Windows Management Instrumentation: Background and Overview
Summary: This article provides an introduction to Web-Based Enterprise Management (WBEM), and describes how the Microsoft implementation of WBEM-compatible technologies—Windows Management Instrumentation (WMI)—and the latest enhancements to the Component Object Model (COM) work together to simplify systems management while providing a better-managed environment. (10 printed pages)
Standard WBEM Components
Microsoft WBEM Implementation: WMI
CIM Object Manager
WMI Query Language
For More Information
Total cost of ownership (or TCO)—the real cost of maintaining a distributed personal computer network—extends far beyond the initial purchase of hardware and software. TCO includes the deployment and configuration expense, costs associated with deploying hardware and software updates, training and retraining, day-to-day maintenance and administration, and telephone and on-site technical support. With these escalating costs in mind, Microsoft® and others are working together on several initiatives designed to lower the total cost of ownership of personal computers in the enterprise.
Key among these efforts is Web-Based Enterprise Management (WBEM), an industry initiative that establishes management infrastructure standards and provides a way to combine information from various hardware and software management systems. WBEM specifies standards for a unifying architecture that allows access to data from a variety of underlying technologies and platforms, and presents that data in a consistent fashion. Management applications can then use this information to create solutions that reduce the maintenance and life cycle costs of managing an enterprise network. WBEM is based on the Common Information Model (CIM) schema, which is an industry standard driven by the Distributed Management Task Force (DMTF).
Microsoft Windows Management Instrumentation (or WMI) is WBEM-compliant, and provides a consistent and richly descriptive model of the configuration, status, and operational aspects of the Microsoft Windows® 2000 operating system. Used in conjunction with other management services provided in Windows 2000, WMI can simplify the task of developing well-integrated management applications, allowing vendors to provide Windows 2000 customers with scalable, effective enterprise management solutions.
This article provides an overview of WBEM, including a discussion of its history. It then briefly describes the WBEM standard components and the WBEM-compatible Windows management architecture, and provides descriptive examples of how WMI functions in concert with other Windows management technologies.
Web-Based Enterprise Management (WBEM) is an industry initiative to develop a standardized, non-proprietary means for accessing and sharing management information in an enterprise network. WBEM will result in technology that enables customers to collect, associate, and aggregate management data from diverse sources, thus creating richer and more accurate views of their enterprise environments. The WBEM initiative is intended to solve the problem of collecting end-to-end management and diagnostic data in enterprise networks that may include hardware from multiple vendors, numerous protocols and operating systems, and a legion of distributed applications, as illustrated in Figure 1.
Figure 1. Protocols and interfaces in an enterprise network
Typically, enterprise management has been tied to different protocols and interfaces for different disciplines; for example, Simple Network Management Protocol (SNMP) has been used for network management, and the Desktop Management Interface (DMI) has been used for desktop systems management. WBEM assumes that enterprise network management requires tools that work together to provide a single, shared model for the collection of management information. WBEM provides this common model and data source, and can be extended to work with existing network components, tools, and protocols.
Figure 2. WBEM standards-based initiative for enterprise network management
In summary, WBEM is not browser-based, nor is it a user interface (UI) tool, a data repository, a network management protocol, a component model, or a registry, directory, or file system replacement. WBEM is an initiative that proposes a set of standards for managing the enterprise network, as illustrated in Figure 2. These management standards:
- Define the structures and conventions necessary to access information about the managed objects.
- Support centralization of information so that different clients and management tools can provide, retrieve, and analyze data.
- Support authorized access to managed objects from anywhere in the network so that these objects can be analyzed and manipulated.
The WBEM proposal was originally envisioned in 1996 by a collection of companies headed by Microsoft, Compaq Computer, BMC Software, Cisco Systems, and Intel. The vision was to define an open environment for management, where all managing systems and application could access, control, and share management information with each other and with any managing agent on a managed device, using existing technology and standards as much as possible. In many respects, the goal reflected the technological breakthroughs of the World Wide Web, where, for the first time, devices on the Internet could act as sources and consumers of information without any knowledge of the specific environments in which each component operated. Because of this shared vision, together with the possibility of using Web-based technologies in addition to more conventional management tools to create an open management environment, the name for the initiative became Web-Based Enterprise Management (WBEM).
The founding companies, working together with the Distributed Management Task Force (or DMTF), developed the prototype set of environment-independent specifications for how to describe and access any type of management instrumentation, including standards such as SNMP and DMI. The core component of this specification is a data description mechanism that later became the DMTF standard known as the Common Information Model (CIM).
