Event notification is built into WMI and if you open up CIM Studio (one of the tools in the WMI Toolkit) and navigate to '__SystemClass\__IndicationRelated' you will find all of the classes related to event handling. There are two types of event that you can use -
Intrinsic Events
These are generated by WMI in response to changes in the CIM repository and further break down into events related to namespaces, classes, instances and timers. You can see these by navigating to '__SystemClass\__IndicationRelated\__Event' where you will find
- __NamespaceOperationEvent and its children
- __ClassOperationEvent and its children
- __InstanceOperationEvent and its children
- __TimerEvent
If you poke around under these classes you'll see that there are various events that fire when something interesting happens in the CIM repository. The timer event is different as this lets you set up an event that fires on a regular basis or at a scheduled time.
Extrinsic Events
Providers
Extrinsic events are fired into WMI by providers. Providers allow third parties to plug in to WMI and make their management information available. You'll probably have a whole bunch of these registered on your systems. They are often created as DLLs with an accompanying MOF file. You can find some provider-related files in '%windir%\system32\wbem'. Look for any files with 'prov' in their names. Alternatively, running these commands will give you an exhaustive list of the providers installed in the 'root\CIMv2' namespace from WMI's perspective.
get-wmiobject -class "__InstanceProviderRegistration" | select-object -property Provider
get-wmiobject -class "__ClassProviderRegistration" | select-object -property Provider
get-wmiobject -class "__EventProviderRegistration" | select-object -property Provider
get-wmiobject -class "__MethodProviderRegistration" | select-object -property Provider
get-wmiobject -class "__PropertyProviderRegistration" | select-object -property Provider
get-wmiobject -class "__EventConsumerProviderRegistration" | select-object -property Provider
and Events
In order to list all of the extrinsic events available on a system you need to recurse through all of the namespaces in WMI listing out all of the '__ExtrinsicEvent' classes that you find. This next piece of code does exactly that. It uses a couple of functions -
- Get-ExtrinsicEvents - runs a query against all of the classes in a particular namespace and lists only the '__ExtrinsicEvent' classes. Specifying 'meta_class' causes Get-WmiObject to retrieve class rather than instance objects from the repository.
- ExamineNamespace - recurses through a namespace hierarchy calling Get-ExtrinsicEvents
function Get-ExtrinsicEvents( [string]$ns )
{
    # Query class definitions (meta_class), keeping only those derived from __ExtrinsicEvent
    Get-WmiObject -class meta_class -namespace $ns -filter "__this isa '__ExtrinsicEvent'" |
        select-object Name | Format-Table -HideTableHeaders
}
function ExamineNamespace( [string]$ns )
{
    write-host "==================" $ns
    Get-ExtrinsicEvents $ns
    # Each __NAMESPACE instance is a child namespace; recurse into it
    foreach ($n in (Get-WmiObject -Class "__NAMESPACE" -namespace $ns))
    {
        ExamineNamespace ($n.__NAMESPACE + "\" + $n.Name)
    }
}
# Start at the top of the namespace hierarchy
ExamineNamespace "ROOT"
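The provider listing earlier only covers 'root\CIMv2'; the following added example (not code from the original post) combines it with the namespace recursion to inventory every event provider registration on a system, which is a useful baseline when checking for unexpected providers. The function names Get-ChildNamespace and Get-EventProviderInventory are hypothetical, and like the code above it assumes Windows PowerShell, where Get-WmiObject is available.

```powershell
# Added example: inventory event provider registrations in every namespace.
# Function names are hypothetical; the WMI classes are the ones discussed above.
function Get-ChildNamespace( [string]$ns )
{
    # Emit this namespace, then recurse into each child namespace.
    $ns
    Get-WmiObject -Class "__NAMESPACE" -Namespace $ns -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ChildNamespace ($ns + "\" + $_.Name) }
}

function Get-EventProviderInventory( [string]$root = "ROOT" )
{
    foreach ($ns in (Get-ChildNamespace $root))
    {
        # Index this namespace's __Win32Provider instances by name
        # so each registration can be matched to its COM CLSID.
        $providers = @{}
        Get-WmiObject -Class "__Win32Provider" -Namespace $ns -ErrorAction SilentlyContinue |
            ForEach-Object { $providers[$_.Name] = $_ }

        Get-WmiObject -Class "__EventProviderRegistration" -Namespace $ns -ErrorAction SilentlyContinue |
            ForEach-Object {
                # 'provider' is a reference path such as __Win32Provider.Name="X"
                $name = if ($_.provider -match 'Name="([^"]+)"') { $Matches[1] } else { $_.provider }
                New-Object PSObject -Property @{
                    Namespace = $ns
                    Provider  = $name
                    CLSID     = $providers[$name].CLSID
                    Queries   = ($_.EventQueryList -join "; ")
                }
            }
    }
}

# Namespaces the current account cannot read are skipped silently.
Get-EventProviderInventory |
    Sort-Object Namespace, Provider |
    Format-Table Namespace, Provider, CLSID, Queries -AutoSize -Wrap
```

The Queries column shows the event queries each provider registered for, which ties a provider back to the '__ExtrinsicEvent' classes listed by ExamineNamespace.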
In my next post I'll look at how you register your interest in specific WMI events and how you can launch PowerShell scripts in response to WMI events.