Wednesday, July 30, 2014

PowerShell and event providers

When you write:

Select * From __InstanceCreationEvent WITHIN 1 Where TargetInstance ISA 'Win32_Process'

What does that really mean?

  1. It means that when a Win32_Process Class gets created, you get notified.
  2. It means that when an __InstanceCreationEvent Class is used, you get notified.
  3. None of the above
  4. All of the above -- including None of the above
  5. All of the above -- excluding 3 and 4
  6. I'm as confused as you are, ACE, so let's crash and burn together.

In truth, an event provider is there to help us get notified when something happens. There are a whole lot of events that happen within the world of Windows and WMI.

__InstanceOperationEvent
__InstanceModificationEvent
__InstanceCreationEvent
__MethodInvocationEvent
__InstanceDeletionEvent

__ClassOperationEvent
__ClassDeletionEvent
__ClassModificationEvent
__ClassCreationEvent

__NamespaceOperationEvent
__NamespaceModificationEvent
__NamespaceDeletionEvent
__NamespaceCreationEvent

__TimerEvent
__ExtrinsicEvent
__SystemEvent

__EventDroppedEvent
__EventQueueOverflowEvent

__QOSFailureEvent
__ConsumerFailureEvent
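
An added example (not from the original post) that registers the query above with Register-CimIndicationEvent and prints, for each delivered event, the class of the event itself and the process instance it carries. The subscription name and the 30-second watch window are assumptions chosen for the demo.

```powershell
# Added example: subscribe to the process-creation query and inspect each event.
$query    = "SELECT * FROM __InstanceCreationEvent WITHIN 1 " +
            "WHERE TargetInstance ISA 'Win32_Process'"
$sourceId = 'Demo.ProcessCreated'   # hypothetical subscription name

Register-CimIndicationEvent -Query $query -SourceIdentifier $sourceId

try {
    $deadline = (Get-Date).AddSeconds(30)   # assumed watch window
    while ((Get-Date) -lt $deadline) {
        # Block for up to one second waiting for the next queued event.
        $evt = Wait-Event -SourceIdentifier $sourceId -Timeout 1
        if (-not $evt) { continue }

        # NewEvent is the __InstanceCreationEvent object;
        # its TargetInstance property is the Win32_Process that was created.
        $newEvent = $evt.SourceEventArgs.NewEvent
        $proc     = $newEvent.TargetInstance

        [pscustomobject]@{
            Time        = $evt.TimeGenerated
            EventClass  = $newEvent.CimSystemProperties.ClassName
            TargetClass = $proc.CimSystemProperties.ClassName
            Name        = $proc.Name
            ProcessId   = $proc.ProcessId
            ParentPid   = $proc.ParentProcessId
            CommandLine = $proc.CommandLine   # may be empty without access
        } | Format-List

        # Take the handled event off the session queue.
        Remove-Event -EventIdentifier $evt.EventIdentifier
    }
}
finally {
    # Always drop the subscription so WMI stops polling on our behalf.
    Unregister-Event -SourceIdentifier $sourceId
}
```

Because WITHIN 1 makes WMI poll once per second, a process that starts and exits between two polls may never produce an event, so this subscription alone does not see every process.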

