power shell - getting started with wmi events
TRANSCRIPT
Skip
to co
nte
nt
Skip
to m
en
u
Art o
f Sh
ell
Win
dow
s Pow
erS
hell co
de a
s an
art fo
rm
Search
search...
Hom
eA
bou
t Tre
vor
Site
Map
Nov 1
6 2
00
9
Pow
erS
hell: G
ettin
g sta
rted
with
WM
I Eve
nts
Cate
gory: p
ow
ersh
ell,scrip
ting
,tools,w
mi —
pcg
eek8
6 @
6:3
6 a
m
Intro
du
ctio
nPow
erS
hell ve
rsion
1 p
rovid
ed
good
inte
gra
tion
with
WM
I usin
g th
e G
et-W
miO
bje
ct cmd
let, a
llow
ing
you
to e
asily re
trieve
an
d m
od
ify WM
I insta
nce
s, an
d ca
ll WM
I meth
od
s, bu
t Pow
erS
hell v2
has ta
ken
it, an
d m
an
y oth
er th
ing
s, a lo
t farth
er.
On
e o
f those
are
as is e
ven
ting
, an
d n
ot ju
st WM
I eve
ntin
g, b
ut re
spon
din
g to
WM
I eve
nts is w
hat I’d
like to
discu
ss in th
isarticle
. Beca
use
WM
I con
tain
s a la
rge re
posito
ry of in
form
atio
n re
gard
ing
a syste
m’s h
ard
ware
an
d so
ftware
state
, it isu
sefu
l to u
nd
ersta
nd
WM
I eve
nts, so
that yo
u ca
n d
ete
rmin
e w
here
they ca
n fi
t into
you
r en
viron
men
t. Th
is top
ic is mostly
geare
d to
ward
s system
s ad
min
istrato
rs or e
ng
ineers th
at a
re lo
okin
g to
do so
me a
dva
nce
d m
on
itorin
g o
f their syste
ms.
Art o
f Sh
ell »
wb
em
test
http
://pow
ersh
ell.a
rtofsh
ell.co
m/ta
g/w
bem
test/
1 o
f 26
06
/10
/20
11
03
:29
PM
To g
et sta
rted
with
WM
I eve
nts in
Pow
erS
hell v2
, I’m g
oin
g to
show
you
an
exa
mp
le o
f how
to u
se W
MI e
ven
ts to d
ete
ctD
HC
P le
ase
chan
ges. D
HC
P re
new
als o
ccur in
freq
uen
tly, rela
tive to
the fre
qu
en
cy of m
an
y oth
er e
ven
t types, h
ow
eve
rfo
rcing
a D
HC
P re
new
al is e
asy, a
nd
there
fore
makes fo
r a g
ood
deve
lop
men
t exa
mp
le. A
lso, it se
em
s like e
very o
ther
article
ou
t there
use
s Win
32
_Pro
cess in
stan
ce cre
atio
ns o
r dele
tion
s for th
eir W
MI e
ven
ting
exa
mp
les, so
I fig
ure
d I w
ou
ldtry so
meth
ing
a little
bit d
iffere
nt. K
eep
in m
ind
that D
HC
P le
ase
up
date
s are
on
ly on
e o
f thou
san
ds o
f pote
ntia
l use
s for
WM
I eve
nts; I a
m sim
ply a
ttem
ptin
g to
con
vey th
e co
nce
pt to
you
, so th
at yo
u ca
n fi
gu
re o
ut o
ther m
eth
od
s of u
sing
it for
you
r ow
n n
eed
s.
Ab
ou
t WM
I Eve
nt Q
uerie
sF
or th
ose
of yo
u w
ho m
ay b
e u
nfa
milia
r with
WM
I eve
nt q
uerie
s (aka. n
otifi
catio
n q
uerie
s), they u
se a
synta
x simila
r toth
is:
SELECT <Properties> FROM <EventClass> WITHIN <Seconds> WHERE TargetInstance ISA '<WmiClass>' AND <OtherCriteria>
Now
, writin
g a
n e
ven
t qu
ery is a
little b
it diff
ere
nt fro
m a
stan
dard
sele
ct qu
ery. W
hy, yo
u a
sk? W
ell, th
e syste
m e
ven
tcla
sses yo
u’ll w
ork
with
resp
on
d to
WM
I insta
nce
eve
nts fo
r all o
f the b
uilt-in
WM
I classe
s. In o
ther w
ord
s, they a
rere
spon
sible
for a
very la
rge n
um
ber o
f eve
nts. B
eca
use
of th
is, you
will n
eed
to w
rite a
qu
ery th
at p
rovid
es e
xten
sive fi
lters
in o
rder to
avo
id so
me in
here
nt lim
itatio
ns o
f WM
I. Th
e m
ain
eve
nt cla
sses o
f wh
ich I sp
eak a
re a
s follo
ws:
__Insta
nce
Cre
atio
nE
ven
t – occu
rs wh
en
a W
MI in
stan
ce is cre
ate
d (e
g. a
Win
32
_Pro
cess b
ein
g in
stan
tiate
d)
__Insta
nce
Dele
tion
Eve
nt – o
ccurs w
hen
a W
MI in
stan
ce is d
ele
ted
(eg
. a W
in3
2_P
roce
ss term
inatin
g)
__Insta
nce
Mod
ifica
tion
Eve
nt – o
ccurs w
hen
a W
MI in
stan
ce is m
od
ified
(eg
. a W
in3
2_P
roce
ss use
s ad
ditio
nal m
em
ory,
or d
eallo
cate
s som
e)
__Insta
nce
Op
era
tion
Eve
nt – o
ccurs w
hen
a W
MI in
stan
ce is cre
ate
d, d
ele
ted
, or m
od
ified
(an
y of th
e a
bove
)
Th
ese
are
the m
ain
WM
I eve
nt cla
sses yo
u’ll w
ork
with
, un
less yo
u h
ave
an
oth
er sp
ecifi
c need
, for e
xam
ple
: mon
itorin
g a
3rd
party p
iece
of so
ftware
, or a
re lo
okin
g to
mon
itor in
stalla
tion
or d
ele
tion
of W
MI cla
sses (a
s op
pose
d to
insta
nce
s of
classe
s).
