{"id":16291,"date":"2010-12-07T00:01:00","date_gmt":"2010-12-07T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2010\/12\/07\/use-powershell-to-monitor-and-respond-to-events-on-your-server\/"},"modified":"2010-12-07T00:01:00","modified_gmt":"2010-12-07T00:01:00","slug":"use-powershell-to-monitor-and-respond-to-events-on-your-server","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/use-powershell-to-monitor-and-respond-to-events-on-your-server\/","title":{"rendered":"Use PowerShell to Monitor and Respond to Events on Your Server"},"content":{"rendered":"<p><span style=\"font-size: 10pt\"><\/span><\/p>\n<p><span style=\"font-size: 10pt\"><strong>Summary: <\/strong>Learn how to use Windows PowerShell to monitor and to respond to events on your computer or server without the need to run a script.<\/span><\/p>\n<p><span style=\"font-size: 10pt\">&nbsp;<\/span><\/p>\n<p><span style=\"font-size: 10pt\"><span style=\"font-size: 10pt\"><span style=\"font-size: 10pt\"><span style=\"font-size: 10pt\"><span style=\"font-size: 10pt\"><span style=\"font-size: 10pt\"><img decoding=\"async\" height=\"34\" width=\"34\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/q-for-powertip.jpg\" align=\"left\" alt=\"Hey, Scripting Guy! Question\" border=\"0\" title=\"Hey, Scripting Guy! Question\" \/><\/span><\/span><\/span><\/span><\/span>Hey, Scripting Guy! I am interested in learning how to use <a href=\"http:\/\/technet.microsoft.com\/en-us\/scriptcenter\/powershell.aspx\"><span style=\"color: #0000ff\">Windows PowerShell<\/span><\/a> to create a Windows Management Instrumentation (<a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/aa394582(VS.85).aspx\"><span style=\"color: #0000ff\">WMI<\/span><\/a>) permanent event consumer. 
Basically, what I need is a script that will monitor a particular service and if the status of that service changes I need the script to launch a script that will perform a specific action. Is this something I can do with Windows PowerShell, or do I need to compile a Managed Object Format (MOF) file? Everything I can find on the Internet says I need to use a MOF file, but I do not like MOF files and would rather use a Windows PowerShell script so I can create these permanent event consumers on a remote machine. <\/span><\/p>\n<p><span style=\"font-size: 10pt\">&#8212; CD<\/span><\/p>\n<p><span style=\"font-size: 10pt\">&nbsp;<\/span><\/p>\n<p><span style=\"font-size: 10pt\"><span style=\"font-size: 10pt\"><span style=\"font-size: 10pt\"><span style=\"font-size: 10pt\"><span style=\"font-size: 10pt\"><span style=\"font-size: 10pt\"><img decoding=\"async\" height=\"34\" width=\"34\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/a-for-powertip.jpg\" align=\"left\" alt=\"Hey, Scripting Guy! Answer\" border=\"0\" title=\"Hey, Scripting Guy! Answer\" \/><\/span><\/span><\/span><\/span><\/span>Hello CD, Microsoft Scripting Guy Ed Wilson here. You are absolutely correct. There are two cool things about creating permanent event consumers via script. The first thing is that it can easily be performed remotely. Therefore, I can target several machines with the script and create the event consumer on the remote machines. The second cool thing is the fact that permanent event consumers are cool. They monitor for and respond to events without the need for a script to be running. Talk about something cool! I run one script one time, and then my computer will always look for an event and respond to it. <a href=\"http:\/\/en.wikipedia.org\/wiki\/Dude\"><span style=\"color: #0000ff\">Dude<\/span><\/a> (or Dudette) that rocks! 
