WMI Eventing (Subscription)

Aus Wiki-WebPerfect
Wechseln zu: Navigation, Suche

Description

WMI provide the capability to monitor system wide events and notify user. There are two types of events in WMI Intrinsic and Extrinsic events.
Only on Instrinsic Events we have to define a pooling interval for example: Select * from __InstanceCreationEvent within 10


Instrinsic WMI Events

Intrinsic events are tied closer to WMI itself. They are triggered in response to changes in WMI structure. For example, if a new process is created on the system it will result in a new instance being created for the WIN32_Process class, this will result in an event of type __Instancecreationevent. Another example would be a new class being created in WMI this will result in an event of type __ClassCreationEvent. Just like everything in WMI is represented as objects, events are represented as objects too and each event type has an associated class as listed below. However, one thing to keep in mind is that these objects representing an event are short-lived hence we use pooling when we are creating our event filter else we can miss these objects being created.

Following are different types of Intrinsic events:

  • __NamespaceOperationEvent
  • __NamespaceModificationEvent
  • __NamespaceDeletionEvent
  • __NamespaceCreationEvent
  • __ClassOperationEvent
  • __ClassDeletionEvent
  • __ClassModificationEvent
  • __ClassCreationEvent
  • __InstanceOperationEvent
  • __InstanceCreationEvent
  • __MethodInvocationEvent
  • __InstanceModificationEvent
  • __InstanceDeletionEvent
  • __TimerEvent


Extrinsic Events

Extrinsic events are generated based on underlying OS level changes. This is a major difference while intrinsic events are looking for changes within WMI structure, extrinsic events are looking for changes outside WMI at OS level. For example, Computer shutdown event is an OS level event hence its classified as Extrinsic event. Extrinsic events do not require pooling.

Following are different types of extrinsic events:

  • Win32_ComputerShutdownEvent
  • Win32_IP4RouteTableEvent
  • Win32_ProcessStartTrace
  • Win32_ModuleLoadTrace
  • Win32_ThreadStartTrace
  • Win32_VolumeChangeEvent
  • Msft_WmiProvider*
  • RegistryKeyChangeEvent
  • RegistryValueChangeEvent

In order to work with these events, we need to understand the concept of filters, but before we talk about filter, we take a quick segue to WQL. WQL is WMI query language and is like SQL. It uses the same syntax as SQL to query WMI for information.

Examples

Example: Windows Eventlogs (All Windows Eventlogs)

Register/Create Subscription (remote)

##Event log watch -- Windows Eventlog
$WMI = @{
    SourceIdentifier = "RHEEventlog"
    Query = "select * from __InstanceCreationEvent where TargetInstance isa 'Win32_NtLogEvent'" #and (TargetInstance.EventCode = '3108')"
    Action = {
        $Eventrhe = $event.SourceEventArgs.NewEvent.TargetInstance
        $InsertStrings = $Eventrhe.InsertionStrings #InsertStrings = Windows Eventlog Variables
        $MemberNames = (($Eventrhe | Get-Member) | ? {($_.MemberType -eq "Property") -and !($_.Name -match "__")}).Name
 
            Foreach ($MemberName in $MemberNames) {
                Write-Host $MemberName":" $Eventrhe.$MemberName
            } 
 
            $Nr = 0
            Foreach ($InsertString in $InsertStrings) {
                $Nr++
                Write-Host "InsertString($nr):" $InsertString -ForegroundColor red
            }
        Write-Host "---------------------------------------------------------------" -ForegroundColor Green
    }
}
$Null = Register-WMIEvent @WMI -ComputerName <Remote-Hostname>


Unregister/Remove Subscription

 Unregister-Event -SourceIdentifier "RHEEventlog"


Get Subscriptions

 Get-EventSubscriber


Example: Service Modification

The following Service modification subscription logs everytime a service changed (start, stop). 

#Filter
#Creating a new event filter
$wmiParams.Class = '__EventFilter'
$wmiParams.Arguments = @{
    Name = 'ServiceFilter'
    EventNamespace = 'root\CIMV2'
    QueryLanguage = 'WQL'
    Query = "select * from __instanceModificationEvent within 5 where targetInstance isa 'win32_Service'"
}
$filterResult = Set-WmiInstance @wmiParams
 
 
#Consumer
$wmiParams.Class = 'LogFileEventConsumer'
$wmiParams.Arguments = @{
    Name = 'ServiceConsumer'
    Text = 'A change has occurred on the service: %TargetInstance.DisplayName%'
    FileName = "C:\Temp\Log.log"
}
$consumerResult = Set-WmiInstance @wmiParams
 
 
#Binding
$wmiParams.Class = '__FilterToConsumerBinding'
$wmiParams.Arguments = @{
    Filter = $filterResult
    Consumer = $consumerResult
}
$bindingResult = Set-WmiInstance @wmiParams
Von „http://wiki.webperfect.ch/index.php?title=WMI_Eventing_(Subscription)&oldid=2957