How to get Antivirus information with WMI (VBScript)

Hi all, welcome back,

As we read in Windows Security Center – Managing the State of Security, the vast majority of antivirus Independent Software Vendors (ISVs) support WMI integration. Windows Security Center uses it to detect antivirus and firewall solutions.

The following script shows how to get some information from those solutions:


' "." targets the local computer
strComputer = "."

' Connect to the legacy Security Center WMI namespace
Set oWMI = GetObject( _
    "winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\SecurityCenter")

' One AntiVirusProduct instance is returned per registered antivirus product
Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")

For Each objItem in colItems
    With objItem
        WScript.Echo .companyName
        WScript.Echo .displayName
        WScript.Echo .instanceGuid
        WScript.Echo .onAccessScanningEnabled
        WScript.Echo .pathToSignedProductExe
        WScript.Echo .productHasNotifiedUser
        WScript.Echo .productState
        WScript.Echo .productUptoDate
        WScript.Echo .productWantsWscNotifications
        WScript.Echo .versionNumber
    End With
Next



Alex (Alejandro Campos Magencio)

Comments (37)

  1. thewiseWAN says:

    What about 64-bit systems… XP-64 2003-64 bit doesn’t seem to have this namespace. I’ve verified with the WMICodeCreator or ScriptoMatic…

  2. You are right, root\securitycenter namespace is not in x64 systems by default.

    An antivirus WMI provider must be installed for that namespace to exist in x64 systems.

    You should contact the Antivirus Vendor and ask for the WMI provider.



  3. Basant says:

    Is it possible to get Antivirus information with WMI (VBScript) in case of Windows Vista and Windows 2008. If yes then can you please guide…


  4. Hi,

    This namespace is no longer available on Windows Vista SP1/2008 Server. That namespace is the legacy store for ISV products to register and report the status of their AV/AS/FW products.

    We no longer support writing directly to the root\securitycenter WMI namespace, and instead vendors must use our API. This API is not published and is only made available for those vendors that meet the criteria. Contact info can be found here:

    Implementing the Teredo Security Model


    The API utilized to register a firewall with the WSC can be obtained by contacting Microsoft at A Non-Disclosure Agreement (NDA) is required for the disclosure of this API due to security concerns.


    I’ve only found this public info on the API:

    Windows Security Center



  5. LocTeam says:

    So I am reading your blog post entitled “How to get Antivirus information with WMI (VBScript)”, you state that writing to the root\SecurityCenter namespace is no longer supported in Vista SP1 and Windows 2008. However I’m unclear if this namespace is supported for reading data going forward.

    Brief background: I do a lot of work with ConfigMgr, and during my reviews of some environments I find lots of workstations that are listed within ConfigMgr that are not listed within AV management software (EPO for example). I want to create a ConfigMgr update that will read and collect all the root\SecurityCenter. This task should be easily done, 1-2 days to update and test. Then we would compare the EPO results to the ConfigMgr results, comparing/fixing the differences between both products. However, if this class is not being updated by the majority of AV vendors any more, then is there another class that is being used now?

  6. John says:

    I would also like to know where to look for WMI antivirus status in Vista SP1+. I’ve checked root\securitycenter2 but all that’s listed there is one single entry for "displayName = Trend Micro Client/Server Security Agent Antivirus"

    Nothing there for AV status or if it’s up to date.

    How can you get antivirus information with wmi for Vista SP1 or SP2 (or windows 7 for that matter)?


  7. John says:

    I believe the solution to querying antivirus status on Vista SP1/SP2 is with the strange "productState" value. This seems to represent the entire AV status as a number.


    C:\>WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState /Format:List

    displayName=Trend Micro Client/Server Security Agent Antivirus


    If you stop the AV services, the productState changes to 262144.

    productState=262144 = Up to Date Defs, On Access Scanning OFF

    productState=266240 = Up to Date Defs, ON Access Scanning ON

    Is there any info from Microsoft regarding these productState values? Are they different for each AV version etc. etc..


  8. Victor says:

    Hi John,

    Did you get any further on the productstates?


  9. Victor says:

    To read the product state you have to use the WscGetSecurityProviderHealth in the wscapi.dll

    More information here:

    There is also an example in the Windows Software Development Kit (SDK) for Windows Server 2008 and .NET Framework 3.5

  10. Sohail Patel says:

    How to check on Windows 2003??

    is there any way to get the Av information

  11. Ryan says:

    I am also looking for more information about productstates.  Victor’s post doesn’t really explain the values given by WMI.

  12. Jeremiah says:

    Is it possible to save the scan results into a .txt file?

  13. John says:

    Sorry for the late reply Victor, just seeing this now.

    Anyway, we are successfully looking for these values:

    productState=266240: This means AV has up to Date Definitions with ON Access Scanning turned ON

    productState=262144 = This means the AV is up to Date Defs but On Access Scanning OFF

    There are other values but these are not necessary since in our case all we care about is productState=266240 otherwise we have an AV problem.

    I wrote a nagios monitoring plug-in to audit all machines on the network looking for productState=266240 (AV okay) and if not 266240 then there is some problem that needs to be investigated so flag an alert.

    That’s sufficient for our needs.



  14. Sohail Patel says:


    Could you please let us know is it possible to fetch the Av information installed on Server Operating System?

    As I checked and found that this script shows for desktops Only..

  15. Etna says:

    Can somebody provide value map for

    AntiVirusProduct.productState ?

    Developer "forgot" to put it propery qualifier in class definition.

    I am getting productState = 397312 and would like to know what it means.

  16. Seb says:


    Any answer for the previous post anyone? I have the same productState using Microsoft Security Essentials installed and up to date on a Windows 7 box.


  17. James says:

    I am also receiving 397312.

    I am using ForeFront Client Security, and it is up to date with real-time scanning and daily scans, so I am assuming that state just means it’s OK..

    What is the state of your anti virus with this code?

  18. Prado says:

    I’ve caught another value which meaning is:

    productState=266256 = NOT Up to Date Defs, On Access Scanning ON

    Can anybody confirm about the productState=397312 meaning everything fine (uptodate and scanning on)?

    John, can you tell us where we can see the other values and the meanings? I think that would be very useful for everybody.

    Does anyone know about the Firewall productstate values? Because till now, I couldn’t get any value, even with a 3rd party FW installed. For now, I’m just assuming that if FW.productstate=266240 everything is fine..but it’s just an assumption, nothing more..



  19. SQ says:

    Does anybody know which is the closest property I can get for "FW.enabled" on VISTA?

    How can we list out all the properties supported by the FW object?

    JP, the productstate is different for me. I ran it on two different computers and it gave me different values. I don't think that can be used with reliability.

  20. scorpionqueen says:

    Sorry , I was wrong there. The FW.productstate does stay static. Every product has two productstate values.

    One when everything is fine and two, when something changes. I tried toggling between firewall on/off, uninstalled the firewall product and it gave me consistent FW.productstate values

  21. Alex says:

    If you convert it in HEX you have :

    Byte 1 : I think it’s Type of Antivirus (see :

    Byte 2 : Active/Unactive status (10 :active, 00 : unactive)

    Byte 3 : No idea…

    For example :

    397312  => 0x061000

    06 : 0x04 & 0x02 : Antivirus with AutoUpdate

    10 : Active

    00 : ??

    That’s what I think, but I can’t find anything to confirm it…

  22. michu says:

    posted about the securitycenter2 and client antivirus states on my blog, based on comments on this site!

  23. Kastu says:

    Can you help me? I want to get AntiVirusProduct (displayName, companyName) on Windows 2008 Server, but it does not have SecurityCenter. To get this information, which path (e.g. root/securitycenter) do I use on a server OS, or is there another method for this problem? Please tell me.

    My EMail:

    Thanks a lot.

  24. CodedFreak says:


    These are bit fields, you don't check to see if it equals a particular number

    (from the right) 19th bit == Anti Virus is on

    (from the right) 13th bit == On Access Scanning

    397312 for example

    00000000 00000110 00010000 00000000

    19th bit (yes) = Av on

    13th bit (yes) = On Access Scanning

    I'm not entirely sure what that other bit means.

    In vbscript

    ' 262144 = 2^18, the 19th bit from the right
    if (262144 = (productState and 262144)) then
        wscript.echo "Av is On"
    else
        wscript.echo "Av Is Off"
    end if

    ' 4096 = 2^12, the 13th bit from the right
    if (4096 = (productState and 4096)) then
        wscript.echo "On Access Scanning enabled"
    else
        wscript.echo "On Access Scanning Disabled"
    end if

    —- That will always work if i have my scripting right —- [As opposed to hit and miss]

  25. CodedFreak says:

    To correct my post

    the 19th bit means it's up to date!

  26. CodedFreak says:

    Sigh of frustration

    OK Correction again. This time I've checked carefully,

    19th bit = not so sure but, Av is turned on ( I wouldn't be sure it's enabled)

    13th bit = On Access Scanning (Memory Resident Scanning) is on, this tells you that the product is scanning every file that you open as opposed to just scanning at regular intervals.

    5th Bit = if this is true (==1) the virus scanner is out of date
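
The bit tests described in comments 24 to 26, as an added example that is not part of the original post or of any comment: a VBScript that decodes productState with masks instead of comparing against whole numbers, then queries root\SecurityCenter2 and handles the case where the namespace is missing. The mask meanings are the commenters' observations, not a documented Microsoft value map, and the names DescribeState and MASK_* are chosen here.

```vbscript
Option Explicit

' Masks as reported in the comments above; observed behaviour,
' not a value map documented by Microsoft (assumption).
Const MASK_AV_ON       = 262144  ' "19th bit" (0x40000): product turned on
Const MASK_ON_ACCESS   = 4096    ' "13th bit" (0x1000): on-access scanning
Const MASK_OUT_OF_DATE = 16      ' "5th bit"  (0x10): definitions out of date

' DescribeState is a name chosen for this example.
Function DescribeState(ByVal state)
    Dim parts(2)
    If (state And MASK_AV_ON) = MASK_AV_ON Then
        parts(0) = "AV on"
    Else
        parts(0) = "AV off"
    End If
    If (state And MASK_ON_ACCESS) = MASK_ON_ACCESS Then
        parts(1) = "on-access scanning on"
    Else
        parts(1) = "on-access scanning off"
    End If
    If (state And MASK_OUT_OF_DATE) = MASK_OUT_OF_DATE Then
        parts(2) = "definitions out of date"
    Else
        parts(2) = "definitions up to date"
    End If
    DescribeState = Join(parts, ", ")
End Function

' Values quoted in the comments on this page, decoded offline first.
Dim sample
For Each sample In Array(262144, 266240, 266256, 397312)
    WScript.Echo sample & " (0x" & Hex(sample) & "): " & DescribeState(sample)
Next

' Live query. Several comments report the namespace missing on some
' systems, so the connection error is handled instead of aborting.
Dim oWMI, objItem
On Error Resume Next
Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")
If Err.Number <> 0 Then
    WScript.Echo "root\SecurityCenter2 unavailable (0x" & Hex(Err.Number) & ")"
    WScript.Quit 2
End If
On Error GoTo 0
For Each objItem In oWMI.ExecQuery("Select displayName, productState from AntiVirusProduct")
    WScript.Echo objItem.displayName & ": " & DescribeState(objItem.productState)
Next
```

Run it with cscript.exe so each Echo goes to the console rather than a message box; a monitoring check built on it should alert on the individual flags, since the remaining bits differ between products.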

  27. Mike says:

    Hi there!

    I think you should check out there are 2 or 3 products that may be a match. I think that OESIS Framework at…/oesis-framework provides a single interface to many antivirus packages. Another option is, I think, Metascan at…/metascan which is more for ISV. I also found that many antivirus engines certified by OPSWAT at

    I hope this helps.


  28. balaji says:

    When I run this script it says exit code 0.. what does it mean?

  29. Akshay says:

    Will this wmi work for window server 2003 for small business server sp 2. If no is there any other way.

  30. you may also want to check OPSWAT OESIS Framework says:

    If you are looking for additional data related to the pre-installed security application such as the threat the antivirus found or the authenticity of the security application you may want to check out OPSWAT OESIS Framework , please note – it is a commercial application  

  31. OESIS Framework says:

    Hey Guys,

    another alternative to WMI is OPSWAT OESIS framework. Although it does not come free with Microsoft, it supports MAC OS, IOS, Android and other features in antivirus manageability such as

    get threat logs, the status of the hard disk encryption and other features WMI does not report

    the API are pure C / C++ or COM

  32. Amir Moghaddam says:

    What does WMI report for features in antivirus products like back-up or disk encryption?

  33. Kamran Chehrazi says:

    Don’t think WMI supports this.  There is an SDK called OPSWAT that uses WMI that includes back-up and encryption data that can be called via VB.

  34. Graham says:

    Thanks for the Script.  A few lines had to be removed as the classes weren't available.


  35. James says:

    Here are the productState values I have found from 34 different AV products across over 10000 endpoints:

    ( Decimal, Hex, Bit Set )

    262144, 40000, 1000000000000000000

    262160, 40010, 1000000000000010000

    266240, 41000, 1000001000000000000

    270336, 42000, 1000010000000000000

    327680, 50000, 1010000000000000000

    327696, 50010, 1010000000000010000

    331776, 51000, 1010001000000000000

    344064, 54000, 1010100000000000000

    393216, 60000, 1100000000000000000

    393232, 60010, 1100000000000010000

    393472, 60100, 1100000000100000000

    393488, 60110, 1100000000100010000

    397312, 61000, 1100001000000000000

    397328, 61010, 1100001000000010000

    397568, 61100, 1100001000100000000

    397584, 61110, 1100001000100010000

    458752, 70000, 1110000000000000000

    458768, 70010, 1110000000000010000

    462848, 71000, 1110001000000000000

    462864, 71010, 1110001000000010000

  36. Ajay Vishwakarma says:

    Hi ! Is it possible to get the antivirus license info using wmi ???

  37. WrkTrechTru says:

    Is it possible to get the detailed description of the product state values whether they are up to date or not