Working With WMI Events

PowerShell V1 does not provide native support for WMI events. That doesn't mean that you can't use WMI events with PowerShell, it just means that you need to leverage the .NET classes to do so. This falls into the category of "to ship is to choose". Here is a function that you can use to work with WMI events. This function takes a WMI class name (and optionally a path to a namespace [it defaults to root\cimv2]) and gets the events until you enter ESCAPE or 'q' at the keyboard.

Function Get-WmiEvent ($class, $Path="root\cimv2")
{
$ESCkey = 27
$Qkey = 81

$query = New-Object System.Management.WQlEventQuery "Select * from $class"
$scope = New-Object System.Management.ManagementScope $Path
$watcher = New-Object System.Management.ManagementEventWatcher $scope,$query
$options = New-Object System.Management.EventWatcherOptions
$options.TimeOut = [timespan]"0.0:0:1"
$watcher.Options = $Options
$watcher.Start()
while ($true) {
trap [System.Management.ManagementException] {continue}
$watcher.WaitForNextEvent()
if ($host.ui.RawUi.KeyAvailable)
{ $key = $host.ui.RawUI.ReadKey("NoEcho,IncludeKeyUp")
if (($key.VirtualKeyCode -eq $ESCkey) -OR ($key.VirtualKeyCode -eq $Qkey))
{ $watcher.Stop()
break
}
}
}
}

Set-Alias gwe Get-WmiEvent

NOTE: This function is available as an attachement below.

From here you might ask yourself the question: OK but what are the WMI Events? You might think that Events follow the naming patter: WMI*EVENT. Sadly, you'd be wrong. Here is how you find all the WMI events in a particular namespace:

PS> Get-WmiObject -list -namespace root\cimv2 |
>> where {$_.__Derivation -contains "__EVENT"}
>>


