wmic
WMI command-line interface. Used for system information gathering, remote execution, process creation, and persistence.
Binary Paths
C:\Windows\System32\wbem\wmic.exe
Glob Patterns
| Pattern | Notes |
|---|---|
| `for /f %i in ('where wmi?.exe') do %i process call create cmd.exe` | Wildcard replaces 'c' |
| `for /f %i in ('where wmi*c.exe') do %i` | Star intentionally matches nothing (or variant chars); more specific than w*c.exe to avoid ambiguity with windmc.exe |
| `for /f %i in ('dir /b C:\Windows\System32\wbem\wmi?.exe') do %i` | Full path dir glob |
| `for /f %i in ('where wmic*') do %i` | Trailing star matches '.exe' |
| `for %i in (C:\Windows\System32\wbem\wmi?.exe) do @%i process call create cmd.exe` | Native CMD for loop with filesystem glob — wmi? uniquely matches wmic.exe in the wbem subdirectory |
| `for /f %i in ('where /r C:\Windows\System32\wbem wmi?.exe') do %i process call create cmd.exe` | Recursive where search scoped to wbem directory — wmic.exe lives in System32\wbem, not directly in System32 |
| `forfiles /p C:\Windows\System32\wbem /m wmi?.exe /c "@file process call create cmd.exe"` | forfiles ? mask scoped to the wbem subdirectory where wmic.exe resides — @file expands to matched filename |
| `cmd /c for /f %i in ('where wmi?.exe') do %i process call create cmd.exe` | cmd /c wrapper adds an extra process layer — glob resolves via where; parent process becomes cmd.exe not the caller |
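An added detection example, not part of the original page or its auto-generated rule: a Python check that flags logged command lines whose wildcard token resolves to wmic.exe, so the patterns above are caught even though the string "wmic" never appears. It assumes `fnmatch` is a close enough approximation of cmd.exe wildcard matching; the `NEIGHBOURS` list and the function names are constructed for the illustration.

```python
import fnmatch
import re

TARGET = "wmic.exe"
# Constructed reference listing (assumption): other binaries a loose glob could hit.
# windmc.exe is the collision named in the table's notes.
NEIGHBOURS = ["windmc.exe", "wbemtest.exe", "mofcomp.exe", "where.exe"]

# Tokens are runs of characters that are not whitespace, quotes or parentheses,
# which is enough to pull the glob out of for /f ('...') and for (...) forms.
TOKEN = re.compile(r"[^\s'\"()]+")


def glob_hits(cmdline, target=TARGET, neighbours=NEIGHBOURS):
    """Return [(token, other_matches)] for wildcard tokens that match target."""
    hits = []
    for tok in TOKEN.findall(cmdline):
        if "*" not in tok and "?" not in tok:
            continue
        # Compare the file-name part only, case-insensitively.
        # '[' is escaped because fnmatch treats it as a character class; cmd does not.
        pat = tok.rsplit("\\", 1)[-1].lower().replace("[", "[[]")
        if fnmatch.fnmatchcase(target, pat):
            others = [n for n in neighbours if fnmatch.fnmatchcase(n, pat)]
            hits.append((tok, others))
    return hits


def is_suspicious(cmdline):
    """True when a wildcard selects wmic.exe and nothing else in the reference list."""
    return any(not others for _, others in glob_hits(cmdline))


if __name__ == "__main__":
    # Constructed sample log: two rows from the table above, three benign lines.
    sample = [
        r"for /f %i in ('where wmi?.exe') do %i process call create cmd.exe",
        r'forfiles /p C:\Windows\System32\wbem /m wmi?.exe /c "@file process call create cmd.exe"',
        r"dir /b C:\Windows\System32\*.exe",
        "where w*c.exe",
        "wmic os get caption",
    ]
    for line in sample:
        print("ALERT" if is_suspicious(line) else "ok   ", line)
```

Broad globs such as `*.exe` still show up in `glob_hits` with their other matches listed, so they can be scored lower rather than dropped.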
YARA Rule
Auto-generated detection rule for wmic