The Microsoft Windows Management Instrumentation (WMI) technology is the Microsoft implementation of the Distributed Management Task Force (DMTF) Web-Based Enterprise Management (WBEM) initiative that extends the Common Information Model (CIM) to represent management objects in Windows-based management environments. The Common Information Model, also a DMTF standard, is an extensible data model for logically organizing management objects in a consistent, unified manner in a managed environment.
Based on the Common Information Model, WBEM is a DMTF initiative and technology that establishes management infrastructure standards and provides a standardized way to access information from various hardware and software management systems in an enterprise environment. Using WBEM standards, developers can create tools and technologies that reduce the complexity and costs of enterprise management. By providing such standards, WBEM contributes to industry-wide efforts to lower total cost of ownership (TCO). TCO refers to the administrative costs associated with computer hardware and software purchases, deployment and configuration, hardware and software updates, training, maintenance, and technical support.
WBEM provides a point of integration through which data from management sources can be accessed, and it complements and extends existing management protocols and instrumentation such as Simple Network Management Protocol (SNMP), Desktop Management Interface (DMI), and Common Management Information Protocol (CMIP).
Windows Management Instrumentation Technology
The Windows Management Instrumentation (WMI) technology is a management infrastructure that supports the syntax of CIM, the Managed Object Format (MOF), and a common programming interface. The MOF syntax defines the structure and contents of the CIM schema in human and machine-readable form. Windows Management Instrumentation offers a powerful set of services, including query-based information retrieval and event notification. These services and the management data are accessed through a Component Object Model (COM) programming interface. The WMI scripting interface also provides scripting support.
The WMI technology provides:
- Access to monitor, command, and control any
managed object through a common, unifying set of interfaces,
regardless of the underlying instrumentation mechanism. WMI is an
- A consistent model of Windows operating
system operation, configuration, and status.
- A COM Application Programming Interface (API)
that supplies a single point of access for all management
- Interoperability with other Windows
management services. This approach can simplify the process of
creating integrated, well-architected management solutions.
- A flexible, extensible architecture.
Developers can extend the information model to cover new devices,
applications, and so on, by writing code modules called WMI
- Extensions to the Windows Driver Model (WDM)
to capture instrumentation data and events from device drivers and
- A powerful event architecture. This allows
management information changes to be identified, aggregated,
compared, and associated with other management information. These
changes can also be forwarded to local or remote management
- A rich query language that enables detailed
queries of the information model.
- A scriptable API which developers can use to
create management applications. The scripting API supports several
languages, including Microsoft Visual Basic; Visual Basic for
Applications (VBA); Visual Basic, Scripting Edition (VBScript);
Microsoft JScript development software. Besides VBScript and
JScript, developers can use any scripting language implementation
that supports Microsoft ActiveX scripting technologies with this
API (for example, a Perl scripting engine). Additionally, you can
use the Windows Script Host or Microsoft Internet Explorer to write
scripts using this interface. Windows Script Host, like Internet
Explorer, serves as a controller engine of ActiveX scripting
engines. Windows Script Host supports scripts written in VBScript,
WMI Architecture Overview
The WMI technology architecture consists of the following:
- A management infrastructure - This includes
the CIM Object Manager, which provides applications with uniform
access to management data and a central storage area for management
data called the CIM Object Manager repository.
- WMI Providers - These function as
intermediaries between the CIM Object Manager and managed objects.
Using the WMI APIs, providers supply the CIM Object Manager with
data from managed objects, handle requests on behalf of management
applications, and generate event notifications.
The management infrastructure consists of CIM Object Manager and the CIM Object Manager repository. Applications depend on the Object Manager to handle the interface between management applications and data providers. WMI facilitates these communications by providing a common programming interface to Windows management services using COM. This COM API supplies event notification and query processing services, and can be used in several programming language environments such as C and C++. The CIM Object Manager repository holds the CIM and extension schemas, and data information or data source details. CIM Object Manager uses the schema data in this repository when servicing requests from management applications for managed objects.
Managed objects are either physical or logical enterprise components that are modeled using CIM. For example, a managed object can be hardware such as a cable, or software such as a database application. Management applications can access managed objects through CIM Object Manager.