Originally known as the HyperMedia Management Schema (HMMS) project, the CIM Specification describes the modeling language, naming, and mapping techniques used to collect and transfer information from data providers and other management models. The CIM Schema provides the actual model descriptions and information framework. It defines a set of classes with properties and associations, making it possible to organize information about the managed environment.
The DMTF owns both the CIM Specification and CIM Schema, and has positioned them as industry-wide standards for accessing and sharing network management data. (For more information about individual components as implemented for Windows environments, please refer to the WMI Architecture section, below.)
From 1996 through 1998, Microsoft worked to develop a Windows-based implementation of WBEM technology. This work included the development of a WBEM Software Development Kit (SDK) and various CIM components and CIM-compliant data provider technologies.
In June 1998, The Distributed Management Task Force (DMTF) announced that it was accepting a transfer of the WBEM initiative from the founding corporations. The DMTF is now the focal point for WBEM initiative efforts, providing an organizational framework for broader industry participation in the development of WBEM-compatible technologies and standards. Specific implementations of WBEM-based standards, such as the Microsoft Windows Management Instrumentation SDK (formerly called the WBEM SDK), remain the responsibility of the vendors who developed them. In taking on the WBEM initiative, the DMTF agreed that it would use current WBEM technologies, such as the Microsoft implementation of CIM, as reference examples. The DMTF further agreed to maintain the WBEM promise of environment neutrality, and would therefore refrain from specifying any implementation dependencies (such as use of a particular programming language) in any requirements.
Currently, there are two key parts to WBEM (however, more standards are expected—for example, the use of XML for platform-neutral sharing of CIM objects):
- The CIM Specification, which defines the requirements of the WBEM implementation.
- The CIM Schema, which describes the contents of the data repository.
Fundamentally, WBEM is an initiative that proposes the implementation of the Common Information Model, or CIM. CIM is an object-oriented schema of managed objects. These managed objects are representations of system resources, and the schema provides a single data description mechanism for any data that they may provide. WBEM provides an information standard that defines how data is represented and a process standard that defines how components interact.
The CIM Schema consists of a Core model, which applies to all management domains, and a number of Common models, which describe information that is common to specific types of management domains—systems, network, database, application, and devices.
The schema itself is extensible—extension schemas represent technology-specific additions to the Common schema; for example, you may see an extension schema that is specific to a certain operating system.
Microsoft Windows Management Instrumentation (WMI), which is WBEM-compliant, supports uniform system and applications management based on the Common Information Model adopted by the Distributed Management Task Force. WMI is a key component of Microsoft Windows management services. Windows management services also include the location and policy service of the Active Directory™ directory service, the presentation services of the Microsoft Management Console (MMC), and the automation capabilities of Windows Script Host (WSH).
As the core of the Microsoft management infrastructure, WMI helps to reduce the maintenance and cost of managing components in a Windows 2000-based enterprise network. WMI provides:
- A rich and consistent model of Windows 98 and Windows 2000 operation, configuration, and status. (Note that WMI downloadable core components are also available for the Windows NT 4.0 and the Windows 95 operating systems.)
- A COM API that supplies a single point of access to all management information.
- Interoperability with other Windows 2000 management services, which will simplify vendors' efforts to create well-integrated management applications.
- A flexible architecture that allows vendors to extend the information model to cover new devices, applications, and other enhancements by writing code modules (WMI providers).
- A powerful event architecture that allows changes in management information to be identified, aggregated, compared to, and associated with other management information, and forwarded to local or remote management applications.
- A rich query language that enables detailed queries of the information model.
- A scriptable API, which enables management application developers to use Microsoft Visual Basic® or Windows Script Host (WSH).
For example, local and remote eventing combined with a rich query language to the information model provides the means to create solutions to complex management problems. The ability to easily script these solutions in Visual Basic or using WSH adds an often-requested dimension to Windows NT-based management.
The next few sections describe the Microsoft WBEM implementation in greater detail.
WBEM provides a three-tiered approach for collecting and distributing management data. In Microsoft WMI, this approach consists of a standard mechanism for storing object definitions (a CIM-compliant object repository), a standard protocol for obtaining and disseminating management data (COM/DCOM; other protocols are also possible), and one or more Win32® dynamic-link libraries (DLLs) that function as WMI data providers. A WMI provider supplies instrumentation data for parts of the CIM schema.
Figure 3. WMI architecture
The executable process that provides all of the WMI functionality is WinMgmt.exe. This executable supports the CIM object repository, the CIM Object Manager, and the APIs that together deliver WMI.
