> For the complete documentation index, see [llms.txt](https://dudisamarel.gitbook.io/oscp-notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://dudisamarel.gitbook.io/oscp-notes/windows/lateral-movement/wmi-and-winrm.md). # WMI and WinRM ## WMI [Windows Management Instrumentation](https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page) (WMI), is an object-oriented feature for task automation.\ It communicates through RPC over port 135 and capable of creating processes. WMI is capable of creating processes via the *Create* method from the *Win32\_Process* class. ### Remote process To create a process on the remote target using WM it is **required member of the Administrators local group**. Create a process using `wmic`: {% code overflow="wrap" %} ```batch wmic /node: /user: /password: process call create "" ``` {% endcode %} Create a process using PowerShell: ```powershell $username = ''; $password = ''; $secureString = ConvertTo-SecureString $password -AsPlaintext -Force; $credential = New-Object System.Management.Automation.PSCredential $username, $secureString; $options = New-CimSessionOption -Protocol DCOM $session = New-Cimsession -ComputerName -Credential $credential -SessionOption $Options $command = ''; Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command}; ``` ## WinRM [Windows Remote Management](https://learn.microsoft.com/en-us/windows/win32/winrm/portal) is Microsoft's implementation of the [WS-Management](https://en.wikipedia.org/wiki/WS-Management) protocol, used for remote host management. It exchanges XML-based messages over HTTP and HTTPS for secure communication. ### WinRS **Windows Remote Shell** is a command-line tool used for executing commands remotely on a Windows machine using the WinRM protocol. It allows **administrators** to manage remote systems securely, similar to SSH in Linux. #### Usage: ```bash winrs -r: -u: -p: ``` ## PS-Remoting **PowerShell Remoting** allows for the remote execution of PowerShell commands and scripts on other Windows machines using the WinRM protocol. It supports interactive sessions. The following requirements must be met to use PS-Remoting: * PS-Remoting must be **enabled** on the target machine. * The user must belong to either the **Administrators** group or the **Remote Management Users** group. #### Usage: ```powershell $username = ''; $password = ''; $secureString = ConvertTo-SecureString $password -AsPlaintext -Force; $credential = New-Object System.Management.Automation.PSCredential $username, $secureString; PSSession -ComputerName -Credential $credential ``` ## References {% embed url="" %} WS-Management protocol {% endembed %} {% embed url="" %} WinRM {% endembed %} {% embed url="" %} winrs {% endembed %} {% embed url="" %} WMI {% endembed %} --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://dudisamarel.gitbook.io/oscp-notes/windows/lateral-movement/wmi-and-winrm.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.