A Found Problem: File creation caused by _FileCreate or FileOpen can not be detected by WMI

[sunzen]

Hi,all

I want to detect the execution end of a script program from another machine. A trick i thought of is to create a file at the end of script and detect the file creation by WMI on another machine.

The file creation code by WMI is like this:

$strComputer = "machineB"
  $objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\cimv2")

  $colMonitoredEvents = $objWMIService.ExecNotificationQuery _
  ("SELECT * FROM __InstanceOperationEvent WITHIN 5 WHERE " _
 & "Targetinstance ISA 'CIM_DirectoryContainsFile' and " _
 & "TargetInstance.GroupComponent= " _
 & "'Win32_Directory.Name=""c:\\\\1""'")

While 1
  $objEventObject =$colMonitoredEvents.NextEvent()

  Select
  Case  $objEventObject.Path_.Class()="__InstanceCreationEvent"
  ConsoleWrite ("A new file was just created: " & $objEventObject.TargetInstance.PartComponent() & @CR)
  EndSelect
WEnd

For File creation, i tried two ways of creating a new file: _FileCreate, FileOpen()/FileWrite().

But neither of them can be detected by WMI code. While file creation caused by clicking "creating a new file" menu item of windows context menu can be detected. What's wrong with file creation mechanism of AutoIT?

By the way, Is there anyone who can give me some comment about other possible approaches of detecting end of a program execution?

Edited June 24, 2010 by sunzen

[PsaltyDS]

Just watch for the process name/PID to close/disappear.

P.S. Can't reproduce your results. I ran this as a compiled .exe:

Sleep(2000)
For $n = 1 To 10
    $sPath = "C:\Temp\TestMe_" & $n & ".txt"
    Sleep(1000)
    FileDelete($sPath)
    Sleep(1000)
    $hFile = FileOpen($sPath, 1)
    FileWriteLine($hFile, "Test: " & $n)
    FileClose($hFile)
Next

While running this from SciTE and watching the console:

HotKeySet("{ESC}", "_Quit")

$strComputer = @ComputerName
$objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\cimv2")

$colMonitoredEvents = $objWMIService.ExecNotificationQuery _
        ("SELECT * FROM __InstanceOperationEvent WITHIN 5 WHERE " _
         & "Targetinstance ISA 'CIM_DirectoryContainsFile' and " _
         & "TargetInstance.GroupComponent= " _
         & "'Win32_Directory.Name=""c:\\\\Temp""'")

While 1
    $objEventObject = $colMonitoredEvents.NextEvent()

    Select
        Case $objEventObject.Path_.Class() = "__InstanceCreationEvent"
            ConsoleWrite("A new file was just created: " & $objEventObject.TargetInstance.PartComponent() & @CR)
    EndSelect
WEnd

Func _Quit()
    Exit
EndFunc

This was the output:

>Exit code: 0    Time: 622.941
A new file was just created: \\MyComputerName\root\cimv2:CIM_DataFile.Name="c:\\Temp\\TestMe_1.txt"
A new file was just created: \\MyComputerName\root\cimv2:CIM_DataFile.Name="c:\\Temp\\TestMe_2.txt"
A new file was just created: \\MyComputerName\root\cimv2:CIM_DataFile.Name="c:\\Temp\\TestMe_3.txt"
A new file was just created: \\MyComputerName\root\cimv2:CIM_DataFile.Name="c:\\Temp\\TestMe_4.txt"
A new file was just created: \\MyComputerName\root\cimv2:CIM_DataFile.Name="c:\\Temp\\TestMe_5.txt"
A new file was just created: \\MyComputerName\root\cimv2:CIM_DataFile.Name="c:\\Temp\\TestMe_6.txt"
A new file was just created: \\MyComputerName\root\cimv2:CIM_DataFile.Name="c:\\Temp\\TestMe_7.txt"
A new file was just created: \\MyComputerName\root\cimv2:CIM_DataFile.Name="c:\\Temp\\TestMe_8.txt"
A new file was just created: \\MyComputerName\root\cimv2:CIM_DataFile.Name="c:\\Temp\\TestMe_10.txt"
A new file was just created: \\MyComputerName\root\cimv2:CIM_DataFile.Name="c:\\Temp\\TestMe_9.txt"
>Exit code: 1    Time: 92.079

Edited June 24, 2010 by PsaltyDS

[sunzen]

ohh...

Thanks for your attention.

I repain attention, and notice that:

When I run the target script manually, the file creation can be detected by WMI.

But When I run the target script program via ScheduledJob of WMI, the file creation can still not be detected, even though I can see via windows explore that the file is really created.

Just watch for the process name/PID to close/disappear.

We can know the process name, but we don't know the target process ID. So when detecting process, It is possible that the process may be started by other triggers. Moreover, It seems we can't get process exit value, so we don't know whether the program execution really finishs its duty (It maybe exit at halfway).

More information about the background:

I want to remotely schedule a job and detect the execution result of that job.

We can use WMI to schedule a job (with ScheduledJOb class), but job execution result can not be gotten, for Microsoft did not implement it.

The key requirement is to remotely invoke an executable program and detect its exit status. There are many great Windows developer in this community. Is there anyone who can give some suggestion?

P.S. Psexec of Pstool can simply achive it, but its behind mechanism is unknown.

Thanks.

Sunzen

[PsaltyDS]

1. Getting the PID from the process name is trivial with ProcessExists(), ProcessList(), _ProcessListProperties(), through WMI, or even with a DLL call.

2. Properties of the process include the owner, parent's PID (PPID), and the full command line it was started with. The example script _ProcessListProperties() will demonstrate some of that for you. Surely you can figure out which process you want from all that info?

3. If you get the PID, then the handle to the process, you can get the exit code. If there's some special issue about that method with a scheduled task, I don't think I've seen it mentioned on the forums here.

4. All this depends on having proper admin perms to the target. Do you?

[sunzen]

Thanks a lot for your information.

I will try the way of detecting via process.

Thanks Again.