If you
wou
ld lik
e to
test o
ut w
riting
an
eve
nt q
uery, yo
u ca
n u
se th
e W
bem
test u
tility, that is in
clud
ed
with
Win
dow
s 20
00
an
d u
p (X
P, 20
03
, Vista
, 20
08
, 7, 2
00
8 R
2). S
imp
ly type “w
bem
test” a
t the ru
n p
rom
pt, o
r from
a co
mm
an
d p
rom
pt, th
en
use
the “C
on
nect” b
utto
n to
con
nect to
the “ro
ot\cim
v2” n
am
esp
ace
, an
d yo
u sh
ou
ld b
e p
rese
nte
d w
ith a
win
dow
that
looks sim
ilar to
the b
elo
w scre
en
shot. M
ake su
re th
at yo
u se
lect th
e “A
synch
ron
ou
s” meth
od
invo
catio
n o
ptio
n, a
s that w
illen
han
ce w
bem
test’s G
UI p
erfo
rman
ce d
urin
g e
ven
t qu
erie
s; If you
leave
it at th
e d
efa
ult o
f “Sem
isynch
ron
ou
s“, you
will
Art o
f Sh
ell »
wb
em
test
http
://pow
ersh
ell.a
rtofsh
ell.co
m/ta
g/w
bem
test/
2 o
f 26
06
/10
/20
11
03
:29
PM
pro
bab
ly fin
d th
e G
UI fru
stratin
g to
work
with
, as it h
an
gs d
urin
g th
e p
ollin
g in
terva
l.
Wb
em
Test U
tility (con
necte
d to
root\cim
v2)
To te
st ou
t an
eve
nt q
uery se
lect th
e “N
otifi
catio
n Q
uery” b
utto
n, a
nd
you
’ll be p
rese
nte
d w
ith a
box to
type yo
ur q
uery
into
. For n
ow
, just to
get yo
u sta
rted
, an
easy q
uery to
type h
ere
wou
ld b
e:
SELECT * FROM __InstanceModificationEvent WITHIN 3 WHERE TargetInstance ISA 'Win32_Process'
Art o
f Sh
ell »
wb
em
test
http
://pow
ersh
ell.a
rtofsh
ell.co
m/ta
g/w
bem
test/
3 o
f 26
06
/10
/20
11
03
:29
PM
Notifi
catio
n Q
uery W
ind
ow
(wb
em
test)
On
ce yo
u’ve
writte
n yo
ur q
uery, se
lect “A
pp
ly,” wait th
e in
terva
l you
specifi
ed
(in th
e W
ITH
IN cla
use
), an
d yo
u w
ill start to
see W
MI e
ven
t insta
nce
s start to
pop
ula
te in
the “Q
uery R
esu
lt” win
dow
. Th
is win
dow
will re
main
op
en
(an
d su
bscrib
ed
toeve
nts) u
ntil yo
u clo
se it. Y
ou
can
dou
ble
-click o
n th
ese
eve
nt in
stan
ces to
op
en
them
, an
d th
en
close
the “Q
uery R
esu
lt”w
ind
ow
if you
’d lik
e to
stop
pollin
g fo
r eve
nts.
