Remote Windows System Monitoring from Linux Using WMI and winexe

System administrators often need to manage and monitor Windows machines from Linux environments. This guide demonstrates how to effectively use tools like winexe and wmic to remotely execute commands and gather system information from Windows machines without installing agents.

Open Table of Contents

Prerequisites
Using winexe
Using wmic
WQL Queries with go-msrpc
Enabling Remote WMI Access
Security Considerations
Troubleshooting Common Issues
Conclusion

Prerequisites

Before you begin, ensure you have:

A Linux system with winexe and wmic installed
Administrative credentials for the target Windows system
Network connectivity between the Linux and Windows machines
Basic understanding of Windows Management Instrumentation (WMI)

Using winexe

winexe is a powerful tool that allows you to execute commands on Windows systems from a Linux machine. Here are some practical examples:

Operating System & System Information

winexe -U 'Administrator%Password123' //192.168.1.100 "systeminfo"

This command returns detailed OS information including version, build number, installed hotfixes, memory, and more.

List Running Processes

winexe -U 'Administrator%Password123' //192.168.1.100 "tasklist"

This lists all active processes on the Windows system.

Network Configuration

winexe -U 'Administrator%Password123' //192.168.1.100 "ipconfig /all"

Displays IP configuration details for all network interfaces.

Environment Variables

winexe -U 'Administrator%Password123' //192.168.1.100 "set"

Lists all environment variables, helping reveal system paths and configuration.

Using wmic

While winexe executes standard Windows commands, wmic provides more structured output through Windows Management Instrumentation queries. Note that Remote UAC filtering may need to be properly disabled for these commands to work.

Get OS Details

wmic -U 'DOMAIN/Administrator%Password123' //192.168.1.100 "get Caption, Version, BuildNumber /value"

This command outputs properties such as the OS name (Caption), version, and build number.

List Processes (Brief)

wmic -U 'DOMAIN/Administrator%Password123' //192.168.1.100 "process list brief"

Lists running processes with key details like ProcessId and Name.

Query CPU Information

wmic -U 'DOMAIN/Administrator%Password123' //192.168.1.100 "cpu get Name, NumberOfCores, NumberOfLogicalProcessors /value"

Retrieves detailed CPU specifications.

Get Memory Information

wmic -U 'DOMAIN/Administrator%Password123' //192.168.1.100 "OS get FreePhysicalMemory,TotalVisibleMemorySize /value"

Provides information about memory usage and capacity.

List Logical Disks

wmic -U 'DOMAIN/Administrator%Password123' //192.168.1.100 "logicaldisk get Caption,FileSystem,FreeSpace,Size /value"

Shows disk drives with their file systems, free space, and total size.

WQL Queries with go-msrpc

For more complex queries, especially when working with the go-msrpc tool, you should use WQL (WMI Query Language), which has an SQL-like syntax. Here are some examples:

Operating System Details

go run examples/samples_with_config/wmic.go \
  --username=Administrator \
  --domain=WORKGROUP \
  --password=Password123 \
  --auth-level=privacy \
  --auth-spnego \
  --auth-type=ntlm \
  --server=192.168.1.100 \
  --query "SELECT Caption, Version, BuildNumber FROM Win32_OperatingSystem"

List Processes

go run examples/samples_with_config/wmic.go \
  --username=Administrator \
  --domain=WORKGROUP \
  --password=Password123 \
  --auth-level=privacy \
  --auth-spnego \
  --auth-type=ntlm \
  --server=192.168.1.100 \
  --query "SELECT ProcessId, Name, ExecutablePath FROM Win32_Process"

CPU Information

go run examples/samples_with_config/wmic.go \
  --username=Administrator \
  --domain=WORKGROUP \
  --password=Password123 \
  --auth-level=privacy \
  --auth-spnego \
  --auth-type=ntlm \
  --server=192.168.1.100 \
  --query "SELECT Name, NumberOfCores, NumberOfLogicalProcessors FROM Win32_Processor"

Memory Information

go run examples/samples_with_config/wmic.go \
  --username=Administrator \
  --domain=WORKGROUP \
  --password=Password123 \
  --auth-level=privacy \
  --auth-spnego \
  --auth-type=ntlm \
  --server=192.168.1.100 \
  --query "SELECT FreePhysicalMemory, TotalVisibleMemorySize FROM Win32_OperatingSystem"

Logical Disks

go run examples/samples_with_config/wmic.go \
  --username=Administrator \
  --domain=WORKGROUP \
  --password=Password123 \
  --auth-level=privacy \
  --auth-spnego \
  --auth-type=ntlm \
  --server=192.168.1.100 \
  --query "SELECT Caption, FileSystem, FreeSpace, Size FROM Win32_LogicalDisk"

Enabling Remote WMI Access

If you encounter “Access Denied” errors, you may need to configure the Windows system to allow remote WMI access. You can use winexe to apply these changes remotely:

Enable WMI through Windows Firewall

winexe -U 'Administrator%Password123' //192.168.1.100 'cmd.exe /c netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes'

Set WMI DCOM permissions through registry

winexe -U 'Administrator%Password123' //192.168.1.100 'powershell -Command "Set-ItemProperty -Path \"HKLM:\\SOFTWARE\\Microsoft\\Ole\" -Name \"EnableDCOM\" -Value \"Y\""'

Modify registry for LocalAccountTokenFilterPolicy

This is crucial for bypassing Remote UAC filtering:

winexe -U 'Administrator%Password123' //192.168.1.100 'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f'

Enable SMB1 protocol support (if needed)

winexe -U 'Administrator%Password123' //192.168.1.100 'powershell -Command "Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol"'

Restart the WMI service

winexe -U 'Administrator%Password123' //192.168.1.100 'cmd.exe /c net stop winmgmt && net start winmgmt'

Note: After making these changes, a reboot of the Windows system is often required for them to take effect.

Security Considerations

When using remote management tools, keep these security aspects in mind:

Use Secure Credentials: Avoid embedding credentials in scripts; use credential storage when possible.
Least Privilege: Create dedicated administrative accounts with only the necessary permissions.
Network Security: Restrict WMI and SMB access to trusted networks using firewalls.
Audit Changes: Log and monitor all remote management operations.
Alternative Methods: Consider modern alternatives like Windows Remote Management (WinRM) with PowerShell where appropriate.

Troubleshooting Common Issues

Access Denied Errors

If you receive “NT_STATUS_ACCESS_DENIED” or similar errors:

Verify credentials (username, password, domain)
Ensure the LocalAccountTokenFilterPolicy registry key is set correctly
Check that the remote user has administrative privileges
Verify that WMI services are running on the target machine

WMI Query Errors

For “StatusInvalidQuery” errors:

Ensure you’re using proper WQL syntax (SELECT statements) rather than wmic-style “get” commands
Check your query for typographical errors
Verify that the WMI classes and properties exist on the target Windows version

Network Connectivity Issues

If you cannot connect to the remote system:

Verify network connectivity with ping or traceroute
Check that necessary ports (135, 445, etc.) are open
Ensure Windows Firewall or other security software is not blocking the connection

Conclusion

Remote monitoring and management of Windows systems from Linux provides powerful capabilities for cross-platform system administration. By mastering tools like winexe and wmic, and understanding WQL queries, you can effectively gather information and execute commands without needing to install agents or accessing the Windows system directly.

Remember that these techniques should be used responsibly and securely, with proper attention to authentication, authorization, and auditing. For modern environments, you might also consider exploring API-based monitoring solutions that provide more secure and standardized interfaces for remote management.