Windows Management Instrumentation WMI Security Technology Learning

时间 2019-11-19

标签 windows management instrumentation wmi security technology learning 栏目 Windows 繁體版

原文原文链接

目录php

0. 引言
1. WMI(Windows Management Instrumentation)简介
2. 基于WMI的攻击向量
3. WMI编程示例

0. 引言html

在进行服务器主机的入侵检测、安全攻防的研究中，经常会涉及到大量的和windows操做系统功能、资源、设备相关的操做(例如经过WMI COM API关闭FTP匿名登陆等)，而WMI提供了一个对windows操做系统底层各类异构模块/资源的统一接口，经过研究WMI(Windows Management Instruction)技术能够更加深刻地了解若是经过API方式操做windows系统的基础服务，经过WMI技术，咱们能够实现java

1. windows操做系统的配置加固
2. 当前系统的安装程序的列表探测，肯定系统安装的反病毒软件

0x1: COM Component(COM组件)技术ios

由于WMI是架构在COM技术之上的，在开始学习WMI技术以前，咱们先来学习一下windows中的COM Component组件技术程序员

组件对象模型(Component Object Model COM)，是微软的一套软件组件的二进制接口标准。这使得跨编程语言的进程间通讯、动态对象建立成为可能。COM是多项微软技术与框架的基础，包括shell

1. OLE
2. OLE自动化
3. ActiveX
4. COM+
5. DCOM
6. Windows shell
7. DirectX
8. Windows Runtime
9. WMI
..

什么是COM组件数据库

1. COM组件是以WIN32动态连接库(DLL)、或可执行文件(EXE)形式发布的可执行代码组成，但要注意的是，COM组件不是DLL，只是利用DLL来给组件提供动态连接的能力
2. COM组件是遵循COM规范编写的
3. COM组件是一些小的二进制可执行文件
4. COM组件能够给应用程序、操做系统以及其余组件提供服务
5. 自定义的COM组件能够在运行时刻同其余组件链接起来构成某个应用程序
6. COM组件能够动态的插入或卸出应用
7. COM组件必须是动态连接的
8. COM组件必须隐藏(封装)其内部实现细节
9. COM组件必须将其实现的语言隐藏
10. COM组件必须以二进制的形式发布
11. COM组件必须能够在不妨碍已有用户的状况下被升级
12. COM组件能够透明的在网络上被从新分配位置
13. COM组件按照一种标准的方式来宣布它们的存在

Relevant Link:编程

http://freebird.blog.51cto.com/372076/184567/
http://zh.wikipedia.org/wiki/%E7%BB%84%E4%BB%B6%E5%AF%B9%E8%B1%A1%E6%A8%A1%E5%9E%8B
http://baike.baidu.com/view/185316.htm
http://www.cppblog.com/3522021224/archive/2007/06/22/26803.html

1. WMI(Windows Management Instrumentation)简介windows

Windows Management Instrumentation是用于提供共同的界面和对象模式以便访问api

1. 操做系统
2. 设备
3. 应用程序
4. 服务的管理信息

若是此服务被终止，多数基于 Windows 的软件将没法正常运行。若是此服务被禁用，任何依赖它的服务将没法启动，WMI是windows中的一个核心服务，它提供了一个标准的基础结构来监视和管理系统资源的服务

WMI是Microsoft实现的一个Web-Based Enterprise Management(WBEM)的执行方式，支持Distributed Management Task Force(DMTF)，WMI提供您管理服务的能力

经过这张架构图，咱们获得以下结论

1. WMI Providers And Managemed Object
这是整个WMI体系的最底层，它对全部的"提供者(Provider)"提供了封装和抽象，包括
1.1 Native C/C++ Provider COM object
A WMI provider is a COM object that monitors one or more "managed objects" for WMI. A "managed object" is a logical or physical enterprise component, such as a hard disk drive,
network adapter, database system, operating system, process, or service.
1) SNMP WMI Provider: SNMP Managed Entity
2) Cimv2 WMI Provider: Windows(Win32) Managed Entity
3) Security Provider: Retrieves or changes security settings that control ownership, auditing, and access rights to files, directories, and shares
....
4) Any Managed Entity(Native Code)
Similar to a driver, a provider supplies WMI with data from a managed object and handles messages from WMI to the managed object. WMI providers consist of a DLL file and a
Managed Object Format (MOF) file that defines the classes for which the provider returns data and performs operations. Providers, like WMI C++ applications, use the COM API for
WMI.