Eve
nt Q
uery R
esu
lts (wb
em
test)
Art o
f Sh
ell »
wb
em
test
http
://pow
ersh
ell.a
rtofsh
ell.co
m/ta
g/w
bem
test/
4 o
f 26
06
/10
/20
11
03
:29
PM
Here
is wh
at yo
u’ll se
e w
hen
you
dou
ble
-click o
n o
ne o
f these
eve
nts:
WM
I Eve
nt In
stan
ce (w
bem
test)
As yo
u ca
n se
e, th
e e
ven
t insta
nce
con
tain
s a fe
w u
sefu
l pro
pertie
s:
TIM
E_C
RE
AT
ED
– Wh
en
the e
ven
t occu
rred
(we’ll ta
lk a
bou
t how
to in
terp
ret th
is late
r)S
EC
UR
ITY
_DE
SC
RIP
TO
R – N
ot su
re w
hat th
is is use
d fo
r, bu
t it ap
pears to
be N
UL
L typ
ically
Pre
viou
sInsta
nce
– Th
e W
MI in
stan
ce in
its state
, prio
r to th
e e
ven
tTarg
etIn
stan
ce – T
he W
MI in
stan
ce in
its state
, afte
r the e
ven
t occu
rred
By d
ou
ble
-clickin
g o
n th
e P
revio
usIn
stan
ce a
nd
Targ
etIn
stan
ce p
rop
ertie
s (an
d th
en
clickin
g th
e “V
iew
Em
bed
ded
”
Art o
f Sh
ell »
wb
em
test
http
://pow
ersh
ell.a
rtofsh
ell.co
m/ta
g/w
bem
test/
5 o
f 26
06
/10
/20
11
03
:29
PM
bu
tton
), we ca
n vie
w th
e W
MI in
stan
ce, a
nd
its pro
pertie
s, both
befo
re th
e e
ven
t occu
rred
, an
d a
fter th
e e
ven
t occu
rred
.B
eca
use
we h
ave
acce
ss to b
oth
of th
ese
state
s in a
n __In
stan
ceM
od
ifica
tion
Eve
nt, w
e ca
n d
o a
com
pariso
n to
see w
hich
pro
pertie
s actu
ally ch
an
ged
, an
d w
hich
on
es d
idn
’t. Th
e __In
stan
ceC
reatio
nE
ven
t, __Insta
nce
Dele
tion
Eve
nt, a
nd
__In
stan
ceO
pera
tion
Eve
nt cla
sses d
o n
ot h
ave
the P
revio
usIn
stan
ce p
rop
erty, b
eca
use
they a
re o
nly d
ealin
g w
ith a
WM
Iin
stan
ce in
a sin
gle
state
, not a
befo
re/a
fter sta
te.
Pro
perty E
dito
r for T
arg
etIn
stan
ce (w
bem
test)
Art o
f Sh
ell »
wb
em
test
http
://pow
ersh
ell.a
rtofsh
ell.co
m/ta
g/w
bem
test/
6 o
f 26
06
/10
/20
11
03
:29
PM
Ob
ject E
dito
r for T
arg
etIn
stan
ce (w
bem
test)
Th
e a
bove
screen
shot is a
rep
rese
nta
tion
of th
e W
MI in
stan
ce a
fter it w
as m
od
ified
. Had
we g
on
e th
rou
gh
an
d o
pen
ed
the
Pre
viou
sInsta
nce
pro
perty, w
e w
ou
ld h
ave
seen
a sim
ilar scre
en
for it a
s well. O
n to
p o
f that, yo
u ca
n click
the “S
how
MO
F” b
utto
n, w
hich
gen
era
tes th
e M
an
ag
ed
Ob
ject F
orm
at (M
OF
) synta
x that re
pre
sen
ts that o
bje
ct. Th
is is gre
at fo
rd
eve
lop
men
t an
d tro
ub
lesh
ootin
g, b
eca
use
you
can
cop
y/paste
both
the M
OF
synta
x for b
oth
Pre
viou
sInsta
nce
an
dTarg
etIn
stan
ce in
to a
text e
dito
r, an
d co
mp
are
all o
f the d
iffere
nt p
rop
erty va
lues th
at ch
an
ged
. In fa
ct, to sa
ve e
ven
havin
g to
do th
at, yo
u ca
n g
o a
ll the w
ay b
ack
to th
e __In
stan
ceM
od
ifica
tion
Eve
nt scre
en
, click “S
how
MO
F” th
ere
, an
d it
will in
clud
e th
e su
b-in
stan
ces (e
mb
ed
ded
ob
jects).
Art o
f Sh
ell »
wb
em
test
http
://pow
ersh
ell.a
rtofsh
ell.co
m/ta
g/w
bem
test/
7 o
f 26
06
/10
/20
11
03
:29
PM
__Insta
nce
Mod
ifica
tion
Eve
nt M
OF
Syn
tax (w
bem
test)
For n
ow
, this co
nclu
des th
e se
ction
ab
ou
t WM
I eve
nt q
uerie
s, an
d h
ow
to te
st them
usin
g th
e w
bem
test u
tility. If you
have
oth
er q
uestio
ns re
gard
ing
WM
I Eve
nts, p
lease
revie
w th
e re
sou
rces a
vaila
ble
on
MS
DN
.
