Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

How use C# to create EventFilter, EventConsumer and FilterToConsumerBinding?

366 views
Skip to first unread message

Dave Kolb

unread,
Dec 12, 2002, 3:33:00 PM12/12/02
to
Anyone have a C# or VB.NET example of how to create EventFilter,
EventConsumer and FilterToConsumerBinding object set in the WMI Repository
so as to implement a permanent event consumer on a target machine from a
remote machine?

Thanks,
Dave


Dave Kolb

unread,
Dec 13, 2002, 10:33:33 AM12/13/02
to

Andy, thanks you very much. Dave


"Andy Cheung [MSFT]" <ha...@online.microsoft.com> wrote in message
news:#moK2TjoCHA.2276@TK2MSFTNGP12...
> Attached a sample that might help.
>
> --
> Andy Cheung
> Microsoft WMI Test Engineer
> This posting is provided "As Is" with no warranties, and confers no
rights.
> Use of included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
>
> "Dave Kolb" <Dave.Kol...@remove.sas.com> wrote in message
> news:eqlSm2hoCHA.2520@TK2MSFTNGP10...

Dave Kolb

unread,
Dec 13, 2002, 11:08:06 AM12/13/02
to
Andy,

In order to enumerate the permanent consumer related classes and discover
their bindings to each other I'm guessing I can just doing a WQL data query
such as "select * from __EventFilter" and "Select * from
__FilterToConsumerBinding where Consumer = 'MyEventConsumer' or Filter =
'MyEventFilter' ".

But how would one enumerate all the __EventConsumer's since any actual
consumer would be derived from this superclass?

Something like "Select * from ???? where ???? ISA __EventConsumer"

Thanks,
Dave


Dave Kolb

unread,
Dec 13, 2002, 4:12:38 PM12/13/02
to
Andy,

If I code your example and do similar to the below I get the EventFilter and
the binding objects but I do not get an object returned for the
__EventConsumer as I created a derived object (ActiveScriptEventConsumer in
my case).

How can I ask for objects derived from __EventConsumer without knowing their
specific name?

Thanks,
Dave

// show the new classes

ManagementClass c;

c = new ManagementClass(new ManagementScope(@"\root\cimv2"), new
ManagementPath("__EventConsumer"), null);

foreach (ManagementObject o in c.GetInstances())

Console.WriteLine("Next instance of __EventConsumer: {0}",
o.Path.ToString());

c = new ManagementClass(new ManagementScope(@"\root\cimv2"), new
ManagementPath("__EventFilter"), null);

foreach (ManagementObject o in c.GetInstances())

Console.WriteLine("Next instance of __EventFilter: {0}",
o.Path.ToString());

"Andy Cheung [MSFT]" <ha...@online.microsoft.com> wrote in message
news:#moK2TjoCHA.2276@TK2MSFTNGP12...
> Attached a sample that might help.
>
> --
> Andy Cheung
> Microsoft WMI Test Engineer
> This posting is provided "As Is" with no warranties, and confers no
rights.
> Use of included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
>
> "Dave Kolb" <Dave.Kol...@remove.sas.com> wrote in message
> news:eqlSm2hoCHA.2520@TK2MSFTNGP10...

Andy Cheung [MSFT]

unread,
Dec 14, 2002, 6:12:11 PM12/14/02
to
The EnumerationOptions class gives you more control when you enumerate WMI
objects. To enumerate instances of a WMI class and its derived classes, you
would provide an instance of EnumerationOptions class with EnumerateDeep
property enabled. Here is a sample:

EnumerationOptions enumOptions = new EnumerationOptions();
enumOptions.EnumerateDeep = true;
foreach (ManagementObject o in c.GetInstances(enumOptions))


Console.WriteLine("Next instance of __EventConsumer: {0}",
o.Path.ToString());

--


Andy Cheung
Microsoft WMI Test Engineer
This posting is provided "As Is" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


"Dave Kolb" <Dave.Kol...@remove.sas.com> wrote in message

news:e$QuZxuoCHA.1616@TK2MSFTNGP10...

