Querying Windows endpoints with WMI using Orbital
On top of existing osquery tables, Orbital allows you to query your endpoints using a familiar SQL syntax against a set of exposed Microsoft WMI Classes. Like existing osquery tables, classes can be queried for data using the
SELECT statement, e.g.:
SELECT InstallState FROM Win32_OptionalFeature WHERE Name = 'TelnetClient';
Queries against WMI Classes can be combined with queries against other non-WMI Orbital tables (e.g. using
JOIN) which allows for complex querying capabilities between multiple data sources.
The following exposed classes are outlined below with their corresponding WMI Namespace.
Note: Not all WMI namespaces are supported by all versions of Windows. Please refer to the Reference links provided in the class descriptions for more information on the minimum supported Windows version for each namespace.
- Description: This class represents a device connected to a computer running on a Microsoft Windows operating system that can produce a printed image or text on paper or other medium.
- Name: Name of the printer
- Default: If TRUE, the printer is the default printer
- Direct: If TRUE, the print job is sent directly to the printer. If FALSE, the print job is spooled.
- DoCompleteFirst: Start jobs that are finished spooling first
- HorizontalResolution: Horizontal resolution of the printer—in pixels per inch
- VerticalResolution: Vertical resolution of the printer—in pixels per inch
- KeepPrintedJobs: Spooler should not delete documents after they are printed
- Local: Directly connected to a computer. If both Local and Network bits are set, this indicates a network printer.
- Network: Attached to a network. If both Local and Network bits are set, this indicates a network printer.
- PortName: Port that is used to transmit data to a printer
- PrintJobDataType: Data type of a print job waiting for the Windows-based printing device
- PrintProcessor: Name of the print spooler that handles print jobs
- Priority: Priority of the printer. Jobs on a higher priority printer are scheduled first.
- Published: If TRUE, the printer is published in the network directory service.
- Queued: If TRUE, the printer buffers and queues print jobs.
- RawOnly: If TRUE, the printer accepts only raw data to be spooled.
- Shared: If TRUE, the printer is available as a shared network resource.
- WorkOffline: If TRUE, you can queue print jobs on the computer when the printer is offline.
- PrinterPaperNames: Array of paper sizes supported by the printer.
- CapabilityDescriptions: Printer capabilities
- Description: This class defines summary assessment information for the most recent formal assessment.
- CPUScore: A score for the processors on the computer
- D3DScore: Windows 8.1 only
- DiskScore: A score for the sequential read throughput on the primary hard disk on the computer
- GraphicsScore: A score for the graphics capabilities of the computer
- MemoryScore: A score for the memory throughput and capacity of the computer
- TimeTaken: This property must be set to ‘MostRecentAssessment’ in the WHERE clause of your WQL query
- WinSATAssessmentState: State of the assessment
- WinSPRLevel: Base score for the computer
- Description: This class epresents the types of information that will be gathered from memory when the operating system fails. This includes boot failures and system crashes.
- AutoReboot: System will automatically reboot during a recovery operation
- DebugFilePath: Full path to the debug file. A debug file is created with the memory state of the computer after a computer failure
- DebugInfoType: Type of debugging information written to the log file
- OverwriteExistingDebugFile: New debug file will overwrite an existing one
- SendAdminAlert: Alert message will be sent to the system administrator in the event of an operating system failure
- WriteDebugInfo: Debugging information is to be written to a log file
- WriteToSystemLog: Events will be written to a system log
- Description: This class represents files that are shortcuts to other files, directories, and commands.
- AccessMask: Bitmask that represents the access rights required to access or perform specific operations on the file
- Caption: A short textual description of the object
- Archive: If True, the file should be archived
- Compressed: If True, the file is compressed
- CreationDate: Date and time of the file’s creation; UNIX epoch format, e.g. 1597943950
- Encrypted: If True, the file is encrypted
- EncryptionMethod: Free-form string that identifies the algorithm or tool used to encrypt a logical file
- Extension: File name extension
- FileName: File name
- Hidden: If True, the file is hidden
- Path: Path of the file including the leading and trailing backslashes
- Target: Name of the object that this is a shortcut to
- Status: String that indicates the current status of the object
- Description: This class contains data on a system registry file.
