WMIC 总结（一）

使用WMIC管理wmi

wmic logon list brief             #登录用户
wmic ntdomain list brief          #域控机器
wmic useraccount list brief       #用户列表
wmic share get name,path          #查看系统共享
wmic service list brief | more    #服务列表
wmic startup list full            #识别开机启动的程序，包括路径
wmic fsdir "c:\\test" call delete #删除C盘下的test目录
wmic nteventlog get path,filename,writeable #查看系统中开启的日志
wmic nicconfig get ipaddress,macaddress     #查看系统中网卡的IP地址和MAC地址
wmic qfe get description,installedon        #使用wmic识别安装到系统的补丁
wmic product get name,version     #查看系统安装的软件及版本，2008R2上执行后无反应
wmic useraccount where "name='%UserName%'" call rename newUserName #更改当前用户名
wmic useraccount where "name='Administrator'" call rename admin    #更改指定用户名
wmic bios list full | findstr /i "vmware" #查看当前系统是否是vmware，可以按照实际情况进行筛选
wmic desktop get screensaversecure,screensavertimeout  #查看当前系统是否有屏保保护，延迟是多少
wmic process where name="vmtoolsd.exe" get executablepath       #获取指定进程可执行文件的路径
wmic environment where "name='temp'" get UserName,VariableValue #获取temp环境变量
#查询Windows机器版本和服务位数和.Net版本
wmic os get caption
wmic os get osarchitecture
wmic os get caption,csdversion,osarchitecture,version
wmic product where "Name like 'Microsoft .Net%'" get Name,Version
 
#查询本机所有盘符
wmic logicaldisk list brief
wmic logicaldisk get description,name,size,freespace /value
 
#卸载和重新安装程序
wmic product where "name like '%office%'" get name
wmic product where name="Office" call uninstall
 
#查看某个进程的详细信息（路径、参数等）
wmic process where name="chrome.exe" list full 
wmic process where name="firefox.exe" get executablepath,name,processid
wmic process where caption="firefox.exe" get caption,commandline /value
 
#更改PATH环境变量值，新增c:\whoami
wmic environment where "name='path' and username='<system>'" set variablevalue="%path%;c:\whoami"
 
#查看某个进程的详细信息PID
wmic process list brief
tasklist /svc | findstr firefox.exe
wmic process where processid=6168 get parentProcessId,commandline,processid,executablepath,name,creationclassname,creationdate
 
#终止进程
wmic process where name="xshell.exe" call terminate
ntsd -c q -p PID
taskkill -im PID
 
#获取电脑产品编号和型号信息
wmic baseboard get product,serialnumber
 
#获取安装软件
wmic product get name,version
wmic product list brief
 服务管理

#更改telnet服务启动类型
wmic SERVICE where name="tlntsvr" set startmode="Auto"
 
#运行telnet服务
wmic SERVICE where name="tlntsvr" call startservice
 
#停止ICS服务
wmic SERVICE where name="ShardAccess" call stopservice
 
#删除test服务
wmic SERVICE where name="test" call delete
 目录管理

#列出c盘下名为test的目录
wmic FSDIR where "drive='c:' and filename='test'" list
 
#删除c:\test文件夹
wmic fsdir "c:\test" call delete
 
#重命名c:\test文件夹为abc
wmic fsdir "c:\test" rename "c:\abc"
wmic fsdir where (name='c:\test') rename "c:\abc"
 
#复制文件夹
wmic fsdir where name='d:\test' call copy "c:\test"
 
#重命名文件
wmic datafile "c:\test.txt" call rename "c:\abc.txt"
远程执行命令

#以administrator用户，x123456密码连接192.168.11.133，并在机器上执行ipconfig命令，将结果写入c:\ip.txt文件中
 
wmic /node:192.168.11.133 /user:administrator /password:x123456 process call create "cmd.exe /c ipconfig > c:\ip.txt"