April 8, 2016 · pentesting privesc

WMIC OS GET

WMIC OS GET provides a wealth of information about the installed Windows operating system. As I listed several of these in my previous post on Windows privilege escalation, I thought that I would expand and provide a list of all commands I find to be relevant. Information taken from the MSDN.

Format is: WMIC OS GET property, where property is the name shown before the = sign in each entry below.

  • BootDevice = Name of the disk drive from which the Windows operating system starts.

  • BuildNumber = Build number of an operating system. It can be used for more precise version information than product release version numbers.

  • BuildType = Type of build used for an operating system.

  • Caption = Short description of the object, a one-line string. The string includes the operating system version. For example, "Microsoft Windows 7 Enterprise". This property can be localized.

  • CountryCode = Code for the country/region that an operating system uses. Values are based on international phone dialing prefixes—also referred to as IBM country/region codes. This property can use a maximum of six characters to define the country/region code value.

  • CSDVersion = NULL-terminated string that indicates the latest service pack installed on a computer. If no service pack is installed, the string is NULL.

  • CSName = Name of the scoping computer system.

  • CurrentTimeZone = Number, in minutes, an operating system is offset from Greenwich mean time (GMT). The number is positive, negative, or zero.

  • DataExecutionPrevention_32BitApplications = When the data execution prevention hardware feature is available, this property indicates that the feature is set to work for 32-bit applications if True. On 64-bit computers, the data execution prevention feature is configured in the Boot Configuration Data (BCD) store and the properties in Win32_OperatingSystem are set accordingly.

  • DataExecutionPrevention_Available = Data execution prevention is a hardware feature to prevent buffer overrun attacks by stopping the execution of code on data-type memory pages. If True, then this feature is available. On 64-bit computers, the data execution prevention feature is configured in the BCD store and the properties in Win32_OperatingSystem are set accordingly.

  • DataExecutionPrevention_Drivers = When the data execution prevention hardware feature is available, this property indicates that the feature is set to work for drivers if True. On 64-bit computers, the data execution prevention feature is configured in the BCD store and the properties in Win32_OperatingSystem are set accordingly.

  • Debug = Operating system is a checked (debug) build. If True, the debugging version is installed. Checked builds provide error checking, argument verification, and system debugging code. Additional code in a checked binary generates a kernel debugger error message and breaks into the debugger. This helps immediately determine the cause and location of the error. Performance may be affected in a checked build due to the additional code that is executed.

  • Description = Description of the Windows operating system. Some user interfaces, for example those that allow editing of this description, limit its length to 48 characters.

  • Distributed = If True, the operating system is distributed across several computer system nodes. If so, these nodes should be grouped as a cluster.

  • EncryptionLevel = Encryption level for secure transactions: 40-bit, 128-bit, or n-bit.

    • 40-bit (0)
    • 128-bit (1)
    • n-bit (2)
  • FreePhysicalMemory = Number, in kilobytes, of physical memory currently unused and available.

  • FreeSpaceInPagingFiles = Number, in kilobytes, that can be mapped into the operating system paging files without causing any other pages to be swapped out.

  • FreeVirtualMemory = Number, in kilobytes, of virtual memory currently unused and available.

  • InstallDate = Date object was installed. This property does not require a value to indicate that the object is installed.

  • LastBootUpTime = Date and time the operating system was last restarted.

  • LocalDateTime = Operating system version of the local date and time-of-day.

  • Locale = Language identifier used by the operating system. A language identifier is a standard international numeric abbreviation for a country/region. Each language has a unique language identifier (LANGID), a 16-bit value that consists of a primary language identifier and a secondary language identifier.

  • Manufacturer = Name of the operating system manufacturer. For Windows-based systems, this value is "Microsoft Corporation".

  • MUILanguages = Multilingual User Interface Pack (MUI Pack) languages installed on the computer. For example, "en-us". MUI Pack languages are resource files that can be installed on the English version of the operating system. When an MUI Pack is installed, you can change the user interface language to one of 33 supported languages.

  • Name = Operating system instance within a computer system.

  • NumberOfLicensedUsers = Number of user licenses for the operating system. If unlimited, enter 0 (zero). If unknown, enter -1.

  • NumberOfProcesses = Number of process contexts currently loaded or running on the operating system.

  • NumberOfUsers = Number of user sessions for which the operating system is storing state information currently.

  • OperatingSystemSKU = Stock Keeping Unit (SKU) number for the operating system. These values are the same as the PRODUCT_* constants defined in WinNT.h that are used with the GetProductInfo function.

  • Organization = Company name for the registered user of the operating system.

  • OSArchitecture = Architecture of the operating system, as opposed to the processor. This property can be localized.

  • PortableOperatingSystem = Specifies whether the operating system booted from an external USB device. If true, the operating system has detected it is booting on a supported locally connected storage device.

    • This property is not supported before Windows 8 and Windows Server 2012.
  • Primary = Specifies whether this is the primary operating system.

  • ProductType = Additional system information.

  • RegisteredUser = Name of the registered user of the operating system.

  • SerialNumber = Operating system product serial identification number.

  • ServicePackMajorVersion = Major version number of the service pack installed on the computer system. If no service pack has been installed, the value is 0 (zero).

  • ServicePackMinorVersion = Minor version number of the service pack installed on the computer system. If no service pack has been installed, the value is 0 (zero).

  • Status = Current status of the object. Various operational and nonoperational statuses can be defined. Operational statuses include: "OK", "Degraded", and "Pred Fail" (an element, such as a SMART-enabled hard disk drive, may function properly but predict a failure in the near future). Nonoperational statuses include: "Error", "Starting", "Stopping", and "Service". The Service status applies to administrative work, such as mirror-resilvering of a disk, reload of a user permissions list, or other administrative work. Not all such work is online, but the managed element is neither "OK" nor in one of the other states.

    • "OK"
    • "Error"
    • "Degraded"
    • "Unknown"
    • "Pred Fail"
    • "Starting"
    • "Stopping"
    • "Service"
  • SystemDevice = Physical disk partition on which the operating system is installed.

  • SystemDirectory = System directory of the operating system.

  • Version = Version number of the operating system.
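
Several properties can be requested in one call, for example `wmic os get BuildNumber,Caption,CSDVersion,EncryptionLevel,LastBootUpTime /format:list`, which prints one Key=Value line per property. The following is an added example, not part of the original post: it parses that output into a host baseline record, decoding the CIM timestamp and the EncryptionLevel codes listed above. The sample output is constructed and the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample output (not from a real host); wmic emits "\r\r\n" line endings.
SAMPLE = (
    "\r\r\nBuildNumber=7601\r\r\n"
    "Caption=Microsoft Windows 7 Enterprise \r\r\n"
    "CSDVersion=Service Pack 1\r\r\n"
    "DataExecutionPrevention_Available=TRUE\r\r\n"
    "DataExecutionPrevention_Drivers=TRUE\r\r\n"
    "DataExecutionPrevention_32BitApplications=FALSE\r\r\n"
    "EncryptionLevel=1\r\r\n"
    "LastBootUpTime=20160408093015.500000+060\r\r\n"
    "\r\r\n"
)
ENCRYPTION_LEVEL = {"0": "40-bit", "1": "128-bit", "2": "n-bit"}  # from the list above


def parse_list(text):
    """Turn Key=Value lines into a dict, tolerating blank lines and stray CRs."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key:
            props[key] = value.strip()
    return props


def cim_datetime(value):
    """Decode CIM datetime yyyymmddHHMMSS.mmmmmm+UUU (UUU = minutes from UTC)."""
    stamp = datetime.strptime(value[:21], "%Y%m%d%H%M%S.%f")
    offset = timedelta(minutes=int(value[21:]))
    return stamp.replace(tzinfo=timezone(offset))


def baseline(text):
    """Summarise the patch-level and DEP properties a host audit would record."""
    p = parse_list(text)
    dep = {k.split("_", 1)[1]: v.upper() == "TRUE"
           for k, v in p.items() if k.startswith("DataExecutionPrevention_")}
    return {
        "os": p["Caption"],
        "build": int(p["BuildNumber"]),
        "service_pack": p.get("CSDVersion") or None,
        "encryption": ENCRYPTION_LEVEL.get(p.get("EncryptionLevel"), "unknown"),
        "dep": dep,
        "dep_gaps": sorted(k for k, v in dep.items() if not v),
        "last_boot": cim_datetime(p["LastBootUpTime"]),
    }
```

An empty CSDVersion (no service pack installed) is reported as None, and `dep_gaps` names the DEP scopes that are switched off on the host.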