- CurrentSize: Current physical size of the Windows registry
- InstallDate: Indicates when the object was installed. Lack of a value does not indicate that the object is not installed; UNIX epoch format, e.g. 1597943950
- MaximumSize: Maximum size of the Windows registry
- ProposedSize: Proposed size of the Windows registry
- Status: String that indicates the current status of the object: OK, Degraded, Pred Failed
- Description: This class represents the status of the optional features that are present on the operating system.
- Description: Optional feature description.
- InstallDate: Optional feature installation date
- Status: Optional feature status
- Caption: Optional feature caption
- Name: Optional feature name
- InstallState: Optional feature installation state
- Description: This class lists instances from the Windows event log.
- Category: Event log source
- Data: List of the binary data that accompanied the report of the Windows event
- EventCode: Value of the lower 16-bits of the EventIdentifier property
- EventIdentifier: Event ID
- EventType: Type of event
- LogFile: Name of Windows event log file
- Message: Event message as it appears in the Windows event log
- RecordNumber: Identifies the event within the Windows event log file
- SourceName: Name of the source that generated the entry
- TimeGenerated: The time when the event is generated; UNIX epoch format, e.g. 1597943950
- TimeWritten: The time when the event is written to the log file; UNIX epoch format, e.g. 1597943950
- User: User name of the logged-on user when the event occurred
- Type: Type of the event
Note: Win32_NtLogEvent will attempt to query all Windows events that exist on the endpoint. For performant queries on endpoints with many Windows events it is strongly recommended to add a
WHERE clause to limit the number of results, e.g.
WHERE TimeGenerated >= 1597943950.
- Description: This class represent a logical file or directory of the operating system events.
- AccessMask: Bitmask that represents the access rights required to access or perform specific operations on the event log file
- Archive: If True, a file that contains Windows events should be archived
- Compressed: If True, a file that contains Windows events is compressed
- CreationDate: Date that the file that contains Windows events was created; UNIX epoch format, e.g. 1597943950
- Drive: Drive letter of the file that contains Windows events
- Encrypted: File that contains Windows events is encrypted
- EncryptionMethod: Algorithm or tool used to encrypt the logical file
- Extension: File name extension of the file that contains Windows events
- FileName: File name of the file that contains Windows events
- FileSize: Size of the file that contains Windows events (in bytes)
- Hidden: If True, a file that contains Windows events is hidden
- InUseCount: Number of ‘file opens’ that are currently active against the file that contains Windows events
- LastAccessed: Date and time that the file that contains Windows events was last accessed; UNIX epoch format, e.g. 1597943950
- LastModified: Date and time that the file that contains Windows events was last modified; UNIX epoch format, e.g. 1597943950
- LogfileName: Name of the file that contains Windows events
- MaxFileSize: Maximum size (in bytes) permitted for the file that contains Windows events
- NumberOfRecords: Number of records in the file that contains Windows events
- OverwriteOutDated: Number of days after which an event can be overwritten
- OverWritePolicy: Current overwrite policy the Event Log service employs for this log file
- Sources: List of applications that are registered to log into this log file
- Status: Current status of the object
- Writeable: If True, a file that contains Windows events can be written
- Readable: If True, a file that contains Windows events can be read
- Description: This class contains information about a user account.
- AccountType: Describes the characteristics of a Windows user account.
- Name: Account user name.
- Disabled: If true, Windows user account is disabled.
- Domain: Name of the Windows domain to which a user account belongs.
- InstallDate: Date the object is installed. This property does not need a value to indicate that the object is installed.
- LocalAccount: If true, the account is defined on the local computer.
- Lockout: If true, the user account is locked out of the Windows operating system.
