New Question
PRTG Network Monitor

Intuitive to Use.
Easy to manage.

200.000 administrators have chosen PRTG to monitor their network. Find out how you can reduce cost, increase QoS and ease planning, as well.

Download >>


What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general. You are invited to get involved by asking and answering questions!

Learn more


Top Tags

View all Tags

Which WQL queries are used by PRTG's WMI sensors?



Your Vote:



I'd like to verify an WMI error/value PRTG is reporting with the WMI Tester. Which fields and classes are used by PRTG for the various sensors?

prtg troubleshooting wmi wql

Created on Sep 13, 2010 10:13:28 AM by  Volker Uffelmann [Paessler Support]

Last change on Apr 29, 2015 7:43:38 AM by  Martina Wittmann [Paessler Support]

1 Reply

Accepted Answer



Your Vote:



This article applies to PRTG Network Monitor 16 or later

Monitoring via WMI: WQL Queries

This article provides WQL queries for the following WMI sensors, including Windows sensors which use the hybrid approach with WMI as fallback.

Note: WHERE parameters in chevrons are to be replaced with your specific data, e.g. instead of WHERE name ='<servicename>' you'll have to use WHERE name = 'PRTG Server' if you want to inspect the Server service of PRTG.

Note: If not stated otherwise the namespace used is root\CIMV2

Note: If you compare strings containing backslashes, you need to double those. Example Select * FROM Win32_Volume WHERE DeviceID LIKE '\\\\?\\Volume{bfffffff-4d8d-11e5-9bc2-806e6ffffffff}\\'

CPU Load

Standard query

SELECT Name,Timestamp_Sys100NS, PercentProcessorTime FROM Win32_PerfRawData_PerfOS_Processor WHERE Name <> '_Total'

Alternative query

SELECT Name, PercentProcessorTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name <> '_Total'

Event Log


SELECT Name, LogFilename, Filename, NumberOfRecords FROM Win32_NTEventlogFile

Monitoring Query

Note: The WMI Event Log sensor has a rather complex WHERE statement that is assembled according to the various filter inputs. For clarity we leave out this WHERE statement here. But be aware that querying the eventlog class unfiltered can take up considerable amounts of time! SELECT TimeGenerated,Message FROM Win32_NTLogEvent

Exchange Server


SELECT MessagesDeliveredPersec,MessagesSentPersec,MessagesSubmittedPersec, MessagesQueuedForSubmission, AverageDeliveryTime FROM Win32_PerfRawData_MSExchangeIS_MSExchangeISMailbox SELECT RPCRequests,RPCAveragedLatency,RPCOperationsPersec,RPCNumofSlowPackets FROM Win32_PerfRawData_MSExchangeIS_MSExchangeIS SELECT DatabasePageFaultsPersec,LogRecordStallsPersec,LogThreadsWaiting, DatabaseCacheSizeMB, DatabaseCachePercentHit FROM Win32_PerfRawData_ESE_MSExchangeDatabase SELECT RPCLatencyaveragemsec,RPCRequestsoutstanding,ROPRequestsoutstanding, RPCRequestsfailed, RPCRequestssentPersec,RPCSlowrequests,RPCSlowrequestslatencyaveragemsec FROM Win32_PerfRawData_MSExchangeStoreInterface_MSExchangeStoreInterface


SELECT Lastmodified,Filesize FROM CIM_LogicalFile WHERE Drive ='<driveletter>:' AND Path='<path>' AND Filename = '<filename>' AND Extension = '<ext>'

Free Disk Space (Multi Drive)

All drives

SELECT DriveType,DeviceID,FreeSpace,Size,VolumeName FROM Win32_LogicalDisk WHERE DriveType=3

Specific drive

SELECT DriveType,DeviceID,FreeSpace,Size,VolumeName FROM Win32_LogicalDisk WHERE DeviceID='<driveletter>:'

HDD Health (S.M.A.R.T.)


