WMI & CIM
The management instrumentation layer behind many admin tools and scripts.
Related labs
Hands-on exercises for this area — in the browser or on a Windows machine.
View all labsOfficial Microsoft docs
Closest official references related to this topic on Microsoft Learn.
Why it matters
WMI exposes live system state—processes, services, disks, events—to scripts and enterprise tools without bespoke APIs for everything.
Mental model
Providers publish classes and instances. Consumers query WMI/CIM (PowerShell Get-CimInstance, WMIC legacy) to read or subscribe.
How it works
- 1WMI infrastructure routes queries to in-process or kernel providers.
- 2Classes describe objects; instances represent live or static state.
- 3Event consumers can subscribe to provider notifications.
Key terms
- WMI provider
- Component that supplies WMI classes and answers queries.
- CIM
- Common Information Model; schema used by modern WMI access.
PowerShell querying Win32_Process
Get-CimInstance Win32_Process is WMI under the hood, useful for inventory and triage scripts.
Common misconception
WMI is not the Event Log. It can surface events via providers, but it is a broader management stack.
You should read next
Ranked from your current topic, related links, branch depth, and any active guided path.
intermediate
ETW tracing
Real-time sessions, controllers, and consumers for higher-volume tracing.
Related topic
beginner
Services & background infrastructure
How Windows launches, groups, isolates, and supervises long-running background components.
Related topic
beginner
Processes & threads
How Windows represents work, isolates applications, and schedules execution.
Related topic
Related topics
ETW tracing
Real-time sessions, controllers, and consumers for higher-volume tracing.
Services & background infrastructure
How Windows launches, groups, isolates, and supervises long-running background components.
Processes & threads
How Windows represents work, isolates applications, and schedules execution.