Event Scripting with WMI - Using __InstanceDeletionEvent
As you can probably imagine, the __InstanceDeletionEvent works the same way. Just replace the event in your WMI query and let it go to work. The script would look like this:
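' Connect to the WMI service on the local computer ("." = this machine)
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer _
    & "\root\cimv2")
' Poll every 10 seconds for files removed from c:\test.
' The backslash is doubled once for WQL and once for the embedded object path.
Set colEvents = objWMIService.ExecNotificationQuery _
    ("SELECT * FROM __InstanceDeletionEvent WITHIN 10 WHERE " _
    & "TargetInstance ISA 'CIM_DirectoryContainsFile' and " _
    & "TargetInstance.GroupComponent= " _
    & "'Win32_Directory.Name=""c:\\\\test""'")
' NextEvent blocks until the next matching event arrives
Do While True
    Set objEvent = colEvents.NextEvent()
    WScript.Echo "File Deleted:", _
        objEvent.TargetInstance.PartComponent
Loop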
This example will watch the C:\test folder for file deletions. All of the same rules apply: the query will run continuously until stopped and you must force it to exit the Do loop.
There is a plethora of different ways you can make use of the Create and Delete events. It doesn’t just apply to files. You can use this to monitor folders, drive letters, registry keys, services, and more. Play around with it and see what you can come up with.
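The same deletion event applied to services, as an added example that is not part of the original article: it reports when a Windows service is removed and passes a timeout to NextEvent so the loop ends on its own instead of having to be forced to exit. The choice of Win32_Service, the constant names, and the 60-second idle limit are assumptions made for illustration.

```vbscript
Option Explicit

' NextEvent raises this error when no event arrives within the timeout
Const WBEM_ERR_TIMED_OUT = &H80043001
Const POLL_TIMEOUT_MS = 5000    ' assumed value: wait up to 5 seconds per call
Const MAX_IDLE_POLLS = 12       ' assumed value: stop after about 60 quiet seconds

Dim strComputer, objWMIService, colEvents, objEvent
Dim idlePolls, errNumber, errText

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

' Fires when a Win32_Service instance disappears, i.e. a service is removed
Set colEvents = objWMIService.ExecNotificationQuery _
    ("SELECT * FROM __InstanceDeletionEvent WITHIN 10 WHERE " _
    & "TargetInstance ISA 'Win32_Service'")

idlePolls = 0
Do While idlePolls < MAX_IDLE_POLLS
    ' Capture the outcome of NextEvent without aborting the script
    On Error Resume Next
    Err.Clear
    Set objEvent = colEvents.NextEvent(POLL_TIMEOUT_MS)
    errNumber = Err.Number
    errText = Err.Description
    On Error GoTo 0

    If errNumber = 0 Then
        ' An event arrived: report it and reset the idle counter
        idlePolls = 0
        WScript.Echo Now & " Service removed: " _
            & objEvent.TargetInstance.Name & " (" _
            & objEvent.TargetInstance.PathName & ")"
    ElseIf errNumber = WBEM_ERR_TIMED_OUT Then
        ' Nothing happened during this wait; count it and try again
        idlePolls = idlePolls + 1
    Else
        ' Any other WMI failure: report it and stop with a non-zero exit code
        WScript.Echo "WMI error 0x" & Hex(errNumber) & ": " & errText
        WScript.Quit 1
    End If
Loop

WScript.Echo "No service deletions for " _
    & (MAX_IDLE_POLLS * POLL_TIMEOUT_MS \ 1000) & " seconds; exiting."
```

Run it with cscript.exe so each WScript.Echo goes to the console rather than a message box.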
Stick around for the second part of this series, when we’ll explore two other event types that WMI makes available to us. Until next time, keep coding.