Behind the PowerShell Pipeline

August 15, 2025

A Method to the Madness: Exploring WMI Methods

Windows Management Instrumentation (WMI) and Common Information Model (CIM) provide powerful interfaces for managing Windows systems programmatically. While many administrators are familiar with querying WMI classes for information, the ability to invoke methods on these classes opens up a world of system management possibilities. I thought I would take some time to explore the purpose of WMI methods, how to discover them, and the various approaches to invoking them using both traditional WMI cmdlets and modern CIM cmdlets in PowerShell. This is not something you will use every day, but it is handy information to have in your back pocket, especially because working with WMI methods is not as intuitive.

Why WMI Methods?

WMI methods serve as the action-oriented components of the Windows Management Instrumentation framework. While WMI properties provide read-only or read-write access to system information, methods enable you to perform operations, execute functions, and trigger system changes. Think of WMI properties as the "nouns" of system management and WMI methods as the "verbs." We use the "noun" metaphor all the time in PowerShell, including cmdlets built on WMI such as Get-Volume.

The primary purposes of WMI methods include:

System Configuration and Management

WMI methods allow administrators to modify system configurations programmatically. For example, you can change network adapter settings, modify registry values, or update system policies without directly manipulating the underlying components. Ideally, you will be able to find a PowerShell command that abstracts this functionality, but sometimes you need to get down and dirty with WMI methods.

Process and Service Control

Methods provide fine-grained control over processes and services. You can start, stop, pause, or restart services, terminate processes, or create new processes with specific parameters and security contexts.

> Commands like Start-Service, Stop-Service, and Stop-Process are built using the .NET Framework to access the Windows APIs for managing services and processes. These are not using WMI methods in the way I am discussing here, but they are similar in that they provide a programmatic interface to manage system components.

Hardware Management

WMI methods enable interaction with hardware components. You can perform operations such as ejecting removable media, resetting network adapters, or configuring BIOS settings on supported systems.

Security Operations

Many WMI classes expose methods for security-related operations, including user account management, permission modifications, and security policy enforcement.

Event Management

WMI methods can trigger events, create event subscriptions, or respond to system events programmatically. I wrote about this in the first year of this newsletter. It might be time to revisit that topic.

Remote Management

One of the most powerful aspects of WMI methods is their ability to operate on remote systems, enabling centralized management of distributed environments.

Consider this fundamental example of using a WMI method to restart a service. This code requires Windows PowerShell.

# Using WMI to restart the Windows Time service
$service = Get-WmiObject -Class Win32_Service -Filter "Name='W32Time'"
$result = $service.StopService()
if ($result.ReturnValue -eq 0) {
    Start-Sleep -Seconds 2
    $result = $service.StartService()
    Write-Host "Service restart completed with return value: $($result.ReturnValue)"
}

The WMI service object contains methods like StopService and StartService, which you can invoke to control the service's state.

PS C:\> $service | Get-Member -MemberType method


   TypeName: System.Management.ManagementObject#root\cimv2\Win32_Service

Name                  MemberType Definition
----                  ---------- ----------
Change                Method     System.Management.ManagementBaseObject Chang...
ChangeStartMode       Method     System.Management.ManagementBaseObject Chang...
Delete                Method     System.Management.ManagementBaseObject Delete()
GetSecurityDescriptor Method     System.Management.ManagementBaseObject GetSe...
InterrogateService    Method     System.Management.ManagementBaseObject Inter...
PauseService          Method     System.Management.ManagementBaseObject Pause...
ResumeService         Method     System.Management.ManagementBaseObject Resum...
SetSecurityDescriptor Method     System.Management.ManagementBaseObject SetSe...
StartService          Method     System.Management.ManagementBaseObject Start...
StopService           Method     System.Management.ManagementBaseObject StopS...
UserControlService    Method     System.Management.ManagementBaseObject UserC...

When you invoke a method, you will get a result object.

PS C:\> $result


__GENUS          : 2
__CLASS          : __PARAMETERS
__SUPERCLASS     :
__DYNASTY        : __PARAMETERS
__RELPATH        :
__PROPERTY_COUNT : 1
__DERIVATION     : {}
__SERVER         :
__NAMESPACE      :
__PATH           :
ReturnValue      : 0
PSComputerName   :

The ReturnValue property indicates the success or failure of the operation, with 0 typically indicating success. For other values, you would need to refer to the WMI documentation for the specific class to understand what the return codes mean.

This simple example demonstrates how WMI methods bridge the gap between information gathering and system modification, providing a programmatic interface for system administration tasks.
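The same restart can be done with the CIM cmdlets, which also work in PowerShell 7, while treating a non-zero ReturnValue as a failure. This is an added example, not code from the newsletter: Restart-ServiceViaCim is a hypothetical helper name, and the code descriptions are a subset of Microsoft's documented Win32_Service return values.

```powershell
# Added example. Restart-ServiceViaCim is a hypothetical helper; the code
# descriptions are a subset of the documented Win32_Service return values.
function Restart-ServiceViaCim {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [int]$TimeoutSeconds = 30
    )
    $codes = @{
        2  = 'Access denied';                 3  = 'Dependent services running'
        5  = 'Service cannot accept control'; 7  = 'Service request timeout'
        10 = 'Service already running';       14 = 'Service disabled'
    }
    # The name is embedded in a WQL string literal, so refuse quote characters.
    if ($Name -match "['\\]") { throw "Unsupported character in service name: $Name" }
    $filter = "Name='$Name'"
    $svc = Get-CimInstance -ClassName Win32_Service -Filter $filter
    if (-not $svc) { throw "Service '$Name' not found." }
    if (-not $PSCmdlet.ShouldProcess($Name, 'Restart using WMI methods')) { return }

    $steps = @(
        @{ Method = 'StopService';  Want = 'Stopped' }
        @{ Method = 'StartService'; Want = 'Running' }
    )
    foreach ($step in $steps) {
        if ($svc.State -eq $step.Want) { continue }   # already in the target state
        $rv = [int]($svc | Invoke-CimMethod -MethodName $step.Method).ReturnValue
        if ($rv -ne 0) {
            $text = if ($codes.ContainsKey($rv)) { $codes[$rv] } else { 'see the Win32_Service documentation' }
            throw "$($step.Method) on '$Name' returned $rv ($text)."
        }
        # 0 means the request was accepted; the service can still be in a
        # pending state, so poll State instead of sleeping a fixed time.
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        do {
            Start-Sleep -Milliseconds 500
            $svc = Get-CimInstance -ClassName Win32_Service -Filter $filter
        } while ($svc.State -ne $step.Want -and (Get-Date) -lt $deadline)
        if ($svc.State -ne $step.Want) {
            throw "'$Name' did not reach state '$($step.Want)' within $TimeoutSeconds seconds."
        }
    }
    $svc | Select-Object Name, State, ProcessId
}

Restart-ServiceViaCim -Name W32Time -WhatIf   # preview only; drop -WhatIf to act
```

Run it from an elevated session; without the rights to control the service, the method returns 2 and the function throws instead of reporting a restart that never happened.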

Discovery

Before you can effectively use WMI methods, you need to understand how to discover them and their parameters. PowerShell provides several tools for method discovery, with Get-CimClass being the most powerful and modern approach.

Method Discovery with Get-CimClass

The Get-CimClass cmdlet is your primary tool for exploring WMI classes and their associated methods. This cmdlet provides comprehensive information about class structures, including properties, methods, and their parameters.

Basic Class Discovery

To begin exploring WMI methods, start by identifying the classes that contain the functionality you need:

# Find all classes related to processes
PS C:\> Get-CimClass -ClassName "*Process*" | Where CimClassName -notMatch "Perf" | Select-Object CimClassName

CimClassName
------------
Win32_ProcessTrace
Win32_ProcessStartTrace
Win32_ProcessStopTrace
CIM_Process
Win32_Process
CIM_Processor
Win32_Processor
CIM_AssociatedProcessorMemory
Win32_AssociatedProcessorMemory
CIM_ProcessExecutable
Win32_SessionProcess
Win32_ComputerSystemProcessor
Win32_SystemProcesses
CIM_ProcessThread
CIM_OSProcess
Win32_NamedJobObjectProcess
Win32_ProcessStartup

I'm filtering out the performance classes because they are not useful for our purposes. You can also use Get-CimClass to explore other classes related to services, network configurations, and more.
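Once you have candidate classes, the CimClassMethods collection on each class object tells you which ones actually expose methods and what each method expects. The following is an added example, not code from the newsletter; Get-CimMethodSignature is a hypothetical helper name, and it assumes the default root/cimv2 namespace.

```powershell
# Added example. Get-CimMethodSignature is a hypothetical helper that lists
# every method of a class with its input and output parameters.
function Get-CimMethodSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [Alias('CimClassName')][string]$ClassName,
        [string]$Namespace = 'root/cimv2'
    )
    process {
        $class = Get-CimClass -ClassName $ClassName -Namespace $Namespace -ErrorAction Stop
        foreach ($m in $class.CimClassMethods) {
            # Parameters carry In and/or Out qualifiers; split them by direction.
            $in  = $m.Parameters | Where-Object { $_.Qualifiers.Name -contains 'In' }
            $out = $m.Parameters | Where-Object { $_.Qualifiers.Name -contains 'Out' }
            [pscustomobject]@{
                Class      = $class.CimClassName
                Method     = $m.Name
                # Static methods are invoked on the class, others on an instance.
                Static     = $m.Qualifiers.Name -contains 'Static'
                ReturnType = $m.ReturnType
                Input      = ($in  | ForEach-Object { "[$($_.CimType)]$($_.Name)" }) -join ', '
                Output     = ($out | ForEach-Object { "[$($_.CimType)]$($_.Name)" }) -join ', '
            }
        }
    }
}

# Signatures for the service class used earlier
Get-CimMethodSignature -ClassName Win32_Service | Format-Table -AutoSize

# Which of the process-related classes found above have methods at all?
Get-CimClass -ClassName "*Process*" |
    Where-Object CimClassName -notmatch 'Perf' |
    Get-CimMethodSignature |
    Format-Table Class, Method, Static, Input -AutoSize
```

Classes without methods produce no rows, so the second pipeline narrows the list above to the classes worth a closer look.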