Bu
ildin
g O
ur D
HC
P L
ease
WM
I Eve
nt Q
uery
In th
is sectio
n, le
t’s talk
a little
bit m
ore
deep
ly ab
ou
t the W
MI e
ven
t qu
ery w
e n
eed
to cre
ate
in o
rder to
dete
ct DH
CP
lease
chan
ges. R
em
em
ber, th
e g
oal o
f this a
rticle is to
show
you
how
to d
ete
ct an
d re
spon
d to
WM
I eve
nts th
at in
dica
te a
chan
ge in
the D
HC
P le
ase
time. A
t an
y poin
t, we ca
n in
voke a
DH
CP
lease
ren
ew
al b
y issuin
g th
e co
mm
an
d:
ipconfig /renew
or (fro
m P
ow
erS
hell):
([wmiclass]"Win32_NetworkAdapterConfiguration").RenewDHCPLeaseAll()
Gra
nte
d, th
e P
ow
erS
hell m
eth
od
is a little
lon
ger, b
ut it’s a
lso m
ore
un
dersta
nd
ab
le, a
s we’re
dire
ctly callin
g th
e W
MI A
PI
to in
itiate
the D
HC
P re
new
al, ra
ther th
an
goin
g th
rou
gh
a so
ftware
utility. I ju
st wan
ted
to m
ake su
re yo
u u
nd
ersto
od
that,
Art o
f Sh
ell »
wb
em
test
http
://pow
ersh
ell.a
rtofsh
ell.co
m/ta
g/w
bem
test/
8 o
f 26
06
/10
/20
11
03
:29
PM
with
ou
t “ipco
nfi
g”, th
ere
is still an
easy w
ay to
do th
is thro
ug
h P
ow
erS
hell. T
hat’s th
e b
eau
ty of P
ow
erS
hell …
simp
leacce
ss to .N
ET
an
d W
MI o
bje
cts! An
yway, w
e’re
gettin
g o
ff-to
pic h
ere
.
Now
that w
e k
now
how
to in
itiate
a D
HC
P re
new
al, w
e ca
n ta
lk a
bou
t how
to w
rite o
ur e
ven
t qu
ery in
such
a w
ay th
at w
eca
n p
ick u
p o
n th
is eve
nt. It so
hap
pen
s that th
ere
is a W
MI cla
ss calle
d W
in3
2_N
etw
ork
Ad
ap
terC
on
fig
ura
tion
in th
ero
ot\cim
v2 W
MI n
am
esp
ace
, wh
ich co
nta
ins in
form
atio
n a
bou
t the n
etw
ork
ad
ap
ters in
a co
mp
ute
r (not re
stricted
to o
nly
ph
ysical a
dap
ters). T
his cla
ss has so
me u
sefu
l pro
pertie
s:
Win
32
_Netw
ork
Ad
ap
terC
on
fig
ura
tion
WM
I Cla
ss (wb
em
test)
Th
e “D
HC
PL
ease
Ob
tain
ed
” pro
perty is p
retty se
lf-exp
lan
ato
ry, an
d co
nta
ins th
e d
ate
& tim
e th
at th
e D
HC
P le
ase
was
ob
tain
ed
on
a p
articu
lar n
etw
ork
ad
ap
ter. N
ow
, keep
in m
ind
that yo
u w
ill typica
lly see a
nu
mb
er o
f insta
nce
s of th
e
Art o
f Sh
ell »
wb
em
test
http
://pow
ersh
ell.a
rtofsh
ell.co
m/ta
g/w
bem
test/
9 o
f 26
06
/10
/20
11
03
:29
PM
Win
32
_Netw
ork
Ad
ap
terC
on
fig
ura
tion
, bu
t norm
ally o
nly th
e “re
al” n
etw
ork
inte
rface
s (eg
. wire
d, w
irele
ss, or V
PN
) will
actu
ally h
ave
a n
on
-nu
ll valu
e fo
r “DH
CP
Lease
Ob
tain
ed
“. Th
is will b
e h
elp
ful in
form
atio
n fo
r writin
g o
ur W
MI e
ven
t qu
ery.
For o
ur fi
rst atte
mp
t at w
riting
an
eve
nt q
uery, w
e m
igh
t com
e u
p w
ith so
meth
ing
as sim
ple
as th
is:
SELECT * FROM __InstanceModificationEvent WITHIN 3 WHERE TargetInstance ISA 'Win32_NetworkAdapterConfiguration'
Afte
r all, th
at q
uery w
ill retu
rn a
ny ch
an
ged
insta
nce
s of n
etw
ork
ad
ap
ter co
nfi
gu
ratio
ns, b
ut w
hat is th
e p
rob
lem
with
that? W
ell, th
e p
rob
lem
is that w
e’ll g
et b
ack
eve
nts fo
r a w
hole
lot m
ore
than
just D
HC
P le
ase
chan
ges. S
o th
en
, how
do
we ze
ro in
the in
form
atio
n w
e n
eed
? If you
check
ou
t my (a
lbeit h
igh
-leve
l) orig
inal d
efi
nitio
n o
f a W
MI e
ven
t qu
ery, yo
u’ll
notice
the “A
ND
<O
therC
riteria
>” p
art a
t the e
nd
. Th
an
kfu
lly, we ca
n d
ig d
eep
er in
to o
bje
cts’ pro
pertie
s, as p
art o
f ou
rq
uery, to
dete
rmin
e a
restricte
d se
t of re
turn
ed
insta
nce
s. Beca
use
we a
lread
y kn
ow
that: 1
) there
is aD
HC
PL
ease
Ob
tain
ed
pro
perty, a
nd
2) w
e h
ave
acce
ss to b
oth
a P
revio
usIn
stan
ce a
nd
Targ
etIn
stan
ce, w
e ca
n co
nstru
ct aq
uery th
at lo
oks lik
e th
is:
SELECT * FROM __InstanceModificationEvent WITHIN 3 WHERE TargetInstance ISA 'Win32_NetworkAdapterConfiguration' AND TargetInstance.DHC
If you
exa
min
e th
e a
bove
qu
ery, yo
u’ll se
e th
at w
e’re
furth
er re
stricting
the q
uery, b
y on
ly retu
rnin
g in
stan
ces w
here
the
targ
et in
stan
ce’s D
HC
PL
ease
Ob
tain
ed
pro
perty d
oes n
ot m
atc
h th
e p
revio
us in
stan
ce’s D
HC
PL
ease
Ob
tain
ed
pro
perty.
