Automating the world one-liner at a time…
This post builds on Jeffrey's post on WMI events - http://blogs.msdn.com/powershell/archive/2007/01/28/working-with-wmi-events.aspx
PowerShell V1 does not provide a cmdlet to support WMI events, so I have written a simple PowerShell script to help users who want to write monitoring scripts with PowerShell V1 (please see attached). A brief introduction to WMI events is at the end of the post for the uninitiated.
Get-WMIEvent (or "gwe" alias)
It takes these arguments:
$class – Event class
$Path – Namespace path. Defaults to root\cimv2
$query – Notification query
$Timeout – Timeout for the query
$Credential – Credentials for remote connection
$ComputerName – Remote machine name
$watch = Get-WmiEvent -Class "Win32_ProcessStartTrace" -ComputerName "wmix86testlh1" -Credential administrator -Timeout "0.0:0:1"
$watch = Get-WmiEvent -Query "Select * from __InstanceCreationEvent WITHIN 1 WHERE targetinstance isa 'Win32_Process' AND targetinstance.name = 'notepad.exe'" -ComputerName "wmix86testlh1" -Credential "administrator"
The function returns the .NET object ManagementEventWatcher.
The watcher can then be used to wait for events ($watch.WaitForNextEvent()).
Now you can write scripts along the lines of:
$result = $watch.WaitForNextEvent()
$result.targetinstance
$path = $result.targetinstance.__path
$liveObject = [wmi]$path
For more on how to use the watcher object visit this link - http://msdn2.microsoft.com/en-us/library/ms257355.aspx
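A polling loop built directly on ManagementEventWatcher, shown as an added example (it is not the Get-WmiEvent script attached to this post): the watcher's timeout makes WaitForNextEvent return control once a second instead of blocking until an event arrives. It assumes PowerShell 2.0 or later and the local root\cimv2 namespace; Watch-ProcessCreation and its parameters are hypothetical names.

```powershell
# Added example: hypothetical helper, not the Get-WmiEvent script attached to the post.
# Assumes PowerShell 2.0+ (try/catch, -Property) and the local root\cimv2 namespace.
function Watch-ProcessCreation {
    param(
        [ValidatePattern('^[\w.\- ]+$')]      # keep quotes out of the WQL string
        [string]$ProcessName = 'notepad.exe', # constructed sample filter
        [int]$MaxSeconds = 30                 # stop watching after this long
    )
    # Same notification query shape as the post: poll once a second for new processes.
    $wql = "SELECT * FROM __InstanceCreationEvent WITHIN 1 " +
           "WHERE TargetInstance ISA 'Win32_Process' " +
           "AND TargetInstance.Name = '$ProcessName'"
    $scope   = New-Object System.Management.ManagementScope 'root\cimv2'
    $query   = New-Object System.Management.WqlEventQuery $wql
    $options = New-Object System.Management.EventWatcherOptions
    $options.Timeout = [TimeSpan]::FromSeconds(1)   # WaitForNextEvent gives up after 1 s
    $watcher  = New-Object System.Management.ManagementEventWatcher $scope, $query, $options
    $deadline = (Get-Date).AddSeconds($MaxSeconds)
    try {
        while ((Get-Date) -lt $deadline) {
            try { $evt = $watcher.WaitForNextEvent() }
            catch {
                # PowerShell wraps the ManagementException; a timeout means "no event yet".
                $ex = $_.Exception
                while ($ex -and $ex -isnot [System.Management.ManagementException]) { $ex = $ex.InnerException }
                if ($ex -and $ex.ErrorCode -eq [System.Management.ManagementStatus]::Timedout) { continue }
                throw   # anything else (bad query, access denied) is a real error
            }
            # Emit one record per new process for logging or further filtering.
            $proc = $evt.TargetInstance
            New-Object PSObject -Property @{
                Time        = Get-Date
                Name        = $proc.Name
                ProcessId   = $proc.ProcessId
                ParentId    = $proc.ParentProcessId
                CommandLine = $proc.CommandLine
            }
        }
    }
    finally {
        # Always cancel the subscription so it does not linger in the WMI service.
        $watcher.Stop()
        $watcher.Dispose()
    }
}

Watch-ProcessCreation -ProcessName 'notepad.exe' -MaxSeconds 60
```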
Umm, what? You don't know anything about WMI events? Here goes a small introduction for you then –
Events are things that occur within a computer environment. Actually, those are potential events. When you actually register an interest in an occurrence and it takes place, that's an event.
In simple terms, a WMI event is a notification that something of interest – that is, something you want to be notified about – has occurred. For example, you might want to be notified when your web server's total processor utilization exceeds the 90% threshold for some number of intervals. Or you might want to be notified when your company's file server drops below 10% of its total storage capacity. WMI events are the mechanism WMI provides that lets you configure, receive and respond to system changes using a script.
Another way to think of WMI events is that WMI events are to WMI what alerts are to Performance Monitor, what traps are to SNMP, and what rules are to Microsoft Operations Manager (MOM). All four represent ways to monitor and respond to system and/or network changes.
Sounds interesting? If yes, go read this from "the scripting guys" - http://www.microsoft.com/technet/scriptcenter/resources/tales/sg0103.mspx. The examples are in VBScript, but with the cmdlet attached you can try cooking up the PowerShell version.
Kapil Mathur [MSFT]
The only caveat here is WaitForNextEvent blocks all keyboard input until you receive an event; this includes Ctrl+C. So if you screw up, you have to kill your PowerShell session.
If you're more familiar with traditional .NET events, the WMI watcher class exposes an EventArrived event. PowerShell v1 doesn't have any solid support for handling sync or async events, so enter my shameless plug for my free, open-source eventing library: http://www.codeplex.com/pseventing
This library allows you to subscribe to standard events and collect them in the background while you get on with scripting:
1 PS> $watch = gwe -Class "Win32_ProcessStartTrace"
2 PS> Connect-EventListener watch eventarrived,disposed -Verbose
VERBOSE: Target is a ManagementEventWatcher
VERBOSE: Now listening for 'eventarrived' events from $watch
VERBOSE: Now listening for 'disposed' events from $watch
3 PS> $watch.Start()
Now, if you really want to block and wait, use:
4 PS> get-event -wait
except this time you can break out with ctrl+c at any time.
Alternatively, continue scripting away and check for events with get-event:
4 PS> $events = get-event
5 PS> $events | ft -auto
Occurred Source Name Args
-------- ------ ---- ----
07/16/2007 12:24 PM System.Management.Automation.PSVariable EventArrived System.Management.EventArrivedEventArgs
Btw, the Source property is a reference to the $watch variable. I believe powershell v2 has some kind of event handling, and I'd be interested to hear more about it from you guys. You've been suspiciously quiet about it all ;-)
Thanks guys for a great product!
- Oisin / x0n
Nice! A plugin to support async eventing for powershell. Interesting project.
When I run this script I get an error message for the line
$result = $watch.WaitForNextEvent()
exception calling "WaitForNextEvent()" with "0" argument(s): "Unparsable query. "
If I take out "()" then I get no error message, but there are also no event logs raised. Could someone explain this, please?