2013年5月23日 星期四

wmi event registration management

wmi registered event removal

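' Remove WMI permanent event subscriptions whose __EventFilter name contains "NTC".
' For every matching filter this deletes, in order: the consumers bound to it, the
' __FilterToConsumerBinding instances that reference it, and the filter itself.
' Writing to root\subscription needs administrative rights.
Dim WQL, objWMIService, colItems, objItem, objConsumer, objBinding

' LIKE '%NTC%' matches every filter whose name contains NTC. Run the query on its
' own first and review the matches before letting the loop below delete anything.
WQL = "select * from __eventfilter where Name like '%NTC%'"
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\subscription")
Set colItems = objWMIService.ExecQuery(WQL)

For Each objItem In colItems
  ' Associators_ returns the endpoints linked through the binding class, i.e. the
  ' consumers, not the binding instances. A consumer that is also bound to another
  ' filter is removed as well (same as the original script).
  For Each objConsumer In objItem.Associators_("__FilterToConsumerBinding")
    WScript.Echo "Deleting consumer: " & objConsumer.Path_.RelPath
    objConsumer.Delete_
  Next

  ' References_ returns the association instances themselves. The original script
  ' never deleted these, which leaves dangling bindings in the repository.
  For Each objBinding In objItem.References_("__FilterToConsumerBinding")
    WScript.Echo "Deleting binding: " & objBinding.Path_.RelPath
    objBinding.Delete_
  Next

  ' Delete_ has no return value, so report the name instead of echoing the call.
  WScript.Echo "Deleting filter: " & objItem.Name
  objItem.Delete_
Next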
Event Registration
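#PRAGMA AUTORECOVER
// AUTORECOVER adds this file to the list of MOFs recompiled when the WMI
// repository is rebuilt, so the subscription below survives a repository recovery.
//
// Permanent event subscription: when a process named calc.exe is created,
// run the VBScript file D:\Q.vbs. The three instances (consumer, filter, binding)
// stay in root\subscription across reboots until they are explicitly deleted.
#pragma namespace("\\\\.\\root\\subscription")

// Consumer: what runs when the filter fires.
// ActiveScriptEventConsumer scripts execute as LocalSystem, so the script file
// must be writable by administrators only.
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "NTC20130523001 Process Monitor";
    ScriptingEngine = "VBScript";
    ScriptFileName = "D:\\Q.vbs";
};

// Filter: which event triggers the consumer.
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name  = "NTC20130523001 Process Monitor";
    // Adjacent string literals are concatenated, so each fragment needs its own
    // trailing space; without it the query reads "Within 2Where ...".
    // "Within 2" polls for new Win32_Process instances every 2 seconds.
    Query = "Select * From __InstanceCreationEvent Within 2 "
            "Where TargetInstance Isa \"Win32_Process\" "
            "And Targetinstance.Name = \"calc.exe\" ";
    QueryLanguage = "WQL";
};

// Binding: ties the filter to the consumer; the subscription is active only
// while this instance exists.
instance of __FilterToConsumerBinding
{
  Consumer   = $Consumer;
  Filter = $EventFilter;
};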

rem Compile customize.mof and store its instances in the WMI repository (run from an elevated prompt).
%windir%\system32\wbem\mofcomp.exe customize.mof

Manually registering a WMI event:
1: create the filter
2: create the consumer
3: right-click the created filter/consumer in the right pane and pick the desired object to register

REF:http://www.codeproject.com/Articles/28226/Creating-WMI-Permanent-Event-Subscriptions-Using-M
REF:http://support.microsoft.com/kb/2545227
