I was messing around with my son\u2019s computer today trying to figure out why one of his programs wouldn\u2019t work. I was going to use ProcMon to monitor the processes but wasn\u2019t sure what the processes where. So first I had to figure out what processes were getting started when I ran his program. I guessed that there was a WMI event for this but as always with WMI \u2013 WHAT IS THE NAME OF THE EVENT?<\/p>\n
In the past, this is where things stopped. WMI was awesome but god help you if you didn\u2019t know exactly what you wanted. We made this a ton easier in PowerShell V2 so I decided to give it a try. First thing I did was to LIST all the WMIOBJECTS that had the term PROCESS in the name. I did that with this:<\/p>\n
PS> Get-WMIObject<\/span> -NameSpace<\/span> root<\/span> -Recurse<\/span> -List<\/span> *Process*<\/span> <\/pre>\n <\/p>\n
<\/p>\n
That gave me too many results to wade through so I needed to filter it down some more. Every WMI object as a property called __Derivation which is a list of strings showing the class hierarchy for that object. The point of that is that all WMI Event classes will contain the string \u201c__Event\u201d in this property. So then I did this:<\/p>\n
<\/span><\/pre>\nPS> Get-WMIObject<\/span> -NameSpace<\/span> root<\/span> -Recurse<\/span> -List<\/span> *Process*<\/span> |<\/span>Where<\/span> {<\/span>$_<\/span>.<\/span>Derivation<\/span> -contains<\/span> "__Event"<\/span>}<\/span> <\/pre>\n NameSpace: ROOT\\CIMV2 <\/font><\/p>\nName Methods Properties
—- ——- ———-
Win32_ProcessTrace {} {ParentProcessID, ProcessID, ProcessName, SECURITY…\n
Win32_ProcessStartTrace {} {ParentProcessID, ProcessID, ProcessName, SECURITY…\n
Win32_ProcessStopTrace {} {ExitStatus, ParentProcessID, ProcessID, ProcessNa… <\/font><\/p>\n NameSpace: ROOT\\WMI <\/font><\/p>\nName Methods Properties
—- ——- ———-
ProcessorCStateEvent {} {Active, InstanceName, SECURITY_DESCRIPTOR, TIME_C…\n
ProcessorPerfStateEvent {} {Active, HighestState, InstanceName, SECURITY_DESC…\n
ProcessorThrottleStateEvent {} {Active, HighestState, InstanceName, SECURITY_DESC…\n
PortCls_IrpProcessing {} {SECURITY_DESCRIPTOR, TIME_CREATED} <\/font><\/p>\n <\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
That made it pretty easy to figure out that I wanted to look at Win32_ProcessStartTrace. Just to make sure I got the class using the \u2013Amended parameter. This adds documentation to the returned object in the QUALIFIERS property. This information is normally not provided because it can be expensive to retrieve so WMI only provides it if\/when you ask for it.<\/p>\n
$Class<\/span> =<\/span> Get-WmiObject<\/span> -List<\/span> Win32_ProcessStartTrace<\/span> -Amended<\/span>\n$Class<\/span>.<\/span>Qualifiers<\/span> |<\/span>ft<\/span> Name<\/span>,<\/span>Value<\/span> -auto<\/span> <\/pre>\nThis returned:<\/p>\n
Name Value\n
—- —–\n
abstract True\n
Description The ProcessStartTrace event class indicates a new process has started.\n
Locale 1033<\/font><\/p>\n <\/p>\n
<\/p>\n
<\/p>\n
With that I was ready to go. I used the new Register-WMIEvent class to solve the problem. This takes a WMI query and can optionally take an ACTION. I decided to format the event and write the results to the host whenever a process was started. This looks a little chewy but is actually pretty straight forward. <\/p>\n
$Query<\/span> =<\/span> 'SELECT * FROM Win32_ProcessStartTrace'<\/span>\n$action<\/span> =<\/span> {<\/span>\n $e<\/span> =<\/span> $Event<\/span>.<\/span>SourceEventArgs<\/span>.<\/span>NewEvent<\/span>\n $fmt<\/span> =<\/span> 'ProcessStarted: (ID={0,5}, Parent={1,5}, Time={2,20}, Name="{3}")'<\/span>\n $msg<\/span> =<\/span> $fmt<\/span> -f<\/span> $e<\/span>.<\/span>ProcessId<\/span>,<\/span> $e<\/span>.<\/span>ParentProcessId<\/span>,<\/span> $event<\/span>.<\/span>TimeGenerated<\/span>,<\/span> $e<\/span>.<\/span>ProcessName<\/span>\n Write-host<\/span> -ForegroundColor<\/span> Red<\/span> $msg<\/span>\n}<\/span>\nRegister-WmiEvent<\/span> -Query<\/span> $Query<\/span> -SourceIdentifier<\/span> ProcessStart<\/span> -Action<\/span> $Action<\/span> <\/pre>\n <\/p>\n
This then worked a treat. Every time a process was created, I got output like this on my host:<\/p>\n
ProcessStarted: (ID= 8740, Parent= 1140, Time=8\/30\/2009 3:41:54 PM, Name="Magnify.exe")\n
ProcessStarted: (ID=13748, Parent= 1068, Time=8\/30\/2009 3:41:54 PM, Name="Utilman.exe")\n
ProcessStarted: (ID=11964, Parent=13748, Time=8\/30\/2009 3:41:54 PM, Name="Magnify.exe")\n
ProcessStarted: (ID= 9872, Parent= 1068, Time=8\/30\/2009 3:41:58 PM, Name="Utilman.exe")<\/font><\/p>\nThis worked a treat. When I was done, I just unregistered from the event.<\/p>\n
Unregister-Event<\/span> -SourceIdentifier<\/span> ProcessStart<\/span> <\/pre>\n <\/p>\n
<\/p>\n
<\/p>\n
I love to tell the story from years ago about a customer that told me they had a love\/hate relationship with WMI.
When I asked them why they loved it, they said, \u201cEverything you could ever want to know is available in WMI<\/em>\u201d.\n
When I asked them why they hated it, they said, \u201cWe can\u2019t FIND IT<\/em>!\u201d<\/p>\n <\/p>\n
I strongly encourage you to spend some time learning and using the new WMI cmdlets we put into PowerShell V2, they will pay you back over and over again.<\/p>\n
<\/p>\n
Enjoy! <\/p>\n
Jeffrey Snover [MSFT]\n
Distinguished Engineer\n
Visit the Windows PowerShell Team blog at: http:\/\/blogs.msdn.com\/PowerShell<\/a>\n
Visit the Windows PowerShell ScriptCenter at: http:\/\/www.microsoft.com\/technet\/scriptcenter\/hubs\/msh.mspx<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"I was messing around with my son\u2019s computer today trying to figure out why one of his programs wouldn\u2019t work. I was going to use ProcMon to monitor the processes but wasn\u2019t sure what the processes where. So first I had to figure out what processes were getting started when I ran his program. I […]<\/p>\n","protected":false},"author":600,"featured_media":13641,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3601","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-powershell"],"acf":[],"blog_post_summary":"
I was messing around with my son\u2019s computer today trying to figure out why one of his programs wouldn\u2019t work. I was going to use ProcMon to monitor the processes but wasn\u2019t sure what the processes where. So first I had to figure out what processes were getting started when I ran his program. I […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts\/3601","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/users\/600"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/comments?post=3601"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/posts\/3601\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/media\/13641"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/media?parent=3601"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/categories?post=3601"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/powershell\/wp-json\/wp\/v2\/tags?post=3601"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}