__NamespaceOperationEvent __NamespaceModificationEvent
__NamespaceDeletionEvent __NamespaceCreationEvent
__ClassOperationEvent __ClassDeletionEvent
__ClassModificationEvent __ClassCreationEvent
__InstanceOperationEvent __InstanceCreationEvent
__MethodInvocationEvent __InstanceModificationEvent
__InstanceDeletionEvent __TimerEvent
__ExtrinsicEvent __SystemEvent
__EventDroppedEvent __EventQueueOverflowEvent
__QOSFailureEvent __ConsumerFailureEvent
MSFT_SCMEvent MSFT_SCMEventLogEvent
MSFT_NetSevereServiceFailed MSFT_NetTransactInvalid
MSFT_NetServiceNotInteractive MSFT_NetTakeOwnership
MSFT_NetServiceConfigBackoutFailed MSFT_NetServiceShutdownFailed
MSFT_NetServiceStartHung MSFT_NetServiceStopControlSuccess
MSFT_NetServiceSlowStartup MSFT_NetCallToFunctionFailed
MSFT_NetBadAccount MSFT_NetBadServiceState
MSFT_NetConnectionTimeout MSFT_NetCircularDependencyAuto
MSFT_NetServiceStartTypeChanged MSFT_NetServiceLogonTypeNotGranted
MSFT_NetServiceStartFailedGroup MSFT_NetDependOnLaterService
MSFT_NetFirstLogonFailedII MSFT_NetServiceDifferentPIDConnected
MSFT_NetServiceCrashNoAction MSFT_NetCircularDependencyDemand
MSFT_NetServiceExitFailed MSFT_NetServiceStartFailedII
MSFT_NetServiceExitFailedSpecific MSFT_NetBootSystemDriversFailed
MSFT_NetInvalidDriverDependency MSFT_NetServiceCrash
MSFT_NetServiceRecoveryFailed MSFT_NetServiceStatusSuccess
MSFT_NetTransactTimeout MSFT_NetFirstLogonFailed
MSFT_NetServiceControlSuccess MSFT_NetServiceStartFailed
MSFT_NetServiceStartFailedNone MSFT_NetReadfileTimeout
MSFT_NetRevertedToLastKnownGood MSFT_NetCallToFunctionFailedII
MSFT_NetDependOnLaterGroup MSFT_WmiSelfEvent
MSFT_WmiEssEvent MSFT_WmiThreadPoolEvent
MSFT_WmiThreadPoolThreadCreated MSFT_WmiThreadPoolThreadDeleted
MSFT_WmiRegisterNotificationSink MSFT_WmiFilterEvent
MSFT_WmiFilterDeactivated MSFT_WmiFilterActivated
MSFT_WmiCancelNotificationSink MSFT_WmiProviderEvent
MSFT_WmiConsumerProviderEvent MSFT_WmiConsumerProviderSinkLoaded
MSFT_WmiConsumerProviderSinkUnloaded MSFT_WmiConsumerProviderUnloaded
MSFT_WmiConsumerProviderLoaded Msft_WmiProvider_OperationEvent
Msft_WmiProvider_ComServerLoadOper... Msft_WmiProvider_OperationEvent_Post
Msft_WmiProvider_PutInstanceAsyncE... Msft_WmiProvider_CreateInstanceEnu...
Msft_WmiProvider_DeleteInstanceAsy... Msft_WmiProvider_CancelQuery_Post
Msft_WmiProvider_NewQuery_Post Msft_WmiProvider_ProvideEvents_Post
Msft_WmiProvider_ExecQueryAsyncEve... Msft_WmiProvider_AccessCheck_Post
Msft_WmiProvider_CreateClassEnumAs... Msft_WmiProvider_DeleteClassAsyncE...
Msft_WmiProvider_ExecMethodAsyncEv... Msft_WmiProvider_GetObjectAsyncEve...
Msft_WmiProvider_PutClassAsyncEven... Msft_WmiProvider_InitializationOpe...
Msft_WmiProvider_InitializationOpe... Msft_WmiProvider_LoadOperationFail...
Msft_WmiProvider_ComServerLoadOper... Msft_WmiProvider_UnLoadOperationEvent
Msft_WmiProvider_LoadOperationEvent Msft_WmiProvider_OperationEvent_Pre
Msft_WmiProvider_DeleteInstanceAsy... Msft_WmiProvider_AccessCheck_Pre
Msft_WmiProvider_ExecQueryAsyncEve... Msft_WmiProvider_DeleteClassAsyncE...
Msft_WmiProvider_NewQuery_Pre Msft_WmiProvider_PutInstanceAsyncE...
Msft_WmiProvider_CreateClassEnumAs... Msft_WmiProvider_ExecMethodAsyncEv...
Msft_WmiProvider_ProvideEvents_Pre Msft_WmiProvider_CancelQuery_Pre
Msft_WmiProvider_PutClassAsyncEven... Msft_WmiProvider_GetObjectAsyncEve...
Msft_WmiProvider_CreateInstanceEnu... MSFT_WMI_GenericNonCOMEvent
Win32_ComputerSystemEvent Win32_ComputerShutdownEvent
Win32_IP4RouteTableEvent MSFT_NCProvEvent
MSFT_NCProvCancelQuery MSFT_NCProvClientConnected
MSFT_NCProvNewQuery MSFT_NCProvAccessCheck
RegistryEvent RegistryKeyChangeEvent
RegistryTreeChangeEvent RegistryValueChangeEvent
Win32_SystemTrace Win32_ProcessTrace
Win32_ProcessStartTrace Win32_ProcessStopTrace
Win32_ModuleTrace Win32_ModuleLoadTrace
Win32_ThreadTrace Win32_ThreadStartTrace
Win32_ThreadStopTrace Win32_PowerManagementEvent
Win32_DeviceChangeEvent Win32_SystemConfigurationChangeEvent
Win32_VolumeChangeEvent


PS>

Here is an example of it working (I run this for a while and then type ESC):

PS> gwe Win32_ProcessStopTrace |ft ProcessName,Processid -auto

ProcessName Processid
----------- ---------
HOSTNAME.EXE 4788
ipconfig.exe 4664
notepad.exe 3980
calc.exe 3816

I hope you find this useful.

Cheers!

Jeffrey Snover [MSFT]
Windows PowerShell/MMC Architect
Visit the Windows PowerShell Team blog at: http://blogs.msdn.com/PowerShell
Visit the Windows PowerShell ScriptCenter at: http://www.microsoft.com/technet/scriptcenter/hubs/msh.mspx