Wh
at th
is eff
ective
ly give
s us, is o
nly e
ven
ts wh
ere
the D
HC
P re
new
al tim
e h
as ch
an
ged
, an
d n
oth
ing
else
! So, fo
r the
rem
ain
der o
f this a
rticle, th
e q
uery d
irectly a
bove
this p
ara
gra
ph
is wh
at w
e’ll u
se to
dete
ct DH
CP
lease
time ch
an
ges.
Befo
re w
e g
o o
n, a
nd
now
that w
e h
ave
iden
tified
the q
uery to
use
, let’s te
st it ou
t usin
g w
bem
test:
Art o
f Sh
ell »
wb
em
test
http
://pow
ersh
ell.a
rtofsh
ell.co
m/ta
g/w
bem
test/
10
of 2
60
6/1
0/2
01
1 0
3:2
9 P
M
1. O
pen
wb
em
test, co
nn
ect to
rootcim
v2, se
lect
Asyn
chro
nou
s, an
d click
Notifi
catio
n Q
uery
2. P
aste
you
r notifi
catio
n q
uery a
nd
click A
pp
ly
Art o
f Sh
ell »
wb
em
test
http
://pow
ersh
ell.a
rtofsh
ell.co
m/ta
g/w
bem
test/
11
of 2
60
6/1
0/2
01
1 0
3:2
9 P
M
3. U
se P
ow
erS
hell to
initia
te a
DH
CP
ren
ew
al
Art o
f Sh
ell »
wb
em
test
http
://pow
ersh
ell.a
rtofsh
ell.co
m/ta
g/w
bem
test/
12
of 2
60
6/1
0/2
01
1 0
3:2
9 P
M
4. D
ou
ble
-click th
e re
sultin
g e
ven
t
Art o
f Sh
ell »
wb
em
test
http
://pow
ersh
ell.a
rtofsh
ell.co
m/ta
g/w
bem
test/
13
of 2
60
6/1
0/2
01
1 0
3:2
9 P
M
5. C
lick th
e S
how
MO
F b
utto
n
Art o
f Sh
ell »
wb
em
test
http
://pow
ersh
ell.a
rtofsh
ell.co
m/ta
g/w
bem
test/
14
of 2
60
6/1
0/2
01
1 0
3:2
9 P
M
6. C
heck
ou
t the P
revio
usIn
stan
ce a
nd
Targ
etIn
stan
ce va
lues
for th
e D
HC
PL
ease
Ob
tain
ed
pro
perty!
Th
is com
ple
tes th
e cu
rren
t sectio
n, o
n d
ete
rmin
ing
the W
MI e
ven
t qu
ery to
iden
tify DH
CP
lease
chan
ges. N
ext, w
e’ll lo
ok
at h
ow
to u
se a
ll of th
is with
Pow
erS
hell.
Pow
erS
hell W
MI E
ven
t Cm
dle
tsN
ow
that w
e’ve
talk
ed
ab
ou
t WM
I eve
nt q
uerie
s, how
to te
st them
ou
t by th
em
selve
s first, a
nd
how
to b
uild
ou
r DH
CP
lease
eve
nt q
uery, w
e a
re re
ad
y to ta
lk a
bou
t the P
ow
erS
hell cm
dle
ts that a
llow
us to
easily p
ut th
ose
qu
erie
s to g
ood
use
.T
he e
asie
st way to
get sta
rted
with
Pow
erS
hell a
nd
eve
nts, is to
simp
ly issue th
e co
mm
an
d:
help *event*
Art o
f Sh
ell »
wb
em
test
http
://pow
ersh
ell.a
rtofsh
ell.co
m/ta
g/w
bem
test/
15
of 2
60
6/1
0/2
01
1 0
3:2
9 P
M
Help
*eve
nt* C
om
man
d
Fro
m th
is com
man
d’s o
utp
ut, yo
u’ll se
e th
at th
ere
are
a n
um
ber o
f eve
nt-re
late
d C
md
lets a
s well a
s a H
elp
File
to g
et u
ssta
rted
. We’ll co
nce
rn o
urse
lves w
ith ju
st a fe
w o
f these
cmd
lets h
ow
eve
r:
Reg
ister-W
miE
ven
t – Reg
isters a
n e
ven
t sub
scriptio
n a
nd
allo
ws yo
u to
specify a
Pow
erS
hell S
criptB
lock
to re
spon
dto
the e
ven
tG
et-E
ven
tSu
bscrib
er – R
etrie
ves a
list of a
ll curre
nt e
ven
t sub
scriptio
ns (n
ot ju
st WM
I on
es)
Un
reg
ister-E
ven
t – Un
reg
isters e
ven
t sub
scriber(s) (n
ot ju
st WM
I on
