More Event Scripting with WMI - Using __InstanceOperationEvent
(Page 4 of 4 )
So now we’ve learned how to implement WMI events to watch for creations, deletions, and modifications. By now you’re probably wondering what you can do if you want to watch for any or all of these events at the same time.
Let’s take this code as an example.
Set colEvents = objWMIService.ExecNotificationQuery _
("SELECT * FROM __InstanceCreationEvent OR __InstanceDeletionEvent " _
& WITHIN 10 WHERE " _
& "Targetinstance ISA 'CIM_DirectoryContainsFile' and " _
& "TargetInstance.GroupComponent= " _
& "'Win32_Directory.Name=""c:\test""'")
In this query we’ve instructed WMI to look for either a creation event or a deletion event. It seems simple enough, but there’s one problem. It won’t work.
WMI will issue an “Unparsable query” error when you try to do this. As it turns out, WMI only likes to deal with one event at a time. This is a very logical script so how can we solve this problem?
Enter WMI’s fourth and final event type. The __InstanceOperationEvent event will monitor for any of the creation, deletion, or modification events. It works a little bit differently though.
You’re going to start out with the same code construct. Simply drop the new event into your query.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & strComputer _
& "rootcimv2")
Set colEvents = objWMIService.ExecNotificationQuery _
("SELECT * FROM __InstanceOperationEvent WITHIN 10 WHERE " _
& "Targetinstance ISA 'CIM_DirectoryContainsFile' and " _
& "TargetInstance.GroupComponent= " _
& "'Win32_Directory.Name=""c:\test""'")
Here’s where things get a little tricky. The __InstanceOperationEvent still returns a collection of events, and we’re still going to process them with an endless do loop. But now we have to determine which event has occurred. We’ll do that by setting up a Select statement for each event type we're looking for.
Do While True
Set objEvent = colEvents.NextEvent()
Select Case objEvent.Path_.Class
Case "__InstanceCreationEvent"
WScript.Echo "File Created:", _
parsePath(objEvent.TargetInstance.PartComponent)
Case "__InstanceDeletionEvent"
WScript.Echo "File Deleted:", _
parsePath(objEvent.TargetInstance.PartComponent)
Case "__InstanceModificationEvent"
WScript.Echo "File Modified:", _
parsePath(objEvent.TargetInstance.PartComponent)
End Select
Loop
The key to this whole code segment is the use of the Path_.Class property. This property contains the type of event that was returned. The Select Case statement chooses how to process the event based on what type it was. If we were only concerned with creation and deletion events, we could simply omit the Case statement for modified ones.
If you were looking for changes to a specific file, you would want to implement an If statement to check the file name. This is just a base script and should be customized to fit your needs.
The topics in this series are quite advanced. You should play around with them to get a good handle on what’s really happening behind the scenes. Once you understand the concept, you’ll find that building your own customized script isn’t as daunting a task as it might seem.
Making use of event driven programming will open many possibilities to you as a programmer. You now have the power to create scripts capable of reacting to the system in real time. Now go explore and see what you can come up with. Until next time…keep coding!
| DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware. |
