Windows WMI and Linux Part 3

June 12th, 2008

This continues from part 2 and part 1.

We’ve gone from knowing nothing to having something that we can query the WMI interface with, using two open source projects (WMI Mapper and wbemcli) to get the information out. Now we dive head first into what you actually do to get the information we want from WMI.

As we saw in the previous lesson, there’s a lot of information available in WMI/WBEM, and for the Linux people a lot of it is quite frankly trash. For the Windows people I would suspect it is as well, but WBEM does at the moment allow you to make changes to the system and applications. For this document we will only cover actually getting information.

The first step is to find out whether you can query the server in question. Using wbemcli, type in the following:

wbemcli -nl gc 'http://NA\jjackson:password@host:5988/root/MicrosoftExchangeV2'

Please note that NA is the domain that I am part of; otherwise it’s your normal http://username:password@blah:port. Port 5988 is the default for http and 5989 for https. The above will return something like the following, just much larger and with more items.

.internal:5988/root/MicrosoftExchangeV2:Exchange_Logon : CIM_LogicalElement
-AdapterSpeed
-Caption
-ClientIP
-ClientMode
-ClientName
-ClientVersion
-CodePageID
-Description
-FolderOperationRate
-HostAddress
-InstallDate
-LastOperationTime
-Latency
-LocaleID
-LoggedOnUserAccount
-LoggedOnUsersMailboxLegacyDN
-LogonTime
-MacAddress
-MailboxDisplayName
-MailboxLegacyDN
-MessagingOperationRate
-Name
-OpenAttachmentCount
-OpenFolderCount
-OpenMessageCount
-OtherOperationRate
-ProgressOperationRate
-RowID
-RPCSucceeded
-ServerName
-Status
-StorageGroupName
-StoreName
-StoreType
-StreamOperationRate
-TableOperationRate
-TotalOperationRate
-TransferOperationRate

That’s the class you’re looking at and the values that can be returned from it. To get the values you need to run the following:

wbemcli -nl ei 'http://NA\jjackson:password@.internal:5988/root/MicrosoftExchangeV2:Exchange_Logon'

You’ll get that information for all possible return values; in this case, you’ll get it for each user logged into Exchange.

-AdapterSpeed
-Caption
-ClientIP
-ClientMode
-ClientName
-ClientVersion="OLEDB"
-CodePageID=1252
-Description
-FolderOperationRate=0
-HostAddress="ExOleDb"
-InstallDate
-LastOperationTime=20080426161105.000872+000
-Latency
-LocaleID=1033
-LoggedOnUserAccount="NT AUTHORITY\SYSTEM"
-LoggedOnUsersMailboxLegacyDN
-LogonTime=20080426161105.000872+000
-MacAddress
-MailboxDisplayName="NT AUTHORITY\SYSTEM"
-MailboxLegacyDN
-MessagingOperationRate=0
-Name
-OpenAttachmentCount=0
-OpenFolderCount=1
-OpenMessageCount=0
-OtherOperationRate=0
-ProgressOperationRate=0
-RowID=61
-RPCSucceeded
-ServerName=".internal"
-Status
-StorageGroupName="First Storage Group"
-StoreName="Public Folder Store (.internal)"
-StoreType=2
-StreamOperationRate=0
-TableOperationRate=0
-TotalOperationRate=0
-TransferOperationRate=0

That’s the basics of getting information from WMI. It now becomes a matter of doing a lot of filtering and potentially using some of the other options to make it cleaner.

But this is as far as I’ve gotten, so I figured I’d provide at least this much information to help get people started on doing this.
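One way to do the filtering mentioned above, as an added example that is not part of the original post: it parses `wbemcli -nl ei` output into one record per logon and keeps only real user sessions. The sample text, the host name, the `NA\jdoe` account and the function names are constructed for illustration, and the code assumes each instance begins with an object-path line that does not start with `-`.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample (not real output): an object-path line per instance, then
# one "-Property[=value]" line per property, as in the listings above.
SAMPLE = r'''host.example:5988/root/MicrosoftExchangeV2:Exchange_Logon.RowID=61
-ClientIP
-LoggedOnUserAccount="NT AUTHORITY\SYSTEM"
-LogonTime=20080426161105.000872+000
-OpenFolderCount=1
host.example:5988/root/MicrosoftExchangeV2:Exchange_Logon.RowID=62
-ClientIP="192.0.2.10"
-LoggedOnUserAccount="NA\jdoe"
-LogonTime=20080426170230.000000+060
-OpenFolderCount=4
'''

CIM_DT = re.compile(r"(\d{14}\.\d{6})([+-])(\d{3})")

def parse_value(raw):
    """Convert one wbemcli value: None if unset, else str, int or aware datetime."""
    if raw is None:
        return None
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    m = CIM_DT.fullmatch(raw)
    if m:  # CIM datetime: yyyymmddHHMMSS.mmmmmm, then UTC offset in minutes
        minutes = int(m.group(3)) * (1 if m.group(2) == "+" else -1)
        naive = datetime.strptime(m.group(1), "%Y%m%d%H%M%S.%f")
        return naive.replace(tzinfo=timezone(timedelta(minutes=minutes)))
    return int(raw) if re.fullmatch(r"-?\d+", raw) else raw

def parse_instances(text):
    """Split -nl output into one dict per instance, keyed by property name."""
    instances = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if not line.startswith("-"):
            instances.append({"__path": line})  # assumed: path line starts an instance
        elif instances:
            name, sep, raw = line[1:].partition("=")
            instances[-1][name] = parse_value(raw if sep else None)
    return instances

def user_logons(instances):
    """Drop service logons (NT AUTHORITY\\...) and keep real user sessions."""
    return [i for i in instances
            if not (i.get("LoggedOnUserAccount") or "").upper().startswith("NT AUTHORITY\\")]

if __name__ == "__main__":
    for logon in user_logons(parse_instances(SAMPLE)):
        print(logon["LoggedOnUserAccount"], logon["ClientIP"], logon["LogonTime"].isoformat())
```

To use it on live data, pass the captured output of the `ei` command to `parse_instances` in place of `SAMPLE`.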