1.2 .NET C#、VB.NET、And so on
COM Inter-Op
1) .NET Managed Application/Entity

2. WMI Infrastructure
The WMI infrastructure is a Microsoft Windows operating system component
2.1 WMI Core(CIM Object Managedr)
2.2 WMI Repository
WMI repository is organized by WMI namespaces，WMI的namespace由系统自身建立和Provider建立2部分组成，例如
1) root\default
2) root\cimv2
3) root\subscription
...
由底层的Provider建立的namespace
4) /LM/MSFTPSVC/n
..
The WMI service acts as an intermediary between the providers, management applications, and the WMI repository. Only static data about objects is stored in the repository,
such as the classes defined by providers. WMI obtains most data dynamically from the provider when a client requests it. You also can set up subscriptions to receive event
notifications from a provider
简单来讲，WMI Repository就至关于一个保存WMI信息的数据库，而底层的Provider所提供的信息就至关于一个个独立的数据表，在WMI中称之为命名空间namespace，咱们在进行WMI查询以前，须要明确指定须要查询的namespace

3. WMI Consumers(Management Applications)
A WMI consumer is a management application or script that interacts with the WMI infrastructure. A management application can query, enumerate data, run provider methods, or
subscribe to events by calling either the "COM API" for WMI or the Scripting API for WMI. The only data or actions available for a managed object, such as a disk drive or a
service, are those that a provider supplies.
这一层是程序员能直接接触到的API层面的东西，咱们可使用C++、WMI Script脚本编写代码去操做WMI COM API对WMI进行操做
3.1 C/C++ Client
3.2 Scripts
3.3 .NET Client Application

关于WMI COM API接口的相关信息，请参阅
http://msdn.microsoft.com/en-us/library/aa389276(v=vs.85).aspx

关于Scripting API for WMI接口的相关信息，请参阅(Scripting API For WMI本质上仍是调用的COM API)
http://msdn.microsoft.com/en-us/library/aa393258(v=vs.85).aspx

0x1: WMI的功能

1. Windows管理规范(Windows Management Instrumentation)是一项核心的 Windows 管理技术
2. 用户可使用 WMI 管理本地和远程计算机
3. WMI 经过编程和脚本语言为平常管理提供了一条连续一致的途径。例如，用户能够：
    1) 在远程计算机器上启动一个进程 
    2) 设定一个在特定日期和时间运行的进程 
    3) 远程启动计算机。
    4) 得到本地或远程计算机的已安装程序列表。
    5) 查询本地或远程计算机的 Windows 事件日志

在使用WMI的时候，咱们常常会涉及到的2个话题就是命名空间namespace、以及COM API接口

0x2: WMI的命令空间namespace

strComputer = "."
Call EnumNameSpaces("root")

Sub EnumNameSpaces(strNameSpace)
    WScript.Echo strNameSpace 
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & _
        "\" & strNameSpace)
    Set colNameSpaces = objWMIService.InstancesOf("__NAMESPACE")
    For Each objNameSpace In colNameSpaces
        Call EnumNameSpaces(strNameSpace & "\" & objNameSpace.Name)
    Next
End Sub

在命令行下输入指令

//若是不加CScript，就会以弹框的形式进行输出
CScript enumwmi.vbs

获得命令空间的枚举结果

Microsoft (R) Windows Script Host Version 5.8
版权全部(C) Microsoft Corporation 1996-2001。保留全部权利。

root
root\subscription
root\subscription\ms_804
root\subscription\ms_409
root\DEFAULT
root\DEFAULT\ms_804
root\DEFAULT\ms_409
root\CIMV2
root\CIMV2\Security
root\CIMV2\Security\MicrosoftTpm
root\CIMV2\Security\MicrosoftVolumeEncryption
root\CIMV2\ms_804
root\CIMV2\power
root\CIMV2\power\ms_804
root\CIMV2\power\ms_409
root\CIMV2\ms_409
root\CIMV2\TerminalServices
root\CIMV2\TerminalServices\ms_804
root\CIMV2\TerminalServices\ms_409
root\CIMV2\Applications
root\CIMV2\Applications\WindowsParentalControls
root\CIMV2\Applications\Games
root\CIMV2\Applications\Games\ms_804
root\CIMV2\Applications\Games\ms_409
root\Cli
root\Cli\MS_804
root\Cli\MS_409
root\nap
root\MicrosoftIISv2
root\MicrosoftIISv2\MS_804
root\SECURITY
root\SecurityCenter2
root\RSOP
root\RSOP\User
root\RSOP\User\S_1_5_21_911831770_3020607629_1626131430_1001
root\RSOP\User\S_1_5_21_1831597161_2851159394_2615556374_500
root\RSOP\User\S_1_5_21_1650095739_3452460257_125639005_500
root\RSOP\User\S_1_5_21_3111613574_2524581245_2586426736_500
root\RSOP\User\S_1_5_21_3727386885_3056668215_3391246470_197649
root\RSOP\User\S_1_5_21_2209633111_3508286175_922290665_500
root\RSOP\User\S_1_5_21_1991281308_1550804765_3468072676_1000
root\RSOP\User\ms_804
root\RSOP\User\S_1_5_21_1991281308_1550804765_3468072676_500
root\RSOP\User\S_1_5_21_911831770_3020607629_1626131430_500
root\RSOP\User\ms_409
root\RSOP\User\S_1_5_21_3952311282_3270686217_2811382985_500
root\RSOP\Computer
root\RSOP\Computer\ms_804
root\RSOP\Computer\ms_409
root\WebAdministration
root\WebAdministration\MS_804
root\WMI
root\WMI\MS_804
root\WMI\ms_409
root\directory
root\directory\LDAP
root\directory\LDAP\ms_804
root\directory\LDAP\ms_409
root\Policy
root\Policy\ms_804
root\Policy\ms_409
root\Interop
root\Interop\ms_804
root\Interop\ms_409
root\ServiceModel
root\SecurityCenter
root\Microsoft
root\Microsoft\SqlServer
root\Microsoft\SqlServer\ServerEvents
root\Microsoft\SqlServer\ServerEvents\SQLEXPRESS
root\Microsoft\SqlServer\ComputerManagement10
root\Microsoft\SqlServer\ComputerManagement10\ms_804
root\Microsoft\HomeNet
root\aspnet

链接到指定的WMI命名空间namespace以后，就能够借助相应的COM API对namespace中存储的信息进行读写了，这里要特别注意的是

WMI namespace是一个层次树tree结构，每一层的Class都有本身对应的成员属性properties，咱们在获取信息的时候，须要明白本身须要获取的信息位于Class Tree的哪一层，这有点相似java中的jar包，每一层都不断嵌套，同时每一层又都有本身的独有的东西，不能递归包含

http://www.wutils.com/wmi/classes/IIsFtpServerSetting.html

0x3: WMI COM API接口

You can use the WMI Component Object Model (COM) API to write management client applications or create a new WMI provider. The COM API reference provides information for advanced system administrators, as well as developers who are writing client and provider applications.

1. IEnumWbemClassObject    
Enumerator that works with objects of type IWbemClassObject. It is similar to standard COM enumerators, such as IEnumVariant.

2. IMofCompiler    
Implemented by Mofd.dll, this interface provides a COM interface that is used by the MOF compiler and any other applications that compile MOF files.

3. IUnsecuredApartment    
Used to simplify the process of making asynchronous calls from a client process.

4. IWbemBackupRestore    
Backs up and restores the contents of the WMI repository.

5. IWbemCallResult
Used for semisynchronous calls of the IWbemServices interface. When making such calls, the called IWbemServices method returns immediately, along with an IWbemCallResult object.

6. IWbemCausalityAnalysis    
Tracks child requests that are generated from a parent request.

7. IWbemClassObject    
Contains and manipulates both class definitions and class object instances. Developers need not implement this interface; WMI provides its implementation.

8. IWbemConfigureRefresher    
Used by client code to add or remove enumerators, objects, and nested refreshers into a refresher.

9. IWbemContext    
Optionally used to communicate additional context information to providers when submitting IWbemServices calls to Windows Management.

10. IWbemDecoupledBasicEventProvider    
Registers decoupled providers with WMI.

11. IWbemDecoupledRegistrar    
Associates decoupled providers with WMI. This interface allows a process-hosted provider to define the interoperability lifetime of the interface and coexist with other providers.

12. IWbemEventConsumerProvider    
Provides the primary interface for an event consumer provider. Through this interface and the FindConsumer method, an event consumer provider can indicate which event consumers should receive a given event.

13. IWbemEventProvider    
Used to initiate communication with an event provider.

14. IWbemEventProviderQuerySink
Optionally implemented by event providers who want to know what kinds of event query filters are currently active to optimize performance.

15. IWbemEventProviderSecurity    
Optionally implemented by event providers who want to restrict consumer access to their event.

16. IWbemEventSink    
Initiates communication with an event provider using a restricted set of queries. This interface extends IWbemObjectSink, providing new methods dealing with security and performance.

17. IWbemHiPerfProvider    
Enables providers to supply refreshable objects and enumerators.

18. IWbemHiPerfEnum    
Used in refresher operations to provide rapid access to enumerations of instance objects.

19. IWbemLocator
Obtains the initial namespace pointer to the IWbemServices interface for WMI on a specific host computer.

20. IWbemObjectAccess    
Provides access to the methods and properties of an object. An IWbemObjectAccess object is a container for an instance updated by a refresher.

21. IWbemObjectSink    
Used to receive both the results of IWbemServices and certain types of event notifications.

22. IWbemObjectTextSrc    
Used to translate IWbemClassObject instances to and from differing text formats.

23. IWbemPropertyProvider
Supports retrieving and updating individual properties in an instance of a WMI class.

24. IWbemProviderIdentity    
Implemented by an event provider if the provider registers itself using more than one Name (multiple instances of __Win32Provider) with the same CLSID value. The class provides a mechanism for distinguishing which named provider should be used.

25. IWbemProviderInit    
Used to initialize providers.

26. IWbemProviderInitSink
Implemented by WMI and called by providers to report initialization status.

27. IWbemQualifierSet    
Acts as a container for the entire set of named qualifiers for a single property or entire object (a class or instance).

28. IWbemQuery    
Provides an entry point through which a WMI Query Language (WQL) query can be parsed.

29. IWbemRefresher    
Provides an entry point through which refreshable objects such as enumerators or refresher objects, can be refreshed.

30. IWbemServices    
Used by clients and providers to access WMI services. The interface is implemented only by WMI and is the primary WMI interface.

31. IWbemStatusCodeText    
Extracts text string descriptions of error codes or the name of the subsystem where the error occurred.

32. IWbemUnboundObjectSink    
Implemented by all logical event consumers. It is a simple sink interface that accepts delivery of event objects.

Relevant Link:

http://blog.csdn.net/wzsy/article/details/1632792
http://msdn.microsoft.com/zh-cn/library/aa394553(v=vs.85).aspx
http://msdn.microsoft.com/en-us/library/aa394570(v=vs.85).aspx
http://msdn.microsoft.com/zh-cn/library/aa393964(v=vs.85).aspx
http://msdn.microsoft.com/zh-cn/library/aa394582(v=vs.85).aspx
http://blog.itpub.net/7868752/viewspace-1056801/

2. 基于WMI的攻击向量

WMI(Windows管理规范)做为一项Windows管理技术，方便用户对计算机进行远程管理。可是它的易用性也致使了系统的安全性大幅降低。让用户的电脑除了本身帐号密码的保护外再没有什么安全保护措施

咱们接下来一块儿学习一下黑客是如何经过WMI技术对操做系统进行攻击的

0x1: 漏洞风险的原由

从WMI本质的功能看，它是为了让计算机的管理更容易，同时方便管理员远程操做系统而产生的，通常状况下，在本地计算机上执行的WMI操做也能够在远程计算机上执行，只要用户拥有该计算机的管理员权限
若是用户对远程计算机拥有权限而且远程计算机支持远程访问，那么用户就能够链接到该远程计算机并执行拥有相应权限的操做

所以，WMI可以成为远程控制下的一个"合法通道"，有了这个通道，入侵者不须要对本身进行假装，没必要再为探测出对方帐号的密码为空后，找不到链接对方系统的通道而发愁。
从安全攻防的角度来看，这就是一个典型的接口安全问题，一个本来是正常提供功能的接口由于没有进行必要的访问权限、使用权限的控制而致使"接口滥用"，从而给了黑客可乘之机

0x2: 黑客可能采用的攻击方式

前面介绍了WMI的原理，下面咱们实际了解下，如何经过WMI进行入侵，咱们知道WMI是windows操做系统中的一个比较基础的服务，默认状况下操做系统都会开启这个服务端口的，即这条"WMI入侵通道"相对来讲是比较畅通的，对黑客来讲，它所须要的就是经过其余的途径得到一个能够登陆系统的账号、密码

1. 扫描135端口
要寻找能够经过WMI入侵的远程计算机，只要对135端口进行扫描就能够了。由于WMI服务默认打开的就是135端口。例如能够采用NTscan扫描工具，由于它不但能够对IPC$、SMB、WMI这些信息进行扫描，同时还能够对扫描到的远程帐户
进行弱口令猜想，功能相对来讲比较强大。

2. 运行NTscan，在程序窗口的"配置"区域中进行设置。首先在"起始IP"和"结束"选项中输入扫描的IP地址范围，接着选择"WMI扫描"选项，而且在"扫描打开端口的主机"选项后输入"135"，最后点击"开始"按钮就开始进行扫描 

3. 开启终端服务
找到能够入侵的远程计算机之后，就能够开始入侵操做了。首先是开启终端服务(Terminal Service) 
要注意的是，经过WMI通道执行系统指令须要咱们提供一对可能登陆系统的账号密码(这是这种攻击姿式的关键)

0x3: 如何防护WMI入侵

咱们知道，攻防是一种针锋相对的技术，经过研究黑客在攻击时所采用的攻击向量的关键点，在这个关键点上进行过滤、或者阻断从而达到防护的目的

1. 屏闭135端口防护入侵
从WMI入侵的过程当中咱们能够看出，整个过程当中使用的端口都是135。因此为了防止别人经过WMI进行入侵，咱们可使用防火墙对135端口进行屏蔽，这样就能够达到防范相似的入侵。用户增强本身的帐号密码强度，也能够有效防范入侵

2. 增强账号安全管理
从本质上讲，WMI是一个正常的功能通道，WMI自己并非漏洞，产生漏洞的是系统账号的泄漏，致使黑客滥用这个通道进行高危指令的执行，因此，咱们能够从问题的源头入手，部署高强度密码策略，按期更换密码等措施解决问题

Relevant Link:

http://blog.itpub.net/7868752/viewspace-1056801/

3. WMI编程示例

操做WMI的方式有如下几种方式

1. Scripts written in Microsoft ActiveX script hosting, including Visual Basic Scripting Edition (VBScript) and Perl
2. Windows PowerShell
3. Visual Basic applications
4. Active Server Pages
5. C++ applications
6. .NET Framework applications written in C#, Visual Basic .NET, or J#

不论采用哪一种方式，对WMI的操做都必须完成如下几个基本步骤

1. Obtaining Data from WMI：从WMI获取数据
    1) Decide which language to use
    2) Ensure that your connections to remote computers work
    3) Connecting to WMI on remote computers requires the correct security settings
    4) After connecting to WMI, you can obtain data through queries and enumerations.
    5) Registry data is available through WMI and you can create new keys and values or modify existing ones
    6) You can subscribe to event notifications through WMI, either temporarily between system reboots or permanently.
    7) Performance counter data for a system is available through WMI.

2. Providing Data to WMI
Decide on the type of provider to write. you can take several other approaches to writing a WMI COM provider:
    1) Using the WMI ATL Wizard in Visual Studio.
    2) Using COM directly in any integrated development environment.
    3) Using WMI in the .NET Framework to create a managed code provider.
    4) Using the provider framework classes is not recommended.

3. Important Tasks for WMI
    1) WMI Tasks for Scripts and Applications
    2) Creating a WMI Application or Script
    3) Connecting to WMI on a Remote Computer
    4) Connecting to WMI on a Remote Computer by Using Windows PowerShell
    5) Monitoring Events
    6) Providing Data to WMI
    7) Getting and Providing Data on a 64-bit Computer

这里咱们以最经常使用的C++、VBS Scripts方式进行编程学习

0x1: C++ applications

// wmi_getsysinfo.cpp : 定义控制台应用程序的入口点。
//

#include "stdafx.h"

#include <iostream>
#include <comdef.h>
#include <Wbemidl.h>

# pragma comment(lib, "wbemuuid.lib")

using namespace std;

int _tmain(int argc, _TCHAR* argv[])
{
    HRESULT hres;

