Counting Files with WMI Event Queries

This topic contains 0 replies, has 1 voice, and was last updated by  Forums Archives 5 years, 7 months ago.

  • Author
    Posts
  • #6439

    by laertejunior at 2012-10-28 09:21:04

    Hi, I use in y day to day this excellent post from Ravi -> http://www.ravichaganti.com/blog/?p=1951 about monitoring creating files in a folder.

    Ok, this works fine,but I am facing a situation that I only want that the event is fired when the number of the files created are 3.

    Then I tried this WQL :
    $query = "Select * from __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'CIM_DirectoryContainsFile' AND TargetInstance.GroupComponent='Win32_Directory.Name=""C:\\\\Test""' group within 3"

    and Not works. I thought, perheaps something with the group clause and I add the "having NumberOfEvents = 3 " and aftert that "having NumberOfEvents >2 "

    Then I tried using CIMDataFile using group and group/having

    All the tests not worked. It fire the event,but I did a LOT of test and could not find a default value, it seems to be random when the event is fired.

    I also checked the $event variable and could not find anything that could help me to find an idea about what is happening.

    can you help me guys?

    Thanks:)

    Posh V2.0 and Register-WMiEvent. I cannot use 3.0

    by DonJ at 2012-10-31 08:38:00

    Events on the CIM_DataFile class are known to be less-than-100% reliable – just be aware of that. But, you might consider contacting Ravi directly (I'm not sure if he's on here or not). He probably has a pretty good idea of what you're dealing with since he wrote the original script.

    by coderaven at 2012-11-02 20:55:28

    Thinking about this I would consider counting the files in the folder when you receive the event. If there are no other file in the folder or the once that will be place can be filtered you have a better shot. The issue here is that if you get the first 2 events and not the third, you would have an issue.

    by RichardSiddaway at 2012-11-03 09:05:56

    You have a couple of problems with using WMI to monitor file creation like this.

    Firstly the CIM_DirectoryContainsFile is an association class which means that it links a file with a directory

    Get-CimInstance -ClassName CIM_DirectoryContainsFile | select -f 2 | fl *

    will show that CIM_DirectoryContainsFile has two properties of interest:
    GroupComponent that contains the Win32_Directory class – the directory
    PartComponent that contains the CIM_DataFile class – the file

    Each time a file is created, modified or deleted in a folder a WMI event fires.

    Ravi's original script had this query
    $query = "Select * from __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'CIM_DirectoryContainsFile'

    It looks for an __InstanceCreationEvent that occurred in the last 5 seconds where the class that was created was 'CIM_DirectoryContainsFile'

    Your query:
    $query = "Select * from __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'CIM_DirectoryContainsFile' AND TargetInstance.GroupComponent='Win32_Directory.Name=""C:\\\\Test""' group within 3"

    Is OK apart from the group within 3 part.

    IF you look at the WQL reference at http://msdn.microsoft.com/en-us/library ... 46(v=vs.85).aspx

    The group clause is for events that occur within a given time limit – not a count of the number of events that occur. The having clause can be used to count a number of events – http://msdn.microsoft.com/en-us/library ... 54(v=vs.85).aspx

    I tried this
    if (Get-EventSubscriber | where {$_.SourceIdentifier -eq "newfile"}) { Unregister-Event -SourceIdentifier "newfile" }

    $nquery = "SELECT * FROM __InstanceCreationEvent Within 5 WHERE TargetInstance ISA 'CIM_DirectoryContainsFile' AND TargetInstance.GroupComponent = 'Win32_Directory.Name=""C:\\\\MyTest""' GROUP WITHIN 5 BY TargetInstance.GroupComponent HAVING NumberOfEvents = 3"

    Register-WmiEvent -Query $nquery -SourceIdentifier "newfile"

    It appears to work correctly if the folder is empty before any files are created for the first event.

    Is there a reason that you need to monitor the number of files created?

    There's more information on monitoring the file system using WMI in chapter 8 of PowerShell and WMI – http://www.manning.com/siddaway2/

    by laertejunior at 2012-11-06 19:39:00

    Hey Richard, Thanks I will try it.

    Yes, there is a reason for that 🙂

    by RichardSiddaway at 2012-11-07 10:46:26

    OK 🙂

You must be logged in to reply to this topic.