# WMI
- WMI allows administrators to act on managed objects on a system: create a process, manage services, and so on.
- The WMI provider host process, **WmiPrvSE.exe**, is the executable responsible for executing WMI activity.
## Components:
1. WMI Providers: COM servers that monitor managed objects. A WMI provider normally consists of a MOF file, which defines the data and event classes for which the provider returns data, and a DLL file which contains the code that supplies data. These providers are typically DLLs and can be found in `C:\Windows\System32\wbem\*`.
2. Managed objects: processes, services, operating system...
3. WMI infrastructure: the WMI service (winmgmt):
3.1. The CIM Object Manager (CIMOM): this component brokers the connection between the management application and the provider.
3.2. The WMI/CIMOM object repository is organized by WMI namespaces and holds the class definitions registered by the providers. It lives at `C:\Windows\System32\wbem\Repository\`.
4. Management application (WMI consumer): the client application (an .exe, a VBScript, a PowerShell script, ...) that interacts with the WMI infrastructure.
- The [WMI service](http://revertservice.com/10/winmgmt/) (winmgmt) is implemented in **wmisvc.dll**, which is loaded into and runs inside **svchost.exe**. Look at the WinMgmt service configuration in the registry:
![](https://i.imgur.com/LWpxNcc.png)
![](https://i.imgur.com/MIxrQfG.png)
- Another WMI binary on disk, WmiPrvSE.exe (WMI Provider Host), loads the correct COM server (the WMI provider). Its parent is the **svchost.exe** process with the command line `C:\Windows\system32\svchost.exe -k DcomLaunch -p`; that svchost is itself launched by **services.exe**.
![](https://i.imgur.com/k0UHMrg.png)
### A WMI call at a high level:
1. The WMI service (wmisvc.dll) is launched inside an svchost process via `C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt`.
2. A management application (for example powershell.exe) invokes a WMI method.
3. WmiPrvSE is launched via `C:\Windows\system32\wbem\wmiprvse.exe -Secured -Embedding` as a child of the DcomLaunch svchost process.
4. The WMI service loads the appropriate WMI provider into WmiPrvSE.
5. WmiPrvSE executes the provider function that implements the method.
### Practice:
- PowerShell exposes two families of cmdlets for WMI: the legacy WMI cmdlets (`Get-WmiObject` and friends) and the CIM cmdlets (`Get-CimClass`, `Get-CimInstance`, ...). The CIM cmdlets are used below.
- Find a WMI class that allows us to create a process:
```powershell
PS C:\Users\v13td0x> Get-CimClass -MethodName *Create*

   NameSpace: ROOT/cimv2

CimClassName          CimClassMethods      CimClassProperties
------------          ---------------      ------------------
Win32_ShadowStorage   {Create}             {AllocatedSpace, DiffVolume, MaxSpace, UsedSpace...}
StdRegProv            {CreateKey, Delet... {}
Win32_ScheduledJob    {Create, Delete}     {Caption, Description, InstallDate, Name...}
Win32_DfsNode         {Create}             {Caption, Description, InstallDate, Name...}
Win32_BaseService     {StartService, St... {Caption, Description, InstallDate, Name...}
Win32_SystemDriver    {StartService, St... {Caption, Description, InstallDate, Name...}
Win32_Service         {StartService, St... {Caption, Description, InstallDate, Name...}
Win32_Share           {Create, SetShare... {Caption, Description, InstallDate, Name...}
Win32_ClusterShare    {Create, SetShare... {Caption, Description, InstallDate, Name...}
Win32_ShadowCopy      {Create, Revert}     {Caption, Description, InstallDate, Name...}
Win32_Process         {Create, Terminat... {Caption, Description, InstallDate, Name...}   # <<<------

PS C:\Users\v13td0x> (Get-CimClass -ClassName Win32_Process).CimClassMethods['Create'].Parameters

Name                      CimType  Qualifiers                                 ReferenceClassName
----                      -------  ----------                                 ------------------
CommandLine               String   {ID, In, MappingStrings}
CurrentDirectory          String   {ID, In, MappingStrings}
ProcessStartupInformation Instance {EmbeddedInstance, ID, In, MappingStrings}
ProcessId                 UInt32   {ID, MappingStrings, Out}
```
- You can see that the WMI class **Win32_Process** holds a method called `Create`, and the second command lists the parameters that **Win32_Process.Create** takes. Next, let's find out which WMI provider implements it. As mentioned before, providers are essentially just COM servers, which means they are registered in the registry behind a CLSID.
```powershell
PS C:\Users\v13td0x> (Get-CimInstance __Provider -Filter "Name = '$(([WmiClass] 'Win32_Process').Qualifiers['provider'].Value)'").CLSID
{d63a5850-8f16-11cf-9f47-00aa00bf345c}
# use that CLSID to find the COM server (DLL) that implements the provider
PS C:\Users\v13td0x> Get-ItemPropertyValue -Path "Registry::HKEY_CLASSES_ROOT\CLSID\{d63a5850-8f16-11cf-9f47-00aa00bf345c}\InprocServer32\" -Name '(default)'
C:\Windows\system32\wbem\cimwin32.dll
```
So, what do we have?
> WMI class: Win32_Process
> Method: Create(CommandLine, CurrentDirectory, ProcessStartupInformation, ProcessId)
> Provider: cimwin32.dll
> Namespace: ROOT/cimv2
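The class-to-provider lookup above, generalised into a reusable function, plus an inventory of the WmiPrvSE hosts currently running and the provider DLLs they have loaded (added example, not part of the original notes; the function names `Resolve-WmiProvider` and `Get-WmiProviderHost` are mine, and it assumes a Windows host with the CIM cmdlets available):

```powershell
# Added example, not from the original notes. Generalises the Win32_Process
# lookup above into a reusable function, then inventories the WmiPrvSE hosts
# that are running, so a defender can baseline which provider DLLs are loaded.
# Windows only; reading another account's process modules requires elevation.

function Resolve-WmiProvider {
    param(
        [Parameter(Mandatory)][string]$ClassName,
        [string]$Namespace = 'root/cimv2'
    )
    $class = Get-CimClass -Namespace $Namespace -ClassName $ClassName
    # The 'provider' class qualifier names the __Win32Provider instance behind the class.
    $providerName = $class.CimClassQualifiers['provider'].Value
    $provider = Get-CimInstance -Namespace $Namespace -ClassName __Win32Provider `
        -Filter "Name = '$providerName'"
    # COM registration: CLSID -> InprocServer32 -> the DLL that WmiPrvSE will load.
    $dll = Get-ItemPropertyValue -Name '(default)' `
        -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$($provider.CLSID)\InprocServer32"
    [pscustomobject]@{
        Namespace    = $Namespace
        Class        = $ClassName
        Methods      = $class.CimClassMethods.Name -join ', '
        Provider     = $providerName
        CLSID        = $provider.CLSID
        HostingModel = $provider.HostingModel   # account the WmiPrvSE host runs under
        Dll          = $dll
    }
}

function Get-WmiProviderHost {
    # Per the notes, every WmiPrvSE.exe should descend from the DcomLaunch svchost;
    # a different parent or a provider DLL outside \wbem\ deserves a closer look.
    Get-CimInstance Win32_Process -Filter "Name = 'WmiPrvSE.exe'" | ForEach-Object {
        $proc   = $_
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
        $dlls   = @()
        try   { $dlls = (Get-Process -Id $proc.ProcessId -ErrorAction Stop).Modules.FileName }
        catch { }   # access denied when not elevated; leave the list empty
        [pscustomobject]@{
            PID           = $proc.ProcessId
            CommandLine   = $proc.CommandLine
            ParentPID     = $proc.ParentProcessId
            ParentCmdLine = $parent.CommandLine
            WbemDlls      = ($dlls | Where-Object { $_ -like '*\wbem\*.dll' }) -join '; '
        }
    }
}

Resolve-WmiProvider -ClassName Win32_Process | Format-List
Get-WmiProviderHost | Format-List
```

For Win32_Process the first call should report provider CIMWin32 and the cimwin32.dll path found above; the second lets you compare each host's parent command line against the expected `svchost.exe -k DcomLaunch -p`.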