WMI Query Analysis

Objective

The aim of this tool is to execute WMI queries on your system and consolidate these queries within your PATROL environment along with the application monitoring under a single icon. It has the ability to query the WMI repository for class and instance information. For example, you can request that WMI return all the objects representing shut-down events from your desktop system. You can also retrieve class, instance, or schema data. Monitoring Studio enables you to run WMI queries remotely and you can also search for regular expressions and numeric values in the query output.

Definition

Windows Management Instrumentation (WMI) is a set of specifications from Microsoft for consolidating the management of devices and applications in a network from Windows computing systems. WMI is the Microsoft implementation of Web Based Enterprise Management (WBEM), which is built on the Common Information Model (CIM), a computer industry standard for defining device and application characteristics so that system administrators and management programs can control devices and applications from multiple manufacturers or sources in the same way.

What does WMI do?

WMI provides users with information about the status of local or remote computer systems. It also supports such actions as the configuration of security settings, setting and changing system properties, setting and changing permissions for authorized users and user groups, assigning and changing drive labels, scheduling processes to run at specific times, backing up the object repository, and enabling or disabling error logging. You can use WMI to manage both local and remote computers. The word "Instrumentation" in WMI refers to the fact that WMI can get information about the internal state of computer systems, much like the dashboard instruments of cars can retrieve and display information about the state of the engine. WMI "instruments" by modeling objects such as disks, processes, or other objects found in Windows systems. For more information on WMI, please refer to About WMI in the Reference section.

Method (summary)

Launch the WMI query wizard
Identify the host of the remote element, enter a namespace
Enter the WMI query and user credentials

Result

An icon representing the WMI query appears in the console with two parameters: ReturnOutput and QueryStatus under it. You can now run String Searches and Extract Numeric Values from this output.

Create or edit a WMI query analysis

To set up a WMI query analysis, right-click the main Monitoring Studio icon > KM Commands > New > WMI Query analysis.

WMI Query Analysis Wizard — Welcome Page

To edit a WMI query analysis, right-click the WMI query icon > KM Commands > Edit.

Step 1: After launching the WMI wizard, identify the host

WMI Query Analysis Wizard — Definition Page

Hostname: Enter the host name or IP address.
Name space: Enter the WMI namespace. A namespace is a logical group of related classes representing a specific technology or area of management. Example: root\cimv2
WMI Query: Enter your query. Example: SELECT * FROM Win32_Process

If you need help building your WMI query, you can download WMI CIM Studio, which is one of the WMI Administrative Tools on the Microsoft site.

Username and Password: Enter the credentials (username and password) used to run the query.

Click Next.

Step 2: Monitoring Studio settings

WMI Query Analysis Wizard — Settings Page

Object display name: Label displayed in the PATROL Console for this WMI query object

Object internal identifier (ID): PATROL internal identifier.

What thresholds do you want to set for the newly created instance? A drop-down list allows you to select the mode of setting alert thresholds:

Use default thresholds: Uses the default thresholds set by Monitoring Studio
Set custom thresholds: Allows you to customize the thresholds for all parameters of the instance
Use default thresholds and customize them: Sets the default Monitoring Studio thresholds on certain parameters (see list of parameters with default thresholds) and then allows you to customize any/all of them. This is mainly intended to help save time if you wish to customize the thresholds of just one of many parameters for the instance, and leave the default settings for the others.
Note: If you select Use default thresholds and customize them, the Set Thresholds panel appears when you click Finish, and certain parameters for the instance may appear with an asterisk symbol, indicating that they already have thresholds. You can then customize any or all of the parameter thresholds as per your specific needs.
Do not set any thresholds for now: No thresholds will be set on any parameter of the instance, and as a result no alerts will be triggered. Monitoring Studio will poll the object and return the output of the polling – but will not raise any alerts until you set thresholds.
Tip: Thresholds can be set or modified at any time by right-clicking the instance > KM commands > Set Thresholds.

Click Finish. An icon labeled WMI: [object name] will appear, with icons under it for QueryStatus and ReturnOutput. You can then add numeric value extraction or string searches on this object if you wish.

WMI query analysis objects are instances of the SW_NT_WMI class.
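
The following is an added example, not part of the Monitoring Studio documentation: a PowerShell pre-check that runs a query with the same inputs as the Definition page (host, namespace, WMI query, credentials), then applies a regular expression and extracts a numeric value from the text output, as a String Search or Numeric Value Extraction would. The host name, the query filter, the `;`-separated output layout and the 500 MB limit are assumptions made for the example.

```powershell
# Added example: pre-check a WMI query before entering it in the wizard.
# The three values below mirror the Definition page fields; the host name
# and the notepad.exe filter are constructed sample values.
$HostName  = 'server01.example.com'
$Namespace = 'root\cimv2'
$Query     = "SELECT Name, ProcessId, WorkingSetSize FROM Win32_Process " +
             "WHERE Name = 'notepad.exe'"

# Prompt for the account instead of storing a password in the script.
$Credential = Get-Credential -Message "Account allowed to query WMI on $HostName"

$session = $null
try {
    # New-CimSession connects over WS-Management (WinRM) by default.
    $session = New-CimSession -ComputerName $HostName -Credential $Credential -ErrorAction Stop
    $rows = @(Get-CimInstance -CimSession $session -Namespace $Namespace `
                              -Query $Query -ErrorAction Stop)

    # Flatten each returned instance to one text line (assumed layout:
    # Name;ProcessId;WorkingSetSize) so it can be searched like query output.
    $lines = @($rows | ForEach-Object {
        '{0};{1};{2}' -f $_.Name, $_.ProcessId, $_.WorkingSetSize
    })
    $lines

    # String search: count the lines matching a regular expression.
    $hits = @($lines | Select-String -Pattern '^notepad\.exe;')
    "Lines matching pattern: $($hits.Count)"

    # Numeric extraction: take the third field and compare it to a limit.
    $limitBytes = 500MB
    foreach ($line in $lines) {
        $fields = $line -split ';'
        $workingSet = [uint64]$fields[2]
        if ($workingSet -gt $limitBytes) {
            Write-Warning "PID $($fields[1]) working set $workingSet bytes exceeds limit"
        }
    }
}
catch {
    # Wrong namespace, invalid query, access denied and unreachable host all land here.
    Write-Warning "Query failed on ${HostName}: $($_.Exception.Message)"
}
finally {
    if ($session) { Remove-CimSession -CimSession $session }
}
```

Running the query with the same account you plan to enter in the wizard shows whether that account has enough rights on the namespace without granting it more than the query needs.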


See Also

About WMI

String Search

SW_NT_WMI

Text Pre-processing