GPO

WMI filters

This article describes the following:

  • What is WMI?
  • Creating WMI filters
  • Generate WMI code
  • More than 30 GPO WMI filtering examples
  • Testing WMI filters

What is WMI?

WMI (Windows Management Instrumentation) is a uniform way to access system and administrative information in a database-like manner. The most common syntax of a WMI query is:

SELECT [property] from [wmi class]

Creating WMI filters

To create a WMI filter, follow these steps:

1. Start Group Policy Management Console and connect to the domain.

2. Right-click WMI Filters and choose New.

3. Enter a title and description for the filter and click Add.

4. Enter the query and click OK.

5. Repeat steps 3 and 4 if you want to enter multiple queries in 1 filter.

6. Click Save.

It looks simple and in fact it is. The harder part is how to build the query.

Generate WMI code

If you have any scripting experience (or just the feeling) I recommend downloading Microsoft’s WMI Code Creator.

This tool makes it easy to create and test a WMI query just by selecting the class, property and value. The screen dumps show how to create a filter that checks for the existence of drive D:.

Download: WMI Code Creator

WMI filtering is slow, isn’t it?

There’s a widespread rumor that WMI filtering shouldn’t be used because it is slow. You should keep in mind that WMI is a powerful tool. It’s possible to create a query that searches the entire C: drive to see if there is a file named coffee.txt. Yes, that would be a slow query.

The examples in this article though are much simpler and most shouldn’t take more than a second to execute. When in doubt it is wise to measure the time to execute.

Example WMI filters

Far easier than creating a filter is using someone else’s filters. These examples are tested on Windows 2008 R2 and Windows 7 and should work on earlier Windows versions.

If not mentioned otherwise, the namespace used in the examples is root\CIMv2.

Computer properties

Computer is a laptop (because it has a battery)

SELECT * FROM Win32_Battery

Screen resolution is at least 1280×720

SELECT * FROM Win32_DisplayControllerConfiguration WHERE HorizontalResolution>1279 AND VerticalResolution>719

System is running on batteries

SELECT * FROM BatteryStatus Where Discharging = True

NOTE: Namespace for this filter: \root\WMI

Computer has at least 2GB RAM memory

SELECT * FROM Win32_ComputerSystem WHERE TotalPhysicalMemory > 2000000000

Drive D: contains at least 100GB free space

SELECT * FROM Win32_LogicalDisk WHERE FreeSpace > 100000000000 AND Caption = "D:"

Computer contains an Intel Processor

SELECT * FROM Win32_Processor WHERE Manufacturer = "GenuineIntel"

Computer has more than 2 logical processors

SELECT * FROM Win32_ComputerSystem where NumberOfLogicalProcessors > 2

Computer has more than 1 physical processor

SELECT * FROM Win32_ComputerSystem where NumberOfProcessors > 1

Computer contains an IRDA device

SELECT * FROM CIM_InfraredController

Computer contains a floppy drive

SELECT * FROM Win32_FloppyDrive

Computer contains an active Trusted Platform Module (TPM)

SELECT * FROM Win32_Tpm WHERE IsEnabled_InitialValue = True

NOTE: Namespace for this filter: root\CIMV2\Security\MicrosoftTpm

Computer is a Compaq Presario SR5115NL

SELECT * FROM Win32_ComputerSystem WHERE Manufacturer = "Compaq-Presario" AND Model = "GN729AA-ABH SR5115NL"

Windows Operating System

64 bits OS installed

SELECT OSArchitecture FROM Win32_OperatingSystem WHERE OSArchitecture = "64-bit"

OS Windows 7

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = "1"

OS Windows 7 with service pack 1

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = "1" AND ServicePackMajorVersion = "1"

OS Windows Vista

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0%" AND ProductType = "1"

OS Windows XP

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.1%" AND ProductType = "1"

OS Windows 2000 workstation

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.0%" AND ProductType = "1"

OS Windows 2008 R2 server

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType <> "1"

OS Windows 2008 R2 server with service pack 1

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType <> "1" AND ServicePackMajorVersion = "1"

OS Windows 2008 server

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0%" AND ProductType <> "1"

OS Windows 2003 server

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.2%" AND ProductType <> "1"

OS Windows 2000 server

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.0%" AND ProductType <> "1"

Software and settings

Time zone + 1 (bias is the time zone GMT+0 offset in minutes)

SELECT * FROM win32_timezone WHERE bias = 60

Windows feature webserver is installed

SELECT * FROM Win32_ServerFeature WHERE Name="Web Server (IIS)"

Service DHCP Server starts automatically

SELECT * FROM Win32_Service WHERE Caption="DHCP Server" AND StartMode="Auto"

Share Backup$ is defined on this computer

SELECT * FROM Win32_Share WHERE Caption="Backup$"

File C:\windows\system32\notepad.exe exists

SELECT * FROM CIM_Datafile WHERE Name="C:\\windows\\system32\\notepad.exe"

Local user JDoe exists

SELECT * FROM Win32_UserAccount WHERE Name="JDoe" AND LocalAccount=True

Local group WSUS-administrators exists

SELECT * FROM Win32_Group WHERE LocalAccount=True AND Name="WSUS-administrators"

Microsoft Office is installed (slow query!!)

SELECT * FROM Win32_Product WHERE Caption LIKE "Microsoft Office%"

Active Directory

Computer is an AD client computer

SELECT ProductType FROM Win32_OperatingSystem WHERE ProductType = "1"

Computer is an AD domain controller

SELECT ProductType FROM Win32_OperatingSystem WHERE ProductType = "2"

Computer is an AD member server

SELECT ProductType FROM Win32_OperatingSystem WHERE ProductType = "3"

AD Site-name is Amsterdam

SELECT * FROM Win32_NTDomain WHERE ClientSiteName = "Amsterdam"

Date and time

It is Monday (1=Monday, 2=Tuesday, etc.)

SELECT DayOfWeek FROM Win32_LocalTime WHERE DayOfWeek = 1

It is February (1=January, 2=February, etc.)

SELECT DayOfWeek FROM Win32_LocalTime WHERE month = 2

Testing WMI filters

You succeeded in creating the WMI filter and applied it to a GPO, but does it work correctly? To test this you can run Group Policy Results in the Group Policy Management Console.

The screen dump shows the WMI filter applied to GPO Dummy having value True, which means that the GPO will be applied.

NOTE: You might need to refresh the policies using gpupdate

If you are familiar with PowerShell you can check the performance of the WMI filter using the command:

Measure-Command { Get-WmiObject -Query '[query]' }
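A way to check a complete filter on a target machine before linking it to a GPO, as an added example that is not from the original article: the hypothetical function Test-WmiFilter runs each query in its own namespace, times it, and reports the filter as true only when every query returns at least one instance, which is how a filter with multiple queries is evaluated. The sample filter combines three queries from this page.

```powershell
# Added example (not from the original article). Test-WmiFilter is a hypothetical helper.
# Requires Windows PowerShell 3.0 or later (Get-WmiObject is not available in PowerShell 7+).
function Test-WmiFilter {
    param(
        # Each entry: @{ Namespace = '...'; Query = '...' }; Namespace is optional.
        [Parameter(Mandatory = $true)] [hashtable[]] $Queries
    )
    $results = foreach ($q in $Queries) {
        # The page's default namespace applies when none is given.
        $ns = if ($q.Namespace) { $q.Namespace } else { 'root\CIMv2' }
        $matched = $false
        $err = $null
        $timer = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            # A query is true when it returns at least one instance.
            $instances = @(Get-WmiObject -Namespace $ns -Query $q.Query -ErrorAction Stop)
            $matched = $instances.Count -gt 0
        } catch {
            # Invalid class, namespace or syntax: record the error and count it as no match.
            $err = $_.Exception.Message
        }
        $timer.Stop()
        [pscustomobject]@{
            Namespace = $ns
            Query     = $q.Query
            Matched   = $matched
            Ms        = $timer.ElapsedMilliseconds
            Error     = $err
        }
    }
    [pscustomobject]@{
        # The filter is true only if no query failed to match.
        FilterResult = -not ($results | Where-Object { -not $_.Matched })
        TotalMs      = ($results | Measure-Object -Property Ms -Sum).Sum
        Queries      = $results
    }
}

# Sample filter built from queries on this page: a Windows 7 laptop running on battery.
$filter = @(
    @{ Query = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = "1"' }
    @{ Query = 'SELECT * FROM Win32_Battery' }
    @{ Namespace = 'root\WMI'; Query = 'SELECT * FROM BatteryStatus WHERE Discharging = True' }
)
$report = Test-WmiFilter -Queries $filter
$report.Queries | Format-Table Matched, Ms, Namespace, Query, Error -AutoSize
"Filter result: {0} ({1} ms total)" -f $report.FilterResult, $report.TotalMs
```

A query that shows an Error value here, for example because the class does not exist on that Windows version, is worth fixing before the filter is saved, since the per-query timings also show which query dominates the total.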

This post applies to: Windows 2003, Windows 2008, Windows 2012, Windows XP, Windows Vista, Windows 7, Windows 8.