es)
Rem
em
ber, fo
r an
y Pow
erS
hell cm
dle
ts, simp
ly type th
e fo
llow
ing
to g
et fu
ll docu
men
tatio
n o
n h
ow
to u
se it:
help <cmdletname> -full
help Register-WmiEvent -full
Art o
f Sh
ell »
wb
em
test
http
://pow
ersh
ell.a
rtofsh
ell.co
m/ta
g/w
bem
test/
16
of 2
60
6/1
0/2
01
1 0
3:2
9 P
M
Reg
ister-W
miE
ven
t Help
If you
type “R
eg
ister-W
miE
ven
t” with
ou
t an
y para
mete
rs, you
’ll be p
rom
pte
d fo
r a W
MI cla
ss nam
e. U
nfo
rtun
ate
ly, for o
ur
pu
rpose
s, this ca
n b
e d
ece
iving
, beca
use
as w
e ta
lked
ab
ou
t ab
ove
, we d
on
’t actu
ally w
an
t to re
giste
r for a
ll eve
nt
insta
nce
s, on
ly certa
in o
nes. B
eca
use
of th
is, we’ll n
eed
to sp
ecify th
e “-Q
uery” p
ara
mete
r on
the “R
eg
ister-W
miE
ven
t”cm
dle
t, wh
ich le
ts us se
t the e
ven
t / notifi
catio
n q
uery w
e w
an
t to u
se. Yo
ur e
ven
t qu
ery ca
n b
e sto
red
in a
Pow
erS
hell
string
varia
ble
also
, bu
t for th
e sa
ke o
f this a
rticle, w
e’ll ju
st keep
it in-lin
e w
ith th
e cm
dle
t. Now
tech
nica
lly, we co
uld
run
this cm
dle
t usin
g o
nly th
e “-Q
uery” p
ara
mete
r like th
is:
Art o
f Sh
ell »
wb
em
test
http
://pow
ersh
ell.a
rtofsh
ell.co
m/ta
g/w
bem
test/
17
of 2
60
6/1
0/2
01
1 0
3:2
9 P
M
Reg
ister-W
miE
ven
t with
ou
t an
actio
n
Ru
nn
ing
this co
mm
an
d yie
lds a
new
eve
nt su
bscrip
tion
, bu
t wh
at h
ap
pen
s wh
en
an
eve
nt is a
ctually trig
gere
d? Yo
ug
uesse
d it, n
oth
ing
by d
efa
ult. A
ctually, w
hat th
is does is p
uts e
ven
ts into
an
eve
nt q
ueu
e, so
they ca
n b
e re
trieve
d u
sing
the G
et-E
ven
t cmd
let, b
ut fo
r now
we w
an
t an
imm
ed
iate
resp
on
se to
ou
r eve
nt. S
o, le
t’s un
-reg
ister th
e e
ven
tsu
bscrip
tion
we cre
ate
d a
nd
try ag
ain
.
Art o
f Sh
ell »
wb
em
test
http
://pow
ersh
ell.a
rtofsh
ell.co
m/ta
g/w
bem
test/
18
of 2
60
6/1
0/2
01
1 0
3:2
9 P
M
Un
reg
isterin
g P
ow
erS
hell e
ven
t han
dle
rs
If we w
an
t som
eth
ing
to a
ctually h
ap
pen
in re
spon
se to
these
eve
nts w
e a
re su
bscrib
ing
to, w
e’ll n
eed
to sp
ecify a
n a
ction
usin
g th
e “-A
ction
” para
mete
r on
the “R
eg
ister-W
miE
ven
t” cmd
let. T
he a
ction
para
mete
r allo
ws u
s to sp
ecify a
Pow
erS
hell
script b
lock
to re
spon
d to
eve
nts. T
his co
uld
be a
s simp
le a
s a q
uick
“Write
-Host” co
mm
an
d, o
r we co
uld
call a
pre
-defi
ned
fun
ction
as o
ur e
ven
t han
dle
r (eg
. fun
ction
“Dh
cpL
ease
Ch
an
geH
an
dle
r“). Let’s stick
with
a sim
ple
“Write
-Host” fo
r now
thou
gh
, an
d th
en
call a
DH
CP
ren
ew
al to
test it o
ut. I’ll ta
lk a
bou
t som
e m
ore
ad
van
ced
op
tion
s in th
e n
ext se
ction
.
Art o
f Sh
ell »
wb
em
test
http
://pow
ersh
ell.a
rtofsh
ell.co
m/ta
g/w
bem
test/
19
of 2
60
6/1
0/2
01
1 0
3:2
9 P
M
Ou
r com
ple
ted
sam
ple
!
