The Windows Management Instrumentation Command-line (WMIC) tool will no longer be available in Windows 11 25H2 and later, according to Microsoft.
Using text commands, users can communicate with the Windows Management Instrumentation (WMI) system through WMIC, a classic built-in Windows command-line tool.
Since WMIC will no longer be included by default in later Windows editions, Microsoft now recommends, in a Microsoft 365 message centre update, that IT managers use Windows PowerShell for WMI, scripts, and other utilities.
“For any operations that were previously completed using WMIC, Microsoft advises adopting PowerShell and other contemporary technologies. Alternatives that are programmatic include scripting languages, .NET libraries, and WMI’s COM API. Please update your internal IT documentation and procedures once you’ve made up your mind,” the company stated.
However, the Windows Management Instrumentation (WMI) itself is unaffected; this modification solely affects the out-of-date WMIC component.
Separately, on Friday Microsoft released a support page with additional instructions for people who use WMIC for administrative tasks.
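Updating internal procedures starts with finding where WMIC is still called. The following PowerShell is an added example, not code from Microsoft or from the original article: it scans a folder of admin scripts for WMIC invocations and names the CIM cmdlet and WMI class each one maps to. The function name `Find-WmicUsage`, the folder argument, and the partial alias table are assumptions made for illustration.

```powershell
# Added example, not Microsoft's code: inventory WMIC calls in admin scripts and
# name the CimCmdlets cmdlet and WMI class each call maps to.

# Common WMIC aliases and the WMI classes they wrap (partial list).
$AliasToClass = @{
    os = 'Win32_OperatingSystem';       bios = 'Win32_BIOS'
    cpu = 'Win32_Processor';            computersystem = 'Win32_ComputerSystem'
    logicaldisk = 'Win32_LogicalDisk';  diskdrive = 'Win32_DiskDrive'
    process = 'Win32_Process';          service = 'Win32_Service'
    product = 'Win32_Product';          qfe = 'Win32_QuickFixEngineering'
    useraccount = 'Win32_UserAccount';  csproduct = 'Win32_ComputerSystemProduct'
}

# WMIC verb -> replacement cmdlet.
$VerbToCmdlet = @{
    get = 'Get-CimInstance'; list = 'Get-CimInstance'; call = 'Invoke-CimMethod'
    set = 'Set-CimInstance'; delete = 'Remove-CimInstance'
}

function Find-WmicUsage {
    param([Parameter(Mandatory)][string]$Root)  # folder of scripts to audit (hypothetical)

    # Optional global switches (/node:..., /output:...), then an alias or "path <class>".
    $pattern = '\bwmic(?:\.exe)?(?:\s+/\S+)*\s+(?:path\s+)?(?<target>\w+)(?<rest>.*)$'

    Get-ChildItem -Path $Root -Recurse -File -Include *.bat, *.cmd, *.ps1, *.vbs |
        Select-String -Pattern $pattern |
        ForEach-Object {
            $m      = $_.Matches[0]
            $target = $m.Groups['target'].Value
            # Known alias -> class; anything else (e.g. "path Win32_X") is kept as written.
            $class  = if ($AliasToClass.ContainsKey($target)) { $AliasToClass[$target] } else { $target }
            # The first known verb after the target picks the cmdlet; default is a query.
            $verb   = $m.Groups['rest'].Value -split '\s+' |
                      Where-Object { $VerbToCmdlet.ContainsKey($_) } | Select-Object -First 1
            [pscustomobject]@{
                File    = $_.Path
                Line    = $_.LineNumber
                Command = $_.Line.Trim()
                Cmdlet  = if ($verb) { $VerbToCmdlet[$verb] } else { 'Get-CimInstance' }
                Class   = $class
            }
        }
}

# Usage: Find-WmicUsage -Root 'C:\Scripts' | Format-Table -AutoSize
```

Each reported line still needs a manual rewrite, since WMIC `where` clauses and output formats do not translate mechanically; the report only tells you which scripts to open and which class to query.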
WMIC was deprecated by Microsoft in Windows 10 21H1 (2021) and Windows Server 2012 (2016). Beginning with Windows 11 22H2 (in 2022), Redmond changed it to a Feature on Demand (FoD). After initially turning it off by default, the company declared in January 2024 that it would be completely eliminated.
“Over the last few years, we have made significant investments in PowerShell. The new tools offer a more effective method of WMI querying. Removing a deprecated component helps reduce complexity while keeping you secure and productive,” Microsoft stated in January 2024.
By preventing a variety of malware and attack techniques from working properly, WMIC’s elimination will help improve overall security.
The program has long been regarded as a LOLBIN (living-off-the-land binary), an executable signed by Microsoft that threat actors use to carry out a variety of nefarious tasks during attacks.
For example, the WMIC command is frequently used by ransomware encryptors to remove Shadow Volume Copies, making it impossible for victims to use them to recover encrypted data. WMIC has been exploited by other threat actors to find and remove installed antivirus software.
Additionally, malware has been seen to add exclusions to Microsoft Defender using WMIC in order to avoid detection when it is launched.