DTLsaysWhat — User Guide

A practical guide to running DTLsaysWhat and interpreting its output, illustrated with real examples from a Windows 11 machine.

version1.0 platformWindows only scriptDTLsaysWhat.py requiresPython 3 + wmi + pywin32 + psutil

Overview

DTLsaysWhat is a Windows system inventory tool written in Python. Inspired by the WHAT utility developed by Stanley Rabinowitz for DEC VAX/VMS systems in the 1980s, it collects detailed information about the local or a remote Windows machine, organized into up to 20 functional categories.

Every run automatically produces two output files saved to disk: a plain-text report (.txt) and a self-contained navigable HTML report (.html) with a fixed left sidebar.

Quick Start

Install dependencies

pip install wmi pywin32 psutil

Run a full inventory

python DTLsaysWhat.py all

This collects all 20 categories sequentially and writes two files in the current directory, named after the hostname and timestamp:

DTLsaysWhat_HOSTNAME_20260528_081930.txt
DTLsaysWhat_HOSTNAME_20260528_081930.html

Run a single category

python DTLsaysWhat.py system
python DTLsaysWhat.py security
python DTLsaysWhat.py perf

Specify an output path

python DTLsaysWhat.py all --output C:\Reports\inventory.txt

The HTML file is saved alongside as inventory.html.

Command Syntax

python DTLsaysWhat.py [CATEGORY] [--output FILE] [--computer NAME_OR_IP]

All arguments are optional. Without arguments, the tool defaults to the system category and targets the local machine.

ArgumentShort formDescription
CATEGORYCategory to collect (see list below). Defaults to system if omitted. Use all to run every category.
--output FILE-o FILEPath for the text output file. If omitted, auto-generated from hostname and timestamp.
--computer NAMETarget machine name (NetBIOS) or IP address. Defaults to local host.

Output Files

Each run always produces two files regardless of the category selected.

Text report (.txt): UTF-8 plain text, structured with section headers and subsection separators. Suitable for archiving, diffing, or sending to a colleague.

HTML report (.html): Self-contained HTML file with a dark terminal aesthetic (green on black, monospace font). Includes a fixed left sidebar with anchor links to each section, making it easy to navigate long reports. Both files share the same base name.

If --output is set to report.txt, the HTML file is saved as report.html. If the output path does not end in .txt, .html is appended to the full path.
Write errors: If the tool cannot write to the specified or auto-generated path (permission denied, invalid path), an error is printed to the console and that file is skipped. The other output file (text or HTML) is still attempted independently.

Permissions

Several categories require elevated privileges (Run as Administrator). Without elevation, these sections will return partial data or nothing at all — no error is raised, the subsection output simply stays empty or shows a "not available" message.

Categories that benefit from elevation: security (BitLocker, Hyper-V, TPM, Secure Boot, Firewall), tasks, users, virt.

Categories: Output Reference

The following sections document each category with a description of the data collected and a representative extract from a real run on a Windows 11 machine (Acer Predator PO3-600, i7-8700, 16 GB RAM).

system

Machine identity, OS details, uptime, and timezone. This is the default category when none is specified.
Data sources

Win32_ComputerSystem, Win32_ComputerSystemProduct, Win32_SystemEnclosure, Win32_OperatingSystem, Win32_TimeZone

Sample output
SYSTEM --- Identification --- Machine name : PREDATOR Domain / Workgroup : WORKGROUP (workgroup) Manufacturer : Acer Model : Predator PO3-600 Serial number : (classified) UUID : (classified) Chassis type : Desktop --- Operating system --- OS : Microsoft Windows 11 Professional Version / Build : 10.0.26200 (Build 26200) Architecture : 64-bit Windows directory : C:\WINDOWS Installation : 07-06-2025 15:59:55 Last boot : 28-05-2026 06:15:48 (uptime: 0d 2h 3m) --- Time zone --- Time zone : (UTC+01:00) Brussels, Copenhagen, Madrid, Paris

hardware

Processor details, motherboard, and BIOS/UEFI firmware information.
Data sources

Win32_Processor, Win32_BaseBoard, Win32_BIOS

Sample output
HARDWARE --- Processor(s) --- Name : Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz Manufacturer : GenuineIntel Physical cores : 6 Logical cores : 12 Base frequency : 3192 MHz Socket : U3E1 Architecture : x64 L2 cache : 1536 KB L3 cache : 12288 KB --- Motherboard --- Manufacturer : Acer Product : Predator PO3-600 Version : V:1.1 Serial number : (classified) --- BIOS / UEFI --- Manufacturer : American Megatrends Inc. Version : R01-C1 Date : 08-04-2020 00:00:00 SMBIOS version : 3.2

memory

Physical RAM totals, virtual memory, and per-DIMM slot details (capacity, speed, type, manufacturer).
Data sources

