WMI Query Language (WQL) – An introduction

These posts are also available in the form of an ebook: WMI Query Language via PowerShell.


I have been using WMI a lot these days and got to play with WQL as well. In this series of posts, I want to write about how WMI Query Language (WQL) can be used to retrieve management data exposed by WMI. Yes, this has nothing to do with PowerShell, but as a PowerShell lover (and an MVP now), I will use PowerShell for all my examples.

Windows Management Instrumentation (WMI) is the Microsoft implementation of Web-based Enterprise Management (WBEM), which is an industry initiative to develop a standard technology for accessing management information in an enterprise environment. WMI uses the Common Information Model (CIM) industry standard to represent systems, applications, networks, devices, and other managed components. CIM is developed and maintained by the Distributed Management Task Force (DMTF). We can write WMI scripts to automate several tasks on local or remote computer(s).

PowerShell has a few cmdlets to retrieve the management data exposed by WMI. You can see these cmdlets by running:

#Use Get-Command and mention WMI* as the Noun
Get-Command -Noun WMI*

One of the cmdlets to retrieve WMI information is Get-WMIObject. In its basic usage, this cmdlet gets the instances of a specified WMI class. So, for example, if you need to list all drives of type 4 (network drives) in a system:

Get-WmiObject -Class Win32_LogicalDisk | Where-Object {
    $_.DriveType -eq 4
}

In the above method, we retrieve all instances of Win32_LogicalDisk and then pass them to Where-Object to filter out what we need. Depending on how many instances there are, this can take a while. You can use an alternative approach by specifying the -Query parameter instead of -Class.

#This example uses -Query parameter and specifies the query using WQL
Get-WmiObject -Query "Select * from Win32_LogicalDisk WHERE DriveType=4"

The above example uses WMI Query Language to get the same information as the earlier example, but a bit faster. You can, of course, verify that using the Measure-Command cmdlet. You can see the clear difference here.

Difference in execution time


The above example is very basic and may not really explain the usefulness of WQL; the speed of execution is just one benefit. When using WQL, there are quite a few advanced querying techniques that can be used to retrieve WMI information in an efficient manner. And sometimes, such as when working with WMI events, WQL becomes a necessity. So, this series of posts will explain each of those scenarios with appropriate examples.

With that background, let us now look at WMI Query Language.

The WMI Query Language (WQL) is a subset of the American National Standards Institute Structured Query Language (ANSI SQL), with minor semantic changes. Similar to SQL, WQL has a set of keywords and operators. WQL supports three types of queries:

Data Queries

This type is the simplest form of querying for WMI data. The earlier example, where we queried for all instances of Win32_LogicalDisk where the DriveType is 4, is a data query. Data queries are used to retrieve class instances and data associations. The WQL keywords such as SELECT, ASSOCIATORS OF, REFERENCES OF, and ISA are used in data queries.

Schema Queries

Schema queries are used to retrieve class definitions (rather than class instances) and schema associations. In layman’s terms, these queries are used to get information about WMI and its structure. Schema queries return a result set of class definition objects rather than actual instances of classes. The WQL keywords such as SELECT, ASSOCIATORS OF, REFERENCES OF, and ISA are used in schema queries and of course, in a slightly different way than how data queries use these keywords.

Event Queries

Event queries are used to create WMI event subscriptions. For example, using these queries, you can create an event subscription that notifies you whenever a USB drive gets attached to the system. The WQL keywords such as GROUP, HAVING, and WITHIN are used when creating event queries and are specific to them. Event queries are critical when you want to use PowerShell cmdlets such as Register-WMIEvent.
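The three query types side by side, as an added example that is not part of the original post. It assumes Windows PowerShell 5.1 (where Get-WmiObject and Register-WmiEvent exist); the parent class CIM_LogicalDisk, the 2-second polling interval and the subscription name RemovableDiskAdded are choices made for illustration.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1,
# where Get-WmiObject and Register-WmiEvent are available.

# 1. Data query: the WHERE clause is evaluated by WMI, so only matching
#    instances come back. Timed against client-side Where-Object filtering.
$dataQuery = 'SELECT * FROM Win32_LogicalDisk WHERE DriveType = 4'
$clientSide = Measure-Command {
    Get-WmiObject -Class Win32_LogicalDisk | Where-Object { $_.DriveType -eq 4 }
}
$wqlSide = Measure-Command { Get-WmiObject -Query $dataQuery }
'Where-Object: {0:N0} ms, WQL: {1:N0} ms' -f $clientSide.TotalMilliseconds, $wqlSide.TotalMilliseconds

# 2. Schema query: meta_class returns class definitions, not instances.
#    "__this ISA" matches the named class and every class derived from it.
$schemaQuery = "SELECT * FROM meta_class WHERE __this ISA 'CIM_LogicalDisk'"
Get-WmiObject -Query $schemaQuery | ForEach-Object { $_.__CLASS }

# 3. Event query: poll every 2 seconds (WITHIN 2) for new Win32_LogicalDisk
#    instances with DriveType 2 (removable disk), e.g. a USB drive attached.
$eventQuery = "SELECT * FROM __InstanceCreationEvent WITHIN 2 " +
              "WHERE TargetInstance ISA 'Win32_LogicalDisk' " +
              "AND TargetInstance.DriveType = 2"
$sourceId = 'RemovableDiskAdded'   # hypothetical subscription name
Register-WmiEvent -Query $eventQuery -SourceIdentifier $sourceId -Action {
    # TargetInstance is the Win32_LogicalDisk object that was just created
    $disk = $Event.SourceEventArgs.NewEvent.TargetInstance
    $msg = '{0} removable disk {1} ({2}) attached'
    Write-Host ($msg -f (Get-Date -Format s), $disk.DeviceID, $disk.VolumeName)
} | Out-Null

# Remove the temporary subscription when finished:
# Unregister-Event -SourceIdentifier $sourceId
```

The subscription created by Register-WmiEvent is temporary and lives only as long as the PowerShell session that registered it.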

And, finally, a couple of items you should know:

  • WQL does not support cross-namespace queries or associations. You cannot query for all instances of a specified class residing in all of the namespaces on the target computer.
  • WQL queries are read-only. There are no keywords such as INSERT or UPDATE. Using WQL, we cannot modify the WMI objects.

This brings us to the end of this post on WQL introduction. In the subsequent posts, we will look at each of the WQL keywords and each WQL query type. I am also learning as I write this series. So, I welcome your feedback.