ptrex

File Monitoring Example


#1 ·  Posted (edited)

File Monitoring Example - using ExecNotificationQuery

Someone in the Help Forum wanted a script to monitor files in a certain directory.

You could write a basic script in AU3 to do that, but it would not be as efficient as using the native WMI functions for this.

$strComputer = "."
; Connect to the local root\cimv2 namespace
$objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\cimv2")

; Ask WMI to poll the directory every 5 seconds (WITHIN 5) and report files
; that appear in or disappear from C:\1. Backslashes inside the quoted
; Win32_Directory.Name key must be doubled in WQL.
$colMonitoredEvents = $objWMIService.ExecNotificationQuery( _
        "SELECT * FROM __InstanceOperationEvent WITHIN 5 WHERE " _
        & "TargetInstance ISA 'CIM_DirectoryContainsFile' AND " _
        & "TargetInstance.GroupComponent= " _
        & "'Win32_Directory.Name=""c:\\1""'")

While 1
    ; NextEvent() blocks until WMI delivers the next change
    $objEventObject = $colMonitoredEvents.NextEvent()

    Select
        Case $objEventObject.Path_.Class = "__InstanceCreationEvent"
            ; PartComponent is a WMI object reference to the CIM_DataFile, not a bare path
            ConsoleWrite("A new file was just created: " & $objEventObject.TargetInstance.PartComponent & @CRLF)
        Case $objEventObject.Path_.Class = "__InstanceDeletionEvent"
            ConsoleWrite("A file was just deleted: " & $objEventObject.TargetInstance.PartComponent & @CRLF)
    EndSelect
WEnd

Create a folder C:\1 and add or delete a file in there.

See what happens.

Enjoy !!

ptrex

Edited by ptrex
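The same synchronous watch, written in PowerShell against the same WbemScripting COM objects, as an added example rather than ptrex's own code. It assumes the folder C:\1 exists (as in the post) and that the script runs as a user allowed to query root\cimv2; the run time and poll interval are arbitrary choices. Two things the AutoIt loop hides are made explicit: NextEvent is given a timeout so the loop can exit, and the event's PartComponent is shown for what it is, a WMI object reference string, not a plain file path.

```powershell
# Added example (not from the original post): synchronous WMI directory watch in PowerShell.
$Folder        = 'C:\1'   # folder from ptrex's post; create it first
$WithinSeconds = 5        # WMI polls the directory at this interval; events are not instantaneous
$RunSeconds    = 60       # bounded run instead of While(1)

# WQL needs every backslash in the quoted Win32_Directory.Name key doubled.
$escaped = $Folder.TrimEnd('\').Replace('\', '\\')
$query = "SELECT * FROM __InstanceOperationEvent WITHIN $WithinSeconds WHERE " +
         "TargetInstance ISA 'CIM_DirectoryContainsFile' AND " +
         "TargetInstance.GroupComponent = 'Win32_Directory.Name=`"$escaped`"'"

$locator = New-Object -ComObject WbemScripting.SWbemLocator
$svc     = $locator.ConnectServer('.', 'root\cimv2')
$events  = $svc.ExecNotificationQuery($query)   # SWbemEventSource, same call as the AutoIt script

$deadline = (Get-Date).AddSeconds($RunSeconds)
while ((Get-Date) -lt $deadline) {
    try {
        # NextEvent blocks; with a timeout (ms) it throws WBEM_E_TIMED_OUT instead of hanging forever
        $evt = $events.NextEvent(1000)
    } catch {
        continue   # nothing changed in this interval, poll again
    }

    # PartComponent is a reference such as \\HOST\root\cimv2:CIM_DataFile.Name="c:\\1\\x.txt"
    $file = $evt.TargetInstance.PartComponent
    switch ($evt.Path_.Class) {
        '__InstanceCreationEvent'     { Write-Host "created:  $file" }
        '__InstanceDeletionEvent'     { Write-Host "deleted:  $file" }
        '__InstanceModificationEvent' { Write-Host "modified: $file" }   # also delivered by __InstanceOperationEvent
        default                       { Write-Host "$($evt.Path_.Class): $file" }
    }
}
```

Because WITHIN is a polling interval, a file that is created and deleted inside one interval produces no event at all, and large directories cost a full enumeration per poll; keep the interval short only on small folders, and do not treat this as a tamper-proof audit trail.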

Yep, I've made a lot of scripts using WMI events (to manage our servers).

The best way is to use ExecNotificationQueryAsync.

The advantage is that you can have multiple queries and only one sink (event receiver).

I like to see that I'm not alone in my ActiveX & COM addiction XD


-- Arck System _ Soon -- Ideas make everything

"La critique est facile, l'art est difficile"

Projects :

[list] [*]Au3Service : Run your exe as service V3 / Updated 29/07/2013 Get it Here [/list]


#4 ·  Posted (edited)

No problem, I made an example and I'm sending you this:

This script illustrates the full possibilities of event creation.

I've added the owner information.

This script reports all new processes for the computers declared in the array.

Edit: updated

;WMI monitoring
#include <Date.au3>

; Hosts to watch (array literal replaces _ArrayCreate, which newer AutoIt versions no longer ship)
Global $arrComputers[2] = ["ncd004501003", "ncd004501004"]
Global $strQuery = "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'"
Global $objContext, $objWMIService

; One sink receives the events of every query registered below
Global $SINK = ObjCreate("WbemScripting.SWbemSink")
ObjEvent($SINK, "SINK_")   ; route the sink's events to the SINK_* functions

For $strComputer In $arrComputers
    ; Per-query context: it travels with every event, so the handler knows which host fired it
    $objContext = ObjCreate("WbemScripting.SWbemNamedValueSet")
    $objContext.Add("hostname", $strComputer)
    $objContext.Add("SinkName", "sinktest")
    $objWMIService = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\" & $strComputer & "\root\cimv2")
    If Not @error Then
        ; Asynchronous: returns at once, events arrive in SINK_OnObjectReady
        $objWMIService.ExecNotificationQueryAsync($SINK, $strQuery, Default, Default, Default, $objContext)
        ConsoleWrite("Waiting for processes to start on " & $strComputer & " ..." & @CRLF)
    EndIf
Next
ConsoleWrite("In monitoring mode. Press Ctrl+C to exit." & @CRLF)
While 1
    Sleep(10000)   ; keep the script alive; the COM event callbacks do the work
WEnd
;******************************************************************************
Func SINK_OnObjectReady($objLatestEvent, $objAsyncContext)
    ; Trap asynchronous events.
    Local $sUser, $sDomain
    ConsoleWrite(@CRLF & "Computer Name: " & $objAsyncContext.Item("hostname").Value & @CRLF)
    ConsoleWrite("Sink Name: " & $objAsyncContext.Item("SinkName").Value & @CRLF)
    ; GetOwner fills its two output parameters (user, domain) for the new process
    $objLatestEvent.TargetInstance.GetOwner($sUser, $sDomain)
    ConsoleWrite(" Owner : " & $sDomain & "\" & $sUser & @CRLF)
    ConsoleWrite("  Time: " & _NowDate() & @CRLF)
EndFunc   ;==>SINK_OnObjectReady

Func SINK_OnProgress($iUpperBound, $iCurrent, $strMessage, $objWbemAsyncContext)
    ConsoleWrite("progress ... " & @CRLF)
    ConsoleWrite($iUpperBound & @CRLF & $iCurrent & @CRLF & $strMessage & @CRLF & $objWbemAsyncContext.Item("hostname").Value & @CRLF)
EndFunc   ;==>SINK_OnProgress
Edited by arcker

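The pattern arcker describes (several queries, one sink, a context object attached to each query) in PowerShell, as an added example that is not arcker's code. Register-CimIndicationEvent is the asynchronous subscription, -MessageData plays the role of the SWbemNamedValueSet context, and the handler also reports the process name and command line, which is what the later posts in this thread ask for. The host list is a placeholder: '.' is the local machine and the second name is invented; a remote host needs WinRM/CIM access and the script runs with a bounded timeout instead of an endless loop.

```powershell
# Added example (not arcker's code): many queries, one handler, per-query context.
$hosts = @('.', 'srv01.example.internal')   # '.' = local; the second name is a placeholder
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'"

$handler = {
    $ctx  = $Event.MessageData                              # our context: Hostname + Session
    $proc = $Event.SourceEventArgs.NewEvent.TargetInstance   # Win32_Process snapshot taken at creation time

    # GetOwner is an instance method, so look the process up through the right session first.
    # Short-lived processes may already be gone; the snapshot above still has Name/CommandLine.
    $owner = '<n/a>'
    try {
        $live = Get-CimInstance -CimSession $ctx.Session -ClassName Win32_Process `
                    -Filter "ProcessId = $($proc.ProcessId)" -ErrorAction Stop
        if ($live) {
            $o = Invoke-CimMethod -InputObject $live -MethodName GetOwner -ErrorAction Stop
            if ($o.ReturnValue -eq 0) { $owner = "$($o.Domain)\$($o.User)" }
        } else {
            $owner = '<exited before lookup>'
        }
    } catch { }

    [pscustomobject]@{
        Time        = Get-Date
        Host        = $ctx.Hostname
        Pid         = $proc.ProcessId
        ParentPid   = $proc.ParentProcessId
        Name        = $proc.Name           # the process name, not just the ID
        Owner       = $owner
        CommandLine = $proc.CommandLine
    } | Format-List | Out-String | Write-Host
}

$sessions = @{}
foreach ($h in $hosts) {
    $sessions[$h] = if ($h -eq '.') { New-CimSession } else { New-CimSession -ComputerName $h }
    Register-CimIndicationEvent -CimSession $sessions[$h] -Namespace 'root/cimv2' -Query $query `
        -SourceIdentifier "ProcStart-$h" -MessageData @{ Hostname = $h; Session = $sessions[$h] } `
        -Action $handler | Out-Null
    Write-Host "Waiting for processes to start on $h ..."
}

Write-Host "Monitoring for 120 s; press Ctrl+C to stop early."
$deadline = (Get-Date).AddSeconds(120)
try {
    while ((Get-Date) -lt $deadline) { Wait-Event -Timeout 1 | Out-Null }   # lets queued -Action blocks run
} finally {
    # Unregistering matters: a subscription left behind keeps polling WMI on every host
    foreach ($h in $hosts) { Unregister-Event -SourceIdentifier "ProcStart-$h" -ErrorAction SilentlyContinue }
    $sessions.Values | Remove-CimSession
}
```

Note the two sides of WITHIN 1 here: a one-second poll catches most process starts but still misses anything that starts and exits between two polls, and it costs a Win32_Process enumeration per second on every monitored host; for production detection the kernel-backed Sysmon or Security log process-creation events are the reliable source, and this WMI approach is best kept for quick administration scripts like the one arcker posted.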

I "sink" (lol) that the most complicated method is ExecNotificationQueryAsync.

I've just learned this in 2 days.

It's really powerful, so if you doubt, just think about it.

WMI rocks, and proves M$ competence.


Nice, thanks for the examples guys. COM I like a lot, but I haven't played much with WMI. I've got a book on it, just haven't bothered cracking it open yet; maybe I should do that...


1100111 00001011101111 00011101101111 00010111100100 00001111110100 00110111110010 00101101111001 0011100i didn't make up this form of encryption, but i like it.credit to the lvl 6 challenge on arcanum.co.nz


Books are not free, Google is...

Try with some VBS and some research on MSDN.

That's how I did it.


Yep, I tested it.

Sometimes WMI can crash, so I often use:

net stop winmgmt

net start winmgmt

and things go well.

Edit:

Ohhh sorry, I used the wrong value set (the one used for monitoring the NT log).

Post updated.


Wow, that is great! I was thinking about that too but i didn't know how... :whistle:

i542


I can do signature me.


#13 ·  Posted (edited)

Hi all,

Does anyone know how to get the filename/path? I've done some reading around, and it seems to be something to do with the PartComponent property of the latestevent object, but I've tried:

$filename = $targetinstance.PartComponent.value

$filename = $targetinstance.item("PartComponent").value

$filename = $targetinstance.item("PartComponent")

$filename = $targetinstance.PartComponent

EDIT: Also tried:

$objEventObject.TargetInstance.PartComponent() based on the synchronous example above - still get error)

And they all generate errors.

Anyone got any ideas?

Thanks in advance,

Andy

Edited by Andrew Peacock


#14 ·  Posted (edited)

Hello Ptrex !

I have made a big mistake: I have run your script on my computer (single user, Windows XPP) and, when I reboot (usually on C:\), my system now tries to boot from my diskette drive!

What could I do ?

Thanks a lot for your help, or for the help of anybody else!

Loïc

Edited by ldub


I have run your script on my computer

No, it's not possible with this script.

Try to configure your BIOS properly before targeting scripts.

Try to reconfigure your boot.ini if needed.


#16 ·  Posted

Thanks for your help. I beg your pardon... I'm a beginner.

What can we do to protect our computer when running scripts which may not be perfect ?


#17 ·  Posted

[quoting arcker's ExecNotificationQueryAsync process-monitoring script from post #4 above]
I have gotten this to somewhat work - is sinktest supposed to be a value of the process started or just the name "sinktest"?

If the latter - is there anyway to show the started process?


All by me:

"Sometimes you have to go back to where you started, to get to where you want to go." 

"Everybody catches up with everyone, eventually" 

"As you teach others, you are really teaching yourself."

From my dad

"Do not worry about yesterday, as the only thing that you can control is tomorrow."


#18 ·  Posted

I really don't understand what you mean.

If you need the process ID, try:

$objLatestEvent.TargetInstance.ProcessId


#19 ·  Posted

Hi all,

Can anyone help with this question I raised earlier?

Thanks in advance,

Andy

[quoting the question from post #13 above: how to read the filename/path from the PartComponent property of the event's TargetInstance]

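Andy's question twice above is about what PartComponent actually holds. It is not the file: for a CIM_DirectoryContainsFile event it is a WMI object path string that references the CIM_DataFile, and the file name sits inside its quoted key with backslashes and quotes escaped. The function below, an added example and not code from the thread, parses that reference into a plain path; the sample references are constructed for illustration and the host names in them are placeholders.

```powershell
# Added example (not from the thread): decode a CIM_DataFile object reference into a file path.
function ConvertFrom-WmiFileReference {
    param([Parameter(Mandatory)][string]$Reference)
    # The key value is the double-quoted part after CIM_DataFile.Name=; inside it WMI escapes
    # backslashes and double quotes with a backslash, so the regex consumes "\x" pairs as units.
    if ($Reference -notmatch '(?i)CIM_DataFile\.Name="((?:[^"\\]|\\.)*)"') {
        throw "Not a CIM_DataFile reference: $Reference"
    }
    # Undo the escaping: \\ -> \ and \" -> "
    $Matches[1] -replace '\\(["\\])', '$1'
}

# Constructed sample references, in the form WMI delivers them (hosts are placeholders)
$samples = @(
    '\\HOST\root\cimv2:CIM_DataFile.Name="c:\\1\\report.txt"',
    '\\.\root\cimv2:CIM_DataFile.Name="c:\\1\\odd name\\with\"quote.txt"'
)
foreach ($s in $samples) {
    $path = ConvertFrom-WmiFileReference $s
    '{0}' -f $s
    '  -> {0}' -f $path
    # The decoded path is what you pass on to Get-Item, a hash routine or a log entry
}
```

When the file still exists (a creation event), PowerShell can also dereference the raw string directly with the `[wmi]` type accelerator, `([wmi]$reference).Name`, which returns the live CIM_DataFile object with its size and timestamps; for a deletion event only the reference string survives, which is why parsing it, rather than fetching the object, is the robust choice.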

#20 ·  Posted

[quoting arcker's reply in post #18: "I really don't understand what you mean. If you need the process ID, try: $objLatestEvent.TargetInstance.ProcessId"]

ConsoleWrite("Sink Name: " & $objAsyncContext.Item ("sinkname").Value & @CRLF)

I get the ID, but I am looking to get the name of the process - any ideas?