- PasswordChangeable: If true, the password on this user account can be changed.
- PasswordExpires: If true, the password on this user account expires.
- PasswordRequired: If true, a password is required on a Windows user account. If false, this account does not require a password.
- SID: Security identifier (SID) for this account.
- SIDType: Enumerated value that specifies the type of SID.
- Status: Current status of an object. Various operational and nonoperational statuses can be defined: OK, Degraded, Pred Failed, Error, Unknown.
- Description: This class represents the system driver for a base service.
- AcceptPause: Service can be paused.
- AcceptStop: Service can be stopped.
- Caption: Short description of the object.
- CreationClassName: Name of the first concrete class to appear in the inheritance chain used in the creation of an instance. When used with the other key properties of the class, this property allows all instances of this class and its subclasses to be uniquely identified.
- Description: Description of the object.
- DesktopInteract: This service can create or communicate with windows on the desktop.
- DisplayName: Display name of the service.
- ErrorControl: Severity of the error if this service fails to start during startup. This value indicates the action taken by the startup program if failure occurs.
- ExitCode: Windows error code defining any problems encountered in starting or stopping the service.
- InstallDate: Object was installed. This property does not need a value to indicate that the object is installed.
- Name: Unique identifier for the service which provides an indication of the functionality that is managed.
- PathName: Fully qualified path to the service binary file that implements the service.
- ServiceSpecificExitCode: Service-specific error code for errors that occur while the service is either starting or stopping.
- ServiceType: Type of service provided to calling processes.
- Started: Service has been started.
- StartMode: Start mode of the system driver.
- StartName: Account name under which the service runs.
- State: Current state of the base service.
- Status: Current status of the object.
- SystemName: Name of the system that hosts this service.
- Description: The Win32_Processor WMI class represents a device that can interpret a sequence of instructions on a computer running on a Windows operating system.
- Architecture: Processor architecture used by the platform.
- Availability: Represents the asset tag of this processor.
- Caption: Short description of an object .
- Characteristics: Defines which functions the processor supports.
- ConfigManagerErrorCode: Windows API Configuration Manager error code.
- ConfigManagerUserConfig: If TRUE, the device is using a configuration that the user defines.
- CpuStatus: Current status of the processor. Status changes indicate processor usage, but not the physical condition of the processor.
- CurrentClockSpeed: Current speed of the processor, in MHz.
- CurrentVoltage: Voltage of the processor.
- ExtClock: External clock frequency, in MHz. If the frequency is unknown, this property is set to NULL.
- Family: Processor family type.
- L2CacheSize: Size of the Level 2 processor cache. A Level 2 cache is an external memory area that has a faster access time than the main RAM memory.
- L2CacheSpeed: Clock speed of the Level 2 processor cache. A Level 2 cache is an external memory area that has a faster access time than the main RAM memory.
- L3CacheSize: Size of the Level 3 processor cache. A Level 3 cache is an external memory area that has a faster access time than the main RAM memory.
- L3CacheSpeed: Clockspeed of the Level 3 property cache. A Level 3 cache is an external memory area that has a faster access time than the main RAM memory.
- LoadPercentage: Load capacity of each processor, averaged to the last second. Processor loading refers to the total computing burden for each processor at one time.
- MaxClockSpeed: Maximum speed of the processor, in MHz.
- NumberOfCores: Number of cores for the current instance of the processor.
- NumberOfEnabledCore: The number of enabled cores per processor socket.
- NumberOfLogicalProcessors: Number of logical processors for the current instance of the processor.
- PowerManagementCapabilities: Array of the specific power-related capabilities of a logical device.
- PowerManagementSupported: If TRUE, the power of the device can be managed, which means that it can be put into suspend mode, and so on.
- ProcessorId: Processor information that describes the processor features.
- SerialNumber: The serial number of this processor.
- Status: Current status of an object.
- Version: Processor revision number that depends on the architecture.
- Description: This class exposes the product-independent properties of the Software Licensing service.
