Microsoft Windows Management Instrumentation: Background and Overview

 

Microsoft Corporation

September 1998

Summary: This paper provides an introduction to Web-Based Enterprise Management (WBEM), and describes how the Microsoft® implementation of WBEM-compatible technologies—Windows Management Instrumentation (WMI)—and the latest enhancements to the Component Object Model (COM) work together to simplify systems management while providing a better-managed environment.

Contents

Introduction WBEM Overview The Microsoft WBEM Implementation—WMI Summary/Conclusion For More Information

Introduction

Total cost of ownership (TCO), the real cost of maintaining a distributed personal computer network—extends far beyond the initial purchase of hardware and software. TCO includes the deployment and configuration expense, costs associated with deploying hardware and software updates, training and retraining, day-to-day maintenance and administration, and telephone and on-site technical support. With these escalating costs in mind, Microsoft and others are working together on several initiatives designed to lower the total cost of ownership of personal computers in the enterprise.

Key among these efforts is Web-Based Enterprise Management (WBEM), an industry initiative that establishes management infrastructure standards and provides a way to combine information from various hardware and software management systems. WBEM specifies standards for a unifying architecture that allows access to data from a variety of underlying technologies and platforms and presents that data in a consistent fashion. Management applications can then use this information to create solutions that reduce the maintenance and life cycle costs of managing an enterprise network. WBEM is based on the Common Information Model (CIM) schema, which is an industry standard driven by the Desktop Management Task Force (DMTF).

Microsoft Windows® Management Instrumentation (WMI) is WBEM-compliant, and provides a consistent and richly descriptive model of the configuration, status and operational aspects of Microsoft Windows NT®. Used in conjunction with other management services provided in Windows NT, WMI can simplify the task of developing well-integrated management applications, allowing vendors to provide Windows NT customers with scalable, effective enterprise management solutions.

This paper provides an overview of WBEM, including a discussion of its history. It then briefly describes the WBEM standard components and the WBEM-compatible Windows management architecture and provides descriptive examples of how WMI will function in concert with other Windows management technologies and enhancements.

WBEM Overview

Web-Based Enterprise Management (WBEM) is an industry initiative to develop a standardized, nonproprietary means for accessing and sharing management information in an enterprise network. WBEM will result in technology that will enable customers to collect, associate, and aggregate management data from diverse sources, thus creating richer and more accurate views of their enterprise environments. The WBEM initiative is intended to solve the problem of collecting end-to-end management and diagnostic data in enterprise networks that may include hardware from multiple vendors, numerous protocols and operating systems, and a legion of distributed applications.

Figure 1. Enterprise management protocols and interfaces

Typically, enterprise management has been tied to different protocols and interfaces for different disciplines—for example, Simple Network Management Protocol (SNMP) has been used for network management, and the Desktop Management Interface (DMI) has been used for desktop systems management. WBEM assumes that enterprise network management problems require tools that work together to provide a single shared model for the collection of management information. WBEM provides this common model and data source, and can be extended to work with existing network components, tools, and protocols.

Figure 2. WBEM common model for network management

In summary, WBEM is not browser-based, nor is it a user interface (UI) tool, a data repository, a network management protocol, a component model, or a registry, directory, or file system replacement. WBEM is an initiative that proposes a set of standards for managing the enterprise network. These standards:

  • Define the structures and conventions necessary to access information about the managed objects.
  • Support centralization of information so that different clients and management tools can provide, retrieve, and analyze data.
  • Support authorized access to managed objects from anywhere in the network so that these objects can be analyzed and manipulated.

WBEM History

The WBEM proposal was originally envisioned in 1996 by a collection of companies headed by Microsoft, Compaq, BMC, Cisco, and Intel. The vision was to define an open environment for management, where all managing systems and application could access, control, and share management information with each other and with any managing agent on a managed device, using existing technology and standards as much as possible. In many respects, the goal reflected the recent technological breakthroughs of the World Wide Web, where, for the first time, devices on the Internet could act as sources and consumers of information without any knowledge of the specific environments in which each component operated. With this similarity of vision, together with the future possibility of using Web-based technologies in addition to more conventional management tools to create the open management environment, the name for the initiative became Web-Based Enterprise Management (WBEM).

Together, the founding companies, working in concert with the Desktop Management Task Force (or DMTF), developed the prototype set of environment-independent specifications for how to describe and access any type of management instrumentation, including standards such as SNMP and DMI. The core component of this specification was a data description mechanism that would later become the DMTF standard known as the Common Information Model (CIM).

