Working with WMI Events (2)

Working with WMI Events (2)

  • Comments 5

This post builds on Jeffrey's post on wmi events - http://blogs.msdn.com/powershell/archive/2007/01/28/working-with-wmi-events.aspx

Powershell V1 does not give a cmdlet to support WMI events, I have written a simple powershell script to help users who want to write monitoring with powershell  for V1(Please see attached.) (A brief intro of WMI events at the end of the post for the uninitiated)

Get-WMIEvent (or "gwe" alias) -

  1. This script handles remote calls as well.
  2. You can specify timeout
  3. You can give event class (if an event provider exists) or event query.

It takes these arguments –

$class – Event class
$Path – Namespace path. Defaults to root\cimv2
$query – Notification query
$Timeout – Timeout for the query
$Credential – Credentials for remote connection
$ComputerName – Remote machine name

Eg:

$watch = Get-WmiEvent -Class "Win32_ProcessStartTrace" -ComputerName "wmix86testlh1" -Credential administrator  -Timeout "0.0:0:1"

$watch = Get-WmiEvent -Query "Select * from __InstanceCreationEvent WITHIN 1 WHERE targetinstance isa 'Win32_Process' AND targetinstance.name = 'notepad.exe'" –ComputerName "wmix86testlh1" -Credential "administrator"

Return type of the function – the .net object ManagementEventWatcher.

Eventwatcher can now be used to wait for events ($watch.WaitForNextEvent().)   

Now you can write scripts on the line of -

$result = $watch.WaitForNextEvent()
$result.targetinstance
$path = $result.targetinstance.__path
$liveObject = [wmi]$path

For more on how to use the watcher object visit this link - http://msdn2.microsoft.com/en-us/library/ms257355.aspx

Umm, what? You don't know anything about WMI events? Here goes a small introduction for you then –

Events are things that occur within a computer environment. Actually, those are potential events. When you actually register an interest in an occurrence and it takes place, that's an event.

In simple terms, a WMI event is a notification that something of interest – that is, something you want to be notified about – has occurred. For example, you might want to be notified when your web server's total processor utilization exceeds the 90% threshold for some number of intervals. Or you might want to be notified when your company's file server drops below 10% of its total storage capacity. WMI events are the mechanism WMI provides that let you configure, receive and respond to system changes using a script.

Another way to think of WMI events is that WMI events are to WMI what alerts are to Performance Monitor, what traps are to SNMP, and what rules are to Microsoft Operations Manager (MOM). All four represent ways to monitor and respond to system and/or network changes.

Sounds interesting? If yes go read this from "the scripting guys" - http://www.microsoft.com/technet/scriptcenter/resources/tales/sg0103.mspx. The examples though are in vbscript but with the cmdlet attached you can try cooking up the PowerShell version.

Kapil Mathur [MSFT]

Attachment: get-wmievent.ps1
Leave a Comment
  • Please add 2 and 5 and type the answer here:
  • Post
  • The only caveat here is WaitForNextEvent blocks all keyboard input you receieve an event, this includes Ctrl+C. So if you screw up, you have to kill your powershell session.

    If you're more familiar with traditional .net events, the Wmi Watcher class exposes a EventArrived event. Powershell v1 doesn't have any solid support for handling sync or async events, so enter my shameless plug for my free, open-source eventing library: http://www.codeplex.com/pseventing

    This library allows you to subscribe to standard events and collect them in the background while you get on with scripting:

    1 PS> $watch = gwe -Class "Win32_ProcessStartTrace"

    2 PS> Connect-EventListener watch eventarrived,disposed -Verbose

    VERBOSE: Target is a ManagementEventWatcher

    VERBOSE: Now listening for 'eventarrived' events from $watch

    VERBOSE: Target is a ManagementEventWatcher

    VERBOSE: Now listening for 'disposed' events from $watch

    3 PS> $watch.Start()

    Now, if you really want to block and wait, use:

    4 PS> get-event -wait

    except this time you can break out with ctrl+c at any time.

    alternatively, continue scripting away and check for events with get-event:

    4 PS> $events = get-event

    5 PS> $events | ft -auto

    Occurred            Source                                  Name         Args

    --------            ------                                  ----         ----

    07/16/2007 12:24 PM System.Management.Automation.PSVariable EventArrived System.Management.EventArrivedEventArgs

    Btw, the Source property is a reference to the $watch variable. I believe powershell v2 has some kind of event handling, and I'd be interested to hear more about it from you guys. You've been suspiciously quiet about it all ;-)

    Thanks guys for a great product!

    - Oisin / x0n

  • Nice! A plugin to support async eventing for powershell. Interesting project.

  • I posted the following on Powershell team's blog - Powershell V1 does not give a cmdlet to support WMI

  • I posted the following on Powershell team's blog - Powershell V1 does not give a cmdlet to support

  • When I run this script I get an error message of for the line of

    $result = $watch.WaitForNextEvent()

    exception calling "WaitForNextEvent()" with "0" argument(s): "Unparsable query. "

    if I take out "()" then I get no error message but there is also no event logs raised. Could someone explain this please.

Page 1 of 1 (5 items)