Richard Siddaway's Blog
November 07

PowerShell Eventing

This isn't the latest sport added for the 2012 Olympics but a way to dig deeper into what is happening on your machine. There is a continuous stream of events occurring on a computer: programs stop or start, files open or close, and so on. Some, but not all, of these events are recorded in the event logs. If we want to understand what is happening we can track it using the PowerShell event engine introduced in PowerShell v2. Three types of events can be registered (PowerShell engine, .NET and WMI) using the following cmdlets respectively:

    Register-EngineEvent
    Register-ObjectEvent
    Register-WmiEvent
We can use Get-Event to discover the events that have actually happened.

We'll start by looking at WMI events. We can use Register-WmiEvent to register the event we want to track. In this case we want to know when new processes are started. We can create an event registration using

    Register-WmiEvent -Query "Select * from __instancecreationevent within 5 where targetinstance isa 'Win32_Process'" -MessageData "Process Started" -SourceIdentifier "New Process"

__instancecreationevent is a WMI system class. The 5 refers to the system being scanned (polled) every 5 seconds. WMI system classes are created on a per-namespace basis, i.e. a new set of system classes is created for each WMI namespace. The full list of WMI system classes can be seen at http://msdn.microsoft.com/en-us/library/aa394583(VS.85).aspx or can be browsed using PowerGUI's WMI browser. We can view the system classes relating to WMI events with

    Get-WmiObject -Namespace 'root\cimv2' -List "__*Event"

and we will see that there is a __InstanceDeletionEvent class as well. If we want to track process creation and deletion (program open and close) we will need to register this as well:

    Register-WmiEvent -Query "Select * from __instancedeletionevent within 5 where targetinstance isa 'Win32_Process'" -MessageData "Process Stopped" -SourceIdentifier "End Process"

When we run these commands nothing seems to happen. We can see the event registrations (or subscriptions) with

    PS> Get-EventSubscriber
    SubscriptionId : 1
    SubscriptionId : 2

If we start notepad and then check the process

    PS> Get-Process notepad | select name, starttime
    Name StartTime

we can compare this to the event information

    PS> Get-Event -SourceIdentifier "New Process"
    ComputerName :
which doesn't seem to tell us much beyond the fact that a process has started; it specifically doesn't tell us which process has started. Similarly, when we stop a process

    PS> Stop-Process -Name notepad
    ComputerName :

we get a message that the process has stopped but no identification as to which process. Events only exist in the current session and the subscriptions are lost if the PowerShell session is closed.

A couple of quick points: the event queue can be quickly cleaned using

    Get-Event | Remove-Event

and we can remove event subscriptions using

    Unregister-Event -SourceIdentifier "New Process"

We will dig further into the eventing capabilities in future posts.
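As an added example (not code from the original post), here is the whole procedure from the post collected into one re-runnable script. It goes one step further than the post does: each queued event carries the WMI event object, whose TargetInstance property is the Win32_Process instance that was created or deleted, so reading it shows which process started or stopped rather than only that one did. The source identifiers match the post; the notepad test process and the sleep intervals are assumptions chosen for the demonstration, and the script assumes PowerShell v2 or later on Windows with WMI available.

```powershell
# Added example, not part of the original post.
# Subscriptions keyed by the source identifiers used in the post.
$queries = @{
    'New Process' = @{
        Query   = "Select * from __InstanceCreationEvent within 5 where TargetInstance isa 'Win32_Process'"
        Message = 'Process Started'
    }
    'End Process' = @{
        Query   = "Select * from __InstanceDeletionEvent within 5 where TargetInstance isa 'Win32_Process'"
        Message = 'Process Stopped'
    }
}

# Drop any earlier registrations with the same names so the script can be re-run in one session.
foreach ($id in $queries.Keys) {
    Get-EventSubscriber -SourceIdentifier $id -ErrorAction SilentlyContinue | Unregister-Event
}

# Register creation and deletion polling subscriptions (5-second polling interval, as in the post).
foreach ($id in $queries.Keys) {
    Register-WmiEvent -Query $queries[$id].Query -MessageData $queries[$id].Message -SourceIdentifier $id | Out-Null
}

# Confirm both subscriptions exist.
Get-EventSubscriber | Format-Table SubscriptionId, SourceIdentifier -AutoSize

# Generate activity to observe (assumption: notepad is available). Wait longer than the
# polling interval after each step so the creation and deletion events are both delivered.
$p = Start-Process notepad -PassThru
Start-Sleep -Seconds 7
Stop-Process -Id $p.Id
Start-Sleep -Seconds 7

# Walk the event queue. SourceEventArgs.NewEvent is the __Instance*Event object;
# its TargetInstance is the Win32_Process that was created or deleted.
Get-Event |
    Where-Object { $queries.ContainsKey($_.SourceIdentifier) } |
    ForEach-Object {
        $proc = $_.SourceEventArgs.NewEvent.TargetInstance
        New-Object PSObject -Property @{
            Time        = $_.TimeGenerated
            Event       = $_.MessageData
            Name        = $proc.Name
            ProcessId   = $proc.ProcessId
            ParentId    = $proc.ParentProcessId
            CommandLine = $proc.CommandLine
        }
    } |
    Format-Table Time, Event, Name, ProcessId, ParentId, CommandLine -AutoSize

# Tidy up: drain the queue and remove the subscriptions, as described in the post.
Get-Event | Remove-Event
foreach ($id in $queries.Keys) { Unregister-Event -SourceIdentifier $id }
```

Two caveats worth keeping in mind when using this for monitoring. The "within 5" clause means WMI polls for changes every five seconds, so a process that starts and exits inside one interval can be missed entirely; shortening the interval catches more but costs CPU. And, as the post notes, the subscriptions live only in the current session, so this is a tool for ad hoc investigation rather than a substitute for persistent process creation auditing in the Security event log.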