WMI Event -> Windows Event on File Create?

  • Article

 

 

Here are 2 scripting options that demonstrate how to create a Windows Event from a WMI Event when a new file is created. Use the following sites for reference:

Details on the WMI Event Watcher Task: https://msdn.microsoft.com/en-us/library/ms141130.aspx

Details from a PowerShell v2 perspective: https://www.microsoft.com/technet/scriptcenter/topics/winpsh/events.mspx

PowerShell V2 example (note, PowerShell must be running for this to fire and this example doesn’t include the file name in the Event text, see the above site for creating that type of script).

register-wmievent -query "select * from __instancecreationevent within 1 where targetinstance isa 'cim_directorycontainsfile' and targetinstance.groupcomponent=`"win32_directory.name='c:\\temp'`"" -sourceidentifier "New File" -action {eventcreate /id 1000 /t information /l application /d "A new file was created."}

VBScript (note: the CMD session that launches this script must be left open for this to fire):

'"." represents localhost. If you want listen to another machine plese use the remote machine name

strComputer = "."

Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

Set objFSO = CreateObject("Scripting.FileSystemObject")

Const ForReading = 1

Set colMonitoredEvents = objWMIService.ExecNotificationQuery _

("SELECT * FROM __InstanceOperationEvent WITHIN 1 WHERE " _

& "Targetinstance ISA 'CIM_DirectoryContainsFile' and " _

& "TargetInstance.GroupComponent= " _

& "'Win32_Directory.Name=""c:\\\\temp""'")

Do While TRUE

     Set objEventObject = colMonitoredEvents.NextEvent()

     Select Case objEventObject.Path_.Class

     Case "__InstanceCreationEvent"

     'once the WMI Event is detected, we create a Windows Event

     TriggerEvent(objEventObject.TargetInstance.PartComponent)

     End Select

Loop

Function TriggerEvent(ByVal filename)ActiveItemArray = split(filename, "=")

     CurrentItemFileName = ActiveItemArray(1)

     CurrentItemFileNameClean = Replace(CurrentItemFileName, "\\", "\")

     CurrentItemFileNameCleanFinal = Replace(CurrentItemFileNameClean, """", "")

     set WshShell = WScript.CreateObject("WScript.Shell")

     createEventText = "The following file was created: " & CurrentItemFileNameCleanFinal

     createEventCommand = "eventcreate /id 1000 /t information /l application /d """ & createEventText & """"

     WshShell.Run(createEventCommand)

End Function

Otto Helweg [MSFT]

 https://blogs.technet.com/otto/default.aspx