Microsoft: WMIC will be removed after Windows 11 25H2 upgrade

Microsoft has officially announced the upcoming removal of the Windows Management Instrumentation Command-line (WMIC) tool, effective with the upgrade to Windows 11 25H2 and subsequent versions. This legacy command-line utility has long served as a means for users to engage with the Windows Management Instrumentation (WMI) system through text-based commands.

Transitioning to PowerShell

In a recent update shared via the Microsoft 365 message center, the company is urging IT administrators to transition to Windows PowerShell for WMI-related tasks, scripts, and other functionalities. With WMIC being phased out in future Windows releases, Microsoft emphasizes the importance of adapting to modern tools.

“Microsoft recommends using PowerShell and other contemporary tools for any tasks previously performed with WMIC. Consider programmatic alternatives such as WMI’s COM API, .NET libraries, or various scripting languages. Once you determine your path forward, please ensure that your internal IT documentation and processes are updated accordingly,” the company stated.

It is important to note that while WMIC is being deprecated, the Windows Management Instrumentation (WMI) itself will remain intact and operational. For those who have relied on WMIC for administrative functions, additional guidance has been made available in a separate support document released by Microsoft.
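One way to take stock of existing scripts before the tool disappears, as an added example (not Microsoft's tooling and not code from the article): it finds WMIC calls in a script, proposes a `Get-CimInstance` equivalent for simple read-only `get` queries, and reports everything else for manual porting. The alias subset, the function names and the sample batch file are assumptions of this example.

```python
import re

# Subset of WMIC aliases and the WMI classes they resolve to.
ALIASES = {
    "os": "Win32_OperatingSystem", "bios": "Win32_BIOS", "cpu": "Win32_Processor",
    "process": "Win32_Process", "service": "Win32_Service", "logicaldisk": "Win32_LogicalDisk",
}

WMIC_CALL = re.compile(r"""
    (?<![\w.-]) wmic(?:\.exe)? \s+ (?P<switches>(?:/\S+\s+)*)   # global switches
    (?P<alias>[a-z_]\w*)
    (?:\s+where\s+(?P<where>"[^"]*"|\([^)]*\)))?                # WQL condition
    \s+(?P<verb>[a-z]+) (?P<rest>.*)$""", re.I | re.X)

def convert(line):
    """Return ("auto", powershell), ("manual", wmic_call), or None if no WMIC call."""
    m = WMIC_CALL.search(line)
    if not m:
        return None
    manual = ("manual", m.group(0).strip())
    cls = ALIASES.get(m["alias"].lower())
    # Remote targets, unknown aliases and state-changing verbs are only reported.
    if m["switches"] or cls is None or m["verb"].lower() != "get":
        return manual
    cmd = f"Get-CimInstance -ClassName {cls}"
    if m["where"]:
        wql = m["where"][1:-1].replace('"', "'")
        if re.search(r"[%$`]", wql):  # batch/PowerShell metacharacters: do not guess
            return manual
        cmd += f' -Filter "{wql}"'
    # Keep only the property list: cut pipes, redirects, FOR /F wrappers, /switches.
    rest = re.sub(r"/\S+", "", re.split(r"[|>&)']", m["rest"])[0])
    fields = [f.strip() for f in rest.split(",") if f.strip()]
    if not all(re.fullmatch(r"\w+", f) for f in fields):
        return manual
    return ("auto", cmd + " | Select-Object " + (", ".join(fields) or "*"))

def audit(script_text):
    """Return (line_number, status, text) for every WMIC call in a script."""
    found = ((n, convert(l)) for n, l in enumerate(script_text.splitlines(), 1))
    return [(n, *r) for n, r in found if r]

# Constructed sample batch file (host and service names are made up).
SAMPLE = r'''wmic os get Caption,Version /value
for /f "skip=1" %%s in ('wmic bios get serialnumber') do echo %%s
wmic service where "name='Spooler'" get Name, State
wmic /node:SRV01 cpu get name
wmic service where "name='Spooler'" call StartService
'''
```

Calling `audit(SAMPLE)` yields three automatic conversions and two `manual` entries; those two correspond to a remote query and a method call, which in PowerShell are typically handled with a CIM session and `Invoke-CimMethod` respectively.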

WMIC has been on a gradual decline since its deprecation in Windows Server 2012 and Windows 10 21H1. The tool was converted into a Feature on Demand (FoD) starting with Windows 11 22H2, and Microsoft announced in January 2024 that it would be completely removed after being disabled by default.

“We have made significant investments in PowerShell over the past few years. The new tools offer a more efficient method for querying WMI. Eliminating a deprecated component simplifies the system while enhancing security and productivity,” Microsoft noted in its January announcement.

The removal of WMIC is poised to enhance overall security by mitigating a variety of malware and attack strategies that have historically exploited this tool. WMIC has been classified as a LOLBIN (living-off-the-land binary), a Microsoft-signed executable frequently leveraged by threat actors for malicious purposes.

For example, ransomware operators often utilize the WMIC command to erase Shadow Volume Copies, preventing victims from recovering their encrypted data. Additionally, some attackers have employed WMIC to identify installed antivirus software and subsequently uninstall it. There have also been instances where malware has used WMIC to create exclusions in Microsoft Defender, allowing it to evade detection during execution.
