57 replies to this topic

[ptrex]

FIle Monitorng Example - using ExecNotificationQuery

Some one in the Help Forum wanted to have script to monitor files in a certain directory.

You could write a basic script in AU3 to do that, but it would not be as efficient as using the native WMI functions for this.

$strComputer = "."
$objWMIService = ObjGet("winmgmts:" & $strComputer & "rootcimv2")

$colMonitoredEvents = $objWMIService.ExecNotificationQuery _
("SELECT * FROM __InstanceOperationEvent WITHIN 5 WHERE " _
& "Targetinstance ISA 'CIM_DirectoryContainsFile' and " _
& "TargetInstance.GroupComponent= " _
& "'Win32_Directory.Name=""c:1""'")

While 1
$objEventObject = $colMonitoredEvents.NextEvent()

Select
Case $objEventObject.Path_.Class()="__InstanceCreationEvent"
ConsoleWrite ("A new file was just created: " & $objEventObject.TargetInstance.PartComponent() & @CR)
Case $objEventObject.Path_.Class()="__InstanceDeletionEvent"
ConsoleWrite ("A file was just deleted: " & $objEventObject.TargetInstance.PartComponent() & @CR)
    EndSelect
WEnd

Create a folder C:1 and add or delete a file in there.

See what happens.

Enjoy !!

ptrex

Edited by ptrex, 14 September 2012 - 09:17 AM.

[arcker]

iop, i've made a lot of script using wmi events (to manage our servers)
the best way is to have the execnotificationasyncquery
the advantage is that you can have a multiple query, and only one sink (event receiver)
i like to see that i'm not alone in my ActiveX & Com addiction XD

[ptrex]

@arcker

I am a COM fan too !!

An example of your script using : execnotificationasyncquery would help me investigate that route as well.

Thanks

ptrex

[arcker]

no problem, i make an example a i send you this :

this current script illustrates the full possibilities of event creation

i've added the the owner information

this script reports all new process for computers declared in the arrays

edit : updated

AutoIt        expandcollapse  popup

;WMI monitoring
#include<array.au3>
#include<date.au3>


Dim $arrComputers, $strQuery, $SINK, $objContext, $objWMIService, $objAsyncContextItem, $return, $account
$arrComputers = _ArrayCreate("ncd004501003", "ncd004501004")
$strQuery = "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'"
$SINK = ObjCreate("WbemScripting.SWbemSink")
ObjEvent($SINK, "SINK_")
For $strComputer In $arrComputers
    $objContext = ObjCreate("WbemScripting.SWbemNamedValueSet")
    $objContext.Add ("hostname", $strComputer)
    $objContext.Add ("SinkName", "sinktest")
    $objWMIService = ObjGet("winmgmts:" _
             & "!\\" & $strComputer & "\root\cimv2")
    If Not @error Then
        $objWMIService.ExecNotificationQueryAsync ($SINK, $strQuery, Default, Default, Default, $objContext)
        ConsoleWrite("Waiting for processes to start on " & $strComputer & " ..." & @CRLF)
    EndIf
Next
ConsoleWrite("In monitoring mode. Press Ctrl+C to exit." & @CRLF)
While 1
    Sleep(10000)
WEnd
;******************************************************************************
Func SINK_OnObjectReady($objLatestEvent, $objAsyncContext)
    ;Trap asynchronous events.
    Local $essai1, $essai2
    $objAsyncContextItem = $objAsyncContext.Item ("hostname")
    ConsoleWrite(@CRLF & "Computer Name: " & $objAsyncContextItem.Value & @CRLF)
    ConsoleWrite("Sink Name: " & $objAsyncContext.Item ("sinkname").Value & @CRLF)
    $objLatestEvent.TargetInstance.getowner($essai1,$essai2)
    ConsoleWrite(" Owner : " & $essai1 &"\" & $essai2 & @CRLF)
    ConsoleWrite("  Time: " & _NowDate() & @CRLF)
EndFunc   ;==>SINK_OnObjectReady

func sink_onprogress($iUpperBound,$iCurrent,$strMessage,$objWbemAsyncContext)
    ConsoleWrite("progress ... " & @crlf )
    ConsoleWrite($iUpperBound & @crlf & $iCurrent & @crlf & $strMessage & @crlf &$objWbemAsyncContext & @crlf )
endfunc

Edited by arcker, 13 March 2007 - 01:10 PM.

[ptrex]

@ARcher

Thanks for the nice example.

I have to update my knowledge to see what the benifit is of using the "ExecNotificationQueryAsync" method. :">

regards,

ptrex

[arcker]

i "sink" (lol) that it's the most complicated method is the execnotificationqueryasync
i've just learn this in 2 days
it's really powerful, so it you doubt, just think about it
wmi rocks, and prove M$ competence

[seandisanti]

nice, thanks for the examples guys. COM i like a lot, but haven't played much with WMI. i've got a book on it, just haven't bothered cracking it open yet; maybe i should do that...

[arcker]

books are not free, google is...
try with some vbs and some researches on the MSDN
that's how i did

[ptrex]

@arcker

Just to let you know when I ran you example if failed with an error when opening a new application.

Failed the get the Object ?

Did you run it and test it.

regards

ptrex

[arcker]

yep i tested it,
Sometimes WMI can be crashed
so i often used :
net stop winmgmt
net start winmgmt
and things going well

edit :
ohhh sorry, i've used a wrong valueset (used for monitoring ntlog)
post updated

[ptrex]

@arcker

Now it is working OK.

