
Investigating Windows Management Instrumentation (WMI)

16/06/2022 Thursday

Windows Management Instrumentation (WMI) is the infrastructure for management data and administrative operations on Windows operating systems. It exposes a large set of classes for querying and controlling Windows hosts, both locally and remotely. In enterprise networks WMI is used heavily to collect information about accounts and processes, to configure networking, and to run commands on remote hosts, either over DCOM or, through the WSMan/CIM tooling, over Windows Remote Management (WinRM).

Digital Forensics Value of Windows Management Instrumentation (WMI)

WMI is present by default on every Windows platform. Although it is a system administration tool, an attacker can use it for data collection, VM and AV detection, code execution, lateral movement, persistence and data theft. WMI artifacts are therefore very important when investigating an intrusion. Remote WMI use is important as well. WinRM is not enabled by default on Windows client editions (it is enabled by default on Windows Server 2012 and later); where it is enabled, analysts may forget to check for malicious use of the protocol. Periodic network forensic analysis of TCP ports 5985 (WinRM over HTTP) and 5986 (WinRM over HTTPS) is required to detect malicious use of remote WMI; WMI over DCOM uses TCP 135 plus a dynamically assigned RPC port and should be watched as well.
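As an added example (not part of the original post, and not ArtiFast code), the following PowerShell script triages a live host for the two things the paragraph above calls out: WMI permanent event subscriptions, the usual WMI persistence mechanism, and exposure of the remote WMI transports. It assumes an elevated PowerShell session on Windows 10 / Server 2016 or later; the WSMan: drive is only reachable while the WinRM service runs, and Get-NetTCPConnection needs the NetTCPIP module that ships with those versions.

```powershell
# Added example, not from the original post. Run from an elevated prompt.

# 1. WMI persistence: a permanent subscription is an __EventFilter (a WQL
#    trigger) bound to an __EventConsumer (the action) in root\subscription.
function Get-WmiPersistence {
    $ns = 'root\subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # With the CIM cmdlets, Filter and Consumer are reference properties
        # carrying the key (Name) of the linked instance.
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }

        # CommandLineEventConsumer runs a command line; ActiveScriptEventConsumer
        # runs VBScript/JScript. Most Windows installs carry one benign binding,
        # "SCM Event Log Filter" -> "SCM Event Log Consumer"; anything else
        # deserves a closer look.
        $action = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
                  elseif ($c.ScriptText)      { $c.ScriptText }
                  else                        { $c.Name }

        [pscustomobject]@{
            Filter       = $f.Name
            Query        = $f.Query
            ConsumerType = $c.CimClass.CimClassName
            Action       = $action
        }
    }

    # Since Windows 10 / Server 2016 the WMI-Activity log records new permanent
    # consumer registrations as event 5861, which survives removal of the binding.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861 } `
                 -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# 2. Remote WMI transports. Classic (DCOM) WMI uses TCP 135 plus a dynamic
#    RPC port; WMI over WinRM (WSMan) uses TCP 5985 (HTTP) and 5986 (HTTPS).
function Get-RemoteWmiExposure {
    $winrm = Get-Service -Name WinRM
    [pscustomobject]@{ Check = 'WinRM service'; Value = "$($winrm.Status), start type $($winrm.StartType)" }

    if ($winrm.Status -eq 'Running') {
        # The WSMan: provider is only reachable while the service runs.
        foreach ($listener in Get-ChildItem -Path WSMan:\localhost\Listener) {
            $props = Get-ChildItem -Path $listener.PSPath
            $desc  = ($props | Where-Object { $_.Name -in 'Transport', 'Address', 'Port', 'Enabled' } |
                      ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
            [pscustomobject]@{ Check = "WinRM listener $($listener.Name)"; Value = $desc }
        }
    }

    # What is actually listening right now, regardless of configuration.
    Get-NetTCPConnection -State Listen -LocalPort 135, 5985, 5986 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Check = "Listening TCP $($_.LocalPort)"
                Value = "$($_.LocalAddress) pid $($_.OwningProcess) ($($proc.ProcessName))"
            }
        }
}

Get-WmiPersistence     | Format-List
Get-RemoteWmiExposure  | Format-Table -AutoSize
```

Treat the subscription list as the ground truth of what would run, and the 5861 events as history: an attacker who deletes a binding after use leaves the event behind but not the binding.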

Location of WMI Artifact

The information WMI manages is stored in a collection of system files called the repository.
The default location of the repository is "C:\Windows\System32\Wbem\Repository\".
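To take the repository off a host for offline analysis, the following added PowerShell function (not part of the original post, and not ArtiFast code) copies the repository directory and writes a manifest with sizes, last-write times and SHA-256 hashes so the copy can be verified later. The destination path is an assumption; run it elevated on the live host.

```powershell
# Added example, not from the original post.
function Copy-WmiRepository {
    param(
        # Assumed triage location; change to suit your collection layout.
        [string]$Destination = "$env:SystemDrive\Triage\$env:COMPUTERNAME\WMI"
    )

    $repo = Join-Path $env:SystemRoot 'System32\wbem\Repository'
    if (-not (Test-Path -Path $repo)) { throw "WMI repository not found at $repo" }
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null

    $manifest = foreach ($file in Get-ChildItem -Path $repo -File) {
        $target = Join-Path $Destination $file.Name
        try {
            Copy-Item -Path $file.FullName -Destination $target -ErrorAction Stop
            $hash   = (Get-FileHash -Path $target -Algorithm SHA256).Hash
            $status = 'copied'
        }
        catch {
            # The WMI service (Winmgmt) keeps the repository in use. If a copy is
            # refused, take the files from a Volume Shadow Copy or a forensic disk
            # image rather than stopping the service, which alters the live system.
            $hash   = $null
            $status = "failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Name         = $file.Name
            SizeBytes    = $file.Length
            LastWriteUtc = $file.LastWriteTimeUtc
            SHA256       = $hash
            Status       = $status
        }
    }

    $manifest | Export-Csv -Path (Join-Path $Destination 'manifest.csv') -NoTypeInformation
    $manifest
}

Copy-WmiRepository | Format-Table -AutoSize
```

Keep the manifest with the evidence; it is what lets you show that the files the parser read are the files that were on the host.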

Structure of WMI Artifact

This part provides a general overview of the WMI architecture. WMI is built as an object-oriented hierarchy structured in parent-child relationships. The root namespace is at the top, and the child of a namespace is either another namespace or a class. Being a special namespace, the root expands into child namespaces. A child namespace is the parent of one or more classes. Classes expand into objects (instances). Objects are the leaves of the tree and hold the actual data. WMI has an SQL-like query language called WQL. Using the tree structure and hierarchy, administrators can query objects and retrieve information. WQL queries can be issued from the Windows command line through WMIC (the WMI command-line utility, now deprecated), from PowerShell through the CIM and WMI cmdlets, or from any program through the WMI COM API.
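As an added example (not part of the original post), the PowerShell below walks the namespace tree, inspects one class, and runs a WQL query against its instances, so the namespace -> class -> object hierarchy described above can be seen on a real host. It assumes Windows 8 / Server 2012 or later, where the CIM cmdlets are available; the host name in the remote variants is a placeholder.

```powershell
# Added example, not from the original post.

# Namespaces: each child namespace is itself an instance of the __NAMESPACE
# class inside its parent, which is what makes the tree walkable.
function Get-WmiNamespaceTree {
    param([string]$Namespace = 'root', [int]$Depth = 0)
    ('  ' * $Depth) + $Namespace
    # Some namespaces refuse non-admin callers; skip them rather than abort.
    foreach ($child in Get-CimInstance -Namespace $Namespace -ClassName __NAMESPACE -ErrorAction SilentlyContinue) {
        Get-WmiNamespaceTree -Namespace "$Namespace\$($child.Name)" -Depth ($Depth + 1)
    }
}

# Classes: Get-CimClass reads the class definition without creating instances.
function Get-WmiClassSummary {
    param([string]$Namespace = 'root\cimv2', [string]$ClassName = 'Win32_Process')
    $class = Get-CimClass -Namespace $Namespace -ClassName $ClassName
    [pscustomobject]@{
        Namespace  = $Namespace
        Class      = $class.CimClassName
        Parent     = $class.CimSuperClassName
        Properties = $class.CimClassProperties.Count
        # Win32_Process.Create is the method behind most "WMI remote execution".
        Methods    = ($class.CimClassMethods | Select-Object -ExpandProperty Name) -join ', '
    }
}

# Objects: a WQL query returns instances. The WHERE clause is evaluated by the
# WMI service, so it is cheaper than pulling everything and filtering afterwards.
function Find-ProcessByWql {
    param([string]$Name = 'powershell.exe')
    # WQL has no parameterised queries; a single quote in user-supplied input
    # would otherwise break out of the literal, so escape it (WQL uses backslash).
    $safe  = $Name -replace "'", "\'"
    $query = "SELECT ProcessId, ParentProcessId, Name, CommandLine FROM Win32_Process WHERE Name = '$safe'"
    Get-CimInstance -Namespace root\cimv2 -Query $query |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine
}

Get-WmiNamespaceTree -Namespace 'root\cimv2'
Get-WmiClassSummary | Format-List
Find-ProcessByWql | Format-Table -AutoSize

# Remote variants (comments only; SRV01 is a placeholder host name):
#   Get-CimInstance -ComputerName SRV01 -Query $query             # over WinRM (WSMan, TCP 5985/5986)
#   $opt = New-CimSessionOption -Protocol Dcom
#   $s   = New-CimSession -ComputerName SRV01 -SessionOption $opt # over DCOM (TCP 135 + dynamic port)
#   Get-CimInstance -CimSession $s -Query $query
#   wmic process where "name='powershell.exe'" get ProcessId,CommandLine   # WMIC, deprecated
```

The same query run through the CIM cmdlets with -ComputerName travels over WinRM, while the Get-WmiObject cmdlet and WMIC use DCOM; which transport an attacker picked determines which ports and logs carry the evidence.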

WMI components

The %SystemRoot%\System32\wbem\Repository path contains:

Analyzing Windows Management Instrumentation with ArtiFast Windows

This section will discuss how to use ArtiFast Windows to analyze the WMI artifact from Windows machines and what kind of digital forensics insight we can gain from the artifact.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select the Windows WMI artifact:

Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of the WMI artifact in ArtiFast software.

Windows WMI Artifact

The artifact contains WMI repository content. The details you can view include:

For more information or suggestions please contact: