{
	"id": "24bf6fd1-0a7d-4709-a2d2-c6f89a986729",
	"created_at": "2026-04-06T00:09:22.396004Z",
	"updated_at": "2026-04-10T03:21:57.328072Z",
	"deleted_at": null,
	"sha1_hash": "e3807f16bdac6cd413474336201f0ea15e9a94a6",
	"title": "WMI Architecture - Win32 apps",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 94496,
	"plain_text": "WMI Architecture - Win32 apps\r\nBy stevewhims\r\nArchived: 2026-04-05 16:43:38 UTC\r\nIn this article\r\n1. Objects, Consumers, and Infrastructure of WMI\r\n2. WMI Components\r\n3. Related topics\r\nWMI provides a uniform interface for any local or remote applications or scripts that obtain management data\r\nfrom a computer system, a network, or an enterprise. The uniform interface is designed such that WMI client\r\napplications and scripts do not have to call a wide variety of operating system application programming interfaces\r\n(APIs). Many APIs cannot be called by automation clients like scripts or Visual Basic applications. Other APIs do\r\nnot make calls to remote computers.\r\nTo obtain data from WMI, write a client script or application that accesses WMI Classes or provide data to WMI\r\nby writing a WMI provider. For more information, see Using WMI.\r\nObjects, Consumers, and Infrastructure of WMI\r\nThe following diagram shows the relationship between the WMI infrastructure and the WMI providers and\r\nmanaged objects, and it also shows the relationship between the WMI infrastructure and the WMI consumers.\r\nhttps://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-architecture\r\nPage 1 of 4\n\nWMI Components\r\nThe following list describes the key WMI components:\r\nManaged objects and WMI providers\r\nA WMI provider is a COM object that monitors one or more managed objects for WMI. A managed object\r\nis a logical or physical enterprise component, such as a hard disk drive, network adapter, database system,\r\noperating system, process, or service.\r\nSimilar to a driver, a provider supplies WMI with data from a managed object and handles messages from\r\nWMI to the managed object. WMI providers consist of a DLL file and a Managed Object Format (MOF)\r\nfile that defines the classes for which the provider returns data and performs operations. Providers, like\r\nWMI C++ applications, use the COM API for WMI. 
For more information, see Providing Data to WMI.\r\nAn example of a provider is the preinstalled Registry provider, which accesses data in the system registry.\r\nThe Registry provider has one WMI class, StdRegProv, with many methods but no properties. Other\r\npreinstalled providers, such as the Win32 provider, usually have classes with many properties but few\r\nmethods, such as Win32_Process or Win32_LogicalDisk. The Registry provider DLL file, Stdprov.dll,\r\ncontains the code that dynamically returns data when requested by client scripts or applications.\r\nWMI MOF and DLL files are located in %WINDIR%\\System32\\Wbem, along with the WMI Command-Line Tools, such as Winmgmt.exe and Mofcomp.exe. Provider classes, such as Win32_LogicalDisk, are\r\ndefined in MOF files, and then compiled into the WMI repository at system startup.\r\nWMI infrastructure\r\nThe WMI infrastructure is a Microsoft Windows operating system component known as the WMI\r\nservice (winmgmt). The WMI infrastructure has two components: the WMI Core, and the WMI repository.\r\nThe WMI repository is organized by WMI namespaces. The WMI service creates some namespaces such\r\nas root\\default, root\\cimv2, and root\\subscription at system startup and preinstalls a default set of class\r\ndefinitions, including the Win32 Classes, the WMI System Classes, and others. The remaining namespaces\r\nfound on your system are created by providers for other parts of the operating system or products. For more\r\ninformation and a list of WMI providers found in most operating system versions, see WMI Providers.\r\nThe WMI service acts as an intermediary between the providers, management applications, and the WMI\r\nrepository. Only static data about objects is stored in the repository, such as the classes defined by\r\nproviders. WMI obtains most data dynamically from the provider when a client requests it. 
You also can set\r\nup subscriptions to receive event notifications from a provider. For more information, see Monitoring\r\nEvents.\r\nWMI consumers\r\nA WMI consumer is a management application or script that interacts with the WMI infrastructure. A\r\nmanagement application can query, enumerate data, run provider methods, or subscribe to events by calling\r\neither the COM API for WMI or the Scripting API for WMI. The only data or actions available for a\r\nmanaged object, such as a disk drive or a service, are those that a provider supplies.\r\nUsing WMI\r\nWMI Providers\r\nCreating a WMI Application or Script\r\nWMI Tasks for Scripts and Applications\r\nProviding Data to WMI\r\nWMI Classes\r\nMonitoring Events\r\nCalling a Method\r\nLast updated on 01/07/2021\r\nSource: https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-architecture",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-architecture"
	],
	"report_names": [
		"wmi-architecture"
	],
	"threat_actors": [],
	"ts_created_at": 1775434162,
	"ts_updated_at": 1775791317,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e3807f16bdac6cd413474336201f0ea15e9a94a6.pdf",
		"text": "https://archive.orkl.eu/e3807f16bdac6cd413474336201f0ea15e9a94a6.txt",
		"img": "https://archive.orkl.eu/e3807f16bdac6cd413474336201f0ea15e9a94a6.jpg"
	}
}