WMI_POLICY

This check queries Windows Management Instrumentation (WMI) for the value of an attribute within a given namespace and class.

Depending on the syntax used, the check either extracts the attribute value for each key or enumerates the attribute names present.

Usage

<custom_item>
    type: WMI_POLICY
    description: "Test for WMI Value"
    value_type: [value_type]
    value_data: [value]
    (optional) check_type: [value]
    wmi_namespace: ["namespace"]
    wmi_request: ["request select statement"]
    wmi_attribute: ["attribute"]
    wmi_key: ["key"]
</custom_item>

The allowed tags are:

    wmi_namespace: "namespace"
    wmi_request: "WMI Query"
    wmi_attribute: "Name"
    wmi_key: "Name"
    wmi_option: option
    wmi_exclude_result: "result"
    only_show_query_output: YES
    check_type: CHECK_NOT_REGEX

If the query matches a service configuration that has more than one instance on the system (e.g., “MSFTPSVC/83207416” and “MSFTPSVC/2”), the request extracts the chosen attribute from every instance. If any instance does not match the policy value, its wmi_key is added to the report to indicate which one failed. The WMI_ENUM option (wmi_option: WMI_ENUM) enumerates the configuration names within a namespace so they can be compared against a list of expected values.

By default, if a WMI query returns no output, the check reports an error. Setting wmi_option to CAN_BE_NULL changes this behavior and forces the check to report a PASS. Setting only_show_query_output to YES includes the output of the WMI query in the Nessus report. Using the check_type tag (for example CHECK_NOT_REGEX), the check can PASS as long as a given string does not appear in the output. See the examples below.

Other Considerations:

  • WMI attributes need to be explicitly specified. For example, select * from foo will not work.
  • Attributes that have no value set will not be reported.
  • The case of the attributes should be exactly as it appears in Microsoft documentation. For example, the attribute HandleCount cannot be Handlecount or handlecount.
  • Values of array type are not included in the result.
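The considerations above (explicit attribute lists, exact attribute case, array-typed attributes being dropped) are easiest to satisfy by inspecting the CIM class on a Windows host before writing the check. The following PowerShell script is an added example and is not part of the Tenable documentation or the audit file format; it assumes a host with the CIM cmdlets available and uses the namespace, class and attributes from the process example later on this page.

```powershell
# Added example (not from the Tenable documentation): inspect a CIM class before
# writing a WMI_POLICY check, so that attribute names use the exact case the class
# defines and array-typed attributes (omitted from the check's result) are known
# up front. Assumes a Windows host with the CIM cmdlets; namespace, class and
# attributes default to the ones used in the Win32_Process example on this page.
param(
    [string]$Namespace = 'root/cimv2',
    [string]$ClassName = 'Win32_Process',
    [string[]]$Attributes = @('Caption', 'HandleCount', 'ThreadCount')
)

$class = Get-CimClass -Namespace $Namespace -ClassName $ClassName -ErrorAction Stop

# Index the class properties by name. A default PowerShell hashtable compares string
# keys case-insensitively, which lets a misspelled-case attribute still be located.
$defined = @{}
foreach ($p in $class.CimClassProperties) { $defined[$p.Name] = $p }

foreach ($attr in $Attributes) {
    $p = $defined[$attr]
    if (-not $p) {
        Write-Output "MISSING  $attr is not a property of $ClassName"
    } elseif ($p.Name -cne $attr) {
        # -cne is the case-sensitive comparison; the audit file must use $p.Name.
        Write-Output "CASE     $attr must be written as $($p.Name)"
    } elseif ($p.CimType -match 'Array$') {
        # CimType values such as StringArray or UInt32Array mark array properties.
        Write-Output "ARRAY    $($p.Name) ($($p.CimType)) will not appear in the check result"
    } else {
        Write-Output "OK       $($p.Name) ($($p.CimType))"
    }
}

# Build the explicit SELECT list the check requires (SELECT * is not accepted),
# using the class-defined spelling of each attribute that exists.
$select = ($Attributes |
    ForEach-Object { $defined[$_] } |
    Where-Object { $_ } |
    ForEach-Object { $_.Name }) -join ', '
Write-Output "wmi_request: `"SELECT $select FROM $ClassName`""
```

Run it with the defaults to check the process example, or pass -Namespace, -ClassName and -Attributes for the class a new check will target; the last line prints a wmi_request value with the class-defined attribute spelling.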

Examples

<custom_item>
    type: WMI_POLICY
    description: "IIS test"
    value_type: POLICY_DWORD
    value_data: 0
    wmi_namespace: "root/MicrosoftIISv2"
    wmi_request: "SELECT Name, UserIsolationMode FROM IIsFtpServerSetting"
    wmi_attribute: "UserIsolationMode"
    wmi_key: "Name"
</custom_item>

If there are two FTP service configurations on your system (“MSFTPSVC/83207416” and “MSFTPSVC/2”), the request extracts the “UserIsolationMode” attribute from both. If one of them does not match the policy value (0), the wmi_key (Name, in this case) is added to the report, indicating which one has failed.
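To see what this check will evaluate on a given host, the same WQL query can be run from PowerShell and each instance compared against the policy value, reporting the key of every instance that does not match. This script is an added example and is not part of the Tenable documentation; it assumes the IIS 6 WMI provider (the root/MicrosoftIISv2 namespace) is present, and takes the namespace, query, attribute, key and value from the "IIS test" check above. It also mirrors the no-result condition described earlier, which the check reports as an error unless wmi_option is CAN_BE_NULL.

```powershell
# Added example (not from the Tenable documentation): preview the per-key evaluation
# of the "IIS test" WMI_POLICY check. Assumes the root/MicrosoftIISv2 namespace exists
# on the host; all other values are copied from the check above.
$Namespace  = 'root/MicrosoftIISv2'
$Query      = 'SELECT Name, UserIsolationMode FROM IIsFtpServerSetting'
$Attribute  = 'UserIsolationMode'   # wmi_attribute
$Key        = 'Name'                # wmi_key
$PolicyData = 0                     # value_data (POLICY_DWORD)

# Wrap in @() so a single instance still has a .Count.
$rows = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)

if ($rows.Count -eq 0) {
    # Empty result: WMI_POLICY reports an error here unless wmi_option is CAN_BE_NULL.
    Write-Output "NO RESULT: the query returned no instances"
    return
}

# Collect the key of every instance whose attribute differs from the policy value.
$failed = foreach ($r in $rows) {
    if ($r.$Attribute -ne $PolicyData) { $r.$Key }
}

if ($failed) {
    Write-Output "FAILED: $Attribute is not $PolicyData for: $($failed -join ', ')"
} else {
    Write-Output "PASSED: all $($rows.Count) instance(s) have $Attribute = $PolicyData"
}
```

With two FTP configurations where only one has UserIsolationMode set to 0, the script lists the other configuration's Name, which is the same key the check adds to the report.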

<custom_item>
    type: WMI_POLICY
    description: "IIS test2"
    value_type: POLICY_MULTI_TEXT
    value_data: "MSFTPSVC/83207416" && "MSFTPSVC/2"
    wmi_namespace: "root/MicrosoftIISv2"
    wmi_request: "SELECT Name FROM IIsFtpServerSetting"
    wmi_attribute: "Name"
    wmi_key: "Name"
    wmi_option: WMI_ENUM
</custom_item>

This example enumerates the configuration names (wmi_option: WMI_ENUM) and checks that the two names specified in value_data are present.

<custom_item>
    type: WMI_POLICY
    description: "List All Windows Processes - except svchost.exe and iPodService.exe"
    value_type: POLICY_TEXT
    value_data: ""
    wmi_namespace: "root/cimv2"
    wmi_exclude_result: "svchost.exe,iPodService.exe"
    wmi_request: "select Caption,HandleCount,ThreadCount from Win32_Process"
    only_show_query_output: YES
</custom_item>

This example lists all Windows processes in the report output, omitting any instances of svchost.exe and iPodService.exe.