DTLsaysWhat — Reference Manual
Overview
DTLsaysWhat is a Windows system inventory tool written in Python, inspired by the What internal use only Utility written by Stanley Rabinowitz for the DEC VAX/VMS systems in the 80s. It collects detailed information about the local or a remote Windows machine across up to 20 functional categories, and produces both a plain-text report and a navigable HTML report, automatically saved to disk at the end of each run.
Requirements
Python dependencies
The following third-party packages must be installed before use:
pip install wmi pywin32 psutilThe standard library modules used (argparse, ctypes, datetime, io, os, socket, subprocess, sys, winreg) require no additional installation.
Privileges
Some categories (Security, BitLocker, Hyper-V, TPM, Secure Boot, Scheduled Tasks, Firewall) may require the script to be run with elevated privileges (Run as Administrator). Without elevation, those sections may return partial or no data.
Encoding
On French-language Windows systems, cmd.exe defaults to OEM code page 850. The tool detects and handles this automatically. To guarantee correct display of accented characters, it is recommended to either:
- invoke the script with
python -X utf8 DTLsaysWhat.py, or - set the environment variable
PYTHONUTF8=1before running.
Command syntax
python DTLsaysWhat.py [CATEGORY] [--output FILE] [--computer NAME_OR_IP]All arguments are optional. When called with no arguments, the tool defaults to the system category and targets the local machine.
Arguments
Positional argument: CATEGORY
Specifies which inventory category to collect. If omitted, defaults to system.
| Category | Description |
|---|---|
| all | Runs all categories sequentially |
| system | OS identification, version, architecture, uptime, timezone |
| hardware | CPU, motherboard, BIOS/UEFI |
| memory | RAM totals, virtual memory, physical DIMM slots |
| disk | Physical drives and logical volumes |
| gpu | Graphics adapters, VRAM, current resolution, driver version |
| network | Network interfaces, IP addresses, routing table, DNS, active TCP connections, SMB shares, mapped drives, proxy settings |
| software | Installed applications (from registry), AppX/Store packages |
| services | Running services, stopped services with automatic start mode |
| processes | All currently running processes with PID, RAM usage, CPU time |
| startup | Startup entries from WMI and from HKLM/HKCU registry Run keys |
| security | Windows Defender status, firewall profiles, BitLocker, Secure Boot, TPM |
| updates | Installed Windows hotfixes and updates (KB numbers) |
| drivers | Signed PnP drivers with version and manufacturer |
| users | Local accounts, user profiles, current session user and admin status |
| tasks | Active (non-disabled) scheduled tasks outside the Microsoft namespace |
| shares | Local SMB shares and mapped network drives |
| events | Last 20 errors and warnings from System and Application event logs |
| perf | Instantaneous CPU load per core, memory usage, disk usage per volume |
| virt | VM detection (VMware, VirtualBox, Hyper-V, QEMU, KVM, Xen), Hyper-V role status, hosted VMs, WSL distributions |
Option: --output FILE short form: -o FILE
Specifies the path and filename for the text report output. If this option is omitted, the tool automatically generates a filename using the format:
DTLsaysWhat_<HOSTNAME>_<YYYYMMDD_HHMMSS>.txtThe file is written to the current working directory.
Option: --computer NAME_OR_IP
Specifies the target machine for data collection. Accepts either a NetBIOS name or an IP address. Defaults to the local machine's hostname. Remote collection relies on WMI and requires appropriate network access and permissions on the target machine.
Output files
Each run produces two files automatically:
Text report (.txt): Plain UTF-8 text file containing the full console output, structured with section headers and subsection separators.
HTML report (.html): A self-contained HTML file with a dark terminal aesthetic (green-on-black, monospace font). It includes a fixed left-side navigation sidebar linking to each major section, allowing quick navigation across large reports. Both files share the same base name, differing only in extension.
--output is specified as report.txt, the HTML file is saved as report.html. If the output path does not end in .txt, .html is appended to the full path.Data sources
The tool collects data through five complementary mechanisms:
WMI (Windows Management Instrumentation): Used for the majority of hardware, OS, software, service, driver, update, and user data. WMI queries can target a remote machine when --computer is specified.
PowerShell cmdlets: Used for categories that have no direct WMI equivalent or where PowerShell provides richer output. Affected categories include: security, users, tasks, software (AppX packages), events, virt. PowerShell is invoked with UTF-8 output encoding enforced.
Windows native commands: Used selectively within the network category: ipconfig /all for gateway and DNS information, route print for the routing table, net share and net use for SMB shares and mapped drives.
Windows Registry: Used for proxy settings (HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings) and startup entries (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run), and for OEM code page detection.
psutil: Used for real-time process enumeration, network interface statistics, active TCP connections, and instantaneous performance metrics (CPU per core, memory, disk usage).
