WMI Eventing (Subscription): Difference between revisions
Revision as of 24 September 2021, 07:26
Description
WMI provides the capability to monitor system-wide events and notify the user. There are two types of events in WMI: intrinsic and extrinsic events.
Only for intrinsic events do we have to define a polling interval, for example: Select * from __InstanceCreationEvent within 10
Intrinsic WMI Events
Intrinsic events are tied closely to WMI itself. They are triggered in response to changes in the WMI structure. For example, if a new process is created on the system, a new instance of the Win32_Process class is created, which results in an event of type __InstanceCreationEvent. Another example would be a new class being created in WMI, which results in an event of type __ClassCreationEvent. Just as everything in WMI is represented as an object, events are represented as objects too, and each event type has an associated class as listed below. One thing to keep in mind is that the objects representing an event are short-lived, hence we specify a polling interval when creating our event filter; otherwise we can miss these objects being created.
Following are different types of Intrinsic events:
- __NamespaceOperationEvent
- __NamespaceModificationEvent
- __NamespaceDeletionEvent
- __NamespaceCreationEvent
- __ClassOperationEvent
- __ClassDeletionEvent
- __ClassModificationEvent
- __ClassCreationEvent
- __InstanceOperationEvent
- __InstanceCreationEvent
- __MethodInvocationEvent
- __InstanceModificationEvent
- __InstanceDeletionEvent
- __TimerEvent
Extrinsic Events
Extrinsic events are generated based on underlying OS-level changes. This is the major difference: while intrinsic events look for changes within the WMI structure, extrinsic events look for changes outside WMI at the OS level. For example, the computer shutdown event is an OS-level event, hence it is classified as an extrinsic event. Extrinsic events do not require polling.
Following are different types of extrinsic events:
- Win32_ComputerShutdownEvent
- Win32_IP4RouteTableEvent
- Win32_ProcessStartTrace
- Win32_ModuleLoadTrace
- Win32_ThreadStartTrace
- Win32_VolumeChangeEvent
- Msft_WmiProvider*
- RegistryKeyChangeEvent
- RegistryValueChangeEvent
In order to work with these events, we need to understand the concept of filters, but before we talk about filters, we take a quick segue to WQL. WQL is the WMI Query Language and is like SQL. It uses the same syntax as SQL to query WMI for information.
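The polling difference described above, shown as an added example that is not part of the original page: the same observable (a new process) is watched once through an intrinsic event, which needs a WITHIN interval, and once through an extrinsic event, which does not. It assumes an elevated Windows PowerShell 5.1 session; the source identifiers are made up.

```powershell
# Added example (not from the original page). Temporary subscriptions only; both
# disappear when the PowerShell session ends or Unregister-Event is called.

# Intrinsic: WMI itself polls Win32_Process every 5 seconds and compares snapshots.
# Without the WITHIN clause WMI rejects this query, because no provider raises
# __InstanceCreationEvent on its own.
$intrinsic = @{
    SourceIdentifier = 'ProcIntrinsic'
    Query  = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process'"
    Action = {
        # TargetInstance is the full Win32_Process object as it looked when polled.
        $p = $Event.SourceEventArgs.NewEvent.TargetInstance
        Write-Host ("[intrinsic] {0} (PID {1}) parent {2}" -f $p.Name, $p.ProcessId, $p.ParentProcessId)
    }
}
$null = Register-WmiEvent @intrinsic

# Extrinsic: the kernel trace provider raises the event itself, so there is no
# polling interval and no snapshot gap between two polls.
$extrinsic = @{
    SourceIdentifier = 'ProcExtrinsic'
    Query  = "SELECT * FROM Win32_ProcessStartTrace"
    Action = {
        # The event class carries only the trace fields, not a Win32_Process instance.
        $e = $Event.SourceEventArgs.NewEvent
        Write-Host ("[extrinsic] {0} (PID {1}) parent {2}" -f $e.ProcessName, $e.ProcessID, $e.ParentProcessID)
    }
}
$null = Register-WmiEvent @extrinsic

# Start any program and compare the two lines. Clean up afterwards with:
# Unregister-Event -SourceIdentifier ProcIntrinsic, ProcExtrinsic
```

A process that starts and exits between two polls shows up only in the extrinsic output, which is the practical cost of the polling interval.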
Examples
Example: Windows Eventlogs (All Windows Eventlogs)
Register/Create Subscription (remote)
## Event log watch -- Windows Eventlog
$WMI = @{
    SourceIdentifier = "RHEEventlog"
    # Every new Win32_NtLogEvent instance, i.e. every new event log record.
    Query = "select * from __InstanceCreationEvent where TargetInstance isa 'Win32_NtLogEvent'" #and (TargetInstance.EventCode = '3108')"
    Action = {
        $Eventrhe = $event.SourceEventArgs.NewEvent.TargetInstance
        $InsertStrings = $Eventrhe.InsertionStrings  # InsertStrings = Windows Eventlog variables
        # All regular (non-system) properties of the event log record
        $MemberNames = (($Eventrhe | Get-Member) | ? {($_.MemberType -eq "Property") -and !($_.Name -match "__")}).Name
        Foreach ($MemberName in $MemberNames) {
            Write-Host "$($MemberName):" $Eventrhe.$MemberName
        }
        $Nr = 0
        Foreach ($InsertString in $InsertStrings) {
            $Nr++
            Write-Host "InsertString($nr):" $InsertString -ForegroundColor red
        }
        Write-Host "---------------------------------------------------------------" -ForegroundColor Green
    }
}
$Null = Register-WMIEvent @WMI -ComputerName <Remote-Hostname>
Unregister/Remove Subscription
Unregister-Event -SourceIdentifier "RHEEventlog"
Get Subscriptions
Get-EventSubscriber
Example: Service Modification
The following service modification subscription writes a log entry every time a service changes state (start, stop). Unlike the Register-WmiEvent example above, this is a permanent subscription: the filter, consumer and binding are stored in the WMI repository and survive reboots.
# All three objects live in the root\subscription namespace, where the
# LogFileEventConsumer class is registered.
$wmiParams = @{ Namespace = 'root\subscription' }

#Filter
#Creating a new event filter
$wmiParams.Class = '__EventFilter'
$wmiParams.Arguments = @{
    Name = 'ServiceFilter'
    EventNamespace = 'root\CIMV2'
    QueryLanguage = 'WQL'
    # Intrinsic event, so a polling interval (within 5) is required
    Query = "select * from __instanceModificationEvent within 5 where targetInstance isa 'win32_Service'"
}
$filterResult = Set-WmiInstance @wmiParams

#Consumer
$wmiParams.Class = 'LogFileEventConsumer'
$wmiParams.Arguments = @{
    Name = 'ServiceConsumer'
    # %TargetInstance.DisplayName% is expanded from the event object
    Text = 'A change has occurred on the service: %TargetInstance.DisplayName%'
    FileName = "C:\Temp\Log.log"
}
$consumerResult = Set-WmiInstance @wmiParams

#Binding
$wmiParams.Class = '__FilterToConsumerBinding'
$wmiParams.Arguments = @{
    Filter = $filterResult
    Consumer = $consumerResult
}
$bindingResult = Set-WmiInstance @wmiParams
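The service example creates a permanent subscription but never lists or removes it. As an added example that is not part of the original page, the following audits every filter-to-consumer binding in root\subscription and then removes the ServiceFilter/ServiceConsumer pair. It assumes an elevated Windows PowerShell 5.1 session; the function names are made up.

```powershell
# Added example (not from the original page). Permanent subscriptions survive
# reboots until they are deleted, so an audit should resolve each binding to
# the filter query and the consumer action behind it.
$ns = 'root\subscription'

function Get-WmiSubscription {
    # One object per binding; Filter and Consumer are object paths, resolved with [wmi].
    foreach ($b in Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding) {
        $filter   = [wmi]$b.Filter      # e.g. ...:__EventFilter.Name="ServiceFilter"
        $consumer = [wmi]$b.Consumer
        [pscustomobject]@{
            Filter       = $filter.Name
            Query        = $filter.Query
            Consumer     = $consumer.Name
            ConsumerType = $consumer.__CLASS
            # What the consumer writes or runs. A LogFileEventConsumer only appends to a
            # file; a CommandLineEventConsumer or ActiveScriptEventConsumer that nobody
            # on the team created is worth a close look.
            Payload      = @($consumer.CommandLineTemplate, $consumer.ScriptText, $consumer.FileName) -join ''
        }
    }
}

function Remove-WmiSubscription([string]$FilterName, [string]$ConsumerName) {
    # Delete the binding first, then the filter and consumer it referenced,
    # so no orphaned objects are left behind for the next audit.
    Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -like ('*__EventFilter.Name="{0}"*' -f $FilterName) } |
        Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class __EventFilter -Filter "Name='$FilterName'" | Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class LogFileEventConsumer -Filter "Name='$ConsumerName'" | Remove-WmiObject
}

Get-WmiSubscription | Format-Table -AutoSize
Remove-WmiSubscription -FilterName 'ServiceFilter' -ConsumerName 'ServiceConsumer'
Get-WmiSubscription | Format-Table -AutoSize   # the ServiceFilter row is gone
```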