Management applications are applications or Windows services that use or process information originating from managed objects. Management applications can access managed object information by making a request to CIM Object Manager through one of the methods in the WMI API.
WMI providers are standard COM and Distributed Component Object Model (DCOM) servers that function as mediators between managed objects and the CIM Object Manager. If the CIM Object Manager receives a request from a management application for data that is not available from the CIM Object Manager repository or for event notifications that are not supported by the CIM Object Manager, it forwards the request to a WMI provider. Providers supply data and event notifications for managed objects that are specific to their particular domain.
To implement a provider, you should use one of the following supported server types:
• Microsoft Windows 2008 services, local or remote.
• Standard executables (.exe files), local or remote.
• In-process dynamic-link libraries (DLLs).
Note that local or remote Windows 2008 services and standard executables are recommended server types.
WMI ships with built-in providers (or standard providers) that supply data from sources such as the system registry. The built-in providers include:
- Active Directory Provider - Acts as a gateway
to all the information stored in the Active Directory service.
Allows information from both WMI and Active Directory to be
accessed using a single API.
- Windows Installer Provider - Allows complete
control of Windows Installer and installation of software through
WMI. Also supplies information about any application installed with
- Performance Counter Provider - Exposes the
raw performance counter information used to compute the performance
values shown in the System Monitor tool. Any performance counters
installed on a system will automatically be visible through this
- Registry Provider - Allows Registry keys to
be created, read, and written. WMI events can be generated when
specified Registry keys are modified
- SNMP Provider - Acts as a gateway to systems
and devices that use the Simple Network Management Protocol (SNMP)
for management. SNMP MIB object variables can be read and written.
SNMP traps can be automatically mapped to WMI events.
- Event Log Provider - Provides access to data
and event notifications from the Windows Server 2008 Event Log.
- Win32 ProviderProvides information about the
operating system, computer system, peripheral devices, file systems
and security information.
- WDM Provider - Supplies low level Windows
Driver Model driver information for user input devices, storage
devices, network interfaces, and communications ports.
- View Provider - Allows new aggregated classes
to be built up from existing classes. Source classes can be
filtered for only the information of interest, information from
multiple classes can be combined into a single class and data from
multiple machines can be aggregated into a single view.
The WMI technology also provides support for third party custom providers. Custom providers can be used to service requests related to managed objects that are environment-specific. Providers typically use the MOF language to define and create classes. Providers use the WMI API to access the CIM Object Manager repository, and to respond to CIM Object Manager requests made initially by applications.
Simple Network Management Protocol Overview
Simple Network Management Protocol (SNMP) is a network management standard that defines a strategy for managing TCP/IP networks.
SNMP uses a distributed architecture that includes:
- Multiple managed nodes, each with an SNMP
entity called an agent which provides remote access to management
- At least one SNMP entity referred to as a
manager which runs management applications to monitor and control
managed elements. Managed elements are devices such as hosts,
routers, and so on; they are monitored and controlled by accessing
their management information.
- A management protocol, SNMP, is used to
convey management information between the management stations and
agents. Management information refers to a collection of managed
objects that reside in a virtual information store called a
Management Information Base (MIB).
To communicate host information, management systems and agents use SNMP messages. These messages are sent using the User Datagram Protocol (UDP) and are routed between the management system and host by using the Internet Protocol (IP).
A Management Information Base contains the information requested by the management system. The MIB for a networked computer may include information on the configuration and performance of the network interface card, the available hard drive space, the version of drivers and applications, and so on. Additional MIBs may be written and loaded, to expose the data that is specified for collection, as long as the system itself supports the collection of the requested information.
Processing Information Requests
When a management system requests information, the following sequence occurs:
- A management system sends a request to an agent using the
agent's IP address.
- The agent forms an SNMP datagram that contains an SNMP message
and the community name to which the management system belongs.
- The SNMP agent receives the datagram and confirms the community
name. If the community name is valid, the SNMP agent retrieves the
appropriate data. Otherwise, if the community name is invalid, the
request is rejected. If the agent has been configured to send an
authentication trap, a trap message is sent.
