WMI Permanent Eventing

This topic contains 0 replies, has 1 voice, and was last updated by Profile photo of Forums Archives Forums Archives 5 years, 5 months ago.

  • Author
    Posts
  • #6445

    by cookie.monster at 2012-12-06 13:51:31

    Having a bit of trouble with WMI permanent eventing. Any insight would be greatly appreciated!

    Quick version: I create and validate a filter, create (tried *many*) a consumer, bind them, trigger the filter. Occasionally, things work and the script is triggered. Mostly, nothing happens. Even with the same code. Is the whole permanent eventing system consistent, or is this typical behavior?

    Details on steps I've taken:
    Downloaded PowerEvents.
    Ran the following code to generate a query:
    $query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.EventCode=256"
    #or
    $query = @"
    Select * from __InstanceCreationEvent within 30
    where targetInstance isa 'Cim_DirectoryContainsFile'
    and targetInstance.GroupComponent = 'Win32_Directory.Name="c:\\\\test"'
    "@

    Confirmed the WQL query is correct by testing it in wbemtest Notification Query...
    Ran new-wmieventfilter from PowerEvents with that query to create the filter.
    Constructed various consumers, for example:

    $command = "cmd /c `"powershell.exe -noprofile -executionpolicy bypass -file $file -user test -message `"`"test again`"`"`""
    $command = "powershell.exe -noprofile -executionpolicy bypass -file $file"
    #various other simple consumers like a log file...

    Ran new-wmieventconsumer with CommandLine consumertype and $command for CommandLineTemplate
    Ran new-wmifiltertoconsumerbinding for the filter and consumer.
    Created files or triggered events to test things.
    Occasionally, things work and the script is triggered. More often, nothing happens. Even when I clear everything out and try again with the same code, I get these inconsistent results.

    Same behavior when I try just adapting this:
    http://blogs.technet.com/b/heyscripting ... cript.aspx

    Throwing in the towel for today!

    by RichardSiddaway at 2012-12-07 06:25:54

    Not done a lot with permanent eventing but WMi eventing isn't necessarily the most reliable of things from annecdotal evidence.

    I'll try and take a look at this for you

    by cookie.monster at 2012-12-07 08:29:21

    Hi Richard – No worries for now! I will spin up a few clean VMs and run through specific tests and post results here : ) If it ends up not being consistent, there are plenty of alternatives.

You must be logged in to reply to this topic.