首先看到下面一个例子:
$strComputer = "."
$objWMIService = ObjGet("winmgmts://" & $strComputer & "/root/cimv2")$strWQL = "SELECT * " & _"FROM __InstanceCreationEvent " & _ "WITHin$2 " & _"WHERE TargetInstance ISA 'Win32_Process' " & _"AND TargetInstance.Name = 'notepad.exe'"ConsoleWrite( "Waiting for a new instance of Notepad to start..." & @CrLf )$objEventSource = $objWMIService.ExecNotificationQuery($strWQL)$objEventObject = $objEventSource.NextEvent()ConsoleWrite( "A new instance of Notepad was just started." & @CrLf )当你运行记事本时程序就会发出一条提示。下面是对这段代码的解释:
$strComputer = "."
$objWMIService = ObjGet("winmgmts://" & $strComputer & "/root/cimv2")
连接到命名空间。
$strWQL = "SELECT * " & _
"FROM __InstanceCreationEvent " & _ "WITHin 2 " & _"WHERE TargetInstance ISA 'Win32_Process' " & _"AND TargetInstance.Name = 'notepad.exe'"
这是一段WQL查询代码,__InstanceCreationEvent 表示监视新实例的建立,在这里表示新进程建立。类似的东西还有__InstanceModificationEvent、__InstanceDeletionEvent、__InstanceOperationEvent,它们分别表示修改、删除、全部操作(既以上三种的综合)。WITHin 2 表示每两秒查询一次。TargetInstance ISA 'Win32_Process' 表示监控Win32_Process类。TargetInstance.Name = 'notepad.exe'表示监控Name属性为notepad.exe的实例。
$objEventSource = $objWMIService.ExecNotificationQuery($strWQL)
$objEventObject = $objEventSource.NextEvent()
ExecNotificationQuery和ExecQuery的意义差不多一样,不过前者是专门用来获取WMI事件。$objEventSource.NextEvent() 表示不断进行WQL查询,直到通知产生,这段时间内脚本会暂停。
另外,用$objEventObject.Path_.Class你可以获取通知的种类,比如__InstanceCreationEvent。你还可以用$objEventObject.TargetInstance.+属性 来获取产生通知的实例的属性。
理论就讲到这里,剩下的东西相信大家看了下面的几个例子后就明白了。
下面是一段监视进程的范例:
$strComputer = "."
$objWMIService = ObjGet("winmgmts://" & $strComputer & "/root/cimv2")$strQuery = "SELECT * " & _"FROM __InstanceOperationEvent " & _ "WITHin 2 " & _"WHERE TargetInstance ISA 'Win32_Process' " $objEventSource = $objWMIService.ExecNotificationQuery($strQuery)ConsoleWrite( "进程监控开始..." & @CRLF )While 1$objEventObject = $objEventSource.NextEvent()Switch $objEventObject.Path_.ClassCase "__InstanceCreationEvent" ConsoleWrite("新进程建立:" & $objEventObject.TargetInstance.Name & @CrLf )Case "__InstanceDeletionEvent"ConsoleWrite("进程被关闭:" & $objEventObject.TargetInstance.Name & @CrLf )EndSwitchWEnd
下面是一段文件监控的例子:
$strComputer = "."
$objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\cimv2")$colMonitoredEvents = $objWMIService.ExecNotificationQuery _("SELECT * FROM __InstanceOperationEvent WITHIN 5 WHERE " _& "Targetinstance ISA 'CIM_DirectoryContainsFile' and " _& "TargetInstance.GroupComponent= " _& "'Win32_Directory.Name=""c:\\\\1""'")While 1$objEventObject = $colMonitoredEvents.NextEvent()Select Case $objEventObject.Path_.Class()="__InstanceCreationEvent"ConsoleWrite ("A new file was just created: " & $objEventObject.TargetInstance.PartComponent() & @CR)Case $objEventObject.Path_.Class()="__InstanceDeletionEvent"ConsoleWrite ("A file was just deleted: " & $objEventObject.TargetInstance.PartComponent() & @CR)EndSelectWEnd
下面是监控USB设备的例子:
$strComputer = "."
$objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\cimv2")$colEvents = $objWMIService.ExecNotificationQuery _("Select * From __InstanceOperationEvent Within 5 Where " _& "TargetInstance isa 'Win32_LogicalDisk'")While 1$objEvent = $colEvents.NextEventIf $objEvent.TargetInstance.DriveType = 2 Then Select Case $objEvent.Path_.Class()="__InstanceCreationEvent"Consolewrite("Drive " & $objEvent.TargetInstance.DeviceId & "has been added." & @CR)Case $objEvent.Path_.Class()="__InstanceDeletionEvent"Consolewrite("Drive " & $objEvent.TargetInstance.DeviceId & "has been removed."& @CR)EndSelectEndIfWEnd
#ifndef _WIN32_DCOM #define _WIN32_DCOM #endif #include <windows.h> #include <objbase.h> #include <atlbase.h> #include <iostream> #include <wbemidl.h> #include <comutil.h> #include < string.h> int main( int argc, char** argv ) { HRESULT hr = CoInitializeEx( NULL, COINIT_MULTITHREADED ); if ( FAILED( hr ) ) { std::cerr << " COM initialization failed " << std::endl; return - 1; } // setup process-wide security context hr = CoInitializeSecurity( NULL, // we're not a server - 1, // we're not a server NULL, // dito NULL, // reserved RPC_C_AUTHN_LEVEL_DEFAULT, // let DCOM decide RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL ); if ( FAILED( hr ) ) { std::cerr << " Security initialization failed " << std::endl; return - 1; } int result = 0; // we're going to use CComPtr<>s, whose lifetime must end BEFORE CoUnitialize is called { // connect to WMI CComPtr< IWbemLocator > locator; hr = CoCreateInstance( CLSID_WbemAdministrativeLocator, NULL, CLSCTX_INPROC_SERVER, IID_IWbemLocator, reinterpret_cast< void** >( &locator ) ); if ( FAILED( hr ) ) { std::cerr << " Instantiation of IWbemLocator failed " << std::endl; return - 1; } // connect to local service with current credentials CComPtr< IWbemServices > service; hr = locator->ConnectServer( L " root\\cimv2 ", NULL, NULL, NULL, WBEM_FLAG_CONNECT_USE_MAX_WAIT, NULL, NULL, &service ); if ( SUCCEEDED( hr ) ) { // execute a query CComPtr< IEnumWbemClassObject > enumerator; hr = service->ExecNotificationQuery( L " WQL ", L " SELECT * FROM __InstanceOperationEvent WITHIN 5 WHERE ( TargetInstance ISA \'Win32_LogicalDisk\' ) ", WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY, NULL, &enumerator ); std::cout << " QUERY " << hr << std::endl; if ( SUCCEEDED( hr ) ) { // #error "Comment out after read: program will terminate after two events; be sure not kill program by CTRL-C etc. See caveats section in article" int count = 0; do { CComPtr< IWbemClassObject > folder = NULL; ULONG retcnt = 0L; while ( ( hr = enumerator->Next( WBEM_INFINITE, 1L, &folder, &retcnt ) ) == WBEM_S_TIMEDOUT ); if ( SUCCEEDED( hr ) && ( hr != WBEM_S_FALSE ) ) { if ( retcnt > 0 ) { _variant_t var_OP; hr = folder->Get( L " __Class ", 0, &var_OP, NULL, NULL ); _bstr_t vlOP = var_OP; // count ++; // query returns a result - handle the event _variant_t var_val; hr = folder->Get( L " TargetInstance ", 0, &var_val, NULL, NULL ); if ( SUCCEEDED( hr ) ) { IUnknown* str = var_val; CComPtr< IWbemClassObject > obj; hr = str->QueryInterface( IID_IWbemClassObject, reinterpret_cast< void** >( &obj ) ); if ( SUCCEEDED( hr ) ) { _variant_t cn; hr = obj->Get( L " __Class ", 0, &cn, NULL, NULL ); if ( SUCCEEDED( hr ) ) { _bstr_t name = cn; if ( name == _bstr_t( L " Win32_LogicalDisk " ) ) { _variant_t labl; obj->Get( L " Name ", 0, &labl, NULL, NULL ); _bstr_t vl = labl; std::cout <<vlOP<< " Change to disk " << vl << std::endl; } } } } else { std::cerr << " IWbemClassObject::Get failed " << std::endl; result = - 1; } break; } else { std::cout << " Enumeration empty " << std::endl; } } else if ( FAILED( hr ) ) { std::cerr << " Error in iterating through enumeration 0x " << std::hex << hr << std::dec << std::endl; result = - 1; } else std::cout << " empty " << std::endl; } while ( count < 2 ); } else { std::cerr << " Query failed " << std::endl; result = - 1; } } else { std::cerr << " Couldn't connect to service " << std::endl; result = - 1; } } CoUninitialize(); return result; }