- The SNMP datagram is returned to the management system with the
The following SNMP message types are used:
- GetThis is a request message. SNMP management
systems use Get messages to request information about a MIB entry
on an SNMP agent.
- GetnextA type of request message that can be
used to browse an entire tree of managed objects.
- GetbulkA type of request that specifies that
the agent transfer as much data as possible, within the limits of
- SetThis is used to send and assign an updated
MIB value to an agent.
- Notify (or Trap)This is an unsolicited
message that an agent sends to a SNMP management system when it
detects a certain type of event has occurred locally on the managed
SNMP events (or traps) are sent unsolicited to a management station that filters the events; therefore, network traffic is involved. With WMI, the events are filtered locally and only those passing the filter criteria are sent over the network, thus reducing the required bandwidth for events of interest.
WMI SDK support for SNMP
The SNMP Provider includes the following components:
- Class, instance, and event Providers that
integrate the SNMP information modeling and processing into WMI.
These SNMP providers map collections of object values to property
values of CIM class instances.
- An SNMP information module compiler that
compiles native SNMP schema information into the format that CIM
The SNMP Providers return dynamic information. You can specify the set of classes that the instance Provider will operate against in one of two ways:
- Statically - By creating classes in the CIM
object repository namespace associated with the proxy device.
- Dynamically - By using the SNMP class
Provider, which returns the set of classes located within the SNMP
Module Information Repository (SMIR) namespace.
Additionally, you can also specify whether or not to use correlation for the set of classes returned from the SMIR namespace. Correlated classes define the set of classes that a given SNMP agent is known to support at the time the enumeration occurs. Noncorrelated enumeration returns all classes present within the SMIR namespace, regardless of whether the agent device supports them or not.
The SNMP Providers include:
- SNMP class and instance providers, which
applications use to access and modify data pertaining to SNMP
- SNMP event providers, which generate events
from SNMP traps and notifications. These report the same types of
events, but in different formats: Encapsulated and Referent.
Encapsulated means that the event class has simple properties
describing the information mapped directly from the TRAP-TYPE and
NOTIFICATION-TYPE macros, described in the next section. Referent
classes abstract the information present within the macros so that
properties which share the same class and instance are presented as
embedded objects. This allows extraction of the __RELPATH so that
the unique instance to which the trap is associated can be
retrieved after the receipt of the event. To choose a format,
consumers register for a particular class of events.
Mapping Device Data to CIM Classes
The SNMP Providers map device data to CIM classes through the following methods:
- Enumerating SNMP Class Definitions. To
enumerate a set of class definitions, applications can call
MIB objects are mapped to SNMP CIM classes using the OBJECT-TYPE macro; events are mapped to classes using the TRAP-TYPE and NOTIFICATION-TYPE macros.
The OBJECT-TYPE macro is used to describe the basic characteristics of a MIB object. The SNMPv1 TRAP-TYPE and SNMPv2C NOTIFICATION-TYPE macros describe the characteristics of an SNMP event.
- Instantiating SNMP Class Definitions. To
instantiate a class definition, applications can call
IWbemServices::GetObject or IWbemServices::GetObjectAsync.
- Enumerating SNMP Class Instances. The SNMP
instance Provider services requests to enumerate instances
associated with classes that represent device MIBs.
- Instantiating SNMP Class Instances. The SNMP
instance Provider processes requests to instantiate instances of
classes that represent MIB objects.
- Retrieving SNMP Class Instances. To retrieve
a particular instance of a SNMP CIM class, applications can call
IWbemServices::GetObject or IWbemServices::GetObjectAsync.
SNMP and the CIM Schema
The schema that SNMP uses to define objects differs from that used in the WMI Common Information Model. The SNMPv1 and SNMPv2 schema is called the Structure of Management Information (SMI); it is packaged as MIB files. To define objects, the MIB files use Abstract Syntax Notation 1 (ASN.1), a standard language, and macro definitions that are used as templates for describing the objects. These macros supply information about the object, including its name, identifier, syntax, description, access rights, and so on.
The WMI SNMP Providers convert these MIB macros:
- OBJECT-TYPEDescribes the basic
characteristics of an object, such as the object name, syntax,
access rights, and so forth. Pertains to SNMPv1 and SNMPv2C.
