CimSweep is a suite of CIM/WMI-based tools for performing incident response and hunting operations remotely across all versions of Windows. Because it relies on CIM/WMI, no host-based agent needs to be installed: the WMI service runs by default on all versions of Windows.

Minimum PowerShell version


Installation Options

Copy and paste the following command to install this package using PowerShellGet:

Install-Module -Name CimSweep -RequiredVersion

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation.

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies.


Matthew Graeber


BSD 3-Clause



security DFIR defense


Get-CSRegistryKey Get-CSRegistryValue Get-CSMountedVolumeDriveLetter Get-CSDirectoryListing Get-CSEventLog Get-CSEventLogEntry Get-CSService Get-CSProcess Get-CSEnvironmentVariable Get-CSRegistryAutoStart Get-CSScheduledTaskFile Get-CSTempFile Get-CSLowILPathFile Get-CSShellFolderPath Get-CSStartMenuEntry Get-CSTypedURL Get-CSWmiPersistence Get-CSWmiNamespace Get-CSVulnerableServicePermission Get-CSAVInfo Get-CSProxyConfig


This module has no dependencies.

Release Notes

* Added Get-CSAVInfo (written by @xorrior)
* Added Get-CSProxyConfig (written by @xorrior)
* Added module-wide Pester tests to ensure consistency across functions.

* Removed the -Path parameter from Get-CSRegistryKey and Get-CSRegistryValue. -Hive should be used.

* Added Get-CSWmiNamespace
* Added Get-CSVulnerableServicePermission
* -IncludeACL added to Get-CSRegistryKey, Get-CSDirectoryListing, Get-CSService, and Get-CSWmiNamespace.
* -IncludeFileInfo added to Get-CSService. The file info returned also includes the file ACL.
* Functions that accept exact datetimes now mask off milliseconds to enable more flexible time-based sweeps with second granularity.
* Added optional -UserModeServices and -Drivers switches to Get-CSService. This is helpful if you only want drivers or only want user-mode services.

* Dropped -Drivers and -Services from Get-CSRegistryAutoStart. Get-CSService is the ideal means of obtaining service and driver information.

* Bugfix: Forgot to rename Set-DefaultDisplayProperty in Get-CSRegistryAutoStart.
* Enhancement: Addressed PSScriptAnalyzer warnings

* Compatible PS Editions: Desktop, Core (i.e. Nano Server and Win 10 IoT)
* -IncludeAcl switch added to Get-CSRegistryKey and Get-CSDirectoryListing. Appending this argument will add an ACL parameter to each object returned.
* The output types of all functions are now fully and properly documented.

Version History

Version Downloads Last updated
1,549 5/13/2017 (current version)
194 10/8/2016
132 5/28/2016
24 5/16/2016
14 5/16/2016