The CIM Object Manager is a key component of the Microsoft implementation of WBEM technology. A central goal of WBEM is uniform representation of data, and this data is encapsulated in object-oriented fashion in the CIM object repository. The CIM Object Manager provides a collection and manipulation point for managed objects stored in the repository—it facilitates gathering and manipulating information about these managed objects.
Note that the CIM Object Manager does not access management information directly. WMI providers gather information from a resource (a managed object), and then make it available to management applications through the WMI API. In short, the CIM Object Manager provides the CIM functionality in WMI.
WMI providers act as intermediaries between the CIM Object Manager and one or more managed objects. When the CIM Object Manager receives a request from a management application for information that is not available from the CIM repository or for notification of events that it doesn’t support, it forwards the request to the provider. The provider then supplies the information or event notification requested.
WMI includes the following providers:
- Win32 Provider
- WDM Provider
- Event Log Provider
- Registry Provider
- Performance Counter Provider
- Active Directory Provider
- Windows Installer Provider
- SNMP Provider
- View Provider
Third-party vendors can use the WMI SDK to create custom providers to interact with managed objects that are specific to their own environments.
Note that the Microsoft WMI technologies do not attempt to replace existing management standards such as SNMP, DMI, or CMIP, or to preclude proprietary or platform-specific frameworks such as NDS. In fact, WMI complements these technologies by providing an integration point through which data from all such sources can be accessed. This integration point makes any management application independent of specific APIs or standards used to instrument managed entities, allowing system administrators to correlate data and events from multiple sources on either a local or enterprise basis.
WMI security uses Windows 2000 security to validate a user’s logon information both for the local computer and for remote access. A validated user is granted some form of controlled access to the entire Common Information Model (CIM) schema. WMI enforces security for system resources at the level of individual namespaces, such as cimv2. WMI also allows control of global permissions on schema operations, such as limiting the access of some users to read-only operations.
Security checks are performed only when a user logs on to WinMgmt. Therefore, any changes made to a user’s access rights while that user is connected to WinMgmt will not take effect until the next time the user logs on. This includes situations where a user's access is revoked.
Details of the security implementation are provided in the WMI SDK.
Event notification is a key feature of WMI, allowing components to detect hardware or software events and/or errors. An event can then be passed through the WMI architecture to the appropriate management component for corrective action.
In WMI, an event is an occurrence that either corresponds to specific, previously defined conditions that arise in the real world (extrinsic event) or to changes in the CIM repository (intrinsic event). After an event occurs, an event provider notifies the CIM Object Manager, and then the CIM Object Manager delivers this notification to one or more registered recipients, known as event consumers. Event consumers can register with the CIM Object Manager to receive particular types of notifications, and event providers can register to supply particular types of notifications. To enable event consumers to operate independently from event providers, the CIM Object Manager acts as the intermediary, matching registered consumers with responsible providers and forwarding appropriate events.
Event consumers register to receive notifications without knowing how the events and notifications are provided. To register, these consumers specify a filter. The filter is created using the WMI Query Language (WQL). It describes the conditions under which the consumer wants to receive event notification.
The WMI Query Language (WQL) is a dialect of structured query language (SQL), with extensions to support event notification and other WBEM-compatible features. When consumers register to receive event notifications, they specify a query that defines the type of event and the conditions under which it is delivered to them. You can use WQL to construct specific event notification filters for components in your enterprise network. WQL is defined in the WMI SDK.
You can use the scripting interfaces for WMI to develop script and Visual Basic applications that can interact with the CIM Object Manager. WMI provides scripting support for the following languages:
- Microsoft Visual Basic
- Visual Basic for Applications
- Visual Basic, Scripting Edition (VBScript)
- Microsoft JScript®
The scripting interfaces differ from the COM interfaces for the CIM Object Manager in that they are adapted for Visual Basic, Visual Basic for Applications, Visual Basic Scripting Edition (VBScript), and other scripting languages.
Scripting languages and the ability to write scripts for batch processes, automating event handling, and so forth, have been around for many years. However, the Microsoft WBEM-compatible scripting provides the following scripting advantages:
- It uses a data-driven approach—CIM. CIM provides one model for manipulating disparate information, and the scripting API isolates applications from the complexity of various data sources.
- It provides expansive coverage of system, network, and application information. The Microsoft implementation provides Win32, SNMP, registry, Windows Driver Model (WDM), Performance Monitor, Event Log, and ADSI providers. Other vendors, including Intel, Compaq Computer, Hewlett-Packard, and BMC Software, will be distributing providers to enable vendor-specific instrumentation, as will Microsoft Systems Management Server. Other providers from Microsoft are in development.