- TEXTUAL-CONVENTIONAssigns a name and, in some
cases, a range of values to an existing datatype. Pertains to
- TRAP-TYPEDescribes event messages (traps).
Pertains to SNMPv1 only.
- NOTIFICATION-TYPEDescribes event messages
(notifications). Pertains to SNMPv2C only.
The SNMP class Provider enumerates and instantiates a set of class definitions against a CIM namespace. It does so by using an MIB correlator and the SNMP Module Information Repository, an SNMP schema database. The SNMP class Provider supports correlated and non-correlated modes. You designate one of these modes by setting a context value (IWbemContext) correlate of type Boolean and passing this into the IWbemServices method. The SNMP class provider supports both enumeration of class definitions and retrieval of a class definition.
The SNMP instance provider maps SNMP MIB objects to class instances.
To define a view of a network device, an SNMP namespace is used. You can create an SNMP namespace by using the WMI SDK's WMI Common Information (CIM) Studio application, by compiling a MOF file, or programmatically with the WMI API.
The Namespace system class is used to represent an SNMP namespace. To generate a new namespace, you create an instance of this class. You must associate at least one descriptor (or qualifier) with the class instance. The qualifiers contain implementation-specific context information, and transport properties that define how the SNMP Providers access an SNMP agent.
SNMP Device Representation
SNMP devices are represented within WMI by using a proxy namespace that contains a set of instance qualifiers. These qualifiers describe the transport characteristics pertaining to the device. WMI uses a MOF file, snmpreg.mof, to create the \\.\root\snmp\localhost namespacethis is a standard namespace that represents the local SNMP agent.
SNMPv2C is supported within the WMI context. The main purpose of SNMPv2C was to provide a stronger security context for SNMP. This version uses the simple and unsecure password-based authentication feature, known as the community feature (provided in SNMPv1). The SNMPv2 SMI makes certain additions and enhancements to the community security, such as including bit strings, network addresses, and counters to the SNMPv1 SMI specific data types. Additionally, the SNMPv2 SMI specifies information modules, which specify a group of related definitions. SNMPv2 also defines two new protocol operations: GetBulk and Inform.
WMI security validates a user's logon information both for the local computer and for remote access. WMI grants a validated user some form of controlled access to the entire CIM repository. In its current release, WMI does not provide security for system resources such as individual classes and instances. However, administrators can use WMI to control global permissions on schema operations, such as limiting the access of some users to read-only operations. WMI also supports per namespace security. In addition, the SNMP Provider provides support for all SNMP-based security, including the security enhancements in SNMPv2C.
SNMP Information Module Compiler
The SNMP information module compiler is used to compile native SNMP management information that is defined in a MIB into an equivalent CIM schema definition that can be used with the SNMP Providers. The CIM schema can exist as output in a MOF file or it can be loaded into an SNMP schema database (the SNMP Module Information Repository or SMIR). The SNMP dynamic class Provider uses the SNMP Module Information Repository to create and retrieve instances of class definitions.
The SNMP information module compiler runs in command-line mode as an executable file, using one SNMP information module as input, and any additional files that might be needed to resolve external references. SNMP information modules are collections of management information that typically consist of a combination of MIB modules, and AGENT-CAPABILITIES and MODULE-COMPLIANCE statements. AGENT-CAPABILITIES statements describe an agent's compliance to the set of MIB modules it supports. MODULE-COMPLIANCE statements describe an agent's capabilities regarding object definitions.
The SNMP information module compiler also provides the following functionality:
- Performs checking operations on the
information module. For example, it checks local syntax and
external references against information in the subsidiary
- Removes all previously loaded data from the
SMIR, or removes data loaded from one information module.
- Returns either the ASN.1 module name of a
specified file, or the ASN.1 module names of all imported modules
in a specified file.
- Returns the ASN.1 module names of all SNMP
information modules currently loaded in the SMIR.
- Performs automatic resolution of imported
modules instead of requiring users to manually specify the required
- Performs a silent-loading mode of operation
that does not generate output, but can be used to load data into
the SMIR during an installation operation.