Retrieving Managed Resources Using WMI Query Language

Microsoft® Windows® 2000 Scripting Guide

Querying WMI is the process of issuing a request for data or events that match some predefined criteria. For example, a WMI data query can request all services with a StartMode of Auto that are in a Stopped state. A WMI event query can request to be notified when a running service stops or a stopped service starts. Because the WMI query processor is an integral part of the WMI service, system administrators can query WMI for any piece of data defined in the CIM.

WMI queries provide a more efficient mechanism for retrieving object instances and instance data than the InstancesOf method. WMI queries return only those instances and data that match the query, whereas InstancesOf always returns all object instances of a specified class. Also, queries are processed on the target computer identified in the object path rather than on the source computer running the WMI script. Therefore, WMI queries can significantly reduce the amount of network traffic that would otherwise be encountered by less efficient data retrieval mechanisms such as InstancesOf.

To query WMI, a system administrator constructs a query string using the WMI Query Language (WQL). The query string defines the criteria that must be satisfied to result in a successful match. After the query string is defined, the query is submitted to the WMI service using one of several methods provided by the SWbemServices object. Object instances that satisfy the query are returned to the script in the form of an SWbemObjectSet collection.

WQL is a subset of the ANSI Structured Query Language (SQL) commonly used in database applications. For the most part, WQL can be used only to retrieve information; WQL does not support such SQL functions as UPDATE and DELETE. In addition, WQL does not let you specify a sort order for the data that is returned; you are limited to the sort order imposed on the data by WMI. (However, there are workarounds for this limitation. For examples, see "Creating Enterprise Scripts" in this book.)

Using WQL (and the ExecQuery method) rather than InstancesOf provides you with the flexibility to create scripts that return only the items that are of interest to you. For example, you can use a basic WQL query to return all properties of all instances of a given class; this is the same information that is returned by the InstancesOf method. However, you can also create targeted queries using WQL, queries that do such things as:

  • Return only selected properties of all the instances of a class.

  • Return all the properties of selected instances of a class.

  • Return selected properties of selected instances of a class.

Creating targeted queries will sometimes noticeably increase the speed with which data is returned. (It is obviously much faster to return only those events in the Application event log that have EventCode 0 than to return all the events in all the event logs.) Targeted queries also make it easier to work with the returned data. For example, suppose you want only events from the Application event log with EventCode 0. Using a targeted query will return only those items. By contrast, InstancesOf would return all the events, and you would have to individually examine each one and determine whether it 1) came from the Application event log and 2) has EventCode 0. Although this can be done, it is less efficient and requires additional coding on your part.

Targeted queries can also cut down on the amount of data that is returned, an important consideration for scripts that run over the network. Table 6.9 shows some relative figures for different query types. (These different types are explained in subsequent sections of this chapter.) As you can see, there can be a considerable difference in the amount of data returned by the various query types.

Table 6.9 Comparing WMI Data Queries


Bytes Returned



objSWbemServices.ExecQuery("SELECT * FROM Win32_Service")


objSWbemServices.ExecQuery("SELECT Name FROM Win32_Service")


objSWbemServices.ExecQuery("SELECT StartMode FROM Win32_Service")


objSWbemServices.ExecQuery _

("SELECT StartMode FROM Win32_Service WHERE State=Running")


objSWbemServices.ExecQuery _

("SELECT StartMode, State FROM Win32_Service WHERE State=Running")


objSWbemServices.ExecQuery _

("SELECT * FROM Win32_Service WHERE Name=WinMgmt")





  • This does not necessarily mean that the queries that return the least amount of data represent the best approach. These queries return smaller amounts of data because they either do not return all the properties of the services or they do not return the properties of all of the services (or both). If you need all of the properties of all of the services, most of these queries will not serve your needs. The point is that you can create faster and more efficient queries if you do not need all of the properties of all of the instances of a given class.