- Provider instrumentation is simple to extend. Tools, samples, and the extensible provider architecture are defined fully in the Microsoft WMI SDK. Moreover, there is wide industry support for provider development.
- New scripts are simple to write. The Microsoft WBEM-compatible API is simple to use, and the schema is browseable and extensible to allow script coverage and innovation.
In the Windows 2000 timeframe, Microsoft intends to provide a comprehensive set of systems administration scripts. These scripts will provide local and remote system administration capabilities from the command line, and will provide support for the Windows 95, Windows 98, Windows NT 4.0, and Windows 2000 family of operating systems. Script versions will be provided in VBScript, Perl, and JScript, and these scripts will be easy to extend and customize for specific networks. Moreover, the WSH object model will be extended to interact with the CIM Schema.
The following section uses the WDM provider to demonstrate how Microsoft WBEM-compatible WMI architecture functions.
Microsoft developed the WDM provider for kernel component instrumentation. The WDM instrumentation component is part of the Windows Driver Model (WDM) architecture; however, it has broad utility and can be used with other types of drivers as well (such as SCSI and NDIS). The WDM provider interfaces with a kernel mode component that provides services to allow WDM-enabled drivers to implement WMI, and also acts as an interface to the WDM provider. WMI uses the WDM provider to publish information, configure device settings, and supply event notification from device drivers.
The WDM portions of WMI distribute the following data:
- Published data—A standard set of data will be built into the Windows 2000-supplied port/class drivers.
- Custom data—Provided through OEM/IHV driver extensions.
- Secure data—Provided through Windows 2000 security descriptors for a designated usage.
- Expensive data (optional)—Some data collection activity can significantly affect the performance of the driver; this data should only be collected when the management application specifically requests it. By default, a driver will not collect the expensive data. However, when a WMI-enabled management application requests that expensive data, WMI signals the driver to start it. Then, when the last application that was interested in that data terminates, WMI signals the driver to stop collecting it. Note that the driver writer, not WMI, decides what data is expensive to collect, and the mechanism for identifying expensive data is extremely simple.
- Event Notifications—Event notification is a key feature of WMI, allowing drivers to detect hardware events and/or errors. Hardware event notification is handled by event filters and the CIM Object Manager, as explained previously.
WMI also allows a management application to configure a device. A management application may need to reconfigure a device based upon a driver-raised event or because of the data collected by the management application.
The following illustration (Figure 4) provides an overview of the WDM provider and kernel mode instrumentation within the WMI architecture and process flow.
Figure 4. WDM provider and kernel mode instrumentation
The purpose of the DMTF WBEM initiative is to define a non-proprietary set of environment-independent specifications to allow management information to be logically organized and shared between management applications operating in similar and dissimilar operating system environments. This helps reduce TCO in the enterprise, allowing system problems to be diagnosed and resolved from a central location, thus making networks much easier to manage.
Windows Management Instrumentation (WMI) can be summarized as follows:
- WMI is a key component of Microsoft Windows management services. Windows management services also include the location and policy service of Active Directory, the presentation services of the Microsoft Management Console (MMC), and the automation capabilities of Windows Script Host (WSH).
- The executable process that provides WMI functionality is WinMgmt.exe. This executable supports the CIM object repository, the CIM Object Manager, and the APIs that together deliver WMI.
- WMI is a Windows-based implementation of the DMTF Web-Based Enterprise Management (WBEM) initiative, and is fully compliant with the DMTF CIM version 2.0 management schema definitions.
The Microsoft WBEM-compatible management architecture provides fully integrated operating system support for uniform system and applications management based on CIM. Management applications can use the WMI technologies to provide a consistent approach that will reduce the maintenance and life cycle costs associated with managing Windows 2000.
WMI can use information originating from diverse sources to monitor the health of an application, service, or an entire Windows 2000-based network. Thresholds and aggregate views of data can reconcile disparate information and events to diagnose problems and provide an accurate, detailed picture of the network—including potential for serious problems. When used in combination with scripting capabilities, WMI-supplied data can be used for load balancing and event-triggered alarm, backup, or system shutdown decisions. And, when combined with the other Windows management technologies, WMI can help to simplify the task of developing well-integrated management applications that provide end-to-end network and systems management.
For the latest information about Windows 2000 Server management infrastructure, see the Windows 2000 Home Page and the Windows 2000 Server Forum on the Microsoft Network (GO WORD: MSNTS).
For more information about Windows Management Instrumentation (WMI), see the Microsoft Windows Management Instrumentation (WMI) SDK.
For more information about the WBEM initiative and the DMTF, see http://www.dmtf.org/.