The Road to Delphi

Delphi – Free Pascal – Oxygene

Getting the installed Antivirus, AntiSpyware and Firewall software using Delphi and the WMI


WMI lets you enumerate the installed (third-party) antivirus, antispyware and firewall software through the root\SecurityCenter or root\SecurityCenter2 namespaces and the AntiVirusProduct, AntiSpywareProduct and FirewallProduct classes.

First, you should know that these classes and namespaces are not documented by Microsoft and are only supported on Windows desktop editions (Windows XP, Windows Vista and Windows 7).
Depending on the Windows version, the properties returned by the same class can change. This is a summary of the classes and properties available in each Windows version:

Windows XP

Namespace : SecurityCenter
Classes available: AntiVirusProduct, FirewallProduct

AntiVirusProduct-Properties

  • companyName
  • displayName
  • enableOnAccessUIMd5Hash
  • enableOnAccessUIParameters
  • instanceGuid
  • onAccessScanningEnabled
  • pathToEnableOnAccessUI
  • pathToUpdateUI
  • productUptoDate
  • updateUIMd5Hash
  • updateUIParameters
  • versionNumber

FirewallProduct-Properties

  • companyName
  • displayName
  • enabled
  • enableUIMd5Hash
  • enableUIParameters
  • instanceGuid
  • pathToEnableUI
  • versionNumber

Windows Vista and Windows 7

Namespace : SecurityCenter2
Classes available: AntiVirusProduct, AntiSpywareProduct, FirewallProduct

AntiVirusProduct, AntiSpywareProduct, FirewallProduct – Properties

  • displayName
  • instanceGuid
  • pathToSignedProductExe
  • pathToSignedReportingExe
  • productState

This is a sample project that determines the antivirus, antispyware and firewall software installed on the system.

program GetSecurityCenterInfo;

{$APPTYPE CONSOLE}

uses
  SysUtils,
  Windows,
  ActiveX,
  ComObj,
  Variants;

type
  TSecurityCenterProduct = (AntiVirusProduct,AntiSpywareProduct,FirewallProduct);
const
  WmiRoot='root';
  WmiClassSCProduct     : array [TSecurityCenterProduct] of string = ('AntiVirusProduct','AntiSpywareProduct','FirewallProduct');
  WmiNamespaceSCProduct : array [Boolean] of string = ('SecurityCenter','SecurityCenter2');

function VerSetConditionMask(dwlConditionMask: int64;dwTypeBitMask: DWORD; dwConditionMask: Byte): int64; stdcall; external kernel32;

{$IFDEF UNICODE}
function VerifyVersionInfo(var LPOSVERSIONINFOEX : OSVERSIONINFOEX;dwTypeMask: DWORD;dwlConditionMask: int64): BOOL; stdcall; external kernel32 name 'VerifyVersionInfoW';
{$ELSE}
function VerifyVersionInfo(var LPOSVERSIONINFOEX : OSVERSIONINFOEX;dwTypeMask: DWORD;dwlConditionMask: int64): BOOL; stdcall; external kernel32 name 'VerifyVersionInfoA';
{$ENDIF}

//verifies that the application is running on Windows 2000 Server or a later server, such as Windows Server 2003 or Windows Server 2008.
function Is_Win_Server : Boolean;
const
   VER_NT_SERVER      = $0000003;
   VER_EQUAL          = 1;
   VER_GREATER_EQUAL  = 3;
var
   osvi             : OSVERSIONINFOEX;
   dwlConditionMask : DWORDLONG;
   op               : Integer;
begin
   dwlConditionMask := 0;
   op:=VER_GREATER_EQUAL;

   ZeroMemory(@osvi, sizeof(OSVERSIONINFOEX));
   osvi.dwOSVersionInfoSize := sizeof(OSVERSIONINFOEX);
   osvi.dwMajorVersion := 5;
   osvi.dwMinorVersion := 0;
   osvi.wServicePackMajor := 0;
   osvi.wServicePackMinor := 0;
   osvi.wProductType := VER_NT_SERVER;

   dwlConditionMask:=VerSetConditionMask( dwlConditionMask, VER_MAJORVERSION, op );
   dwlConditionMask:=VerSetConditionMask( dwlConditionMask, VER_MINORVERSION, op );
   dwlConditionMask:=VerSetConditionMask( dwlConditionMask, VER_SERVICEPACKMAJOR, op );
   dwlConditionMask:=VerSetConditionMask( dwlConditionMask, VER_SERVICEPACKMINOR, op );
   dwlConditionMask:=VerSetConditionMask( dwlConditionMask, VER_PRODUCT_TYPE, VER_EQUAL );

   Result:=VerifyVersionInfo(osvi,VER_MAJORVERSION OR VER_MINORVERSION OR
      VER_SERVICEPACKMAJOR OR VER_SERVICEPACKMINOR OR VER_PRODUCT_TYPE, dwlConditionMask);
end;

procedure  GetSCProductInfo(SCProduct:TSecurityCenterProduct);
var
  FSWbemLocator : OLEVariant;
  FWMIService   : OLEVariant;
  FWbemObjectSet: OLEVariant;
  FWbemObject   : OLEVariant;
  oEnum         : IEnumvariant;
  iValue        : LongWord;
  osVerInfo     : TOSVersionInfo;
begin
  osVerInfo.dwOSVersionInfoSize:=SizeOf(TOSVersionInfo);
  GetVersionEx(osVerInfo);
  if (SCProduct=AntiSpywareProduct) and (osVerInfo.dwMajorVersion<6)  then exit;
  FSWbemLocator := CreateOleObject('WbemScripting.SWbemLocator');
  FWMIService   := FSWbemLocator.ConnectServer('localhost',Format('%s\%s',[WmiRoot,WmiNamespaceSCProduct[osVerInfo.dwMajorVersion>=6]]), '', '');
  FWbemObjectSet:= FWMIService.ExecQuery(Format('SELECT * FROM %s',[WmiClassSCProduct[SCProduct]]),'WQL',0);
  oEnum         := IUnknown(FWbemObjectSet._NewEnum) as IEnumVariant;
  while oEnum.Next(1, FWbemObject, iValue) = 0 do
  begin
    if osVerInfo.dwMajorVersion>=6 then  //windows vista or newer
    begin
      Writeln(Format('displayName                    %s',[FWbemObject.displayName]));// String
      Writeln(Format('instanceGuid                   %s',[FWbemObject.instanceGuid]));// String
      Writeln(Format('pathToSignedProductExe         %s',[FWbemObject.pathToSignedProductExe]));// String
      Writeln(Format('pathToSignedReportingExe       %s',[FWbemObject.pathToSignedReportingExe]));// String
      Writeln(Format('productState                   %s',[FWbemObject.productState]));// Uint32
    end
    else
    begin
     case SCProduct of

        AntiVirusProduct :
         begin
            Writeln(Format('companyName                    %s',[FWbemObject.companyName]));// String
            Writeln(Format('displayName                    %s',[FWbemObject.displayName]));// String
            Writeln(Format('enableOnAccessUIMd5Hash        %s',[FWbemObject.enableOnAccessUIMd5Hash]));// Uint8
            Writeln(Format('enableOnAccessUIParameters     %s',[FWbemObject.enableOnAccessUIParameters]));// String
            Writeln(Format('instanceGuid                   %s',[FWbemObject.instanceGuid]));// String
            Writeln(Format('onAccessScanningEnabled        %s',[FWbemObject.onAccessScanningEnabled]));// Boolean
            Writeln(Format('pathToEnableOnAccessUI         %s',[FWbemObject.pathToEnableOnAccessUI]));// String
            Writeln(Format('pathToUpdateUI                 %s',[FWbemObject.pathToUpdateUI]));// String
            Writeln(Format('productUptoDate                %s',[FWbemObject.productUptoDate]));// Boolean
            Writeln(Format('updateUIMd5Hash                %s',[FWbemObject.updateUIMd5Hash]));// Uint8
            Writeln(Format('updateUIParameters             %s',[FWbemObject.updateUIParameters]));// String
            Writeln(Format('versionNumber                  %s',[FWbemObject.versionNumber]));// String
         end;

       FirewallProduct  :
         begin
            Writeln(Format('companyName                    %s',[FWbemObject.companyName]));// String
            Writeln(Format('displayName                    %s',[FWbemObject.displayName]));// String
            Writeln(Format('enabled                        %s',[FWbemObject.enabled]));// Boolean
            Writeln(Format('enableUIMd5Hash                %s',[FWbemObject.enableUIMd5Hash]));// Uint8
            Writeln(Format('enableUIParameters             %s',[FWbemObject.enableUIParameters]));// String
            Writeln(Format('instanceGuid                   %s',[FWbemObject.instanceGuid]));// String
            Writeln(Format('pathToEnableUI                 %s',[FWbemObject.pathToEnableUI]));// String
            Writeln(Format('versionNumber                  %s',[FWbemObject.versionNumber]));// String
         end;
     end;
    end;
    Writeln('');
    FWbemObject:=Unassigned;
  end;
end;

begin
 try
    if Is_Win_Server then
    begin
     Writeln('Sorry this app only can run in desktop operating systems.');
     Halt;
    end;

    CoInitialize(nil);
    try
      Writeln('AntiVirus Info');
      Writeln('--------------');
      GetSCProductInfo(AntiVirusProduct);
      Writeln('AntiSpyware Info');
      Writeln('----------------');
      GetSCProductInfo(AntiSpywareProduct);
      Writeln('Firewall Info');
      Writeln('-------------');
      GetSCProductInfo(FirewallProduct);
      Readln;
    finally
      CoUninitialize;
    end;
 except
    on E:Exception do
    begin
        Writeln(E.Classname, ':', E.Message);
        Readln;
    end;
  end;
end.

And here is the result of the app.
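
On Vista and Windows 7 the sample prints productState as a raw number, although it is an undocumented bit field. The following added example (not part of the original project) splits it using the layout commonly reported by the community, which is an assumption: bits 16 to 23 identify the provider, bit $10 of the middle byte means protection is enabled, and bit $10 of the low byte means the signatures are out of date. TProductStateInfo, DecodeProductState and Report are names made up for this example.

```pascal
program DecodeProductState;

{$APPTYPE CONSOLE}

uses
  SysUtils;

type
  // Hypothetical record for this example; not part of the WMI classes.
  TProductStateInfo = record
    ProviderFlags : Byte;    // bits 16..23, kept raw (meaning not interpreted here)
    ScannerByte   : Byte;    // bits 8..15
    SignatureByte : Byte;    // bits 0..7
    Enabled       : Boolean;
    UpToDate      : Boolean;
  end;

// Splits the Uint32 productState into its three low-order bytes.
// Assumption (undocumented, community-derived layout):
//   middle byte and $10 <> 0  -> protection enabled
//   low byte    and $10 <> 0  -> signatures out of date
function DecodeProductState(State: LongWord): TProductStateInfo;
begin
  Result.ProviderFlags := (State shr 16) and $FF;
  Result.ScannerByte   := (State shr 8) and $FF;
  Result.SignatureByte := State and $FF;
  Result.Enabled       := (Result.ScannerByte and $10) <> 0;
  Result.UpToDate      := (Result.SignatureByte and $10) = 0;
end;

procedure Report(State: LongWord);
var
  Info: TProductStateInfo;
begin
  Info := DecodeProductState(State);
  Writeln(Format('productState %d ($%.6x): provider=$%.2x enabled=%s upToDate=%s',
    [State, State, Info.ProviderFlags,
     BoolToStr(Info.Enabled, True), BoolToStr(Info.UpToDate, True)]));
end;

begin
  Report(393472); // value quoted by a reader in the comments of this post
  Report(397312); // constructed sample: enabled bit set, signatures current
  Report(397328); // constructed sample: enabled bit set, out-of-date bit set
end.
```

In the sample project, pass FWbemObject.productState to DecodeProductState instead of printing the number alone; because the layout is undocumented, treat the result as a hint and confirm it against the product's own status.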

Author: Rodrigo

Just another Delphi guy.

21 thoughts on “Getting the installed Antivirus, AntiSpyware and Firewall software using Delphi and the WMI”

  2. very good to have Delphi coming back to scene with this beautiful code. Simply delicious.

  3. Hi Rodrigo,

    As usual, very good examples and great stuff on your blog. I’ve run the code provided (I work on Delphi 7), and there were some variables and consts that were missing:

    on type section
    OSVERSIONINFOEX = packed record
    dwOSVersionInfoSize: DWORD;
    dwMajorVersion: DWORD;
    dwMinorVersion: DWORD;
    dwBuildNumber: DWORD;
    dwPlatformId: DWORD;
    szCSDVersion: array[0..127] of Char;
    wServicePackMajor: WORD;
    wServicePackMinor: WORD;
    wSuiteMask: WORD;
    wProductType: BYTE;
    wReserved: BYTE;
    end;

    DWORDLONG = UInt64;

    and the consts:

    VER_MINORVERSION = $0000001;
    VER_MAJORVERSION = $0000002;
    VER_SERVICEPACKMINOR = $0000010;
    VER_SERVICEPACKMAJOR = $0000020;
    VER_PRODUCT_TYPE = $0000080;

    in rest the example works like a charm.

    Best regards,
    Radu

  4. Hello Rodrigo:

    Fantastic, but the antispyware detection section is missing

    case SCProduct of
    :AntiSpywareProduct …

    on my XP, in the SecurityCenter namespace, no class appears
    that I could use; otherwise, as I said, it is fantastic.

    Congratulations

    Alfredo

    • OK, I'll answer myself: as you say, AntiSpywareProduct is only available
      for Vista and Windows 7 under SecurityCenter2

      I imagine the missing code would be something like this:

      AntiSpywareProduct :
      begin
      //Writeln(Format('Fabricante %s',[FWbemObject.companyName]));
      Writeln(Format('Nombre del Producto %s',[FWbemObject.displayName]));
      Writeln(Format('version %s',[FWbemObject.versionNumber]));
      //Writeln(Format('Activo %s',[FWbemObject.enabled]));
      Writeln(Format('Instancia Guid %s',[FWbemObject.instanceGuid]));
      Writeln(Format('Path Exe Firmado %s',[FWbemObject.pathToSignedProductExe]));
      Writeln(Format('Path Exe firmado para reportes %s',[FWbemObject.pathToSignedReportingExe]));
      end;

      thanks again

  5. hello
    thanks for the article!!!
    it doesn't detect Windows 7's own firewall
    what does “product state” 393472 mean? how do I know whether it is active or not and whether it can interfere with my installer?

    Thanks! DAniel

  6. Hi, I cannot see anything for firewallinfo on my Windows7 computer. The built-in Windows firewall is enabled. Does any trick exist that I am missing? Best regards.

  7. Hi guys,

    I’ve developed a Delphi web server that allows the users to upload files; in order to keep the server free of viruses, I’d like to check every single file the users load. Is there a way to call the “file scan process” of the default antivirus by using WMI?

    thanks very much in advance,

  9. Why this can only run in desktop operating systems?
