WMIMon

This command line tool allows to monitor WMI activity on Windows platform.

If you don’t have Visual Studio to build it, you can download binaries from https://github.com/luctalpe/WMIMon/blob/master/Downloads/WMIMon_Binaries.zip

Features

It is a real-time ETL consumer for the WMI-Activity event log channel. It will allow to also get information about the WMI client process (executable). You can specify a regular expression to filter and limit output to a specific executable,username,client computername, Process ID,query.

Scenarios

This tool may be useful for several scenarios:

Finding which executable/computer/user are executing specific queries and putting load on your system

Learn WMI queries done by your components or a component tha you need to troubleshoot

Execute a specific script when a WMI error code is returned to a client

Sample 1

Allow to view all WMI activity C:\Temp>WMIMOn ***** *** Successfully Created ETW Session WMITrace_{1B701051-0E73-4EEE-85B7-567AC21B1E55} ***** *** Successfully Added Provider to ETW Session ***** 14:38:22.372 Grp=125426 _ClientProcessId=3092 [MsMpEng.exe] LUCT10 NT AUTHORITY\SYSTEM IWbemServices::Connect ***** 14:38:22.376 Grp=125427 Op=125428 _ClientProcessId=3092 [MsMpEng.exe] LUCT10 NT AUTHORITY\SYSTEM Start IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct ***** 14:38:22.380 Stop Op=125426 0x0 ***** 14:38:22.380 Stop Op=125428 0x0

Sample 2

Will monitor all queries containing CreateSnaphost. When this query is executed, the prowershell script listvar.ps1 is executed.This script will display all WMIMON powershell variable and will display informations for the WMI current process ($WMIMOM_PID variable) PS C:\temp\WMIMon> type .\listvar.ps1 ls variable:WMI* get-process -ID $WMIMON_PID PS C:\temp\WMIMon> .\WMIMon.exe "-filter=.*Virtual.*CreateSnapshot" "-action=.\listvar.ps1" Parsing: filtering on .*virtual.*createsnapshot Parsing: Powershell action when filter is found : .\listvar.ps1 ***** *** Successfully Created ETW Session WMITrace_{81830E71-72D7-4228-94CE-A02FE99A01B8} ***** *** Successfully Added Provider to ETW Session ***** 14:46:46.615 Grp=12388022 Op=12388023 _ClientProcessId=3448 [mmc.exe] LUCT2016 LUCT2016\luct Start IWbemServices::ExecMethod - root\virtualization\v2 : \.\ROOT\virtualization\v2:Msvm_VirtualSystemSnapshot Service.CreationClassName="Msvm_VirtualSystemSnapshotService",Name="vssnapsvc",SystemCreationClassName="Msvm_ComputerSys tem",SystemName="LUCT2016"::CreateSnapshot Name Value ---- ----- WMIMON_PID 3448 WMIMON_EXECUTABLE mmc.exe WMIMON_COMPUTER LUCT2016 WMIMON_USER LUCT2016\luct WMIMON_STOPSTATUS 0 WMIMON_ACTIVITY 14:46:46.615 Grp=12388022 Op=12388023 _ClientProcessId=3448 [mmc.exe] LUCT2016 LUCT201... WMIMON_RELATEDACTIVITY Id : 3448 Handles : 1715 CPU : 17070.078125 SI : 2 Name : mmc ***** 14:46:46.659 Stop Op=12388023 0x0

Usage