Dave Kolb

unread,
Dec 17, 2002, 10:27:23 AM12/17/02
to
Thanks

"Andy Cheung [MSFT]" <ha...@online.microsoft.com> wrote in message

news:uMM85Y8oCHA.2308@TK2MSFTNGP10...

Dave Kolb

unread,
Dec 17, 2002, 10:36:20 AM12/17/02
to
I can get a similar test example to work just fine but only if the
ActiveScriptEventConsumer's "ScriptFileName" is a path on my local drive.
Nothing happens for a network share.

Also the script can only create a file on the local drive and not on a
network share.

The network share has full permissions for EVERYONE.

I have run the script to make sure it runs standalone and is not a script
problem.

Must the script be local and only write to local drives or am I having some
kind of permissions problem? My code an script are below.

Thanks,
Dave

using System;

using System.Management;

//using System.Reflection;

//using System.Collections;

//using System.Diagnostics;

namespace WmiShow

{

class Class1

{

public void Run()

{

//////////////////////////////////////////////////////////////////////

/// This snippet demonstrates how to subscribe a permanent WMI event.

/// Subscribing a permanent event involves three steps:

/// 1) creating an instance of event filter

/// 2) creating an instance of event consumer

/// 3) creating an instance of association to bind the event filter

/// and the event consumer created in step 1 and 2.

///

/// Note:

/// - This sample requires you to have write access to WMI respository.

/// - Before running this program, run the following at the command line.

/// This will register the SMTPEventConsumer class with WMI in the specified

/// namespace.

/// > cd winnt\system32\wbem

/// > mofcomp -N:root\cimv2 smtpcons.mof

/// > mofcomp -N:root\cimv2 scrcons.mof

/// - Fill in serverName and password variables as well as SmtpServer,

/// FromLine, and ToLine properties below.

///


ManagementObject myEventFilter = null;

ManagementObject myEventConsumer = null;

ManagementObject myBinder = null;

try

{

string serverName = ".";

//string password = "AdminPasswordHere";

ManagementScope scope = new
ManagementScope(string.Format(@"\\{0}\root\cimv2", serverName));

//scope.Options.Username = serverName + "\\Administrator";

//scope.Options.Password = password;

// Create an instance of event filter

ManagementClass wmiEventFilter = new ManagementClass(scope, new
ManagementPath("__EventFilter"), null);

String strQuery = @"SELECT * FROM __InstanceDeletionEvent WITHIN 5 WHERE
TargetInstance ISA 'Win32_Process'"

+ " AND TargetInstance.Name = 'winword.exe'";

WqlEventQuery myEventQuery = new WqlEventQuery(strQuery);

myEventFilter = wmiEventFilter.CreateInstance();

myEventFilter["Name"] = "WordStopEventFilter";

myEventFilter["Query"] = myEventQuery.QueryString;

myEventFilter["QueryLanguage"] = myEventQuery.QueryLanguage;

myEventFilter["EventNameSpace"] = @"\root\cimv2";

myEventFilter.Put();

Console.WriteLine("Permanent event filter is created.");

// Create an instance of event consumer

myEventConsumer =

new ManagementClass(scope, new ManagementPath("ActiveScriptEventConsumer"),
null).CreateInstance();

myEventConsumer["Name"] = "SasdxkActiveScriptEventConsumer";

myEventConsumer["ScriptingEngine"] = "VBScript";

//myEventConsumer["ScriptFileName"] =
@"\\sashq\root\u\sasdxk\PcData\WMI\TestWmi.vbs";

myEventConsumer["ScriptFileName"] = @"c:\WMI\TestWmi.vbs";

myEventConsumer.Put();

Console.WriteLine("Permanent event consumer is created.");

// Create an instance of association

myBinder =

new ManagementClass(scope, new ManagementPath("__FilterToConsumerBinding"),
null).CreateInstance();

myBinder["Filter"] = myEventFilter.Path.RelativePath;

myBinder["Consumer"] = myEventConsumer.Path.RelativePath;

myBinder.Put();

Console.WriteLine("Permanent subscription is created.");

catch (Exception e)

{

Console.WriteLine(e);

}

}


[STAThread]

static void Main(string[] args)