namespace = 'root\WMI' SELECT InstanceName, VendorSpecific FROM MSStorageDriver_ATAPISmartData

namespace = 'root\cimV2' SELECT Size, PNPDeviceID, SerialNumber, Name FROM Win32_DiskDrive SELECT Size, PNPDeviceID, Name FROM Win32_DiskDrive

Monitoring Query

NameSpace = 'root\WMI'; SELECT InstanceName, VendorSpecific FROM MSStorageDriver_ATAPISmartData

Hyper-V Virtual Storage Sensor

"Add Sensor" Pre-Queries

SELECT Name FROM Win32_PerfRawData_IdePerfProvider_HyperVVirtualIDEControllerEmulated SELECT Name FROM Win32_PerfRawData_StorageStats_HyperVVirtualStorageDevice SELECT Name,ElementName,Description FROM Msvm_ComputerSystem WHERE ProcessID<>NULL

Alternative: SELECT Name FROM Win32_PerfRawData_Counters_HyperVVirtualStorageDevice

Monitoring Query

SELECT ReadBytesPersec, WriteBytesPersec, ErrorCount FROM Win32_PerfRawData_StorageStats_HyperVVirtualStorageDevice

Hyper-V Virtual Network Adapter


SELECT Name FROM Win32_PerfRawData_IdePerfProvider_HyperVVirtualIDEControllerEmulated SELECT Name FROM Win32_PerfRawData_NvspNicStats_HyperVVirtualNetworkAdapter

IIS Application


SELECT Name FROM Win32_PerfFormattedData_W3SVC_WebService

Monitoring Query

SELECT TotalBytesReceived, TotalBytesSent, TotalGetRequests, TotalPostRequests, TotalNotFoundErrors, TotalCGIRequests, TotalAnonymousUsers, TotalNonAnonymousUsers, TotalFilesReceived, TotalFilesSent FROM Win32_PerfFormattedData_W3SVC_WebService WHERE Name='<instancename>'

Logical Disk I/O


SELECT Name FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk


Standard query

SELECT FreePhysicalMemory,TotalVisibleMemorySize FROM Win32_OperatingSystem

Alternative query

SELECT AvailableKBytes FROM Win32_PerfFormattedData_PerfOS_Memory and Select TotalPhysicalMemory FROM Win32_LogicalMemoryConfiguration

Microsoft SQL Server 2008, 2012, 2014


SELECT ServiceName,DisplayName FROM SQLService WHERE SQLServiceType = 1

Network Card

"Add Sensor" pre-query for the names of the adapters

SELECT Name, BytesTotalPerSec FROM Win32_PerfRawData_Tcpip_NetworkAdapter SELECT Name, BytesTotalPerSec FROM Win32_PerfRawData_Tcpip_NetworkInterface

"Add Sensor" pre-query for IPs/MACs of the adapters

SELECT Description, IPAddress, MACAddress FROM Win32_NetworkAdapterConfiguration WHERE Description LIKE '<adaptername>' AND IPEnabled=true AND MACAddress is not NULL with <adaptername> being replaced with the name of one of the entries that were found with the name-query.

Monitoring Query (Windows 2012 or later)

SELECT BytesReceivedPersec,BytesSentPerSec,PacketsPerSec FROM Win32_PerfRawData_Tcpip_NetworkAdapter WHERE Name = '<adaptername>'

Monitoring Query (previous to Windows 2012)

SELECT BytesReceivedPersec,BytesSentPerSec,PacketsPerSec FROM Win32_PerfRawData_Tcpip_NetworkInterface WHERE Name = '<adaptername>' with <adaptername> being replaced with the name of one of the entries that were found with the name-query.


