1. WMIC stands for Windows Management Instrumentation Command-line It lets administrative users access all kinds of detailed information about a Windows machine, including detailed attributes of thousands of settings and objects. WMIC is built into Windows XP Professional, Windows 2003 and Windows Vista.
C:\> wmic process
2. When you run this command, the output may not be an easy to understand format but the same can be formatted in several different ways, but two of the most useful for analysing a system for compromise are the "list full" option, which shows a huge amount of detail for each area of the machine a user is interested in, and the "list brief" output, which provides one line of output per report item in the list of entities, such as running processes, autostart programs and available shares. For example, we can look at a summary of every running process on a machine by running:
C:\> wmic process list brief
3. That command will show the name, process ID and priority of each running process, as well as other less-interesting attributes.
C:\> wmic process list full
4. This command shows all kinds of details, including the full path of the executable associated with the process and its command-line invocation. When
investigating a machine for infection, an administrator should look at each process to determine whether it has a legitimate use on the machine, researching unexpected or unknown processes using a search engine.
5. Beyond the process alias, users could substitute startup to get a list of all auto-start programs on a machine, including programs that start when the system boots up or a user logs on, which could be defined by an auto-start registry key or folder:
C:\> wmic startup list full
6. A lot of malware automatically runs on a machine by adding an auto-start entry alongside the legitimate ones which may belong to antivirus tools and various system tray programs. Users can look at other settings on a machine with WMIC by replacing "startup" with "QFE" (an abbreviation which stands for Quick Fix Engineering) to see the patch level of a system, with "share" to see a list of Windows file shares made available on the machine and with "useraccount" to see detailed user account settings.
7. A handy option within WMIC is the ability to run an information-gathering command on a repeated basis by using the syntax "/every:[N]" after the rest of the WMIC command. The [N] here is an integer, indicating that WMIC should run the given command every [N] seconds. That way, users can look for changes in the settings of the system over time, allowing careful scrutiny of the output. Using this function to pull a process summary every 5 seconds, users could run:
C:\> wmic process list brief /every:1
Hitting CTRL+C will stop the cycle.
https://orcid.org/0000-0002-9097-2246
