Alan's Blog

"Yeah. I wrote a script that will do that."

Get MAC Address from IP Address

Posted on March 18th, 2017

I got a call last week from a member of one the other teams where I work.  He asked, “Do you have a script which will resolve a list of IP Addresses to MAC Addresses?” My answer was, “not yet”.  I did a search and found some very convoluted Pinvoke code. I wanted something easier.

When I automate a task, I begin with the manual steps for the task. To get a MAC address from an IP address, I ping the address, then look at the ARP cache. Get-MACFromIP.ps1 does the same thing,  using the inline script method to make the process run in parallel for speed.  It does not require any administrative rights to run, and is an advanced function.  A use example follows, others are in the code help:

I the use WMI ping method to enable name resolution and the return codes.  The script outputs the IP address, DNS Name (if it can be resolved), MAC address, and the verbose level ping reply.  Capture of the output of the ARP table is based on this post, by Joe Keohan.  Version 1.1 added support for alternate MAC format of ‘0000.1111.2222’.

Script Text

Tags: , ,
Filed under Functions, PowerShell, Scripting, Windows Administration, WMI | No Comments »

CIM_DATETIME Conversion Functions

Posted on September 5th, 2016

Also known as WMI Time, or WBEM DateTime,  CIM_DATETime,, is that odd Windows DateTime format that shows values looking like “20160905103517.816236-240”  The COM Object that presents this is  WbemScripting.SWbemDateTime, and you frequently see code to convert to this format using it, or a tortuous series of string manipulations.  My rule of thumb is this:  If you can avoid using a COM object, you should.  Here are two  functions to handle these dates using .NET.

The second function converts from the CIM DateTime string back to an ordinary date object:

An example of the output:

Filed under PowerShell, Scripting, Scriptlets, WMI | No Comments »

WMI Repair — The Old Way is a Bad Way

Posted on June 26th, 2016

This was forwarded to me from one of our Microsoft guys.  I have been using a batch file to fix WMI with this line for years: WMI: Stop hurting yourself by using “for /f %%s in (‘dir /s /b *.mof *.mfl’) do mofcomp %%s”

Filed under SCCM, Windows Administration, WMI | No Comments »

Finding Rarely Used Computers On Your Network

Posted on February 13th, 2016

I support a number of hospitals.  Many of these have very large facilities, where the placement of computers was originally done by a space planner or others trying to make an educated guess about how and where people would be working.  Frequently we find that there are computers which are unused or only rarely used.  Efficient use of the machines requires that you identify these systems and reallocate them to be used where they are needed most.

There are a lot of ways to try to get at this information, for example, working with the information collected by SCCM, but you may not be collecting what is needed.  I wanted to create a multi-threaded script which collected the list of users from AD, pinged the list, then recorded the most recent logon which was not done by the local administrator account.

Get-UnusedComputers.ps1 uses Get-WMIObject to find the local path of each of the user profiles. Because the “lastwritten” attribute is updated when you log on, I sort the files by that date to determine the most recent logon. The results are exported to your desktop in a CSV file.

Script Text

Tags: ,
Filed under PowerShell, Scripting, Windows Administration, WMI | No Comments »

Get IE Zone Information

Posted on June 27th, 2015

Like most large enterprises, we use a group policies to manage Internet Explorer settings.  We manage the security settings, and we enforce which sites are in Trusted Sites and the other internet zones.  The user cannot change the list, or even view the list.  This creates a problem for troubleshooting when a  user has opened a ticket reporting that the website needs to be added to trusted sites.  IT staff wants to know whether the site is already in the proper zone, and whether the GPO applied properly.

Get-IEZones.ps1 is a PowerShell script which will let you view the IE zone information from the local or a remote computer.  The script uses the WMI accelerator instead of a registry cmdlet to read this data from the registry.   Out-GridView displays the results which can be copied to your clipboard.

Script Text

Filed under PowerShell, Windows Administration, WMI | No Comments »

Win32_ReliablityRecords, PowerShell and ScriptoMatic

Posted on January 3rd, 2014

I was reviewing my blog stats today and found a link from a site in UK to my version of ScriptoMatic.hta.  I have upgraded my home laptop to 8.1, and decided to see whether it still works (it does).  If you launch the “fixed” ScriptoMatic as an ordinary user, it takes a very long time to load.  But after it did, I found that it worked just fine.  I began reviewing the WMI classes listed, and found one that I had not noticed before, Win32_ReliablityRecords. This class, introduced in Windows 7,  gives you a list of failed installs, system hangs, and application crashes in an easy to read format.

Scriptomatic created a nice vbScript to enumerate the class.  I coded Get-ReliablityRecords.ps1 in PowerShell with one-third the lines including comments.  It has only basic parameters.  You may choose a remote computer and a limit on the records returned.