Originally known as the HyperMedia Management Schema (HMMS) project, the CIM Specification describes the modeling language, naming, and mapping techniques used to collect and transfer information from data providers and other management models. The CIM Schema provides the actual model descriptions and information framework. It defines a set of classes with properties and associations, making it possible to organize information about the managed environment.

The DMTF owns both the CIM Specification and CIM Schema, and has positioned them as industry-wide standards for accessing and sharing network management data. (For more information about individual components as implemented for Windows environments, please refer to the WMI Architecture section, below.)

From 1996 through 1998, Microsoft worked to develop a Windows-based implementation of WBEM technology. This work included the development of a WBEM Software Development Kit (SDK) and various CIM components and CIM-compliant data provider technologies.

In June 1998, the Desktop Management Task Force (DMTF) announced that it was accepting a transfer of the WBEM initiative from the founding corporations. The DMTF is now the focal point for WBEM initiative efforts, providing an organizational framework for broader industry participation in the development of WBEM-compatible technologies and standards. Specific implementations of WBEM-based standards, such as the Microsoft Windows Management Instrumentation SDK (formerly called the WBEM SDK), remain the responsibility of the vendors who developed them. In taking on the WBEM initiative, the DMTF agreed that it would use current WBEM technologies, such as the Microsoft implementation of CIM, as reference examples. The DMTF further agreed to maintain the WBEM promise of environment neutrality, and would therefore refrain from specifying any implementation dependencies (such as use of a particular programming language) in any requirements.

Standard WBEM Components

Currently, there are two key parts to WBEM (however, more standards are expected—for example, the use of XML for platform-neutral sharing of CIM objects):

  • The CIM Specification, which defines the requirements of the WBEM implementation
  • The CIM Schema, which describes the contents of the data repository

Fundamentally, WBEM is an initiative that proposes the implementation of the Common Information Model, or CIM. CIM is an object-oriented schema of managed objects. These managed objects are representations of system resources, and the schema provides a single data description mechanism for any data that they may provide. WBEM provides an information standard that defines how data is represented and a process standard that defines how components interact.

The CIM Schema consists of a Core model, which applies to all management domains, and a number of Common models, which describe information that is common to specific types of management domains—systems, network, database, application, and devices.

The schema itself is extensible—extension schemas represent technology-specific additions to the Common schema; for example, you may see an extension schema that is specific to a certain operating system.

The Microsoft WBEM Implementation—WMI

Microsoft Windows Management Instrumentation (WMI), which is WBEM-compliant, supports uniform system and applications management based on the Common Information Model adopted by the Desktop Management Task Force. WMI is a key component of Microsoft Windows management services. Windows management services also include the location and policy service of the Active Directory, the presentation services of the Microsoft Management Console (MMC), and the automation capabilities of Windows Script Host (WSH).

As the core of Microsoft's management infrastructure, WMI helps to reduce the maintenance and cost of managing components in a Windows NT enterprise network. WMI provides:

  • A rich and consistent model of Windows 98 and Windows 2000 operation, configuration, and status.

    Note WMI downloadable core components are also available for Windows NT 4.0 SP 4 and for Windows 95.

  • A COM API that supplies a single point of access to all management information.

  • Interoperability with other Windows 2000 management services, which will simplify vendors' efforts to create well-integrated management applications.

  • A flexible architecture that allows vendors to extend the information model to cover new devices, applications, and other enhancements by writing code modules (WMI providers).

  • A powerful event architecture that allows changes in management information to be identified, aggregated, compared to and associated with other management information, and forwarded to local or remote management applications.

  • A rich query language that enables detailed queries of the information model.

  • A scriptable API, which enables management application developers to use Visual Basic® or Windows Script Host (WSH).

For example, local and remote eventing combined with a rich query language to the information model provides the means to create solutions to complex management problems. The ability to easily script these solutions in Visual Basic or using WSH adds an often-requested dimension to Windows NT management.

The next few sections describe the Microsoft WBEM implementation in greater detail.

WMI Architecture

WBEM provides a three-tiered approach for collecting and distributing management data. In Microsoft WMI, this approach consists of a standard mechanism for storing object definitions (a CIM-compliant object repository), a standard protocol for obtaining and disseminating management data (COM/DCOM; other protocols are also possible), and one or more Win32® dynamic link libraries (DLLs) that function as WMI data providers. A WMI provider supplies instrumentation data for parts of the CIM schema.

Figure 3. WMI architecture

The executable process that provides all of the WMI functionality is WinMgmt.exe. This executable supports the CIM object repository, the CIM Object Manager, and the APIs that, together, deliver WMI.

CIM Object Manager

The CIM Object Manager is a key component of the Microsoft implementation of WBEM technology. A central goal of WBEM is uniform representation of data, and this data is encapsulated in object-oriented fashion in the CIM object repository. The CIM Object Manager provides a collection and manipulation point for managed objects stored in the repository—it facilitates gathering and manipulating information about these managed objects.

