wmi-objects-data
Parses a WMI (Windows Management Instrumentation) OBJECTS.DATA file to retrieve CIM (Common Information Model) objects. Converts WMI repository records such as class definitions, instance objects, and registration information into structured fields for output.
Command properties
| Property | Description |
|---|---|
| Command type | Driver query |
| Required permission | None |
| License usage | Counted |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
wmi-objects-data [zippath=STR] [zipcharset=STR] FILE_PATH
Options
- zippath=STR - Path to the ZIP file that contains the OBJECTS.DATA file. Use this when querying an OBJECTS.DATA file directly inside a ZIP archive.
- zipcharset=STR - Character set for ZIP file entries (default: utf-8).
Target
- FILE_PATH - Path to the OBJECTS.DATA file to query. You can use a wildcard (*) to specify multiple files. On a Windows system this file is located at C:\WINDOWS\system32\wbem\Repository\OBJECTS.DATA.
Output fields
Output fields vary by record type.
Common fields
| Field | Type | Description |
|---|---|---|
| _file | string | OBJECTS.DATA file name |
| record_type | string | Record type. One of: CLASS_DEFINITION, INSTANCE_OBJECT, REGISTRATION |
CLASS_DEFINITION type
| Field | Type | Description |
|---|---|---|
| _time | timestamp | Class definition time |
| name | string | Name |
| class_name | string | Class name (e.g., Win32_PageFileSetting) |
| super_class_name | string | Superclass name (e.g., __SystemClass, __Provider) |
| properties | map | Property list |
| qualifiers | map | Qualifier list |
INSTANCE_OBJECT type
| Field | Type | Description |
|---|---|---|
| hash | string | Instance hash value |
| date1 | timestamp | First timestamp |
| date2 | timestamp | Second timestamp |
| strings | array | List of strings extracted from the instance block |
REGISTRATION type
| Field | Type | Description |
|---|---|---|
| name | string | Name |
| class | string | Class name |
| instance_name | string | Instance name (e.g., Connection, provider) |
| index_key | string | Index key |
Error codes
Parsing errors
N/A
Runtime errors
| Error code | Message | Description | Post-processing action |
|---|---|---|---|
| - | cannot read wmi objects file {file path} | The OBJECTS.DATA file cannot be read | Stops query execution |
Description
The wmi-objects-data command parses the specified OBJECTS.DATA file in binary format to extract CIM objects from the WMI repository. The OBJECTS.DATA file is a CIM repository file managed by the Windows WMI service, and it contains class definitions, instance objects, and registration information.
The file is organized in 8,192-byte data pages, and each page contains multiple object records. The record type is automatically determined based on the data structure.
To detect persistence mechanisms through WMI subscriptions (MITRE ATT&CK T1546.003), you can search for strings related to __EventFilter, __EventConsumer, and __FilterToConsumerBinding.
To query an OBJECTS.DATA file inside a ZIP archive, specify the ZIP file path in the zippath option and the OBJECTS.DATA file path within the ZIP as the target.
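The page layout and the subscription-string search described above, as an added stand-alone triage script (example code, not part of the Logpresso documentation or the wmi-objects-data implementation): it walks an OBJECTS.DATA image in 8,192-byte pages and reports which page each __EventFilter, __EventConsumer or __FilterToConsumerBinding string starts in. Checking both ASCII and UTF-16LE spellings, and the constructed two-page sample, are this script's own assumptions.

```python
# Added example, not part of the Logpresso documentation or the wmi-objects-data
# implementation: a stand-alone triage scan that walks an OBJECTS.DATA image in
# the 8,192-byte pages described above and reports which pages hold the WMI
# event-subscription class names used for T1546.003 persistence. Checking both
# ASCII and UTF-16LE spellings is this script's assumption, not a page statement.
from typing import Dict, List

PAGE_SIZE = 8192
MARKERS = ("__EventFilter", "__EventConsumer", "__FilterToConsumerBinding")


def scan_pages(data: bytes) -> List[Dict[str, object]]:
    """Return one hit per marker occurrence, attributed to the page it starts in.

    Each page is scanned with a small overlap into the next page so a marker
    that straddles a page boundary is not missed.
    """
    overlap = max(len(m) for m in MARKERS) * 2  # longest UTF-16LE needle
    hits: List[Dict[str, object]] = []
    page_count = (len(data) + PAGE_SIZE - 1) // PAGE_SIZE
    for page in range(page_count):
        start = page * PAGE_SIZE
        window = data[start:start + PAGE_SIZE + overlap]
        for marker in MARKERS:
            for encoding in ("ascii", "utf-16-le"):
                needle = marker.encode(encoding)
                off = window.find(needle)
                while off != -1 and off < PAGE_SIZE:  # must start inside this page
                    hits.append({"page": page, "offset": start + off,
                                 "marker": marker, "encoding": encoding})
                    off = window.find(needle, off + 1)
    return hits


def summarize(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count hits per marker; a filter, a consumer and a binding form one subscription."""
    counts = {m: 0 for m in MARKERS}
    for hit in hits:
        counts[str(hit["marker"])] += 1
    return counts


# Constructed sample (not real repository data): two zero-filled pages, an ASCII
# marker in page 0 and a UTF-16LE marker that starts near the end of page 0 and
# spills into page 1, so the overlap handling is exercised.
SAMPLE = bytearray(2 * PAGE_SIZE)
SAMPLE[100:100 + len(b"__EventFilter")] = b"__EventFilter"
STRADDLE = "__FilterToConsumerBinding".encode("utf-16-le")
SAMPLE[PAGE_SIZE - 10:PAGE_SIZE - 10 + len(STRADDLE)] = STRADDLE
```

Running `summarize(scan_pages(bytes(SAMPLE)))` on the constructed sample reports one __EventFilter and one __FilterToConsumerBinding hit, both attributed to page 0; on a real image, pass the file's bytes instead of SAMPLE.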
Examples
- Query an OBJECTS.DATA file

  ```
  wmi-objects-data /opt/logpresso/evidence/OBJECTS.DATA
  ```

  Retrieves all CIM objects from the OBJECTS.DATA file at the specified path.

- Query an OBJECTS.DATA file inside a ZIP archive

  ```
  wmi-objects-data zippath=/opt/logpresso/evidence/artifacts.zip OBJECTS.DATA
  ```

  Retrieves CIM objects from the OBJECTS.DATA file inside the ZIP archive.

- Detect execution via WMI subscriptions

  ```
  wmi-objects-data /opt/logpresso/evidence/OBJECTS.DATA | eval strings = strjoin("\n", strings) | search in(strings, "*__EventFilter*", "*__EventConsumer*", "*__FilterToConsumerBinding*")
  ```

  Searches for objects related to WMI event subscriptions to detect persistence mechanisms.

- Filter for class definitions only

  ```
  wmi-objects-data /opt/logpresso/evidence/OBJECTS.DATA | search record_type == "CLASS_DEFINITION"
  ```

  Filters for records of type CLASS_DEFINITION only.