This session was done at Bangalore IT Pro UG meet on 20th August 2011. This was an introductory session to WMI eventing in PowerShell.

1. PowerShell and WMI Eventing for IT Pros Ravikanth C

2. About me Lead Engineer at Dell Windows PowerShell MVP Developer on several PowerShell projects on Codeplex Author of Free eBook: WMI Query Language via PowerShell Free eBook: Layman’s guide to PowerShell 2.0 remoting Co-author on Quest’s SharePoint 2010 & PowerShell cheat sheet Blog at http://www.ravichaganti.com/blog

3. Agenda What is WMI? WMI and PowerShell WMI Events – An Introduction Intrinsic Events Extrinsic Events Timer Events WMI event consumers Temporary Permanent Q & A

4. What is WMI? Windows Management Instrumentation Microsoft’s implementation of WBEM Set of classes that supply management information Manage Windows environment faster & easier Available since NT 4 Myths WMI is too hard IT admins can’t use WMI for automation

5. VBScript vs PowerShell VBScript PowerShell set objWMIService = GetObject("winmgmts:" _ & "{impersonationlevel=impersonate}!" _ & ".ootimv2") set colProcesses = objWMIService.ExecQuery _ ("SELECT * FROM Win32_Process") for each objProcess in colProcesses WScript.Echo "Name : " + objProcess.Name WScript.Echo "Handle : " + objProcess.Handle WScript.Echo "Handles: " + Cstr(objProcess.HandleCount) WScript.Echo "ThreadCount : " + Cstr(objProcess.ThreadCount) next Get-WmiObject –Class Win32_Process

6. WMI and PowerShell PowerShell v2 has 5 WMI cmdlets Get-WmiObject Register-WmiEvent Invoke-WmiMethod Remove-WmiObject Set-WmiInstance Get-WmiObject for traversing WMI classes and Objects Default name space is rootimv2 List all Win32 WMI classes Get-WmiObject-NamespaceRootimv2-List|?{$_.Name-like'*Win32*'}

7. WMI Events – An Introduction Events generated by operating system and several other components Register-WMIEvent can be used to subscribe to events Not all WMI classes are event classes Requires Admin privileges Can monitor remote systems Complex event registrations require knowledge of WQL Event Query Types Intrinsic Events Extrinsic Events Timer Events

8. WMI Events - Hierarchy

9. WMI Events – Intrinsic Events Represent changes to standard WMI data model WMI uses polling to detect a change Derived from __IntrinsicEvent class and includes __InstanceCreationEvent __InstanceDeletionEvent __InstanceModificationEvent __InstanceOperationEvent Syntax SELECT Property_List FROM EventClass WITHIN PollingIntervalWHERE TargetInstance | PreviousInstanceISA WMIClassNameAND TargetInstance.WMIClassPropertyName = Value

10. WMI Events – Extrinsic Events Represent events that do not directly link to standard WMI model Example: Windows Registry Provider Events, Power Management Events Derived from __ExtrinsicEvent class Registry Event Provider RegistryValueChangeEvent RegistryKeyChangeEvent RegistryTreeChangeEvent

11. WMI Events – Timer Events Two types of Timer Events AbsoluteTimer Events IntervalTimer Events Win32_LocalTime and Win32_CurrentTime replaced the legacy __AbsoluteTimerInstructionand __IntervalTimerInstructionclasses Not really required for a regular system admin job

12. WMI Events – Event Consumers Temporary Consumers Event registration dies as soon as the host exits Register-WmiEvent Permanent Consumers Event registration available even after a system reboot 5 Types of built-in types Log File Commandline ActiveScript SMTP EventLog PowerEvents Module for permanent consumers http://powerevents.codeplex.com

13. Thank YouQ/A