
File Monitoring Example


ptrex

File Monitoring Example - using ExecNotificationQuery

Someone in the Help Forum wanted to have a script to monitor files in a certain directory.

You could write a basic script in AU3 to do that, but it would not be as efficient as using the native WMI functions for this.

$strComputer = "."
; Connect to the root\cimv2 namespace on the target computer ("." = local).
$objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\cimv2")

; Poll every 5 seconds for files added to or removed from c:\1.
; Each backslash of the path is written as \\\\ (escaped for WQL and for the object path).
$colMonitoredEvents = $objWMIService.ExecNotificationQuery _
        ("SELECT * FROM __InstanceOperationEvent WITHIN 5 WHERE " _
        & "TargetInstance ISA 'CIM_DirectoryContainsFile' and " _
        & "TargetInstance.GroupComponent= " _
        & "'Win32_Directory.Name=""c:\\\\1""'")

While 1
    ; Blocks until the next event arrives.
    $objEventObject = $colMonitoredEvents.NextEvent()

    Select
        Case $objEventObject.Path_.Class() = "__InstanceCreationEvent"
            ConsoleWrite("A new file was just created: " & $objEventObject.TargetInstance.PartComponent() & @CR)
        Case $objEventObject.Path_.Class() = "__InstanceDeletionEvent"
            ConsoleWrite("A file was just deleted: " & $objEventObject.TargetInstance.PartComponent() & @CR)
    EndSelect
WEnd

Create a folder C:\1 and add or delete a file in there.

See what happens.

Enjoy !!

ptrex


iop, I've made a lot of scripts using WMI events (to manage our servers)

the best way is to use ExecNotificationQueryAsync

the advantage is that you can have multiple queries, and only one sink (event receiver)

I like to see that I'm not alone in my ActiveX & COM addiction XD

-- Arck System _ Soon -- Ideas make everything

"Criticism is easy, art is difficult"

Projects :

Au3Service : Run your exe as service V3 / Updated 29/07/2013

No problem, I made an example and I send you this:

this current script illustrates the full possibilities of event creation

I've added the owner information

this script reports all new processes for the computers declared in the array

edit : updated

;WMI monitoring
#include<array.au3>
#include<date.au3>

Dim $arrComputers, $strQuery, $SINK, $objContext, $objWMIService, $objAsyncContextItem, $return, $account
; Computers to monitor
$arrComputers = _ArrayCreate("ncd004501003", "ncd004501004")
; Polls every second for new Win32_Process instances
$strQuery = "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'"
; One sink receives the events of every query; its events are routed to the SINK_* functions
$SINK = ObjCreate("WbemScripting.SWbemSink")
ObjEvent($SINK, "SINK_")
For $strComputer In $arrComputers
    ; Per-query context, handed back to the sink with every event
    $objContext = ObjCreate("WbemScripting.SWbemNamedValueSet")
    $objContext.Add ("hostname", $strComputer)
    $objContext.Add ("SinkName", "sinktest")
    $objWMIService = ObjGet("winmgmts:" _
             & "!\\" & $strComputer & "\root\cimv2")
    If Not @error Then
        $objWMIService.ExecNotificationQueryAsync ($SINK, $strQuery, Default, Default, Default, $objContext)
        ConsoleWrite("Waiting for processes to start on " & $strComputer & " ..." & @CRLF)
    EndIf
Next
ConsoleWrite("In monitoring mode. Press Ctrl+C to exit." & @CRLF)
; Keep the script alive; events arrive through the sink callbacks
While 1
    Sleep(10000)
WEnd
;******************************************************************************
Func SINK_OnObjectReady($objLatestEvent, $objAsyncContext)
    ;Trap asynchronous events.
    Local $essai1, $essai2
    $objAsyncContextItem = $objAsyncContext.Item ("hostname")
    ConsoleWrite(@CRLF & "Computer Name: " & $objAsyncContextItem.Value & @CRLF)
    ConsoleWrite("Sink Name: " & $objAsyncContext.Item ("sinkname").Value & @CRLF)
    ; GetOwner fills the two variables with the owner of the new process
    $objLatestEvent.TargetInstance.getowner($essai1,$essai2)
    ConsoleWrite(" Owner : " & $essai1 &"\" & $essai2 & @CRLF)
    ConsoleWrite("  Time: " & _NowDate() & @CRLF)
EndFunc   ;==>SINK_OnObjectReady

func sink_onprogress($iUpperBound,$iCurrent,$strMessage,$objWbemAsyncContext)
    ConsoleWrite("progress ... " & @crlf )
    ConsoleWrite($iUpperBound & @crlf & $iCurrent & @crlf & $strMessage & @crlf &$objWbemAsyncContext & @crlf )
endfunc

-- Arck System _ Soon -- Ideas make everything

I "sink" (lol) that the most complicated method is ExecNotificationQueryAsync

I've just learned this in 2 days

it's really powerful, so if you doubt, just think about it

WMI rocks, and proves M$ competence

-- Arck System _ Soon -- Ideas make everything

books are not free, Google is...

try with some VBS and some research on MSDN

that's how I did it

-- Arck System _ Soon -- Ideas make everything

yep I tested it,

Sometimes WMI can crash

so I often used :

net stop winmgmt

net start winmgmt

and things go well

edit :

ohhh sorry, I've used a wrong valueset (used for monitoring ntlog)

post updated

-- Arck System _ Soon -- Ideas make everything

  • 1 month later...

Hi all,

Does anyone know how to get the filename/path? I've done some reading around, and it seems to be something to do with the PartComponent property of the latestevent object, but I've tried:

$filename = $targetinstance.PartComponent.value

$filename = $targetinstance.item("PartComponent").value

$filename = $targetinstance.item("PartComponent")

$filename = $targetinstance.PartComponent

EDIT: Also tried:

$objEventObject.TargetInstance.PartComponent() (based on the synchronous example above - still get error)

And they all generate errors.

Anyone got any ideas?

Thanks in advance,

Andy


Hello Ptrex !

I have made a big mistake: I have run your script on my computer (single user, Windows XPP) and, when I reboot (usually on c:\), my system now tries to boot on my diskette drive!

What could I do?

Thanks a lot for your help or for the help of anybody else!

Loïc


I have run your script on my computer

no, it's not possible with this script

try to configure your BIOS well before targeting scripts

try to reconfigure your boot.ini if needed

-- Arck System _ Soon -- Ideas make everything

I have gotten this to somewhat work - is the sinktest supposed to be a value of the process started or just the name "sinktest"?

If the latter - is there any way to show the started process?

All by me:

"Sometimes you have to go back to where you started, to get to where you want to go." 

"Everybody catches up with everyone, eventually" 

"As you teach others, you are really teaching yourself."

From my dad

"Do not worry about yesterday, as the only thing that you can control is tomorrow."

 


I really don't understand what you mean

if you need the processID, try :

$objLatestEvent.TargetInstance.ProcessId

-- Arck System _ Soon -- Ideas make everything

Hi all,

Can anyone help with this question I raised earlier?

Thanks in advance,

Andy


I really don't understand what you mean

if you need the processID, try :

$objLatestEvent.TargetInstance.ProcessId

ConsoleWrite("Sink Name: " & $objAsyncContext.Item ("sinkname").Value & @CRLF)

I get the ID but I am looking to get the name of the process - any ideas
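
Added example, not part of any post in this thread: one SWbemSink receiving two ExecNotificationQueryAsync subscriptions, which covers the "multiple queries, one sink" point and the two open questions above (the file path from PartComponent, and the name of the started process). The DEMO_/_Demo names and the "kind" context key are made up for the example; it assumes the c:\1 folder from the first post exists and that PartComponent arrives as an object-path string of the form shown in the code comment.

```autoit
; Added example, not code from the thread: one sink, two notification queries.
; DEMO_/_Demo names and the "kind" context key are made up for this example.
Global $g_oSink = ObjCreate("WbemScripting.SWbemSink")
ObjEvent($g_oSink, "DEMO_")
Global $g_oWMI = ObjGet("winmgmts:\\.\root\cimv2")
If Not IsObj($g_oSink) Or Not IsObj($g_oWMI) Then Exit 1

_DemoSubscribe("process", "SELECT * FROM __InstanceCreationEvent WITHIN 1 " & _
        "WHERE TargetInstance ISA 'Win32_Process'")
_DemoSubscribe("file", "SELECT * FROM __InstanceCreationEvent WITHIN 5 " & _
        "WHERE TargetInstance ISA 'CIM_DirectoryContainsFile' AND " & _
        "TargetInstance.GroupComponent='Win32_Directory.Name=""" & _
        _DemoEscapeDir("c:\1") & """'")
While 1
    Sleep(1000)
WEnd

; Register a query on the shared sink; the context value tells the handler
; which query an event came from.
Func _DemoSubscribe($sKind, $sQuery)
    Local $oCtx = ObjCreate("WbemScripting.SWbemNamedValueSet")
    $oCtx.Add("kind", $sKind)
    $g_oWMI.ExecNotificationQueryAsync($g_oSink, $sQuery, Default, Default, Default, $oCtx)
EndFunc

; "\" is escaped once for the WQL literal and once for the object path in it.
Func _DemoEscapeDir($sDir)
    Return StringReplace($sDir, "\", "\\\\")
EndFunc

; Assumed input form: \\HOST\root\cimv2:CIM_DataFile.Name="c:\\1\\a.txt"
Func _DemoPartComponentToPath($sRef)
    Local $aMatch = StringRegExp($sRef, '(?i)\.Name="(.*)"\s*$', 1)
    If @error Then Return SetError(1, 0, "")
    Return StringReplace($aMatch[0], "\\", "\")
EndFunc

; Single handler for both subscriptions.
Func DEMO_OnObjectReady($oEvent, $oCtx)
    Local $oTarget = $oEvent.TargetInstance
    Switch $oCtx.Item("kind").Value
        Case "process"
            ConsoleWrite("process name=" & $oTarget.Name & " pid=" & $oTarget.ProcessId & _
                    " ppid=" & $oTarget.ParentProcessId & " cmd=" & $oTarget.CommandLine & @CRLF)
        Case "file"
            ConsoleWrite("file created: " & _DemoPartComponentToPath($oTarget.PartComponent) & @CRLF)
    EndSwitch
EndFunc
```

WITHIN is a polling interval, so a process or file that appears and disappears between two polls is not reported.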
