WMI事件流沙

zoukankan html css js c++ java

WMI事件流沙

九、WMI事件
所谓WMI事件，即特定对象的属性发生改变时发出的通知，其中包括增加、修改、删除三种类型。
首先看到下面一个例子：
$strComputer = "."
$objWMIService = ObjGet("winmgmts://" & $strComputer & "/root/cimv2")
$strWQL = "SELECT * " & _ "FROM __InstanceCreationEvent " & _ "WITHin$2 " & _ "WHERE TargetInstance ISA 'Win32_Process' " & _ "AND TargetInstance.Name = 'notepad.exe'"
ConsoleWrite( "Waiting for a new instance of Notepad to start..." & @CrLf ) $objEventSource = $objWMIService.ExecNotificationQuery($strWQL) $objEventObject = $objEventSource.NextEvent() ConsoleWrite( "A new instance of Notepad was just started." & @CrLf )
当你运行记事本时程序就会发出一条提示。下面是对这段代码的解释：
$strComputer = "."
$objWMIService = ObjGet("winmgmts://" & $strComputer & "/root/cimv2")
连接到命名空间。
$strWQL = "SELECT * " & _ "FROM __InstanceCreationEvent " & _ "WITHin 2 " & _ "WHERE TargetInstance ISA 'Win32_Process' " & _ "AND TargetInstance.Name = 'notepad.exe'"
这是一段WQL查询代码，__InstanceCreationEvent 表示监视新实例的建立，在这里表示新进程建立。类似的东西还有__InstanceModificationEvent、__InstanceDeletionEvent、__InstanceOperationEvent，它们分别表示修改、删除、全部操作（既以上三种的综合）。WITHin 2 表示每两秒查询一次。TargetInstance ISA 'Win32_Process' 表示监控Win32_Process类。TargetInstance.Name = 'notepad.exe'表示监控Name属性为notepad.exe的实例。
$objEventSource = $objWMIService.ExecNotificationQuery($strWQL) $objEventObject = $objEventSource.NextEvent()
ExecNotificationQuery和ExecQuery的意义差不多一样，不过前者是专门用来获取WMI事件。$objEventSource.NextEvent() 表示不断进行WQL查询，直到通知产生，这段时间内脚本会暂停。
另外，用$objEventObject.Path_.Class你可以获取通知的种类，比如__InstanceCreationEvent。你还可以用$objEventObject.TargetInstance.+属性来获取产生通知的实例的属性。
理论就讲到这里，剩下的东西相信大家看了下面的几个例子后就明白了。
下面是一段监视进程的范例：
$strComputer = "."
$objWMIService = ObjGet("winmgmts://" & $strComputer & "/root/cimv2")
$strQuery = "SELECT * " & _ "FROM __InstanceOperationEvent " & _ "WITHin 2 " & _ "WHERE TargetInstance ISA 'Win32_Process' "
$objEventSource = $objWMIService.ExecNotificationQuery($strQuery)
ConsoleWrite( "进程监控开始..." & @CRLF )
While 1 $objEventObject = $objEventSource.NextEvent() Switch $objEventObject.Path_.Class Case "__InstanceCreationEvent" ConsoleWrite("新进程建立:" & $objEventObject.TargetInstance.Name & @CrLf ) Case "__InstanceDeletionEvent" ConsoleWrite("进程被关闭:" & $objEventObject.TargetInstance.Name & @CrLf ) EndSwitch WEnd
下面是一段文件监控的例子：
$strComputer = "." $objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\cimv2")
$colMonitoredEvents = $objWMIService.ExecNotificationQuery _ ("SELECT * FROM __InstanceOperationEvent WITHIN 5 WHERE " _ & "Targetinstance ISA 'CIM_DirectoryContainsFile' and " _ & "TargetInstance.GroupComponent= " _ & "'Win32_Directory.Name=""c:\\\\1""'")
While 1 $objEventObject = $colMonitoredEvents.NextEvent()
Select Case $objEventObject.Path_.Class()="__InstanceCreationEvent" ConsoleWrite ("A new file was just created: " & $objEventObject.TargetInstance.PartComponent() & @CR) Case $objEventObject.Path_.Class()="__InstanceDeletionEvent" ConsoleWrite ("A file was just deleted: " & $objEventObject.TargetInstance.PartComponent() & @CR) EndSelect WEnd
下面是监控USB设备的例子：
$strComputer = "." $objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\cimv2")
$colEvents = $objWMIService.ExecNotificationQuery _ ("Select * From __InstanceOperationEvent Within 5 Where " _ & "TargetInstance isa 'Win32_LogicalDisk'")
While 1 $objEvent = $colEvents.NextEvent If $objEvent.TargetInstance.DriveType = 2 Then
Select Case $objEvent.Path_.Class()="__InstanceCreationEvent" Consolewrite("Drive " & $objEvent.TargetInstance.DeviceId & "has been added." & @CR) Case $objEvent.Path_.Class()="__InstanceDeletionEvent" Consolewrite("Drive " & $objEvent.TargetInstance.DeviceId & "has been removed."& @CR) EndSelect EndIf WEnd

查看全文

相关阅读:
register变量
 register变量
 const和volatile是否可以同时修饰一个变量？有什么特殊含义？
关于多态性和虚函数的理解
 static全局变量与普通的全局变量有什么区别
 《c专家编程》学习笔记
 正则表达式入门学习
 mvc ActionResult
ASP.NET MVC：通过 FileResult 向浏览器发送文件(传)
Asp.net mvc 中的HttpContext

原文地址：https://www.cnblogs.com/darkdance/p/2267062.html

WMI事件 流沙