This means that almost every one of the <a href=\"http:\/\/blogs.technet.com\/b\/heyscriptingguy\/archive\/tags\/events+and+monitoring\/\"><span style=\"color: #0000ff\">event and monitoring scripts<\/span><\/a> that are discussed in the <a href=\"http:\/\/blogs.technet.com\/heyscriptingguy\/\"><span style=\"color: #0000ff\">Hey, Scripting Guy! Blog<\/span><\/a> can be converted to a permanent event monitor. <\/span><\/p>\n<p class=\"Readeraidonly\"><span style=\"font-size: 10pt\">Portions of today&rsquo;s post are adapted from my WMI book, <a href=\"http:\/\/www.amazon.com\/Microsoft-Windows-Scripting-WMI-Self-Paced\/dp\/0735622310\/ref=ntt_at_ep_dpt_6\"><i><span style=\"color: #0000ff\">Microsoft Windows Scripting with WMI: Self-Paced Learning Guide<\/span><\/i><\/a><i>,<\/i> that was published by Microsoft Press in 2006. <\/span><\/p>\n<p><span style=\"font-size: 10pt\">In <a href=\"http:\/\/blogs.technet.com\/b\/heyscriptingguy\/archive\/2010\/12\/06\/learn-how-to-use-vbscript-to-create-permanent-wmi-events.aspx\"><span>yesterday&rsquo;s<\/span><\/a> Hey, Scripting Guy! Blog post, I talked about the concepts involved in creating a permanent event consumer. <\/span><\/p>\n<p><span style=\"font-size: 10pt\">In yesterday&rsquo;s post, the script that was created uses the <b>ActiveScriptEventConsumer<\/b> WMI class to run a VBScript when the status of the Bits service changes. The <b>ActiveScriptEventConsumer<\/b> WMI class provides the most flexibility because it enables you to run a script which means that in reality it is the only class that you would actually need. However, some other standard consumer classes might be more efficient. For example, if you have to write to an event log, then the <b>NTEventLogEventConsumer<\/b> is more efficient than the <b>ActiveScriptEventConsumer<\/b> (although your script could write to the event log, using a specially tailored consumer is generally better). Table 1 details the standard consumer classes. 
For more information about these classes, see the <a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/aa393649(VS.85).aspx\"><span style=\"color: #0000ff\">MSDN documentation<\/span><\/a>.<\/span><\/p>\n<p class=\"TableNum-Title\"><span style=\"font-size: 10pt\"><strong>Table 1<\/strong><\/span><\/p>\n<table cellpadding=\"0\" cellspacing=\"0\" border=\"1\" class=\"MsoTableGrid\" style=\"border-collapse: collapse\">\n<tbody>\n<tr>\n<td width=\"199\" valign=\"top\" style=\"padding-bottom: 0in;background-color: transparent;padding-left: 5.4pt;width: 149.4pt;padding-right: 5.4pt;padding-top: 0in;border: windowtext 1pt solid\">\n<p class=\"TableHead\"><span style=\"font-size: 10pt\"><strong>Class name<\/strong><\/span><\/p>\n<\/td>\n<td width=\"439\" valign=\"top\" style=\"border-bottom: windowtext 1pt solid;border-left: #f0f0f0;padding-bottom: 0in;background-color: transparent;padding-left: 5.4pt;width: 329.4pt;padding-right: 5.4pt;border-top: windowtext 1pt solid;border-right: windowtext 1pt solid;padding-top: 0in\">\n<p class=\"TableHead\"><b><span style=\"font-size: 10pt\">Description<\/span><\/b><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"199\" valign=\"top\" style=\"border-bottom: windowtext 1pt solid;border-left: windowtext 1pt solid;padding-bottom: 0in;background-color: transparent;padding-left: 5.4pt;width: 149.4pt;padding-right: 5.4pt;border-top: #f0f0f0;border-right: windowtext 1pt solid;padding-top: 0in\">\n<p class=\"TableText\"><b><span style=\"font-size: 10pt\">ActiveScriptEventConsumer<\/span><\/b><\/p>\n<\/td>\n<td width=\"439\" valign=\"top\" style=\"border-bottom: windowtext 1pt solid;border-left: #f0f0f0;padding-bottom: 0in;background-color: transparent;padding-left: 5.4pt;width: 329.4pt;padding-right: 5.4pt;border-top: #f0f0f0;border-right: windowtext 1pt solid;padding-top: 0in\">\n<p class=\"TableText\"><span style=\"font-size: 10pt\">Executes a predefined script in an arbitrary scripting language when an event is delivered to it. 
This consumer is available on Windows 2000 and above. <\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"199\" valign=\"top\" style=\"border-bottom: windowtext 1pt solid;border-left: windowtext 1pt solid;padding-bottom: 0in;background-color: transparent;padding-left: 5.4pt;width: 149.4pt;padding-right: 5.4pt;border-top: #f0f0f0;border-right: windowtext 1pt solid;padding-top: 0in\">\n<p class=\"TableText\"><b><span style=\"font-size: 10pt\">ScriptingStandardConsumerSetting<\/span><\/b><\/p>\n<\/td>\n<td width=\"439\" valign=\"top\" style=\"border-bottom: windowtext 1pt solid;border-left: #f0f0f0;padding-bottom: 0in;background-color: transparent;padding-left: 5.4pt;width: 329.4pt;padding-right: 5.4pt;border-top: #f0f0f0;border-right: windowtext 1pt solid;padding-top: 0in\">\n<p class=\"TableText\"><span style=\"font-size: 10pt\">Provides registration data common to all instances of the <b>ActiveScriptEventConsumer<\/b> class. This consumer is available on Windows 2000 and above.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"199\" valign=\"top\" style=\"border-bottom: windowtext 1pt solid;border-left: windowtext 1pt solid;padding-bottom: 0in;background-color: transparent;padding-left: 5.4pt;width: 149.4pt;padding-right: 5.4pt;border-top: #f0f0f0;border-right: windowtext 1pt solid;padding-top: 0in\">\n<p class=\"TableText\"><b><span style=\"font-size: 10pt\">LogFileEventConsumer<\/span><\/b><\/p>\n<\/td>\n<td width=\"439\" valign=\"top\" style=\"border-bottom: windowtext 1pt solid;border-left: #f0f0f0;padding-bottom: 0in;background-color: transparent;padding-left: 5.4pt;width: 329.4pt;padding-right: 5.4pt;border-top: #f0f0f0;border-right: windowtext 1pt solid;padding-top: 0in\">\n<p class=\"TableText\"><span style=\"font-size: 10pt\">Writes customized strings to a text log file when events are delivered to it. 
