Using Power Events

Example: log every creation of a process into a file

I will log every creation of a calc.exe process to the file c:\temp\Calc.log, using the PowerEvents module.

First, create a filter using a WQL query

$f = New-WmiEventFilter -Name ProcessStarted -Query "select * from __InstanceCreationEvent within 2 where TargetInstance ISA 'Win32_Process' and TargetInstance.Name='calc.exe'"

Notice the condition in the WQL query, TargetInstance.Name='calc.exe' (not TargetInstance.ProcessName: ProcessName is a PowerShell alias for the Name property of the Win32_Process WMI class, as you can see with Get-WmiObject -Class Win32_Process | Get-Member).

One can check whether the WMI event query works using the wbemtest utility.

Create consumer using the -ScriptFile parameter (not successful)

At first I tried the -ScriptFile parameter of New-WmiEventConsumer

$c = New-WmiEventConsumer -Name ProcessStartedConsumer -ConsumerType Script -ScriptFile D:\scripts\psh\EventConsumer.vbs

The content of the file D:\scripts\psh\EventConsumer.vbs being:

' Open (or create) the log file in append mode (8 = ForAppending) and write a timestamped line
set fso = CreateObject("Scripting.FileSystemObject")
set LogFile = fso.OpenTextFile("c:\temp\Calc.log", 8, true)
call LogFile.WriteLine(Date() & " " & Time() & ": Calc.exe run")

but I could not get it to work

Create consumer using the -ScriptText parameter (successful)

Prepare the VBScript code as a here-string

$VBcode = @"
set fso = CreateObject("Scripting.FileSystemObject")
set LogFile = fso.OpenTextFile("c:\temp\Calc.log", 8, true)
call LogFile.WriteLine(Date() & " " & Time() & ": Calc.exe run")
"@

Create an event consumer of type Script

$c = New-WmiEventConsumer -Name ProcessStartedConsumer -ConsumerType Script -ScriptText $VBcode

Notice the use of a here-string with the -ScriptText parameter (the closing "@ must start at the beginning of its line).


# Full code

# Create the filter using a WQL query: fires within 2 seconds of a calc.exe process being created
$f = New-WmiEventFilter -Name ProcessStarted -Query "select * from __InstanceCreationEvent within 2 where TargetInstance ISA 'Win32_Process' and TargetInstance.Name='calc.exe'"

# Prepare the VBScript code that the consumer will run (appends a timestamped line to the log)
$VBcode = @"
set fso = CreateObject("Scripting.FileSystemObject")
set LogFile = fso.OpenTextFile("c:\temp\Calc.log", 8, true)
call LogFile.WriteLine(Date() & " " & Time() & ": Calc.exe run")
"@

# Create the event consumer of type Script
$c = New-WmiEventConsumer -Name ProcessStartedConsumer -ConsumerType Script -ScriptText $VBcode

# Link the filter and consumer together; only after this binding does the subscription fire
New-WmiFilterToConsumerBinding -Filter $f -Consumer $c
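Because this is a permanent subscription (it lives in the WMI repository, survives reboots and runs with no user logged on), you will want a way to see what is registered and to undo it. The following is an added example, not part of the original post or of the PowerEvents module; it uses only the built-in WMI cmdlets and assumes the filter and consumer names used above.

```powershell
# Added example (not from the post or PowerEvents): list every permanent
# WMI subscription, then remove the one created above.
# Assumes the names used in the post; change them if you used others.
$ns           = 'root\subscription'
$FilterName   = 'ProcessStarted'
$ConsumerName = 'ProcessStartedConsumer'

# 1. Show every active subscription. The binding is what makes a filter
#    fire a consumer, so walk the bindings and resolve both ends.
Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding | ForEach-Object {
    # Filter/Consumer hold relative paths such as __EventFilter.Name="ProcessStarted";
    # prefix the namespace so [wmi] can resolve them to the actual objects.
    $filter   = [wmi]"\\.\$($ns):$($_.Filter)"
    $consumer = [wmi]"\\.\$($ns):$($_.Consumer)"
    # The payload lives in a different property per consumer class.
    $payload = switch ($consumer.__CLASS) {
        'ActiveScriptEventConsumer' { if ($consumer.ScriptText) { $consumer.ScriptText } else { $consumer.ScriptFilename } }
        'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
        default                     { '(inspect the consumer object)' }
    }
    [pscustomobject]@{
        Filter       = $filter.Name
        Query        = $filter.Query
        ConsumerType = $consumer.__CLASS
        Consumer     = $consumer.Name
        Payload      = $payload
    }
} | Format-List

# 2. Remove the example subscription in dependency order: binding first,
#    then consumer, then filter. Each Get-WmiObject returns nothing when the
#    object is already gone, so the cleanup is safe to run more than once.
Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
    Where-Object { $_.Filter -like "*Name=`"$FilterName`"*" } |
    Remove-WmiObject

Get-WmiObject -Namespace $ns -Class ActiveScriptEventConsumer -Filter "Name='$ConsumerName'" |
    Remove-WmiObject

Get-WmiObject -Namespace $ns -Class __EventFilter -Filter "Name='$FilterName'" |
    Remove-WmiObject
```

Run it from an elevated PowerShell session, since the root\subscription namespace requires administrative rights.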


One thought on "Using Power Events"

  1. Antonio Gianni, 11.12.2011 at 05:00

    I have been testing PowerEvents module for 3 days with mixed results. I am able to get 4 of the 5 ConsumerType working but having difficult with -ConsumerType CommandLine using cmd, ps1 or vbs. Have not been able to make it work with "script" as you mentioned (only when inline). Would greatly appreciate an example with cmd if you have it working. This is a very easy example but can't get it to work.

    event.cmd contains this single line simply to test setup->
    ipconfig.exe > C:\temp\cmd_event.log

    POSH Statements (running as local admin)

    Set-ExecutionPolicy Unrestricted
    Import-Module PowerEvents

    $query = "Select * from __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'CIM_DataFile' AND TargetInstance.Drive='C:' AND TargetInstance.Path='\\Scripts\\'"
    $filter = New-WmiEventFilter -Name "FileMonitor" -Query $query
    $consumer = New-WmiEventConsumer -Verbose -Name "NewFileCreated" -ConsumerType CommandLine -CommandLineTemplate "cmd.exe /c `"C:\temp\event.cmd`""
    New-WmiFilterToConsumerBinding -Filter $filter -Consumer $consumer -Verbose