So th
at’s it! If yo
u’ve
mad
e it th
is far, yo
u’ve
fig
ure
d o
ut h
ow
to re
giste
r for W
MI e
ven
ts an
d re
spon
d to
them
usin
g a
Pow
erS
hell scrip
t blo
ck! If yo
u’re
inte
reste
d, stick
aro
un
d, a
nd
I’ll show
you
how
to d
o so
me e
ven
coole
r stuff
in th
e n
ext
sectio
n.
Ad
van
ced
WM
I Even
t Han
dlin
gA
lrigh
t, so yo
u’ve
mad
e it fa
r en
ou
gh
to fi
gu
re o
ut h
ow
to re
giste
r WM
I eve
nt h
an
dle
rs, bu
t you
wan
t a b
it more
. Mayb
eyo
u’re
ask
ing
you
rself: “C
an
I see in
form
atio
n a
bou
t the e
ven
t from
the scrip
t, like I d
id u
sing
wb
em
test?” If so
, then
you
’llb
e g
lad
to h
ear th
at th
e a
nsw
er is “ye
s!”
To sta
rt off
, let’s lo
ok a
t the h
elp
for th
e “-A
ction
” para
mete
r of “R
eg
ister-W
miE
ven
t“:
Art o
f Sh
ell »
wb
em
test
http
://pow
ersh
ell.a
rtofsh
ell.co
m/ta
g/w
bem
test/
20
of 2
60
6/1
0/2
01
1 0
3:2
9 P
M
-Action <scriptblock>
Specifies commands that handle the events. The commands in the Action parameter run when an event is raised ins
tead of sending the event to the event queue. Enclose the commands in braces ( { } ) to create a script block.
The value of the Action parameter can include the $Event, $EventSubscriber, $Sender, $SourceEventArgs, and $Sou
rceArgs automatic variables, which provide information about the event to the Action script block. For more inf
ormation, see about_Automatic_Variables.
When you specify an action, Register-WmiEvent returns an event job object that represents that action. You can
use the cmdlets that contain the Job noun (the Job cmdlets) to manage the event job.
Required? false
Position? 102
Default value The event is added to the event queue.
Accept pipeline input? false
Accept wildcard characters? false
Fro
m th
is, we se
e th
at th
ere
are
a fe
w b
uilt-in
varia
ble
s that e
nab
le u
s to ca
ptu
re e
ven
t info
rmatio
n, w
ith a
refe
ren
ce o
ver
to th
e “a
bou
t_Au
tom
atic_V
aria
ble
s” help
file
. Th
e $
Eve
nt va
riab
le so
un
ds p
retty p
rom
ising
, doesn
’t it? Let’s ta
ke a
look a
tth
at (in
the a
fore
men
tion
ed
help
file
):
$Event
Contains a PSEventArgs object that represents the event that is being
processed. This variable is populated only within the Action block of
an event registration command, such as Register-ObjectEvent. The value
of this variable is the same object that the Get-Event cmdlet returns.
Therefore, you can use the properties of the $Event variable, such as
$Event.TimeGenerated , in an Action script block.
Th
at so
un
ds lik
e w
hat w
e’re
afte
r: info
rmatio
n a
bou
t the e
ven
t that g
ets cre
ate
d. S
o le
t’s rep
lace
ou
r “-Actio
n” scrip
t blo
ckw
ith th
e fo
llow
ing
: { $
Glo
bal:M
yEve
nt =
$E
ven
t }. T
his w
ay, w
hen
an
eve
nt g
ets cre
ate
d, it w
ill assig
n th
e e
ven
t to th
eg
lob
al $
MyE
ven
t varia
ble
, so w
e ca
n p
lay w
ith it.
Art o
f Sh
ell »
wb
em
test
http
://pow
ersh
ell.a
rtofsh
ell.co
m/ta
g/w
bem
test/
21
of 2
60
6/1
0/2
01
1 0
3:2
9 P
M
Ch
eck
ing
ou
t the co
nte
nts o
f $E
ven
t
As w
e ca
n se
e, th
e $
Eve
nt va
riab
le (w
hich
we re
assig
ned
to $
MyE
ven
t) con
tain
s a P
SE
ven
tArg
s ob
ject. If w
e issu
e a
few
more
com
man
ds to
the P
ow
erS
hell co
nso
le, w
e ca
n d
iscove
r the u
nd
erlyin
g W
MI e
ven
t ob
ject, so
we ca
n re
trieve
rele
van
tin
form
atio
n fro
m it.
Art o
f Sh
ell »
wb
em
test
http
://pow
ersh
ell.a
rtofsh
ell.co
m/ta
g/w
bem
test/
22
of 2
60
6/1
0/2
01
1 0
3:2
9 P
M
Th
e u
nd
erlyin
g W
MI e
ven
t ob
ject
Fin
ally! W
e’ve
gotte
n to
the b
otto
m o
f ou
r WM
I eve
nt o
bje
ct, an
d ca
n n
ow
check
ou
t the W
MI p
rop
ertie
s that w
e w
an
ted
toco
mp
are
, in o
rder to
dete
rmin
e th
e d
iffere
nce
s betw
een
the d
iffere
nt in
stan
ces o
f Win
32
_Netw
ork
Ad
ap
terC
on
fig
ura
tion
.L
et’s ta
ke a
look a
t the D
HC
PL
ease
Ob
tain
ed
pro
perty o
n b
oth
ou
r Targ
etIn
stan
ce a
nd
Pre
viou
sInsta
nce
. Also
, let’s lo
ok a
tth
e .N
ET
AP
I to ta
ke th
e T
IME
_CR
EA
TE
D p
rop
erty a
nd
con
vert it to
a re
ad
ab
le D
ate
Tim
e fo
rmat; It’s sim
ple
, trust m
e.