Win32_OperatingSystem, Win32_PhysicalMemory

Sample output
MEMORY Total RAM : 15.92 GB Available RAM : 8.92 GB Virtual memory : 18.29 GB total / 8.80 GB free --- Physical sticks --- Slot 1 : BANK 3 8.00 GB 2400 MHz Type: Unknown Manufacturer: Kingston SN: (classified) Slot 2 : BANK 2 8.00 GB 2400 MHz Type: Unknown Manufacturer: 0000 SN: (classified) Stick count : 2
Note: The memory type may show as "Unknown" when the WMI class does not return a recognized DDR generation value. This is a WMI limitation, not a tool error.

disk

Physical drives (model, size, interface, partitions, serial, status) and logical volumes (drive letter, type, filesystem, total/free space, label).
Data sources

Win32_DiskDrive, Win32_LogicalDisk

Sample output
DISKS AND VOLUMES --- Physical disks --- Disk 0 : HFS128G39TND-N210A Size : 119.24 GB Interface : SCSI Partitions : 4 SN : (classified) Status : OK Disk 1 : TOSHIBA DT01ACA100 Size : 931.51 GB Interface : SCSI Partitions : 1 SN : (classified) Status : OK Disk 2 : WD My Passport 259F USB Device Size : 931.48 GB Interface : USB Partitions : 1 SN : (classified) Status : OK --- Logical volumes --- C: [Fixed] NTFS 117.90 GB total / 4.76 GB free Label: N/A D: [Fixed] NTFS 931.51 GB total / 132.43 GB free Label: Autres E: [CD/DVD] N/A N/A total / N/A free Label: N/A F: [Fixed] NTFS 931.48 GB total / 295.27 GB free Label: Backup_2 G: [Fixed] exFAT 931.45 GB total / 110.56 GB free Label: Backup_1

gpu

Graphics adapter name, manufacturer, VRAM, current resolution and refresh rate, driver version and date.
Data sources

Win32_VideoController

Sample output
GPU Name : NVIDIA GeForce GTX 1060 6GB Manufacturer : NVIDIA VRAM : -1048576 B Current resolution : 1920 x 1080 @ 60 Hz Driver : 32.0.15.7270 dated 03-03-2025 00:00:00 Status : OK
Note: VRAM may show a negative value (e.g. -1048576 B) for some cards. This is a known WMI reporting quirk for certain NVIDIA configurations and does not indicate a hardware problem.

network

Network interfaces with IPv4/IPv6/MAC addresses, default gateways, DNS servers, routing table, active TCP connections, SMB local shares, mapped network drives, and proxy configuration.
Data sources

psutil (net_if_addrs, net_if_stats, net_connections), ipconfig /all, route print, net share, net use, Windows Registry

Sample output
NETWORK --- Network interfaces and IP addresses --- [output classified on this machine] --- Mapped network drives --- New connections will be remembered. The list is empty. --- Proxy (current user) --- Proxy : not configured

software

Installed applications (name, version, publisher), pulled from the Windows Registry including 32-bit entries, sorted alphabetically. Also lists AppX/Store packages.
Data sources

Registry (HKLM and HKCU Uninstall keys, including Wow6432Node), PowerShell Get-AppxPackage

Sample output
INSTALLED SOFTWARE 4K Video Downloader+ 26.0.8.0295 InterPromo GMBH 7-Zip 24.08 (x64 edition) 24.08.00.0 Igor Pavlov Adobe Acrobat (64-bit) 26.001.21563 Adobe Everything 1.4.1.1030 (x64) 1.4.1.1030 voidtools FileZilla 3.69.6 3.69.6 Tim Kosse GIMP 3.0.2-1 3.0.2.1 The GIMP Team Git 2.54.0 The Git Development Community Google Chrome 148.0.7778.179 Google LLC Logi Options+ 2.3.879545 Logitech Microsoft Edge 148.0.3967.83 Microsoft Corporation Mozilla Firefox (x64 en-US) 138.0.4 Mozilla Python 3.13.3 (64-bit) 3.13.3150.0 Python Software Foundation VLC media player 3.0.21 VideoLAN ... [full list continues alphabetically]
Tip: Chrome progressive web apps (PWAs) installed per-profile appear as individual entries named "Gmail", "Google Drive", "Docs", etc. — this is expected and reflects the registry state accurately.

