
How (and how often) are the database entries updated in WMI?


We have a requirement to design a monitoring application for our Windows client machines and I'm chasing up some information on the WMI architecture. Our current plan is to use fairly simple VBScript scripts to periodically query the database, writing relevant information to flat files for later transfer to a central server (where all the heavy lifting of analysis and reporting already exists for our non-Windows machines).

I've tried looking for an answer to this question on MSDN and the net at large, but all the articles seem particularly "fluffy" - lots of "how to use it" but little on "how it works internally".

Take for example a VBScript segment like:

set wmi = getObject("winmgmts:\\.\root\cimv2")
set itemCpu = wmi.get("Win32_PerfRawData_PerfOS_Processor.Name='_Total'")
n = itemCpu.PercentProcessorTime

or:

set wmi = getObject("winmgmts:\\.\root\cimv2")
set colMem = wmi.execQuery( _
    "select AvailableKBytes from Win32_PerfRawData_PerfOS_Memory",,48)

Now, I understand that these go out to the CIM database and retrieve the relevant entries, and I think there's a disconnect between the collecting of information into that database and the extraction of it.

In other words, statistics are collected and written to the database by Windows regardless of whether anyone is requesting information from said database. My understanding can best be summed up as:

+------------+    req/       ======== 
| Monitoring |     resp     /        \     stats    +------------+
|  Processes |  <------->  < Database >  <--------  | Collectors |
|            |              \        /              +------------+
+------------+               ======== 

\_____________________________/    \_____________________________/
         On-demand                        Always happening

But I'm interested in the process whereby the database is populated, in more depth. Things like:

  • How can we tell how often, and under what circumstances, information is added to the database by the Windows "collectors"?
  • Does the Windows kernel write process information on every task switch?
  • Does it write memory information every second?
  • Does it only update the database on demand (when a monitoring application requests information)?

That's the sort of stuff I'm trying to find out.

Does anyone have that sort of information, or links to technically-minded articles or whitepapers on the subject?


Solution

  • In short, the WMI metabase is updated in real time. For example, view the system's timezone class:

    wmic timezone get /all /format:list

    Then change the system's regional zone setting and re-check the timezone class again.

    The UAC (from Win VISTA onwards) plays a greater part in WMI infrastructure: http://msdn.microsoft.com/en-us/library/windows/desktop/aa826699(v=VS.85).aspx

    This tutorial article (pretty good) describes the CIM architecture: http://www.wbemsolutions.com/tutorials/CIM/index.html

    This MSDN article describes MOF: http://msdn.microsoft.com/en-us/library/windows/desktop/aa823192(v=vs.85).aspx

    So in summary, there is no hard and fast rule for when the CIM database is re-populated; it depends on what the system is doing at the time and/or what a user does.
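
One way to observe the update behaviour for the performance class used in the question (an added example, not part of the original question or answer): read the same `Win32_PerfRawData_PerfOS_Processor` instance twice and compare the `Timestamp_Sys100NS` values returned with each read. The 2-second interval and the variable names are assumptions; run it with `cscript`.

```vbscript
' Added example: sample one raw performance instance twice and compare
' the timestamps that come back with each read.
Option Explicit

Const INSTANCE_PATH = "Win32_PerfRawData_PerfOS_Processor.Name='_Total'"
Const INTERVAL_MS = 2000   ' assumed gap between the two reads

Dim wmi, s1, s2, n1, n2, d1, d2, busyPct

Set wmi = GetObject("winmgmts:\\.\root\cimv2")

' Each Get call returns its own copy of the instance.
Set s1 = wmi.Get(INSTANCE_PATH)
WScript.Sleep INTERVAL_MS
Set s2 = wmi.Get(INSTANCE_PATH)

' uint64 properties arrive as strings in VBScript; convert before arithmetic.
n1 = CDbl(s1.PercentProcessorTime)
d1 = CDbl(s1.Timestamp_Sys100NS)
n2 = CDbl(s2.PercentProcessorTime)
d2 = CDbl(s2.Timestamp_Sys100NS)

WScript.Echo "Timestamp delta (100 ns units): " & (d2 - d1)

If d2 > d1 Then
    ' In the raw class, PercentProcessorTime is an inverse 100 ns timer
    ' (it accumulates idle time), so the busy share over the interval is
    ' 1 - delta(counter) / delta(timestamp).
    busyPct = (1 - (n2 - n1) / (d2 - d1)) * 100
    If busyPct < 0 Then busyPct = 0   ' clamp small negative rounding noise
    WScript.Echo "CPU busy over interval: " & FormatNumber(busyPct, 1) & "%"
Else
    WScript.Echo "Timestamps did not advance; both reads returned the same sample."
End If
```

A timestamp delta close to the sleep interval shows the values were produced at read time. It also shows why a monitoring script that reads a raw counter needs two samples before it can report a percentage.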