Tags: , ,
Filed under PowerShell, Scripting, Windows 7, Windows 8, Windows Administration, WMI | No Comments »

Customer Service Rants and Raves: Good Guys and Bad Guys

Posted on February 25th, 2013

I had a very nice experience today with PJ Technologies, the makers of the WMI Explorer, WMIX, (see  I had to reinstall, and had misplaced the license key.  They had it to me in minutes.

I had a very disappointing experience with LG’s support for my washing machine.  I have a WM2455HW with the printed labels wearing off.  If you do a web search,  you will find that this is not an uncommon experience. I used the web chat, and the guy told me that they had to replace the hardware (no decals), and that they were unwilling to do this beyond the warranty period.  I typed “I think this is a design defect, I want to escalate”, and the chat was disconnected.  The LG washer is a good machine, but if you have one or are considering one I suggest you put packing tape over all the writing.   I have a lot of LG products (including TV), and have decided to switch manufacturers because of this unpleasant experience. Very disappointing.  And I am spending some time on my bully pulpit to suggest you do the same.

Filed under Rants, WMI | No Comments »

ShareEnum Alternative

Posted on September 7th, 2012

The SysInternals ShareEnum.exe program relies on the NETBIOS browser list and chokes in very large domains.  I wanted a program which let me to audit share permissions with greater flexiblity.

ShareEnum.wsf is an alternative to ShareEnum.exe.  It relies on WMI to enumerate share permissions.  The WMI share security decoding was written by Chris Wolf and found in a 2006 article at

The script can read your list from Active Directory, and it can also process a list of files. It ignores admin shares, and optionally ingnores print$ shares.  I recommend that you run it with elevated rights from an administrator’s workstation with Excel installed.  If Excel is installed, it will write the report to an XLS file.  If Excel is not installed, it will write to a tab delimited text file. If you choose a single computer, the information will be written to an IE based display window.

The WSF file is an interesting format, as it permits you to have multiple “job” files.  I use it here to separate the front end from the working code.  Rename the file from ShareEnum_wsf.txt to ShareEnum.wsf.

Filed under Alan's Favorites, Security, Windows Administration, WMI | No Comments »

Who logs onto this computer?

Posted on February 3rd, 2012

One of the questions that is frequently asked in a large organization is, “Who uses computer XYZ123?”. Many tools will report the current user, but the current user may or may not be the the person who usually works on a given computer.  The current user for the computer you are logged on logged onto to fix is probably not the name you want.

In pre-Windows 7 days, I used to pull the user information from the registry location HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName.  I recently found out that this has been moved to HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnUser for Windows 7.

Unfortunately when I went looking in the new location, there was nothing there.  The missing LastLoggedOnUser was a weird problem.  After some Google search time I found that if you use a GPO entry to clear the last username then LastLoggedOnUser is not populated.

I then spent some time with WMI, and found some interesting information is available in Win32_NetworkLoginProfile.  I ended up writing two scripts:  LastUserLogon.vbs gets the last user for a computer, and TopComputerUsers.vbs (pulled, see below) which collects the top 5 interactive logons for a computer.  Both let you copy the data to the clipboard if Word is installed, otherwise the information can be output to notepad.

The TopComputerUsers script is interesting because WMI contains a count of user logons, and I use a disconnected recordset to sort the user information by number of logons.  The LastUserLogon gives you a subset of the information from TopComputerUsers, and can help you determine whether a given computer is underutilized.

Both will work on local or remote computers.  Both take a computer name as an argument.  And both scripts tell you who the current user is.

Filed under VbScript, Windows 7, Windows Administration, WMI | 1 Comment »

Uninstall All But the Most Recent Version of Java

Posted on January 10th, 2012

UninstallJava.vbs creates a list of programs with “Java” in the name.  It then uninstalls all but the most recent version.  You can run it locally or against a remote computer.  Update 1/18/14: This has been updated to manage post XP OS, where InstallDate2 from Win32_Product is empty.  If you look at the code, I now read the creation date of the local installation package when the install date is not in WMI.  I have also added filters to ensure that JavaScript and Java Auto Update are not installed, plus a variable you can set to test.  This script has not been written to run against a list of machines, but could be easily modified to do that or to run locally in a SCCM package.

Update:  There is a now webpage where you can do this:

Filed under Scripting, VbScript, Windows Administration, WMI | No Comments »

Please Note

All the scripts are saved as .txt files. Newer files have a "View Script" button which will let you save or open a script in notepad. For earlier posts, the easiest way to download with IE is to right click on the link and use "Save Target As". Rename file from Name_ext.txt to Name.ext.

To see a full post after searching, please click on the title.

PowerShell Scripts were written with Version 3 or 4.

https connections are supported.

All new users accounts must be approved, as are comments. Please be patient. It is pretty easy to figure out my email address from the scripts, and you are welcome to contact me that way.

Site Search



SQL Site

Bad Behavior has blocked 262 access attempts in the last 7 days.