services

Two subsections: all currently running services (name, startup mode), and all stopped services with Automatic startup mode (name, current state). The latter is particularly useful for spotting services that should be running but are not.
Data sources

Win32_Service

Sample output
SERVICES --- Running services --- Antivirus Microsoft Defender [Auto] Application Frame Host [Auto] Broker Infrastructure [Auto] Microsoft Defender Antivirus Service [Auto] WLAN AutoConfig [Auto] Cryptographic Services [Auto] Print Spooler [Auto] SysMain [Auto] Windows Search [Auto] XTUOCDriverService [Auto] ... [full list continues] --- Stopped services (automatic startup) --- Group Policy Client Status: Stopped Downloaded Maps Manager Status: Stopped Intel(R) TPM Provisioning Service Status: Stopped Microsoft Edge Update Service (edgeupdate) Status: Stopped Software Protection Status: Stopped Google Update Service (gupdate) Status: Stopped

processes

All currently running processes, sorted alphabetically by name. For each process: name, PID, RSS memory usage, and total CPU time (user + system, in seconds).
Data sources

psutil process_iter

Sample output
RUNNING PROCESSES AdobeCollabSync.exe PID: 10324 RAM: 29.17 MB CPU: 25.9s chrome.exe PID: 15560 RAM: 222.62 MB CPU: 238.8s chrome.exe PID: 16068 RAM: 262.63 MB CPU: 179.8s chrome.exe PID: 16580 RAM: 270.04 MB CPU: 48.3s chrome.exe PID: 20748 RAM: 324.83 MB CPU: 59.3s dwm.exe PID: 1704 RAM: 92.30 MB CPU: 410.0s explorer.exe PID: 9968 RAM: 344.11 MB CPU: 87.2s logioptionsplus_agent.exe PID: 10580 RAM: 122.94 MB CPU: 130.4s MemCompression PID: 668 RAM: 363.42 MB CPU: 4.6s MsMpEng.exe PID: 4760 RAM: 313.55 MB CPU: 290.2s python.exe PID: 1460 RAM: 42.56 MB CPU: 6.2s System PID: 4 RAM: 164.00 KB CPU: 480.4s System Idle Process PID: 0 RAM: 8.00 KB CPU: 83884.6s thunderbird.exe PID: 3996 RAM: 216.71 MB CPU: 26.5s ... [full list continues]
Note: CPU time is cumulative since process start, not a current utilization percentage. The perf category provides instantaneous CPU load per core.

startup

Programs configured to run at startup, from three sources: WMI startup commands, HKLM Run registry key, and HKCU Run registry key. Useful for auditing persistence and auto-launch entries.
Data sources

WMI Win32_StartupCommand, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Sample output
STARTUP PROGRAMS --- WMI Win32_StartupCommand entries --- Adobe Acrobat Synchronizer User: PREDATOR\user Command: "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" Everything User: Public Command: "C:\Program Files\Everything\Everything.exe" -startup Open-Shell Start Menu User: Public Command: "C:\Program Files\Open-Shell\StartMenu.exe" -autorun RtkAudUService User: Public Command: "C:\WINDOWS\System32\RtkAudUService64.exe" -background SecurityHealth User: Public Command: %windir%\system32\SecurityHealthSystray.exe --- Registry (HKLM\...\Run) --- Everything "C:\Program Files\Everything\Everything.exe" -startup Open-Shell Start Menu "C:\Program Files\Open-Shell\StartMenu.exe" -autorun RtkAudUService "C:\WINDOWS\System32\RtkAudUService64.exe" -background SecurityHealth %windir%\system32\SecurityHealthSystray.exe --- Registry (HKCU\...\Run) --- Adobe Acrobat Synchronizer "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe"

security

Security posture snapshot: Windows Defender status and signature freshness, firewall profiles (domain/private/public), BitLocker volume encryption state, Secure Boot, and TPM properties.
Data sources

PowerShell: Get-MpComputerStatus, Get-NetFirewallProfile, Get-BitLockerVolume, Confirm-SecureBootUEFI, Get-Tpm