Note   The CIM Object Manager does not access management information directly. WMI providers gather information from a resource (a managed object), then make it available to management applications through the WMI API. In short, the CIM Object Manager provides the CIM functionality in WMI.

WMI Providers

WMI providers act as intermediaries between the CIM Object Manager and one or more managed objects. When the CIM Object Manager receives a request from a management application for information that is not available from the CIM repository or for notification of events that it doesn’t support, it forwards the request to the provider. The provider then supplies the information or event notification requested.

The Microsoft WMI SDK includes the following providers:

  • Registry Provider
  • Windows NT Event Log Provider
  • Win32 Provider
  • SNMP Providers
  • WDM Provider

Third-party vendors can use the SDK to create custom providers to interact with managed objects that are specific to their own environments.

Note   The Microsoft WMI technologies do not attempt to replace existing management standards, such as SNMP, DMI, or CMIP, or to preclude proprietary or platform-specific frameworks such as NDS. In fact, WMI complements these technologies by providing an integration point through which data from all such sources can be accessed. This integration point makes any management application independent of specific APIs or standards used to instrument managed entities, allowing system administrators to correlate data and events from multiple sources on either a local or enterprise basis.

WMI security

WMI supports a limited form of security for the Windows and Windows NT platforms. WMI security validates a user's logon information both for the local machine and for remote access. A validated user is granted some form of controlled access to the entire Common Information Model (CIM) schema. In the current release, WMI does not provide security for system resources, such as individual classes, instances, and namespaces. However, WMI does allow control of global permissions on schema operations, such as limiting the access of some users to read-only operations. (WMI includes a User Manager application that systems administrators can use to set permissions for WMI users. It is similar to the User Manager application supplied with the Windows NT operating system.)

Security checks are performed only when a user logs on to WinMgmt. Therefore, any changes made to a user’s access rights while that user is connected to WinMgmt will not take effect until the next time the user logs on. This includes situations where a user's access is revoked.

Details of the security implementation are provided in the WMI SDK.

Event handling

Event notification is a key feature of WMI, allowing components to detect hardware or software events and/or errors. An event can then be passed through the WMI architecture to the appropriate management component for corrective action.

In WMI, an event is an occurrence that either corresponds to specific, previously defined conditions that arise in the real world (extrinsic event) or to changes in the CIM repository (intrinsic event). After an event occurs, an event provider notifies the CIM Object Manager, then the CIM Object Manager delivers this notification to one or more registered recipients, known as event consumers. Event consumers can register with the CIM Object Manager to receive particular types of notifications and event providers can register to supply particular types of notifications. To enable event consumers to operate independently from event providers, the CIM Object Manager acts as the intermediary, matching registered consumers with responsible providers and forwarding appropriate events.

Event consumers register to receive notifications without knowing how the events and notifications are provided. To register, these consumers specify a filter. The filter is created using the WMI Query Language (WQL). It describes the conditions under which the consumer wants to receive event notification.

WMI Query Language

The WMI Query Language (WQL) is a dialect of structured query language (SQL), with extensions to support event notification and other WBEM-compatible features. When consumers register to receive event notifications, they specify a query that defines the type of event and the conditions under which it is delivered to them. You can use WQL to construct specific event notification filters for components in your enterprise network. WQL is defined in the WMI SDK.

WBEM-compatible scripting

You can use the scripting interfaces for WMI to develop script and Visual Basic applications that can interact with the CIM Object Manager. WMI provides scripting support for the following languages:

  • Visual Basic
  • Visual Basic for Applications
  • Visual Basic, Scripting Edition
  • JScript®
  • Perl

The scripting interfaces differ from the COM interfaces for the CIM Object Manager in that they are adapted for Visual Basic, Visual Basic for Applications, Visual Basic Scripting Edition (VBScript), and other scripting languages.

Scripting languages and the ability to write scripts for batch processes, automating event handling, and so forth, have been around for many years. However, Microsoft’s WBEM-compatible scripting provides the following scripting advantages:

  • It uses a data-driven approach—CIM. CIM provides one model for manipulating disparate information, and the scripting API isolates applications from the complexity of various data sources.
  • It provides expansive coverage of system, network, and application information. The Microsoft implementation provides Win32, SNMP, registry, WDM, Performance Monitor, Windows NT Event Log, and ADSI providers. Other vendors, including Intel, Compaq, Hewlett-Packard, and BMC Software, will be distributing providers to enable vendor-specific instrumentation, as will Microsoft Systems Management Server. Other providers from Microsoft are in development.
  • Provider instrumentation is simple to extend. Tools, samples, and the extensible provider architecture are defined fully in the Microsoft WMI SDK. Moreover, there is wide industry support for provider development.
  • New scripts are simple to write. The Microsoft WBEM-compatible API is simple to use, and the schema is browseable and extensible to allow script coverage and innovation.