    /*
    Initialize COM.
    因为用C++编写WMI应用是基于COM技术的，因此必须初始化COM库 
    */
    hres =  CoInitializeEx(0, COINIT_MULTITHREADED); 
    if (FAILED(hres))
    {
        cout << "Failed to initialize COM library. " 
            << "Error code = 0x" 
            << hex << hres << endl;
        return 1;              // Program has failed.
    }

    /*
    Initialize
    初始化COM库安全级别
    */
    hres =  CoInitializeSecurity(
        NULL,     
        -1,      // COM negotiates service                  
        NULL,    // Authentication services
        NULL,    // Reserved
        RPC_C_AUTHN_LEVEL_DEFAULT,    // authentication
        RPC_C_IMP_LEVEL_IMPERSONATE,  // Impersonation
        NULL,             // Authentication info 
        EOAC_NONE,        // Additional capabilities
        NULL              // Reserved
        );
    if (FAILED(hres))
    {
        cout << "Failed to initialize security. " 
            << "Error code = 0x" 
            << hex << hres << endl;
        CoUninitialize();
        return 1;          // Program has failed.
    }

    // Obtain the initial locator to Windows Management
    // on a particular host computer.
    IWbemLocator *pLoc = 0;
    /*
    链接到WMI命名空间
    经过调用CoCreateInstance初始化WMI的定位器(IWbemLocator类型的实例)
    */
    hres = CoCreateInstance(
        CLSID_WbemLocator,             
        0, 
        CLSCTX_INPROC_SERVER, 
        IID_IWbemLocator, (LPVOID *) &pLoc);
    if (FAILED(hres))
    {
        cout << "Failed to create IWbemLocator object. "
            << "Error code = 0x"
            << hex << hres << endl;
        CoUninitialize();
        return 1;       // Program has failed.
    }

    IWbemServices *pSvc = 0;

    // Connect to the root\cimv2 namespace with the
    // current user and obtain pointer pSvc
    // to make IWbemServices calls.
    /*
    调用IWbemLocator::ConnectServer方法，经过这个定位器链接到WMI的命名空间，经过把一个IWbemServices的实例以参数形式传递给ConnectServer方法，就会建立这个服务。如咱们须要一些BIOS信息，那么须要使用的WMI提供程序是Win32_BIOS，则须要链接到ROOT//CIMV2命名空间中。
    */
    hres = pLoc->ConnectServer(
        _bstr_t(L"ROOT\\CIMV2"), // WMI namespace
        NULL,                    // User name
        NULL,                    // User password
        0,                       // Locale
        NULL,                    // Security flags                 
        0,                       // Authority       
        0,                       // Context object
        &pSvc                    // IWbemServices proxy
        );                            
    if (FAILED(hres))
    {
        cout << "Could not connect. Error code = 0x" 
            << hex << hres << endl;
        pLoc->Release();     
        CoUninitialize();
        return 1;                // Program has failed.
    }

    cout << "Connected to ROOT\\CIMV2 WMI namespace" << endl;

    // Set the IWbemServices proxy so that impersonation
    // of the user (client) occurs.
    /*
    设置WMI服务的安全级别
    根据上一步获得的服务，设置相应的服务安全级别。一般来讲，若是咱们没有设置适当的安全属性，COM安全方案不容许一个进程去访问另外一个进程，所以若是咱们要访问一个外部进程的对象，那么咱们应该设置适当的IWbemServices的安全级别。
    */
    hres = CoSetProxyBlanket(

        pSvc,                         // the proxy to set
        RPC_C_AUTHN_WINNT,            // authentication service
        RPC_C_AUTHZ_NONE,             // authorization service
        NULL,                         // Server principal name
        RPC_C_AUTHN_LEVEL_CALL,       // authentication level
        RPC_C_IMP_LEVEL_IMPERSONATE,  // impersonation level
        NULL,                         // client identity 
        EOAC_NONE                     // proxy capabilities     
        );
    if (FAILED(hres))
    {
        cout << "Could not set proxy blanket. Error code = 0x" 
            << hex << hres << endl;
        pSvc->Release();
        pLoc->Release();     
        CoUninitialize();
        return 1;               // Program has failed.
    }

