:localhost /Namespace:\rootSecurityCenter2 Path AntiVirusProduct Get displayName /Format:List ###
###查询windows机器版本和服务位数和.net版本 wmic os get caption wmic os get osarchitecture wmic OS get Caption,CSDVersion,OSArchitecture,Version wmic product where "Name like 'Microsoft .Net%'" get Name, Version ###
###查询本机所有盘符 wmic logicaldisk list brief wmic logicaldisk get description,name,size,freespace /value ###
###卸载和重新安装程序 wmic product where "name like '%Office%'" get name wmic product where name="Office" call uninstall ###
### 查看某个进程的详细信息 (路径,命令⾏参数等) wmic process where name="chrome.exe" list full wmic process where name="frp.exe" get executablepath,name,ProcessId 进程路径 wmic process where caption="frp.exe" get caption,commandline /value ###
### 更改PATH环境变量值,新增c:whoami wmic environment where "name='path' and username='<system>'" set VariableValue="%path%;c:whoami ###
### 查看某个进程的详细信息-PID wmic process list brief tasklist /SVC | findstr frp.exe wmic process where ProcessId=3604 get ParentProcessId,commandline,processid,executablepath,name,CreationClassName,CreationDate ###
### 终⽌⼀个进程 wmic process where name ="xshell.exe" call terminate ntsd -c q -p 进程的PID taskkill -im pid ###
###获取电脑产品编号和型号信息 wmic baseboard get Product,SerialNumber wmic bios get serialnumber ###
###安装软件 wmic product get name,version wmic product list brief