Sample output
SECURITY --- Windows Defender --- AntivirusEnabled : True AntivirusSignatureVersion : 1.451.138.0 AntivirusSignatureLastUpdated : 28/05/2026 00:51:41 RealTimeProtectionEnabled : True AntispywareEnabled : True --- Firewall --- Name Enabled DefaultInboundAction DefaultOutboundAction ---- ------- -------------------- --------------------- Domain True NotConfigured NotConfigured Private True NotConfigured NotConfigured Public True NotConfigured NotConfigured --- BitLocker --- MountPoint VolumeStatus ProtectionStatus ---------- ------------ ---------------- C: FullyDecrypted Off D: FullyDecrypted Off --- Secure Boot --- Secure Boot : Enabled --- TPM --- TpmPresent : True TpmReady : True TpmEnabled : True TpmActivated : True ManufacturerIdTxt : INTC ManufacturerVersion : 403.1.0.0
Requires elevation: BitLocker, firewall, TPM, and Secure Boot data require Administrator privileges. Without elevation, these subsections will be empty.

updates

Installed Windows updates and hotfixes (KB articles), sorted by installation date with the most recent first.
Data sources

Win32_QuickFixEngineering

Sample output
INSTALLED UPDATES KB5092762 5/12/2026 NT AUTHORITY\System Security Update KB5092734 5/27/2026 NT AUTHORITY\System Update KB5089573 5/27/2026 NT AUTHORITY\System Update KB5092427 5/27/2026 NT AUTHORITY\System Update KB5054156 9/30/2025 NT AUTHORITY\System Update
Note: Win32_QuickFixEngineering only lists hotfixes deployed via the Windows Update legacy path. Feature updates and major Windows upgrades are not enumerated here.

drivers

All installed signed PnP drivers with device name, driver version, and manufacturer. Sorted alphabetically by device name. Entries with an empty device name are excluded.
Data sources

Win32_PnPSignedDriver

Sample output
INSTALLED DRIVERS ACPI Fan 10.0.26100.1150 (Standard system devices) Acer System Firmware R01-C1 5.35.12.10 Acer Inc. Brother HL-4150CDN series 1.7.0.0 Brother Disk drive 10.0.26100.8521 (Standard disk drives) HID Keyboard Device 10.0.26100.8521 (Standard keyboards) Intel(R) Wireless-AC 9462 22.10.0.7 Intel Corporation Intel(R) Wireless Bluetooth(R) 23.120.0.4 Intel Corporation NVIDIA GeForce GTX 1060 6GB 32.0.15.7270 NVIDIA Realtek Audio 6.0.1.8627 Microsoft Realtek Audio Universal Service 1.0.0.151 Realtek Trusted Platform Module 2.0 10.0.26100.8521 (Standard) USB Root Hub (USB 3.0) 10.0.26100.8521 (Standard USB HUBs) ... [full list continues]

users

Local user accounts (name, enabled state, last logon), loaded user profiles (local path, loaded status), and the current session user with administrator status.
Data sources

PowerShell Get-LocalUser, WMI Win32_UserProfile, environment variables (USERNAME, USERDOMAIN), Windows API IsUserAnAdmin

Sample output
USERS --- Local accounts --- Name Enabled LastLogon ---- ------- --------- Administrateur False 13/10/2024 16:31:13 client True 28/05/2026 06:21:29 DefaultAccount False Invité False WDAGUtilityAccount False --- User profiles --- C:\WINDOWS\ServiceProfiles\MariaDB Loaded: False C:\Users\user Loaded: True --- Current user --- Account : PREDATOR\user Administrator : True

tasks

Scheduled tasks that are not disabled and fall outside the \Microsoft\* namespace, sorted by task path. This focuses on third-party and user-created tasks.
Data sources

PowerShell Get-ScheduledTask

Sample output
SCHEDULED TASKS TaskPath TaskName State -------- -------- ----- \ Adobe Acrobat Update Task Ready \ BACKUP 2026 Ready \ BACKUP 2 2026 Ready \ MicrosoftEdgeUpdateTaskMachineCore Ready \ MicrosoftEdgeUpdateTaskMachineUA Ready \ npcapwatchdog Ready \ NVIDIA App SelfUpdate_... Ready \ PredatorSense Ready \GoogleSystem\GoogleUpdater\ GoogleUpdaterTaskSystem149.0.7814.0{...} Ready \Mozilla\ Firefox Default Browser Agent 308046B0AF4A39CB Ready \Mozilla\ Firefox Background Update 308046B0AF4A39CB Ready

shares

Local SMB shares (name, path, description) and mapped network drives (local drive letter, remote UNC path, connection state).
Data sources

