I got a question on Twitter about an older function I had posted to get antivirus information via WMI. The function continues to work fine with Windows 10, although there's always room for improvement. However, the question was that the function did not seem to work when querying a server running Windows Server 2016 or later. And that does appear to be the case. From what I can tell the WMI namespace my function is querying does not exist on Windows Server 2016 and later. I figured I needed to search to see if there were antivirus products anywhere else. So I wrote a function this morning to search all WMI namespaces for a class name.
My function, Find-CimClass, uses the CIM cmdlets to recursively search all namespaces on a computer (the default is the localhost) for a given class name. You can use wildcards for the class name. I also included an option for an Exclude pattern, which can be a regular expression. For example, I may search for a class name but want to exclude any of the Win32_Perf* classes. The function can be found as a gist on my GitHub repository.
https://gist.github.com/jdhitsolutions/66722c63fbd244904e0a3b09cd9909bd
Because I'm making repeated queries, I create a temporary CIMSession. I don't really need it when querying the local machine and could have added code to only create the CIMSession if the computername is remote. But for the sake of simplicity I create a temporary CIMSession regardless. The other scripting element you'll see in the function is the use of Write-Progress. The function will take a little bit of time to complete and I wanted to provide feedback.
As you look through the code I hope you'll realize that using Write-Progress is not that difficult. I think more scripters need to take advantage of this command.
With this tool in hand, I searched for anything antivirus related on a Windows Server 2016 box but with no results. I'll be honest that I have not researched this issue in great detail, but in my searches thus far into WMI it appears Microsoft has removed any related namespaces and classes or changed them to something that I haven't thought of or discovered.
Regardless, I now have another tool in my toolbox to easily discover things in WMI. I hope you'll let me know what you think.
Update:
Shortly after publishing the original article and function, I realized the logic I was using to enumerate namespaces was incomplete. I was only getting the first 2 levels of namespaces. I ended up adding an internal function to recursively list all namespaces. Where I was searching 57 before on my Windows 10 box, now I am searching 150. Unfortunately, this didn't affect the search results for an antivirus class on Windows Server 2016.
Update #2:
After searching for anything I could think of I stumbled across the ProtectionTechnologyStatus class in the Root\Microsoft\SecurityClient namespace on Windows Server 2016. This appears to have all of the relevant information.
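The approach described above (a temporary CIMSession, a recursive namespace walk, a wildcard class search with a regex exclude, and Write-Progress feedback) can be sketched as follows. This is an added example, not the code from the gist; the function name Search-CimNamespace and its helper are hypothetical, and it assumes the target accepts a CIM session.

```powershell
# Added example; Search-CimNamespace is a hypothetical name, not the author's Find-CimClass.
function Search-CimNamespace {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ClassName,   # wildcards allowed
        [string]$Exclude,                           # optional regex on class names
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # __Namespace instances are the child namespaces; recurse to reach every level.
    function Get-ChildNamespace {
        param([string]$Namespace, $Session)
        $Namespace
        Get-CimInstance -CimSession $Session -Namespace $Namespace -ClassName __Namespace -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ChildNamespace -Namespace "$Namespace\$($_.Name)" -Session $Session }
    }
    # With -ComputerName the session uses WSMan, so WinRM must be reachable on the target.
    $session = New-CimSession -ComputerName $ComputerName -ErrorAction Stop
    try {
        $namespaces = @(Get-ChildNamespace -Namespace 'Root' -Session $session)
        $i = 0
        foreach ($ns in $namespaces) {
            $i++
            Write-Progress -Activity "Searching for $ClassName" -Status $ns -PercentComplete ($i / $namespaces.Count * 100)
            # A namespace with no match or no read access raises an error; skip it.
            $found = Get-CimClass -CimSession $session -Namespace $ns -ClassName $ClassName -ErrorAction SilentlyContinue
            if ($Exclude) { $found = $found | Where-Object { $_.CimClassName -notmatch $Exclude } }
            foreach ($class in $found) {
                [pscustomobject]@{ ComputerName = $ComputerName; Namespace = $ns; ClassName = $class.CimClassName }
            }
        }
    }
    finally {
        Write-Progress -Activity "Searching for $ClassName" -Completed
        Remove-CimSession -CimSession $session
    }
}

# Find the class named in Update #2, then read its instances wherever it was found.
Search-CimNamespace -ClassName 'ProtectionTechnologyStatus' |
    ForEach-Object { Get-CimInstance -Namespace $_.Namespace -ClassName $_.ClassName }
```

Run it from an elevated session, since some namespaces are readable only by administrators and are otherwise skipped silently.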
Does this article have the code for Find-CimClass?
The code is embedded as a gist on GitHub.