Overview
This node executes WMI (Windows Management Instrumentation) queries using various engines and methods. It allows users to query system information, manage Windows services, processes, or other WMI-exposed resources either locally or remotely.
Common scenarios include:
- Retrieving detailed system information such as OS version, installed software, running processes.
- Managing Windows services by starting or stopping them via WMIC calls.
- Querying remote Windows hosts for monitoring or automation purposes.
- Using different execution engines depending on the environment (Windows host, Linux with Samba, or Python with Impacket).
Practical examples:
- Querying all running processes on a remote Windows machine.
- Listing all installed software with their versions.
- Starting or stopping a service remotely using WMIC call operation.
- Running custom WQL queries to filter specific system events or configurations.
Properties
| Name | Meaning |
|---|---|
| Engine | Execution engine to use: - Node WMI (node-wmi library, works also outside Windows) - WMIC (local wmic command, only on Windows host) - Impacket (Python DCOM script, requires python3 + impacket) - WMIC CLI (Linux Samba binary for remote WQL queries) |
| Preflight Check | (Only for Impacket engine) Whether to verify before execution that Python interpreter is available and the impacket module can be imported (fail-fast check). |
| Operation | Type of WMI/WMIC operation to perform: - Query (WQL): Execute free or constructed WQL query - Get (Alias): WMIC get on alias (only WMIC engine) - Call (Action): WMIC call on alias with action (only WMIC engine) - List Alias: List available WMIC aliases (only WMIC engine) |
| Query | Full WQL query string. If empty, it will be constructed from Class, Properties, and Where. Used only for Query operation. |
| Class | WMI class name to query (used if Query is empty). For example, Win32_Process. Used only for Query operation. |
| Properties | Comma-separated list of properties to select in the query. If empty, selects all (*). Used only for Query operation. |
| Where | Optional WHERE condition without the keyword WHERE. Used only for Query operation. |
| Alias | WMIC alias name (e.g., os, process, service). Required for Get and Call operations. |
| Fields | Fields to retrieve for the alias in Get operation. |
| Action | Action to execute on alias in Call operation (e.g., startservice, stopservice). |
| Format | Output format (currently only JSON supported). Used for Get, Call, and List Alias operations. |
| Timeout (Ms) | Maximum wait time in milliseconds for each item before aborting. Minimum 1000 ms. Default 60000 ms. |
| Verbose Logging | Enable detailed debug logging (never prints passwords). |
Output
The node outputs an array of items where each item corresponds to an input item processed.
Each output item has a json field containing:
data: The result of the WMI query or operation, typically an array of objects representing WMI instances or results.- In case of error (if continueOnFail is enabled),
json.errorcontains the error message.
If the node performs a query, the data is the parsed JSON result of the WQL query.
Binary data output is not used by this node.
Dependencies
- Requires credentials with host, user, password, and optionally domain and namespace for WMI access.
- Depending on the selected engine:
- Node WMI: Requires the
node-wminpm package. - WMIC: Requires n8n to run on Windows with the
wmiccommand available. - Impacket: Requires Python 3 and the
impacketPython module installed on the host. Optionally setPYTHON_BINenvironment variable to specify Python interpreter path. - WMIC CLI: Requires the
wmicbinary from the Samba package on Linux.
- Node WMI: Requires the
Troubleshooting
- Missing dependencies: Errors like "Impossible to load node-wmi library" or "vendor wmi-query not found" indicate missing required packages or binaries.
- Platform incompatibility: Using WMIC engine on non-Windows platforms or WMIC CLI on Windows will throw errors.
- Timeouts: Queries taking longer than the configured timeout will abort with a timeout error.
- Credential issues: Missing or incorrect host/user/password/domain fields cause authentication failures.
- Impacket preflight failure: If the Python interpreter or impacket module is not found or importable, the node throws an error.
- Invalid WQL query: Syntax errors or invalid classes/properties in the WQL query may cause internal errors.
- Error message "Cannot convert undefined or null to object" usually indicates invalid credentials or malformed query.
To resolve:
- Ensure all dependencies and environment requirements are met.
- Verify credentials and connection details.
- Use verbose logging to get detailed debug info.
- Validate WQL syntax and parameters.
- Increase timeout if queries take longer.