    //经过WQL使用WMI服务
    IEnumWbemClassObject* pEnumerator = NULL;
    hres = pSvc->ExecQuery(
        bstr_t("WQL"), 
        bstr_t("SELECT * FROM Win32_OperatingSystem"),
        WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY, 
        NULL,
        &pEnumerator);

    if (FAILED(hres))
    {
        cout << "Query for processes failed. "
            << "Error code = 0x" 
            << hex << hres << endl;
        pSvc->Release();
        pLoc->Release();     
        CoUninitialize();
        return 1;               // Program has failed.
    }
    else
    { 
        IWbemClassObject *pclsObj;
        ULONG uReturn = 0;

        while (pEnumerator)
        {
            hres = pEnumerator->Next(WBEM_INFINITE, 1, 
                &pclsObj, &uReturn);

            if(0 == uReturn)
            {
                break;
            }

            VARIANT vtProp;

            // Get the value of the Name property
            hres = pclsObj->Get(L"Name", 0, &vtProp, 0, 0);
            wcout << "Manufacturer Name : " << vtProp.bstrVal << endl;
            VariantClear(&vtProp);
        }

    }

    // Cleanup
    // ========

    pSvc->Release();
    pLoc->Release();     
    CoUninitialize(); 

    return 0;
}

0x2: Scripts written in Microsoft ActiveX script hosting

' Check command line parameters
Select Case WScript.Arguments.Count
    Case 0
        ' Default if none specified is local computer (".")
        Set objWMIService = GetObject( "winmgmts://./root/cimv2" )
        Set colItems = objWMIService.ExecQuery( "Select * from Win32_ComputerSystem", , 48 )
        For Each objItem in colItems
            strComputer = objItem.Name
        Next
    Case 1
        ' Command line parameter can either be a computer name
        ' or "/?" to request online help
        strComputer = Wscript.Arguments(0)
        if InStr( strComputer, "?" ) > 0 Then Syntax
    Case Else
        ' Maximum is 1 command line parameter
        Syntax
End Select

On Error Resume Next
' Connect to computer's WMI service
Set objWMIService = GetObject( "winmgmts://" & strComputer & "/root/cimv2" )
' Display error number and description if applicable
If Err.Number Then ShowError()

' Collect BIOS information
Set colItems = objWMIService.ExecQuery( "Select * from Win32_BIOS where PrimaryBIOS = true", , 48 )
' Display error number and description if applicable
If Err.Number Then ShowError()

' Initialize screen output variable
strMsg = vbCrLf & "BIOS summary for " & strComputer & ":" & vbCrLf

' Prepare collected info for display
For Each objItem in colItems
    strMsg = strMsg _
           & "    BIOS Name       :  " & objItem.Name & vbCrLf _
           & "    Version         :  " & objItem.Version & vbCrLf _
           & "    Manufacturer    :  " & objItem.Manufacturer & vbCrLf _
           & "    SMBIOS Version  :  " & objItem.SMBIOSBIOSVersion & vbCrLf
Next

' Display the results
WScript.Echo strMsg

' Done
WScript.Quit(0)


Sub ShowError
    strMsg = vbCrLf & "Error # " & Err.Number & vbCrLf & _
             Err.Description & vbCrLf & vbCrLf
    Syntax
End Sub


Sub Syntax
    strMsg = strMsg & vbCrLf & "BIOS.vbs,  Version 1.00" & vbCrLf & _
             "Display BIOS information." & vbCrLf & vbCrLf & _
             "Usage:  CSCRIPT  BIOS.VBS  [ computer_name ]" & _
             vbCrLf & vbCrLf & _
             "Where:  " & Chr(34) & "computer_name" & Chr(34) & _
             " is the name of a WMI enabled computer on the network" & _
             vbCrLf & vbCrLf & _
             "Written by Rob van der Woude" & vbCrLf & _
             "http://www.robvanderwoude.com" & vbCrLf & vbCrLf & _
             "Created using Microsoft's Scriptomatic tool" & vbCrLf & _
             "http://www.microsoft.com/technet/treeview/default.asp?" & _
             "url=/technet/scriptcenter/WMImatic.asp" & vbCrLf
    WScript.Echo strMsg
    ' Abort with return code 1
    WScript.Quit(1)
End Sub

Relevant Link:

http://msdn.microsoft.com/en-us/library/aa390418(v=vs.85).aspx
http://www.robvanderwoude.com/wmiexamples.php
http://www.codeproject.com/Articles/46390/WMI-Query-Language-by-Example