Thanks

ptrex

[i542]

Wow, that is great! I was thinking about that too but i didn't know how...
i542

[Andrew Peacock]

Hi all,
Does anyone know how to get the filename/path? I've done some reading around, and it seems to be something to do with the PartComponent property of the latestevent object, but I've tried:

$filename = $targetinstance.PartComponent.value
$filename = $targetinstance.item("PartComponent").value
$filename = $targetinstance.item("PartComponent")
$filename = $targetinstance.PartComponent

EDIT: Also tried:
$objEventObject.TargetInstance.PartComponent() based on the synchronous example above - still get error)


And they all generate errors.

Anyone got any ideas?

Thanks in advance,
Andy

Edited by Andrew Peacock, 24 April 2007 - 11:12 AM.

[ldub]

Hello Ptrex !

I have made a big mistake : I have run your script on my computer (single user, windows XPP) and, when I reboot (usually on c:\), my sytem try to boot now on my diskette drive !

What could I do ?

Thank's a lot for your help or for the help of anybody else !

Loïc

Edited by ldub, 28 April 2007 - 04:39 PM.

[arcker]

I have run your script on my computer

no it's not possible with this script

try to configure well your bios before targetting scripts

try to reconfigure your boot.ini if needed

[ldub]

Thanks for your help. I beg you pardon... I'm a beginner.

What can we do to protect our computer when running scripts which may not be perfect ?

[nitekram]

no problem, i make an example a i send you this :

this current script illustrates the full possibilities of event creation

i've added the the owner information

this script reports all new process for computers declared in the arrays

edit : updated

AutoIt        expandcollapse  popup

;WMI monitoring
#include<array.au3>
#include<date.au3>
Dim $arrComputers, $strQuery, $SINK, $objContext, $objWMIService, $objAsyncContextItem, $return, $account
$arrComputers = _ArrayCreate("ncd004501003", "ncd004501004")
$strQuery = "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'"
$SINK = ObjCreate("WbemScripting.SWbemSink")
ObjEvent($SINK, "SINK_")
For $strComputer In $arrComputers
    $objContext = ObjCreate("WbemScripting.SWbemNamedValueSet")
    $objContext.Add ("hostname", $strComputer)
    $objContext.Add ("SinkName", "sinktest")
    $objWMIService = ObjGet("winmgmts:" _
             & "!\\" & $strComputer & "\root\cimv2")
    If Not @error Then
        $objWMIService.ExecNotificationQueryAsync ($SINK, $strQuery, Default, Default, Default, $objContext)
        ConsoleWrite("Waiting for processes to start on " & $strComputer & " ..." & @CRLF)
    EndIf
Next
ConsoleWrite("In monitoring mode. Press Ctrl+C to exit." & @CRLF)
While 1
    Sleep(10000)
WEnd
;******************************************************************************
Func SINK_OnObjectReady($objLatestEvent, $objAsyncContext)
    ;Trap asynchronous events.
    Local $essai1, $essai2
    $objAsyncContextItem = $objAsyncContext.Item ("hostname")
    ConsoleWrite(@CRLF & "Computer Name: " & $objAsyncContextItem.Value & @CRLF)
    ConsoleWrite("Sink Name: " & $objAsyncContext.Item ("sinkname").Value & @CRLF)
    $objLatestEvent.TargetInstance.getowner($essai1,$essai2)
    ConsoleWrite(" Owner : " & $essai1 &"\" & $essai2 & @CRLF)
    ConsoleWrite("  Time: " & _NowDate() & @CRLF)
EndFunc   ;==>SINK_OnObjectReady

func sink_onprogress($iUpperBound,$iCurrent,$strMessage,$objWbemAsyncContext)
    ConsoleWrite("progress ... " & @crlf )
    ConsoleWrite($iUpperBound & @crlf & $iCurrent & @crlf & $strMessage & @crlf &$objWbemAsyncContext & @crlf )
endfunc

I have gotten this to somewhat work - is the sinktest suppose to be a value of the process started or just the name "sinktest"?
If the latter - is there anyway to show the started process?

[arcker]

i really don't undertstand what you mean
if you need the processID, try :

$objLatestEvent.TargetInstance.ProcessId

[Andrew Peacock]

Hi all,
Can anyone help with this question I raised earlier?

Thanks in advance,
Andy

Hi all,
Does anyone know how to get the filename/path? I've done some reading around, and it seems to be something to do with the PartComponent property of the latestevent object, but I've tried:

$filename = $targetinstance.PartComponent.value
$filename = $targetinstance.item("PartComponent").value
$filename = $targetinstance.item("PartComponent")
$filename = $targetinstance.PartComponent

EDIT: Also tried:
$objEventObject.TargetInstance.PartComponent() based on the synchronous example above - still get error)
And they all generate errors.

Anyone got any ideas?

Thanks in advance,
Andy

[nitekram]

[quote name='arcker' post='336946' date='May 2 2007, 09:26 AM']i really don't undertstand what you mean
if you need the processID, try :

$objLatestEvent.TargetInstance.ProcessId
ƒo݊÷ Ûú®¢×–…éí†+%Šw¢²»§jëhŠ×6

ConsoleWrite("Sink Name: " & $objAsyncContext.Item ("sinkname").Value & @CRLF)

ƒo݊÷ Ø̨ºÚn¶+

I get the ID but I am looking to get the name of the process - any ideas