Determine
user currently logged in remotely
wmic /node:remotecomputer computersystem get
username
For
a text file of the manual run
wmic /?:full > wmic_docs.txt
Remotely
list startup apps
wmic /node:machinename startup list full
wmic STARTUP GET Caption, Command, User
Reboot
or Shutdown a box
wmic os where buildnumber="2600"
call reboot -- Get build# from OS Info (see below)
Kill
a process – use with care
wmic process where name="cmd.exe"
delete
Get
OS Information and export to CSV, html, xsl, mof
wmic /output:wmicbuild.csv os get /all
/format:csv
wmic /output:wmicbuild.html os get /all
/format:htable
List
running processes and output to HTML/XSL form.
wmic /output:wmic.html process list full
/format:hform
Query
Device Driver Status
wmic
/output:savrt.csv sysdriver where name="savrt" list status
/format:csv
Query this status on all machines in
the domain. You have all the machines in the domain in a text file
wmic
/node:"@targets.txt" /output:savrt.csv sysdriver where name="savrt"
list status /format:csv
Get
a list of NICs and IP’s in use
netsh int ip show config
wmic nicconfig where IPEnabled='true'
Remotely
change the IP to a static IP (Index is Interface#)
wmic /node:machinename nicconfig where Index=1
call EnableStatic ("172.16.10.10"), ("255.255.0.0")
Remotely
change IP to use DHCP
wmic /node:machinename nicconfig where Index=1
call EnableDHCP
Remotely
Display machine’s MAC Address
wmic /node:machinename nic get macaddress
Get
Process Owner or OwnerSID
wmic process where name="cmd.exe"
call getowner
wmic process where name="cmd.exe"
call getownersid
Remotely
list running processes every second
wmic /node:machinename process list brief
/every:1
Delete
ARPCache
netsh int ip delete arpcache
System
Information
Remotely
display System Info
wmic /node:machinename computersystem list
full
Full
Drive Info
wmic diskdrive list full
wmic partition list full
Bios
Info
wmic bios list full
List
all Hotfixes and Services Packs
wmic qfe
List
HotfixID, description and Install date
wmic qfe where "not description like "
get description,hotfixid,installedon
example: wmic qfe where
hotfixid="KB958644" list full <lists patch info for MS08-067>
Remotely
List Local Enabled Accounts
wmic /node:machinename USERACCOUNT WHERE
"Disabled=0 AND LocalAccount=1" GET Name
Start
a service
wmic /node:machinename 4 service lanmanserver
CALL Startservice
Change
startup mode for a service
wmic /node:machinename service where (name
like "Fax" OR name like "Alerter") CALL ChangeStartMode
Disabled
List
Services with brief description
wmic service list brief
List
useraccounts
wmic useraccount
wmic useraccount list brief
Enable
RDP
wmic /node:"machinename 4" path
Win32_TerminalServiceSetting where AllowTSConnections=“0” call
SetAllowTSConnections “1”
List
ShadowCopy Info
wmic
shadowcopy list brief
List
Event Logs
wmic ntevent list brief --- Brief takes a
while, full takes even longer
wmic nteventlog where (description like
"%secevent%") call cleareventlog
Remotely
output Logon Events to a html file
wmic /node:machinename /output:wmicevents.html
ntevent where (message like "%logon%") list brief /format:htform
List
number of times a user logged on
wmic netlogin where (name like
"%adm%") get numberoflogons
Display
Shares
wmic share list brief
