This post builds on Jeffrey’s post on wmi events – http://blogs.msdn.com/powershell/archive/2007/01/28/working-with-wmi-events.aspx
Powershell V1 does not give a cmdlet to support WMI events, I have written a simple powershell script to help users who want to write monitoring with powershell for V1(Please see attached.) (A brief intro of WMI events at the end of the post for the uninitiated)
Get-WMIEvent (or “gwe” alias) –
- This script handles remote calls as well.
- You can specify timeout
- You can give event class (if an event provider exists) or event query.
It takes these arguments –
$class – Event class
$Path – Namespace path. Defaults to root\cimv2
$query – Notification query
$Timeout – Timeout for the query
$Credential – Credentials for remote connection
$ComputerName – Remote machine name
$watch = Get-WmiEvent -Class “Win32_ProcessStartTrace” -ComputerName “wmix86testlh1″ -Credential administrator -Timeout “0.0:0:1″
$watch = Get-WmiEvent -Query “Select * from __InstanceCreationEvent WITHIN 1 WHERE targetinstance isa ‘Win32_Process’ AND targetinstance.name = ‘notepad.exe'” –ComputerName “wmix86testlh1″ -Credential “administrator”
Return type of the function – the .net object ManagementEventWatcher.
Eventwatcher can now be used to wait for events ($watch.WaitForNextEvent().)
Now you can write scripts on the line of –
$result = $watch.WaitForNextEvent()
$path = $result.targetinstance.__path
$liveObject = [wmi]$path
For more on how to use the watcher object visit this link – http://msdn2.microsoft.com/en-us/library/ms257355.aspx
Umm, what? You don’t know anything about WMI events? Here goes a small introduction for you then –
Events are things that occur within a computer environment. Actually, those are potential events. When you actually register an interest in an occurrence and it takes place, that’s an event.
In simple terms, a WMI event is a notification that something of interest – that is, something you want to be notified about – has occurred. For example, you might want to be notified when your web server’s total processor utilization exceeds the 90% threshold for some number of intervals. Or you might want to be notified when your company’s file server drops below 10% of its total storage capacity. WMI events are the mechanism WMI provides that let you configure, receive and respond to system changes using a script.
Another way to think of WMI events is that WMI events are to WMI what alerts are to Performance Monitor, what traps are to SNMP, and what rules are to Microsoft Operations Manager (MOM). All four represent ways to monitor and respond to system and/or network changes.
Sounds interesting? If yes go read this from “the scripting guys” – http://www.microsoft.com/technet/scriptcenter/resources/tales/sg0103.mspx. The examples though are in vbscript but with the cmdlet attached you can try cooking up the PowerShell version.
Kapil Mathur [MSFT]