Debugging (Tracing) WMI queries?

Question

I've got a third-party program that's making WMI queries to local WMI providers (so it's not using DCOM, so packet-sniffers are out). I'd like to find out what queries these are.

It's also on XP, so the new Vista WMI tracing infrastructure is out, as well, unfortunately.

Any pointers?

score 3 · Answer 1 · answered Dec 29 '08 at 22:36

3

Have you tried setting the WMI logging level to Verbose using wmimgmt.msc? (More info on the MSDN Logging WMI Activity page)

You should then see the queries logged to the %windir%\system32\wbem\logs\wbemcore.log file.

-dave

answered Dec 29 '08 at 22:36

David Gardiner

16,892
20
80
117

Yes, I have. There's not enough information in that log file. I want to specifically see which queries/methods are being executed, and in which namespace. Ideally, I want a complete dump of every call to the IWbemServices interface. – Roger Lipscombe Dec 30 '08 at 11:37
It should be noted that you cannot enable logging, or configure the logging path, through **wmimgmt.msc** on Windows Vista. – Ian Boyd Oct 28 '09 at 20:11

joshperry · Answer 2 · 2008-12-22T06:24:33.990

1

I believe that WMI uses DCOM for communication, you can use WireShark to do a packet capture of the DCOM packets. I believe that the dissector in WireShark for DCOM is usable though it still might help to reference this article (old, but should still be pertinent).

This will not work for WMI queries to localhost so you'll need to make sure it's querying a remote computer.

If you do want to log local queries take a look at this MSDN article on logging WMI queries.

edited Dec 22 '08 at 06:24

answered Dec 19 '08 at 15:11

joshperry

41,167
16
88
103

Local, not remote; clarified question. – Roger Lipscombe Dec 19 '08 at 15:17

Debugging (Tracing) WMI queries?

2 Answers2