- OA3xOriginalProductKey: Product Key
- OA3xOriginalProductKeyDescription: Product Key Description
- Version: Specifies the version of the Software Licensing service
- Description: The Win32_ShadowCopy class is a storage extent that represents a duplicate copy of the original volume at a previous time.
- VolumeName: Name of the original volume for which a shadow copy is made.
- DeviceObject: Windows object manager name for an underlying storage device that supports the original volume.
- ExposedLocally: If true, the shadow copy is exposed on the local computer with a drive letter or mount point. If ExposedLocally and ExposedRemotely are not set, the shadow copy is hidden.
- ExposedName: File system name of a shadow copy when it is exposed.
- ExposedPath: Path of a shadow copy when it is exposed.
- ExposedRemotely: If true, the shadow copy is exposed on a remote computer with a network share. If ExposedRemotely and ExposedLocally are not set, the shadow copy is hidden.
- ID: Unique identifier for a shadow copy on the system.
- InstallDate: Date and time the object was installed. This property does not need a value to indicate that the object is installed.
- OriginatingMachine: Name of the computer that hosts the original volume.
- Persistent: If true, the shadow copy is persistent across reboots.
- ServiceMachine: Name of the computer that services the shadow copy.
- Description: The Win32_Volume class represents an area of storage on a hard disk. The class returns local volumes that are formatted, unformatted, mounted, or offline. A volume is formatted by using a file system, such as FAT or NTFS, and might have a drive letter assigned to it. One hard disk can have multiple volumes, and volumes can span multiple physical disks. The Win32_Volume class does not support disk drive management.
- Capacity: Size of the volume in bytes.
- DeviceID: Unique identifier for the volume on this system.
- DriveLetter: Drive letter assigned to a volume. This property is NULL for volumes without drive letters.
- DriveType: Numeric value that corresponds to the type of disk drive that this logical disk represents.
- SerialNumber: Serial number of the volume.
- Description: This class exposes the product-specific properties and methods of the Software Licensing service.
- EvaluationEndDate: Specifies the expiration date of this product application. After this date, the LicenseStatus property is set to Unlicensed and cannot be activated.
- LicenseFamily: Specifies the group identifier for the SKU used to determine license relationships for add-ons.
- LicenseStatus: Specifies the license status of this product application.
- MachineURL: Specifies the software licensing server URL for the binding certificate.
- Name: Specifies the product name.
- ProductKeyID: Specifies the product key ID. Returns a null value if a product key is not installed.
- ProductKeyURL: Specifies the software licensing server URL for the product certificate.
- Description: This class lists data for the Trusted Platform Module (TPM), a hardware security chip that provides a root of trust for a computer system
- IsActivated_InitialValue: True if the device is activated
- IsEnabled_InitialValue: True if the device is enabled
- IsOwned_InitialValue: True if the device has an owner
- ManufacturerId: The identifying information that uniquely names the TPM manufacturer
- ManufacturerVersion: The version of the TPM, as specified by the manufacturer
- ManufacturerVersionInfo: Other manufacturer-specific version information for the TPM
- PhysicalPresenceVersionInfo: The version of the Physical Presence Interface, a communication mechanism used to run device operations that require physical presence, that the computer supports
- SpecVersion: The version of the Trusted Computing Group (TCG) specification that the TPM supports
- Description: This class lists third party AV products installed on the system.
- displayName: AV product display name
- instanceGuid: Unique identifier
- pathToSignedProductExe: Path to application
- pathToSignedReportingExe: Path to provider
- productState: Real-time protection and definition state
- timestamp: Installation timestamp
- Description: This class lists third party firewall products installed on the system.
- displayName: Firewall product display name.
- instanceGuid: Product GUID
- pathToSignedProductExe: Path to the product signed executable.
- pathToSignedReportingExe: Path to the product signed reporting executable.
- productState: Product state.
- timestamp: Product installation timestamp.
- Description: This class lists Windows Defender Device Guard hardware-based security features.