Categories: data collected
system
Win32_ComputerSystem, Win32_ComputerSystemProduct, Win32_SystemEnclosure, Win32_OperatingSystem, Win32_TimeZone
Machine name, domain or workgroup membership, manufacturer, model, serial number, UUID, chassis type, OS caption, version and build number, architecture, Windows directory, installation date, last boot time, computed uptime, timezone.
hardware
Win32_Processor, Win32_BaseBoard, Win32_BIOS
CPU name, manufacturer, physical and logical core count, base frequency, socket designation, architecture, L2 and L3 cache sizes; motherboard manufacturer, product name, version, serial number; BIOS/UEFI manufacturer, SMBIOS version, release date.
memory
Win32_OperatingSystem, Win32_PhysicalMemory
Total and available physical RAM, total and free virtual memory; per-DIMM slot: bank label, capacity, speed (MHz), memory type (DDR generation), manufacturer, serial number; total DIMM count.
disk
Win32_DiskDrive, Win32_LogicalDisk
Per physical disk: index, model, size, interface type, partition count, serial number, status; per logical volume: drive letter, type (removable/fixed/network/CD/RAM), filesystem, total size, free space, volume label.
gpu
Win32_VideoController
Adapter name, manufacturer, VRAM, current horizontal and vertical resolution, refresh rate, driver version and date, status.
network
psutil (net_if_addrs, net_if_stats, net_connections), ipconfig /all, route print, net share, net use, Windows Registry
Per interface: name, up/down status, link speed, IPv4/IPv6/MAC addresses; default gateways; configured DNS servers; full routing table; established TCP connections (local and remote address/port); local SMB shares; mapped network drives; proxy configuration (enabled/disabled, server address).
software
Windows Registry (HKLM and HKCU Uninstall keys, including Wow6432Node for 32-bit applications), PowerShell Get-AppxPackage
Installed applications sorted alphabetically (name, version, publisher); total application count; AppX/Store package list (name, version).
services
Win32_Service
All currently running services (display name, start mode); all stopped services with start mode set to Automatic (display name, current state).
processes
psutil process_iter
Per process: name, PID, RSS memory usage, total CPU time (user + system, in seconds). Sorted alphabetically by process name.
startup
WMI Win32_StartupCommand, Windows Registry Run keys
WMI startup entries (name, associated user, command line); HKLM Run entries (value name, command); HKCU Run entries (value name, command).
security
PowerShell Get-MpComputerStatus, Get-NetFirewallProfile, Get-BitLockerVolume, Confirm-SecureBootUEFI, Get-Tpm
Windows Defender status (enabled, signature version, signature date, real-time protection, antispyware); per firewall profile (domain/private/public): enabled state, default inbound and outbound actions; BitLocker status per volume (mount point, volume status, protection status); Secure Boot state; TPM properties.
updates
Win32_QuickFixEngineering
Per hotfix: KB identifier, installation date, installing account, description. Sorted by installation date, most recent first.
drivers
Win32_PnPSignedDriver
Per driver: device name, driver version, manufacturer. Sorted alphabetically by device name. Only entries with a non-empty device name are included.
users
PowerShell Get-LocalUser, WMI Win32_UserProfile, environment variables (USERNAME, USERDOMAIN), Windows API IsUserAnAdmin
Local accounts (name, enabled state, last logon); user profiles (local path, loaded state), excluding special system profiles; current session user (domain and account name, administrator status).
tasks
PowerShell Get-ScheduledTask
Non-disabled scheduled tasks outside the \Microsoft\* namespace (task path, task name, state). Sorted by task path.
events
PowerShell Get-EventLog
Last 20 errors and warnings from the System event log, then from the Application event log. Per entry: timestamp, entry type (Error/Warning), event ID, message text.
perf
psutil (cpu_percent, virtual_memory, swap_memory, disk_partitions, disk_usage)
CPU usage percentage per logical core (1-second sample); global CPU load; total, used, and available physical memory with percentage; swap total and used; per mounted volume: used and total space with percentage and filesystem type. Volumes with permission errors are noted.
virt
WMI Win32_ComputerSystem, Win32_BIOS; PowerShell Get-WindowsOptionalFeature, Get-VM; wsl --list --verbose
VM detection result based on model, manufacturer, and BIOS version strings (checked against VMware, VirtualBox, Hyper-V, VBOX, QEMU, KVM, Xen, Microsoft Corporation); Hyper-V Windows feature state; list of hosted VMs if Hyper-V role is active (name, state, assigned memory, generation); WSL distribution list.
Exit behavior
The tool always writes output files before exiting, regardless of category. If writing to the specified or auto-generated path fails (permission error, invalid path), an error message is printed to the console and the corresponding file is skipped. The other output file (text or HTML) is still attempted independently.
Known limitations
- The tool is strictly Windows-only. It imports
wmi,winreg, and calls Windows-specific APIs; it will not run on Linux or macOS. - Remote WMI access (
--computer) does not extend to PowerShell-based subsections (security,users,tasks,softwareAppX,events,virt), which always query the local machine. - Some sections require administrative privileges. Running without elevation produces no error for those sections; the relevant subsection output will simply be empty or contain a "not available" message.
- The
perfcategory provides an instantaneous snapshot only. CPU percentages are sampled over a 1-second interval per call; there is no continuous monitoring mode. - The
eventscategory retrieves the 20 most recent errors and warnings regardless of age; the "24 dernières heures" label in the section header is descriptive intent, not a filter applied to the query.