How to subscribe to Windows file modification events
I am trying to subscribe to the event raised when a specific file is modified, using WQL with this query:
SELECT * FROM __InstanceModificationEvent WITHIN 1 WHERE TargetInstance ISA "CIM_DataFile" AND TargetInstance.Drive="C:" AND TargetInstace.Path="\\test\\filewatching\\"
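I can register the event successfully (see the output at the bottom), and I can see that it is bound to the script (consumer) I registered.
However, when I modify a file in C:\test\filewatching\ the script does not run.
Below is the code that registers for the file creation event in the same folder, and this works: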
#WQL
$query = @"
SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA "Cim_DirectoryContainsFile" AND TargetInstance.GroupComponent="Win32_Directory.Name='C:\\test\\filewatching'"
"@
$instanceFilter = ([WMICLASS]"\\$Computername\root\subscription:__EventFilter").CreateInstance()
$instanceFilter.QueryLanguage = 'WQL'
$instanceFilter.Query = $query
$instanceFilter.Name = 'EventFilterNameHere'
$instanceFilter.EventNameSpace = 'root/CIMV2'
$result = $instanceFilter.Put()
# Consumer
$script =
@"
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile("c:\test\filewatching\Log.log", 8, True)
objFile.WriteLine "New File Created"
objFile.Close
"@
$instanceConsumer = ([wmiclass]"\\$Computername\root\subscription:ActiveScriptEventConsumer").CreateInstance()
$instanceConsumer.Name = 'ConsumerNameHere'
$instanceConsumer.ScriptingEngine = 'VBScript'
$instanceConsumer.ScriptFilename = ''
$instanceConsumer.ScriptText = $script
$instanceConsumer.Put()
# Binding
[object]$Filter = (Get-WMIObject -Computername $Computername -Namespace root\Subscription -Class __EventFilter | Sort Name)
[object]$Consumer = (Get-WMIObject -Computername $Computername -Namespace root\Subscription -Class __EventConsumer | Sort Name)
$instanceBinding = ([wmiclass]"\\$Computername\root\subscription:__FilterToConsumerBinding").CreateInstance()
$instanceBinding.Filter = $Filter
$instanceBinding.Consumer = $Consumer
$instanceBinding.Put()
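So I know there is nothing wrong with my PowerShell. This makes me think my query must be wrong.
I have tried a few tweaks to the __InstanceModificationEvent query above, with no success. (These tweaks include things like changing C: to C, or removing the \s from TargetInstace.Path.)
I need this subscription to be permanent, and not to be reset when the PC is turned on or off - that is why I am using WQL. If anyone can suggest another way of achieving this, or how I can fix my problem, I would be eternally grateful!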
Path : \\WIN7-IT3\root\subscription:ActiveScriptEventConsumer.Name="Co
nsumerNameHere"
RelativePath : ActiveScriptEventConsumer.Name="ConsumerNameHere"
Server : WIN7-IT3
NamespacePath : root\subscription
ClassName : ActiveScriptEventConsumer
IsClass : False
IsInstance : True
IsSingleton : False
Path : \\WIN7-IT3\root\subscription:__FilterToConsumerBinding.Consumer
="\\\\WIN7-IT3\\ROOT\\Subscription:ActiveScriptEventConsumer.Na
me=\"ConsumerNameHere\"",Filter="\\\\WIN7-IT3\\ROOT\\Subscripti
on:__EventFilter.Name=\"EventFilterNameHere\""
RelativePath : __FilterToConsumerBinding.Consumer="\\\\WIN7-IT3\\ROOT\\Subscri
ption:ActiveScriptEventConsumer.Name=\"ConsumerNameHere\"",Filt
er="\\\\WIN7-IT3\\ROOT\\Subscription:__EventFilter.Name=\"Event
FilterNameHere\""
Server : WIN7-IT3
NamespacePath : root\subscription
ClassName : __FilterToConsumerBinding
IsClass : False
IsInstance : True
IsSingleton : False
Querying the WMI subscriptions:
Get-WmiObject -Namespace root\Subscription -Class __Eventfilter
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding
Get-WMIObject -Namespace root\Subscription -Class ActiveScriptEventConsumer
Output after running the script:
__GENUS : 2
__CLASS : __EventFilter
__SUPERCLASS : __IndicationRelated
__DYNASTY : __SystemClass
__RELPATH : __EventFilter.Name="EventFilterNameHere"
__PROPERTY_COUNT : 6
__DERIVATION : {__IndicationRelated, __SystemClass}
__SERVER : WIN7-IT3
__NAMESPACE : ROOT\Subscription
__PATH : \\WIN7-IT3\ROOT\Subscription:__EventFilter.Name="EventFilterNameHere"
CreatorSID : {1, 5, 0, 0...}
EventAccess :
EventNamespace : root/CIMV2
Name : EventFilterNameHere
Query : SELECT * FROM __InstanceModificationEvent WITHIN 5 WHERE TargetInstance ISA "CIM_DataFile" AND TargetInstance.Drive="C:" AND TargetInstace.Path="\\test\\filewatching\\"
QueryLanguage : WQL
PSComputerName : WIN7-IT3

__GENUS : 2
__CLASS : ActiveScriptEventConsumer
__SUPERCLASS : __EventConsumer
__DYNASTY : __SystemClass
__RELPATH : ActiveScriptEventConsumer.Name="ConsumerNameHere"
__PROPERTY_COUNT : 8
__DERIVATION : {__EventConsumer, __IndicationRelated, __SystemClass}
__SERVER : WIN7-IT3
__NAMESPACE : ROOT\Subscription
__PATH : \\WIN7-IT3\ROOT\Subscription:ActiveScriptEventConsumer.Name="ConsumerNameHere"
CreatorSID : {1, 5, 0, 0...}
KillTimeout : 0
MachineName :
MaximumQueueSize :
Name : ConsumerNameHere
ScriptFilename :
ScriptingEngine : VBScript
ScriptText : Set objFSO = CreateObject("Scripting.FileSystemObject")
             Set objFile = objFSO.OpenTextFile("c:\test\filewatching\Log.log", 8, True)
             objFile.WriteLine "New File Created"
             objFile.Close
PSComputerName : WIN7-IT3

__GENUS : 2
__CLASS : __FilterToConsumerBinding
__SUPERCLASS : __IndicationRelated
__DYNASTY : __SystemClass
__RELPATH : __FilterToConsumerBinding.Consumer="\\\\WIN7-IT3\\ROOT\\Subscription:ActiveScriptEventConsumer.Name=\"ConsumerNameHere\"",Filter="\\\\WIN7-IT3\\ROOT\\Subscription:__EventFilter.Name=\"EventFilterNameHere\""
__PROPERTY_COUNT : 7
__DERIVATION : {__IndicationRelated, __SystemClass}
__SERVER : WIN7-IT3
__NAMESPACE : ROOT\Subscription
__PATH : \\WIN7-IT3\ROOT\Subscription:__FilterToConsumerBinding.Consumer="\\\\WIN7-IT3\\ROOT\\Subscription:ActiveScriptEventConsumer.Name=\"ConsumerNameHere\"",Filter="\\\\WIN7-IT3\\ROOT\\Subscription:__EventFilter.Name=\"EventFilterNameHere\""
Consumer : \\WIN7-IT3\ROOT\Subscription:ActiveScriptEventConsumer.Name="ConsumerNameHere"
CreatorSID : {1, 5, 0, 0...}
DeliverSynchronously : False
DeliveryQoS :
Filter : \\WIN7-IT3\ROOT\Subscription:__EventFilter.Name="EventFilterNameHere"
MaintainSecurityContext : False
SlowDownProviders : False
PSComputerName : WIN7-IT3

__GENUS : 2
__CLASS : ActiveScriptEventConsumer
__SUPERCLASS : __EventConsumer
__DYNASTY : __SystemClass
__RELPATH : ActiveScriptEventConsumer.Name="ConsumerNameHere"
__PROPERTY_COUNT : 8
__DERIVATION : {__EventConsumer, __IndicationRelated, __SystemClass}
__SERVER : WIN7-IT3
__NAMESPACE : ROOT\Subscription
__PATH : \\WIN7-IT3\ROOT\Subscription:ActiveScriptEventConsumer.Name="ConsumerNameHere"
CreatorSID : {1, 5, 0, 0...}
KillTimeout : 0
MachineName :
MaximumQueueSize :
Name : ConsumerNameHere
ScriptFilename :
ScriptingEngine : VBScript
ScriptText : Set objFSO = CreateObject("Scripting.FileSystemObject")
             Set objFile = objFSO.OpenTextFile("c:\test\filewatching\Log.log", 8, True)
             objFile.WriteLine "New File Created"
             objFile.Close
PSComputerName : WIN7-IT3
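The four Get-WmiObject calls above list filters, consumers and bindings separately. The following added example (not part of the original post) resolves each binding to the filter and consumer it references, so that the query and the action it triggers can be reviewed together when auditing permanent subscriptions on a host. It assumes the local machine and an elevated PowerShell session.

```powershell
# Added example: audit permanent WMI subscriptions in root\subscription.
$ns = 'root\subscription'
$bindings = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)

$report = foreach ($b in $bindings) {
    # The Filter and Consumer properties of a binding hold full WMI object paths
    $filter   = [wmi]$b.Filter
    $consumer = [wmi]$b.Consumer

    # ActiveScriptEventConsumer stores its action in ScriptText (or ScriptFilename),
    # CommandLineEventConsumer stores it in CommandLineTemplate
    $action = $consumer.ScriptText
    if (-not $action) { $action = $consumer.ScriptFilename }
    if (-not $action) { $action = $consumer.CommandLineTemplate }

    New-Object PSObject -Property @{
        FilterName     = $filter.Name
        EventNamespace = $filter.EventNamespace
        Query          = $filter.Query
        ConsumerClass  = $consumer.__CLASS
        ConsumerName   = $consumer.Name
        Action         = $action
    }
}
$report | Format-List FilterName, EventNamespace, Query, ConsumerClass, ConsumerName, Action

# Filters that exist but are not referenced by any binding (left over from earlier attempts)
$boundFilters = @($bindings | ForEach-Object { ([wmi]$_.Filter).Name })
Get-WmiObject -Namespace $ns -Class __EventFilter |
    Where-Object { $boundFilters -notcontains $_.Name } |
    Select-Object Name, Query
```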
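Shortly after posting this question I stumbled across this page, from which I worked out the query I needed:
Note that, contrary to several other posts online, what worked for me was to omit the Path and Drive parts of TargetInstance, and to include only the full path and name of the file I want to watch.
This works for me, as I will only be watching 1 specific file. If you need to watch multiple files using this method, you will need to register multiple subscriptions.
Full code for registering the file modification watcher: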
#WQL
$query = @"
SELECT * FROM __InstanceModificationEvent WITHIN 1 WHERE TargetInstance ISA 'CIM_DataFile' AND TargetInstance.Name='c:\\test\\filewatching\\tester.txt'
"@
$instanceFilter = ([WMICLASS]"\\$Computername\root\subscription:__EventFilter").CreateInstance()
$instanceFilter.QueryLanguage = 'WQL'
$instanceFilter.Query = $query
$instanceFilter.Name = 'EventFilterNameHere'
$instanceFilter.EventNameSpace = 'root/CIMV2'
$result = $instanceFilter.Put()
# Consumer
$script =
@"
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile("c:\test\filewatching\Log.log", 8, True)
objFile.WriteLine "New File Created"
objFile.Close
"@
$instanceConsumer = ([wmiclass]"\\$Computername\root\subscription:ActiveScriptEventConsumer").CreateInstance()
$instanceConsumer.Name = 'ConsumerNameHere'
$instanceConsumer.ScriptingEngine = 'VBScript'
$instanceConsumer.ScriptFilename = ''
$instanceConsumer.ScriptText = $script
$instanceConsumer.Put()
# Binding
[object]$Filter = (Get-WMIObject -Computername $Computername -Namespace root\Subscription -Class __EventFilter | Sort Name)
[object]$Consumer = (Get-WMIObject -Computername $Computername -Namespace root\Subscription -Class __EventConsumer | Sort Name)
$instanceBinding = ([wmiclass]"\\$Computername\root\subscription:__FilterToConsumerBinding").CreateInstance()
$instanceBinding.Filter = $Filter
$instanceBinding.Consumer = $Consumer
$instanceBinding.Put()
The binding needs the paths of this consumer and this filter, rather than every filter\consumer in the system:
$result = $instanceFilter.Put()
$filterPath = $result.Path
$result = $instanceConsumer.Put()
$consumerPath = $result.Path
$bind.Filter = $filterPath
$bind.Consumer = $consumerPath
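The points from both answers combined, as an added example that is not code from the original posts: the filter uses the full file name in TargetInstance.Name, and the binding is built from the paths returned by Put() rather than from every filter and consumer in the namespace. The names and the watched file are the placeholders used on this page; $Computername being the local machine and the Remove-FileWatchSubscription helper are assumptions of this example.

```powershell
# Added example. Run from an elevated PowerShell session.
$Computername = $env:COMPUTERNAME          # assumption: register on the local machine
$ns = "\\$Computername\root\subscription"

# Filter: poll once per second for modifications to one specific file
$instanceFilter = ([wmiclass]"${ns}:__EventFilter").CreateInstance()
$instanceFilter.Name           = 'EventFilterNameHere'
$instanceFilter.QueryLanguage  = 'WQL'
$instanceFilter.EventNamespace = 'root/CIMV2'
$instanceFilter.Query = "SELECT * FROM __InstanceModificationEvent WITHIN 1 WHERE " +
    "TargetInstance ISA 'CIM_DataFile' AND " +
    "TargetInstance.Name='c:\\test\\filewatching\\tester.txt'"
$filterPath = $instanceFilter.Put().Path   # Put() returns the path of the saved instance

# Consumer: VBScript that appends one line to a log file
$script = @'
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile("c:\test\filewatching\Log.log", 8, True)
objFile.WriteLine "File Modified"
objFile.Close
'@
$instanceConsumer = ([wmiclass]"${ns}:ActiveScriptEventConsumer").CreateInstance()
$instanceConsumer.Name            = 'ConsumerNameHere'
$instanceConsumer.ScriptingEngine = 'VBScript'
$instanceConsumer.ScriptText      = $script
$consumerPath = $instanceConsumer.Put().Path

# Binding: reference exactly the filter and consumer created above
$instanceBinding = ([wmiclass]"${ns}:__FilterToConsumerBinding").CreateInstance()
$instanceBinding.Filter   = $filterPath
$instanceBinding.Consumer = $consumerPath
$bindingPath = $instanceBinding.Put().Path

# Hypothetical helper: remove the subscription again, binding first
function Remove-FileWatchSubscription {
    param($BindingPath, $FilterPath, $ConsumerPath)
    foreach ($path in $BindingPath, $FilterPath, $ConsumerPath) {
        ([wmi]$path).Delete()
    }
}
# Remove-FileWatchSubscription $bindingPath $filterPath $consumerPath
```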