Verified steps

List all running processes with memory usage: Get-CimInstance -ClassName Win32_Process | Select-Object Name, ProcessId, WorkingSetSize
Filter using the -Filter parameter (WQL WHERE syntax, not PowerShell): Get-CimInstance -ClassName Win32_Service -Filter "State = 'Running' AND StartMode = 'Auto'"
Use a full WQL query string: Get-CimInstance -Query "SELECT * FROM Win32_Process WHERE WorkingSetSize > 104857600"
Query a remote machine: Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName <HOSTNAME>
Discover available WMI classes: Get-CimClass -Namespace root/cimv2 | Where-Object CimClassName -Like 'Win32_*' | Select-Object CimClassName

Known gotchas

Get-CimInstance uses DCOM/WinRM for remote queries; Get-WmiObject (PowerShell 5.1, deprecated in PowerShell 7) used DCOM only. Prefer Get-CimInstance for new scripts.
The -Filter parameter uses WQL syntax, not PowerShell syntax: string comparisons use single quotes (State = 'Running'), not double quotes.
Some Win32_ classes return different properties depending on the OS version; always validate property names against the live schema on the target OS.

osquery.io · 5 steps · unrated

Use PowerShell's CIM remoting to query hardware and OS inventory across multiple remote Windows machines in bulk

learn.microsoft.com · 5 steps · unrated

Query cloud identity entitlement (CIEM) risk findings via the Wiz GraphQL API

docs.wiz.io · 6 steps · unrated

Give your agent this knowledge — and 200+ more routes

One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus: claude mcp add --transport http waymark https://mcp.waymark.network/mcp

Query live system information on Windows using CIM cmdlets (Get-CimInstance) and WQL filters

Verified steps

Known gotchas

Related routes

Give your agent this knowledge — and 200+ more routes