Art o
f Sh
ell »
wb
em
test
http
://pow
ersh
ell.a
rtofsh
ell.co
m/ta
g/w
bem
test/
23
of 2
60
6/1
0/2
01
1 0
3:2
9 P
M
Th
e u
nd
erlyin
g W
MI E
ven
t Ob
ject
Th
ere
they a
re …
the tw
o C
IM_D
AT
ET
IME
valu
es th
at re
pre
sen
t ou
r DH
CP
Lease
Ob
tain
ed
valu
es b
efo
re a
nd
afte
r the
eve
nt o
ccurre
d (th
at w
e trig
gere
d)! T
he T
IME
_CR
EA
TE
D p
rop
erty is a
64
-bit in
teg
er th
at re
pre
sen
ts the n
um
ber o
f 10
0n
an
o-se
con
d in
terva
ls that h
ave
occu
rred
betw
een
12
:00
:00
AM
Jan
uary 1
st, 16
01
an
d th
e tim
e th
at th
e e
ven
t was
gen
era
ted
. Don
’t ask
.
Th
is exa
mp
le sh
ow
s that yo
u ca
n d
ynam
ically re
trieve
eve
nt in
form
atio
n o
n-th
e-fl
y from
a P
ow
erS
hell W
MI e
ven
tsu
bscrip
tion
. Th
is info
rmatio
n co
uld
be u
sed
in o
ther w
ays, su
ch a
s sen
din
g a
n e
-mail a
lert to
an
ad
min
istrato
r, callin
g a
nexe
cuta
ble
, or ju
st ab
ou
t an
ythin
g e
lse yo
u co
uld
thin
k o
f.
Con
clu
sion
Th
is article
stem
med
from
my in
tere
st in le
arn
ing
ab
ou
t eve
nt su
pp
ort in
Pow
erS
hell ve
rsion
2.0
. I hop
e th
at b
y portra
ying
my e
xperie
nce
s with
Pow
erS
hell e
ven
ts, you
are
ab
le to
learn
som
eth
ing
as w
ell.
Ple
ase
pass a
ny fe
ed
back
you
may h
ave
on
to m
e via
pcg
eek8
6@
gm
ail.co
m o
r in th
e co
mm
en
ts of th
is article
.
Art o
f Sh
ell »
wb
em
test
http
://pow
ersh
ell.a
rtofsh
ell.co
m/ta
g/w
bem
test/
24
of 2
60
6/1
0/2
01
1 0
3:2
9 P
M
2Like
One p
erson likes th
is. Be th
e first of yo
ur frien
ds.
Did
you
like this?
Sh
are it:
Tag
s: au
tom
atio
n, ca
llback
, cim, cim
om
, cmd
let, d
mtf, e
ven
ting
, micro
soft, p
ow
ersh
ell, scrip
ting
, wb
em
, wb
em
test,
win
dow
s man
ag
em
en
t instru
men
tatio
n
Com
men
ts (5)
Pag
es:A
bou
t Tre
vor
Site
Map
Cate
gorie
s:.N
ET
Active
Dire
ctory
Ap
ple
con
fig
mg
rC
on
fig
Mg
r vNext
fixe
sIn
tel vP
roPeop
lep
ow
ersh
ell
scriptin
gto
ols
Un
cate
gorize
dvb
script
wm
iA
rchive
s:N
ove
mb
er 2
01
0O
ctob
er 2
01
0S
ep
tem
ber 2
01
0A
ug
ust 2
01
0
Art o
f Sh
ell »
wb
em
test
http
://pow
ersh
ell.a
rtofsh
ell.co
m/ta
g/w
bem
test/
25
of 2
60
6/1
0/2
01
1 0
3:2
9 P
M
Jun
e 2
01
0M
ay 2
01
0A
pril 2
01
0M
arch
20
10
Dece
mb
er 2
00
9N
ove
mb
er 2
00
9O
ctob
er 2
00
9S
ep
tem
ber 2
00
9A
ug
ust 2
00
9Ju
ly 20
09
Jun
e 2
00
9M
ay 2
00
9A
pril 2
00
9M
eta
:Log
inR
SS
Com
men
ts RS
SValid
XH
TM
LX
FN
WP
top
Pow
ere
d b
y Word
Pre
ss an
d S
tard
ust
Cre
ate
d b
y Tom
maso
Bald
ovin
o
Art o
f Sh
ell »
wb
em
test
http
://pow
ersh
ell.a
rtofsh
ell.co
m/ta
g/w
bem
test/
26
of 2
60
6/1
0/2
01
1 0
3:2
9 P
M