{ (new Class1()).Run(); }

}

}

-------------------

Dim objFS, objFile

Dim path
'path = "\\sashq\root\u\sasdxk\PcData\WMI\WmiTest.log"
path = "c:\WMI\WmiTest.log"
'MsgBox path

Set objFS = CreateObject("Scripting.FileSystemObject")
Set objFile = objFS.OpenTextFile(path, 8, true)
objFile.WriteLine "Winword.exe finished at time: " & Now

'Note the usage of TargetEvent object. It is an __InstanceDeletionEvent
instance
' so it has a property named TargetInstance, which in turn is a
Win32_Process instance
' used to fire the event. Win32_Process class has two properties called
"UserModeTime" and
' "KernelModeTime" and this is to put in the log file created by the
script.

objFile.WriteLine " UserModeTime: " &
TargetEvent.TargetInstance.UserModeTime
objFile.WriteLine " KernelModeTime: " &
TargetEvent.TargetInstance.KernelModeTime
objFile.Close


Manfred Braun

unread,
Dec 17, 2002, 2:13:34 PM12/17/02
to
Hello Dave,

it looks clear to me, because WMI runs under LocalSystem, which has no
network rights and there is - so far I now - to do impersonation directly.
What you might do is, create an MTS component, which "runs" under a more
privileged account und instantiate this in the script. This should give
success.

Hope, this helps.

Best regards,
Manfred Braun

(Private)
Mannheim
Germany

mailto:_manfred...@berlin.de
(Remove the anti-spam-underscore to mail me!)

"Dave Kolb" <Dave.Kol...@remove.sas.com> wrote in message

news:upNDIIepCHA.2444@TK2MSFTNGP10...

Dave Kolb

unread,
Dec 17, 2002, 5:42:24 PM12/17/02
to

Why would a service running on a machine not be counted as part of EVRYONE?
I am running it on an XP machine so it should supply the computer's
credentials to remote servers.

Per the SDK:

When a service runs under the LocalSystem account on a computer that is a
domain member, the service has whatever network access is granted to the
computer account (or to any groups of which the computer account is a
member). Note that in Windows 2000, a domain computer account is a service
principal (just like a user account). This means that a computer account can
be in a security group, and an ACE in a security descriptor can grant access
to a computer account.

"Manfred Braun" <_manfred...@berlin.de> wrote in message
news:ODXVx$fpCHA.1664@TK2MSFTNGP10...

Manfred Braun

unread,
Dec 17, 2002, 7:22:57 PM12/17/02
to
Hello Dave,

sorry, that I slept, I've not regarded, that you are using w2k ;-)
And sorry, for beeing so late, just my posting does'nt appear here [for me,
don't know why].

Best regards,
Manfred

"Dave Kolb" <Dave.Kol...@remove.sas.com> wrote in message

news:u0wdN2hpCHA.2384@TK2MSFTNGP09...

Ivan Brugiolo [MSFT]

unread,
Dec 17, 2002, 7:26:56 PM12/17/02
to
You can always enable Audit for logon events,
and see which credential are acually used inside srv.sys to open the file.
If you don't have a domain, the Machine account will connect with the NULL
SESSION,
and if Guest is not enabled, that you might have problems.

--


This posting is provided "As Is" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Dave Kolb" <Dave.Kol...@remove.sas.com> wrote in message

news:u0wdN2hpCHA.2384@TK2MSFTNGP09...

Dave

unread,
Dec 18, 2002, 12:45:38 AM12/18/02
to
This is all within our Windows 2000 domain running in native mode. BUt after
thinking about it the UNC path that I'm using to get to the share may be on
a NetApp file server which calling it NT4 compatible would be generous. I'll
have to try a share on a 2000 server tomorrow.

"Ivan Brugiolo [MSFT]" <ivan...@online.microsoft.com> wrote in message
news:ursMnwipCHA.1964@TK2MSFTNGP10...

Dave Kolb

unread,
Dec 18, 2002, 10:14:56 AM12/18/02
to
Yup. Works fine on a real 2000 server! Not the 1st time a NetApp filer has
tripped me up.

Dave

"Dave" <DaveAtHome...@nc.rr.com> wrote in message
news:#h4yZglpCHA.2388@tk2msftngp13...

0 new messages