分类: WINDOWS
2008-12-07 00:37:32
九、WMI事件
所谓WMI事件,即特定对象的属性发生改变时发出的通知,其中包括增加、修改、删除三种类型。
首先看到下面一个例子:
$strComputer = "."
$objWMIService = ObjGet("winmgmts://" & $strComputer & "/root/cimv2")
$strWQL = "SELECT * " & _
"FROM __InstanceCreationEvent " & _
"WITHin$2 " & _
"WHERE TargetInstance ISA 'Win32_Process' " & _
"AND TargetInstance.Name = 'notepad.exe'"
ConsoleWrite( "Waiting for a new instance of Notepad to start..." & @CrLf )
$objEventSource = $objWMIService.ExecNotificationQuery($strWQL)
$objEventObject = $objEventSource.NextEvent()
ConsoleWrite( "A new instance of Notepad was just started." & @CrLf )当你运行记事本时程序就会发出一条提示。下面是对这段代码的解释:
$strComputer = "."
$objWMIService = ObjGet("winmgmts://" & $strComputer & "/root/cimv2")连接到命名空间。
$strWQL = "SELECT * " & _
"FROM __InstanceCreationEvent " & _
"WITHin 2 " & _
"WHERE TargetInstance ISA 'Win32_Process' " & _
"AND TargetInstance.Name = 'notepad.exe'"这是一段WQL查询代码,__InstanceCreationEvent 表示监视新实例的建立,在这里表示新进程建立。类似的东西还有__InstanceModificationEvent、__InstanceDeletionEvent、__InstanceOperationEvent,它们分别表示修改、删除、全部操作(既以上三种的综合)。WITHin 2 表示每两秒查询一次。TargetInstance ISA 'Win32_Process' 表示监控Win32_Process类。TargetInstance.Name = 'notepad.exe'表示监控Name属性为notepad.exe的实例。
$objEventSource = $objWMIService.ExecNotificationQuery($strWQL)
$objEventObject = $objEventSource.NextEvent()ExecNotificationQuery和ExecQuery的意义差不多一样,不过前者是专门用来获取WMI事件。$objEventSource.NextEvent() 表示不断进行WQL查询,直到通知产生,这段时间内脚本会暂停。
另外,用$objEventObject.Path_.Class你可以获取通知的种类,比如__InstanceCreationEvent。你还可以用$objEventObject.TargetInstance.+属性 来获取产生通知的实例的属性。
理论就讲到这里,剩下的东西相信大家看了下面的几个例子后就明白了。
下面是一段监视进程的范例:
$strComputer = "."
$objWMIService = ObjGet("winmgmts://" & $strComputer & "/root/cimv2")
$strQuery = "SELECT * " & _
"FROM __InstanceOperationEvent " & _
"WITHin 2 " & _
"WHERE TargetInstance ISA 'Win32_Process' "
$objEventSource = $objWMIService.ExecNotificationQuery($strQuery)
ConsoleWrite( "进程监控开始..." & @CRLF )
While 1
$objEventObject = $objEventSource.NextEvent()
Switch $objEventObject.Path_.Class
Case "__InstanceCreationEvent"
ConsoleWrite("新进程建立:" & $objEventObject.TargetInstance.Name & @CrLf )
Case "__InstanceDeletionEvent"
ConsoleWrite("进程被关闭:" & $objEventObject.TargetInstance.Name & @CrLf )
EndSwitch
WEnd下面是一段文件监控的例子:
$strComputer = "."
$objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\cimv2")
$colMonitoredEvents = $objWMIService.ExecNotificationQuery _
("SELECT * FROM __InstanceOperationEvent WITHIN 5 WHERE " _
& "Targetinstance ISA 'CIM_DirectoryContainsFile' and " _
& "TargetInstance.GroupComponent= " _
& "'Win32_Directory.Name=""c:\\\\1""'")
While 1
$objEventObject = $colMonitoredEvents.NextEvent()
Select
Case $objEventObject.Path_.Class()="__InstanceCreationEvent"
ConsoleWrite ("A new file was just created: " & $objEventObject.TargetInstance.PartComponent() & @CR)
Case $objEventObject.Path_.Class()="__InstanceDeletionEvent"
ConsoleWrite ("A file was just deleted: " & $objEventObject.TargetInstance.PartComponent() & @CR)
EndSelect
WEnd下面是监控USB设备的例子:
$strComputer = "."
$objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\cimv2")
$colEvents = $objWMIService.ExecNotificationQuery _
("Select * From __InstanceOperationEvent Within 5 Where " _
& "TargetInstance isa 'Win32_LogicalDisk'")
While 1
$objEvent = $colEvents.NextEvent
If $objEvent.TargetInstance.DriveType = 2 Then
Select
Case $objEvent.Path_.Class()="__InstanceCreationEvent"
Consolewrite("Drive " & $objEvent.TargetInstance.DeviceId & "has been added." & @CR)
Case $objEvent.Path_.Class()="__InstanceDeletionEvent"
Consolewrite("Drive " & $objEvent.TargetInstance.DeviceId & "has been removed."& @CR)
EndSelect
EndIf
WEnd