- AvailableSecurityProperties: Security properties and their state.
- InstanceIdentifier: Device identifier.
- RequiredSecurityProperties: Required security properties to enable VB security.
- SecurityServicesConfigured: Status of HVCI service: enabled or not.
- SecurityServicesRunning: Status of HVCI service: running or not.
- UsermodeCodeIntegrityPolicyEnforcementStatus: Status of Code Integrity Policy Enforcement.
- Version: WMI class version.
- VirtualizationBasedSecurityStatus: Status of VBS.
- Description: This class lists Windows Defender malware detections and remediation status applied.
- ActionSuccess: Remediation success status.
- ActionTime: Remediation action time.
- CategoryID: Malware detection ID.
- CleaningAction: Remediation cleaning action.
- DetectionID: Malware detection ID.
- DetectionSource: Malware detection source.
- DetectionTime: Malware detection time.
- Domain: User domain.
- ErrorCode: Error code if cleaning action failed.
- ExecutionStatus: What happend to malware: allowed, blocked or executing.
- PackedXml: All-in-one state of data in XML format.
- Path: Path to infected source.
- PendingActions: Pending actions.
- Process: Infected process.
- SeverityID: Severity ID.
- ThreatID: Thread ID.
- ThreatName: Name of the threat.
- User: User account hosting the infected process.
- Description: This is the base status class for the user’s PC.
- AMEngineVersion: The AM Engine version (major, minor, build, revision)
- AMProductVersion: Product version (major, minor, build, revision)
- AMServiceEnabled: If the AM Engine is enabled
- AMServiceVersion: Service version (major, minor, build, revision)
- AntispywareEnabled: Specifies whether Antispyware protection is enabled
- AntispywareSignatureAge: Antispyware Signature age in days
- AntispywareSignatureLastUpdated: Antispyware Last updated local time. If this has never updated you will see a null value in this property
- AntispywareSignatureVersion: The Antispyware Signature version (major, minor, build, revision)
- AntivirusEnabled: Specifies whether Antivirus protection is enabled
- AntivirusSignatureAge: Antivirus Signature age in days- if signatures have never been updated you will see an age of 65535 days
- AntivirusSignatureLastUpdated: Antivirus Last updated local time
- AntivirusSignatureVersion: The Antivirus Signature version (major, minor, build, revision)
- BehaviorMonitorEnabled: Specifies whether behavior monitoring is enabled
- ComputerID: Computer ID created by MAPS
- ComputerState: The current computer state
- FullScanAge: Last full scan age in days- if signatures have never been updated you will see an age of 65535 days
- FullScanEndTime: Time of last Full Scan end
- FullScanStartTime: Time of last Full Scan start
- IoavProtectionEnabled: Scan all downloaded files and attachments
- LastFullScanSource: Last scan source
- LastQuickScanSource: Last scan source
- NISEnabled: If the NRI Engine is enabled
- NISEngineVersion: NRI Engine version (major, minor, build, revision)
- NISSignatureAge: NRI Signature age in days- if signatures have never been updated you will see an age of 65535 days
- NISSignatureLastUpdated: NRI Last updated local time
- NISSignatureVersion: The NRI Signature version (major, minor, build, revision)
- OnAccessProtectionEnabled: Specifies whether the computer is monitoring file and program activity on your computer
- QuickScanAge: Last quick scan age in days- if signatures have never been updated you will see an age of 65535 days
- QuickScanEndTime: Time of last Quick Scan end
- QuickScanStartTime: Time of last Quick Scan start
- RealTimeProtectionEnabled: Specifies whether real-time protection is enabled
- RealTimeScanDirection: Real-time scan direction enumeration
- Description: Represents a power plan on a system.
- Description: Specifies the description of the power plan.
- ElementName: Specifies the friendly name of the power plan.
- IsActive: Indicates whether the power scheme is currently active on the system. This property is set to TRUE if the power scheme is active; otherwise, it is set to FALSE.
Return to Table of Contents