GPO WMI Filtering – Timing

Note: Don’t use Win32_Product. It’s not a good idea, and even Microsoft warn against using it.

WMI filtering on Group Policy Objects is an incredibly useful and powerful feature within Active Directory, but going nuts with your queries could affect your end users.

One thing to be mindful of is the WMI query execution time, keeping in mind that filters are evaluated every group policy refresh interval. By default, this is every 90 minutes with an added random offset of 0-30 minutes.

An example of this was a query I was testing this week; It’s common to search the Win32_Product WMI class to see if a particular piece of software is installed. This technique is even listed in the sample code in the TechNet article on WMI Filtering. This method often takes quite a while to return a result, so I decided to use an alternative method.

The alternative is simply to test if the application’s executable file exists. This can also be extended to test for a specific file version if necessary. Below are the results of the testing:

Method 1: Find software by searching Win32_Product

PS C:> Measure-Command { gwmi win32_product -Filter "name like '%shoretel%'" }

Days              : 0
Hours             : 0
Minutes           : 2
Seconds           : 54
Milliseconds      : 706
Ticks             : 1747066394
TotalDays         : 0.00202206758564815
TotalHours        : 0.0485296220555556
TotalMinutes      : 2.91177732333333
TotalSeconds      : 174.7066394
TotalMilliseconds : 174706.6394

Method 2: Check for existence of executable file

PS C:> Measure-Command { gwmi cim_datafile -Filter "name = 'C:\Program Files (x86)\Shoreline Communications\ShoreWare Client\ShoreTel.exe'" }

Days              : 0
Hours             : 0
Minutes           : 0
Seconds           : 0
Milliseconds      : 666
Ticks             : 6668044
TotalDays         : 7.71764351851852E-06
TotalHours        : 0.000185223444444444
TotalMinutes      : 0.0111134066666667
TotalSeconds      : 0.6668044
TotalMilliseconds : 666.8044


As shown above, the Win32_Product method took almost 3 minutes to return a result, where the second method merely took 666 milliseconds.

The resulting WMI filter for the GPO would look something like this:

SELECT Name FROM CIM_DataFile WHERE Name = "C:\Program Files (x86)\Shoreline Communications\ShoreWare Client\ShoreTel.exe"


Make sure you escape your backslash characters in the WMI query as shown above. If you’re testing for the presence of a folder, you’ll want to use the Win32_Directory WMI class  instead.

PowerShell is a great way to test your WMI queries. Simply use the Get-WmiObject cmdlet. Another great tool to use is WMI Explorer.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s