Debugging (Tracing) WMI queries?

views:

442

answers:

+2 Q:

Debugging (Tracing) WMI queries?

I've got a third-party program that's making WMI queries to local WMI providers (so it's not using DCOM, so packet-sniffers are out). I'd like to find out what queries these are.

It's also on XP, so the new Vista WMI tracing infrastructure is out, as well, unfortunately.

Any pointers?

I believe that WMI uses DCOM for communication, you can use WireShark to do a packet capture of the DCOM packets. I believe that the dissector in WireShark for DCOM is usable though it still might help to reference this article (old, but should still be pertinent).

This will not work for WMI queries to localhost so you'll need to make sure it's querying a remote computer.

If you do want to log local queries take a look at this MSDN article on logging WMI queries.

joshperry 2008-12-19 15:11:15

Local, not remote; clarified question.

Roger Lipscombe 2008-12-19 15:17:10

Have you tried setting the WMI logging level to Verbose using wmimgmt.msc? (More info on the MSDN Logging WMI Activity page)

You should then see the queries logged to the %windir%\system32\wbem\logs\wbemcore.log file.

-dave

David Gardiner 2008-12-29 22:36:54

Yes, I have. There's not enough information in that log file. I want to specifically see which queries/methods are being executed, and in which namespace. Ideally, I want a complete dump of every call to the IWbemServices interface.

Roger Lipscombe 2008-12-30 11:37:06

It should be noted that you cannot enable logging, or configure the logging path, through **wmimgmt.msc** on Windows Vista.

Ian Boyd 2009-10-28 20:11:23

ansaurus

tags:

views:

answers:

Debugging (Tracing) WMI queries?

related questions