Win32_Share, Win32_NetworkConnection

Sample output
NETWORK SHARES --- Local SMB shares --- [output classified on this machine] --- Mapped network drives --- [none configured on this machine]

events

The 20 most recent errors and warnings from the System event log, followed by the 20 most recent from the Application event log. Each entry includes timestamp, type, Event ID, and message text.
Data sources

PowerShell Get-EventLog

Sample output
RECENT EVENTS --- Log: System --- TimeGenerated : 28/05/2026 06:36:29 EntryType : Warning EventID : 10016 Message : The description for Event ID '10016' from source 'DCOM' cannot be found... TimeGenerated : 28/05/2026 06:21:17 EntryType : Error EventID : 1801 Message : Updated Secure Boot certificates are available on this device but have not yet been applied to the firmware... --- Log: Application --- TimeGenerated : 27/05/2026 08:53:45 EntryType : Error EventID : 8193 Message : Volume Shadow Copy Service error: Error calling CoCreateInstance routine. hr = 0x8007045b, A system shutdown is in progress. TimeGenerated : 27/05/2026 07:02:18 EntryType : Error EventID : 1000 Message : Faulting application name: MicrosoftEdgeSH.exe, version: 11.0.26100.8115 Exception code: 0xc0000409 ...
Note: The section header mentions "last 24 hours" as an indication of intent, but the query actually retrieves the 20 most recent entries without a date filter. On a quiet machine, these entries may span several days.

perf

Instantaneous performance snapshot: CPU load per logical core (1-second sample), overall CPU load, physical memory usage, swap usage, and disk usage per mounted volume.
Data sources

psutil: cpu_percent, virtual_memory, swap_memory, disk_partitions, disk_usage

Sample output
PERFORMANCE (snapshot) --- CPU --- Core 0 : 6.2% Core 1 : 1.6% Core 2 : 1.6% Core 3 : 4.7% Core 4 : 7.8% Core 5 : 1.6% Core 6 : 1.6% Core 7 : 6.2% Core 8 : 4.7% Core 9 : 0.0% Core 10 : 1.6% Core 11 : 0.0% Global load : 10.4% --- Memory --- Total : 15.92 GB Used : 7.11 GB (44.6%) Free : 8.81 GB Swap total : 2.38 GB Swap used : 98.00 MB (4.0%) --- Disks --- C:\ 113.14 GB / 117.90 GB used (96.0%) [NTFS] D:\ 799.08 GB / 931.51 GB used (85.8%) [NTFS] E:\ access denied F:\ 636.21 GB / 931.48 GB used (68.3%) [NTFS] G:\ 820.89 GB / 931.45 GB used (88.1%) [exFAT]
Tip: A volume showing "access denied" means the tool could not read its usage data, typically a CD/DVD drive with no media or a volume with restricted permissions. The entry is still reported rather than silently skipped.

virt

Virtualization detection: whether this machine appears to be a VM (checked against VMware, VirtualBox, Hyper-V, QEMU, KVM, Xen, Microsoft Corporation strings). Also reports Hyper-V feature state, hosted VMs if the role is active, and WSL distributions.
Data sources

WMI Win32_ComputerSystem, Win32_BIOS; PowerShell Get-WindowsOptionalFeature, Get-VM; wsl --list --verbose

Sample output
VIRTUALIZATION --- Detection: is this machine a VM? --- VM detected : no (probably physical) --- Hyper-V --- FeatureName : Microsoft-Hyper-V State : Disabled --- Hyper-V virtual machines (if role is active) --- [Hyper-V role disabled — no VMs listed] --- WSL --- WSL : not installed or not accessible

Remote Collection

Use --computer to target a remote Windows machine:

python DTLsaysWhat.py hardware --computer 192.168.1.42
python DTLsaysWhat.py all --computer WORKSTATION01

Remote collection relies on WMI over the network and requires appropriate permissions on the target machine. The following categories always run locally regardless of --computer: security, users, tasks, software (AppX packages), events, virt.

Encoding

On French Windows systems, cmd.exe defaults to OEM code page 850. The tool detects and handles this automatically. To guarantee correct display of accented characters, either:

Known Limitations