SELECT percentusage FROM Win32_PerfFormattedData_PerfOS_PagingFile WHERE Name='_Total'

Physical Disk I/O

SELECT Name FROM Win32_PerfRawData_PerfDisk_PhysicalDisk


SELECT ThreadCount,HandleCount,PrivateBytes, WorkingSet,PercentProcessorTime, PageFaultsPerSec,Timestamp_Sys100NS,IDProcess FROM Win32_PerfRawData_PerfProc_Process WHERE Name ='<executablename>' OR Name LIKE '<executablename>'

Remote Ping

SELECT PrimaryAddressResolutionStatus, Statuscode, Responsetime FROM Win32_PingStatus WHERE Address='<targetaddress>' AND BufferSize='<buffersize>' AND Timeout='<timeout+000>'

Security Center


namespace = 'root\SecurityCenter2' SELECT DisplayName, instanceGUID, PathToSignedProductExe FROM AntivirusProduct

SELECT DisplayName, instanceGUID, PathToSignedProductExe FROM AntiSpywareProduct

SELECT DisplayName, instanceGUID, PathToSignedProductExe FROM FirewallProduct

namespace ='root\SecurityCenter' SELECT DisplayName FROM AntivirusProduct

Monitoring Queries

SELECT productState FROM '<antivirtype>' Product WHERE DisplayName = '<displayname>'


SELECT OnAccessScanningEnabled, ProductUpToDate FROM '<antivirtype>' Product WHERE DisplayName = '<displayname>'


"Add Sensor" pre-query

SELECT Name,Caption,Description FROM Win32_Service

Monitoring query

SELECT Started,State,Status FROM Win32_Service WHERE Name='<servicename>'


"Add Sensor" Pre-Query

SELECT Name,Description,Type FROM Win32_Share

Monitoring query

SELECT Status FROM Win32_Share WHERE Name = '<sharename>'

Sharepoint Process


SELECT Name FROM Win32_PerfFormattedData_MicrosoftWindowsSharePointMicrosoftSharePointFoundation4_SharePointFoundation SELECT Name FROM Win32_PerfFormattedData_W3SVC_WebService

Monitoring Queries

SELECT ActiveThreads,CurrentPageRequests,ExecutingSqlQueries,GlobalHeapSize, ObjectCacheAlwaysLiveSize,TemplateCacheSize,ProcessID FROM Win32_PerfFormattedData_MicrosoftWindowsSharePointMicrosoftSharePointFoundation4_SharePointFoundation WHERE Name='<processname>'

All Process IDs (Total)

SELECT ProcessID FROM Win32_PerfFormattedData_MicrosoftWindowsSharePointMicrosoftSharePointFoundation4_SharePointFoundation WHERE ProcessID<>0

All Needed Processes (Total)

SELECT IDProcess,PercentProcessorTime FROM Win32_PerfRawData_PerfProc_Process WHERE Name='_Total'

Single Process

SELECT PercentProcessorTime FROM Win32_PerfFormattedData_PerfProc_Process WHERE IDProcess ='<processid>'


SELECT LastBootUpTime,LocalDateTime FROM Win32_OperatingSystem

UTC Time

SELECT Day,Month,Year,Hour, Minute, Second FROM Win32_UTCTime

Volume (previous versions: Free Disk Space (Single Disk))

"Add Sensor" pre-query

SELECT DeviceID, DriveLetter, Name, Label, DriveType, FileSystem FROM Win32_Volume

Monitoring Query

SELECT DeviceID, FreeSpace,Capacity FROM Win32_Volume WHERE DeviceID LIKE '<deviceid>'

Alternative Query

SELECT Driveletter, FreeSpace,Capacity FROM Win32_Volume WHERE Driveletter LIKE '<driveletter>'

More about WQL

Find more information on the WMI Query Language (WQL) in Microsoft's Developer Network.

Created on Sep 13, 2010 10:31:47 AM by  Volker Uffelmann [Paessler Support]

Last change on Sep 15, 2016 12:39:42 PM by  Volker Uffelmann [Paessler Support]

Please log in or register to enter your reply.

Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.