In the Windows 2000 timeframe, Microsoft will provide a comprehensive set of systems administration scripts. These scripts will provide local and remote system administration capabilities from the command line, and will provide support for Windows 95, Windows 98, Windows NT 4.0 and Windows 2000 platforms. Script versions will be provided in VBScript, Perl, and JScript, and these scripts will be easy to extend and customize for specific networks. Moreover, the WSH object model will be extended to interact with the CIM Schema.

The following section uses the WDM provider to demonstrate how Microsoft’s WBEM-compatible WMI architecture functions.

WDM Provider

Microsoft developed the WDM provider for kernel component instrumentation. The WDM instrumentation component is part of the Win32 Driver Model (WDM) architecture; however, it has broad utility and can be used with other types of drivers as well (such as SCSI and NDIS). The WDM provider interfaces with a kernel mode component that provides services to allow WDM-enabled drivers to implement WMI, and also acts as an interface to the WDM provider. WMI uses the WDM provider to publish information, configure device settings, and supply event notification from device drivers.

The WDM portions of WMI distribute the following data:

  • Published data—A standard set of data will be built into the Windows 2000-supplied port/class drivers.
  • Custom data—Provided through OEM/IHV driver extensions.
  • Secure data—Provided through Windows NT security descriptors for a designated usage.
  • Expensive data (optional)—Some data collection activity can significantly affect the performance of the driver; this data should only be collected when the management application specifically requests it. By default, a driver will not collect the expensive data. However, when a WMI-enabled management application requests that expensive data, WMI signals the driver to start it. Then, when the last application that was interested in that data terminates, WMI signals the driver to stop collecting it. Note that the driver writer, not WMI, decides what data is expensive to collect, and the mechanism for identifying expensive data is extremely simple.
  • Event Notifications—Event notification is a key feature of WMI, allowing drivers to detect hardware events and/or errors. Hardware event notification is handled by event filters and the CIM Object Manager, as explained previously.

WMI also allows a management application to configure a device. A management application may need to reconfigure a device based upon some driver-raised event or because of the data collected by the management application.

The following illustration provides an overview of the WDM provider and kernel mode instrumentation within the WMI architecture and process flow.

Figure 4. WDM provider and kernel mode instrumentation

Summary/Conclusion

The purpose of the DMTF WBEM initiative is to define a nonproprietary set of environment-independent specifications to allow management information to be logically organized and shared between management applications operating in similar and dissimilar operating system environments. This will help reduce TCO in the enterprise, allowing system problems to be diagnosed and resolved from a central location, thus making networks much easier to manage.

Windows Management Instrumentation (WMI) can be summarized as follows:

  • WMI is a key component of Microsoft Windows management services. Windows management services also include the location and policy service of the Active Directory, the presentation services of the Microsoft Management Console (MMC), and the automation capabilities of Windows Script Host (WSH).
  • The executable process that provides WMI functionality is WinMgmt.exe. This executable supports the CIM object repository, the CIM Object Manager, and the APIs that together deliver WMI.
  • WMI is a Windows-based implementation of the DMTF Web-Based Enterprise Management (WBEM) initiative and is fully compliant with the DMTF CIM version 2.0 management schema definitions.

The Microsoft WBEM-compatible management architecture provides fully integrated operating system support for uniform system and applications management based on CIM. Management applications can use the WMI technologies to provide a consistent approach that will reduce the maintenance and life cycle costs associated with managing Windows NT.

WMI can use information from diverse sources of information to monitor the health of an application, service, or entire Windows NT network. Thresholds and aggregate views of data can reconcile disparate information and events to diagnose problems and provide an accurate, detailed picture of the network—including potential for serious problems. When used in combination with scripting capabilities, WMI-supplied data can be used for load balancing and event-triggered alarm, backup, or system shutdown decisions. When combined with the other Windows management, WMI can help to simplify the task of developing well-integrated management applications that provide end-to-end network and systems management.

For More Information

For the latest information on Windows NT Server, check out our World Wide Web site at www.microsoft.com/ntserver/nts/ and the Windows NT Server Forum on the Microsoft Network (GO WORD: MSNTS).

For more information on the WBEM initiative and for information about the efforts of the DMTF, see www.dmtf.org/.

-------------------------------------------------------------------------------------------------

© 1998 Microsoft Corporation. All rights reserved.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.