This consumer is available on Windows XP and above.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"199\" valign=\"top\" style=\"border-bottom: windowtext 1pt solid;border-left: windowtext 1pt solid;padding-bottom: 0in;background-color: transparent;padding-left: 5.4pt;width: 149.4pt;padding-right: 5.4pt;border-top: #f0f0f0;border-right: windowtext 1pt solid;padding-top: 0in\">\n<p class=\"TableText\"><b><span style=\"font-size: 10pt\">NTEventLogEventConsumer<\/span><\/b><\/p>\n<\/td>\n<td width=\"439\" valign=\"top\" style=\"border-bottom: windowtext 1pt solid;border-left: #f0f0f0;padding-bottom: 0in;background-color: transparent;padding-left: 5.4pt;width: 329.4pt;padding-right: 5.4pt;border-top: #f0f0f0;border-right: windowtext 1pt solid;padding-top: 0in\">\n<p class=\"TableText\"><span style=\"font-size: 10pt\">Logs a specific message to the Windows NT event log when an event is delivered to it. This consumer is available on Windows XP and above.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"199\" valign=\"top\" style=\"border-bottom: windowtext 1pt solid;border-left: windowtext 1pt solid;padding-bottom: 0in;background-color: transparent;padding-left: 5.4pt;width: 149.4pt;padding-right: 5.4pt;border-top: #f0f0f0;border-right: windowtext 1pt solid;padding-top: 0in\">\n<p class=\"TableText\"><b><span style=\"font-size: 10pt\">SMTPEventConsumer<\/span><\/b><\/p>\n<\/td>\n<td width=\"439\" valign=\"top\" style=\"border-bottom: windowtext 1pt solid;border-left: #f0f0f0;padding-bottom: 0in;background-color: transparent;padding-left: 5.4pt;width: 329.4pt;padding-right: 5.4pt;border-top: #f0f0f0;border-right: windowtext 1pt solid;padding-top: 0in\">\n<p class=\"TableText\"><span style=\"font-size: 10pt\">Sends an email message using SMTP every time that an event is delivered to it. 
This consumer is available on Windows 2000 and above.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"199\" valign=\"top\" style=\"border-bottom: windowtext 1pt solid;border-left: windowtext 1pt solid;padding-bottom: 0in;background-color: transparent;padding-left: 5.4pt;width: 149.4pt;padding-right: 5.4pt;border-top: #f0f0f0;border-right: windowtext 1pt solid;padding-top: 0in\">\n<p class=\"TableText\"><b><span style=\"font-size: 10pt\">CommandLineEventConsumer<\/span><\/b><\/p>\n<\/td>\n<td width=\"439\" valign=\"top\" style=\"border-bottom: windowtext 1pt solid;border-left: #f0f0f0;padding-bottom: 0in;background-color: transparent;padding-left: 5.4pt;width: 329.4pt;padding-right: 5.4pt;border-top: #f0f0f0;border-right: windowtext 1pt solid;padding-top: 0in\">\n<p class=\"TableText\"><span style=\"font-size: 10pt\">Launches an arbitrary process in the local system context when an event is delivered to it. This consumer is available on Windows XP and above.<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-size: 10pt\">&nbsp;<\/span><\/p>\n<p><span style=\"font-size: 10pt\">The <b>CreatePermenantEventConsumer.ps1<\/b> script creates a permanent event consumer that monitors the <i>bits<\/i> service. If the status of the service changes, it fires an event that is received by the <b>ActiveScriptEventConsumer<\/b>. When the event is received by the <b>ActiveScriptEventConsumer<\/b>, it runs a simple VBScript that will toggle the status of the <i>browser<\/i> service. Therefore, if the <i>browser<\/i> service is running and an event is received, the <i>browser<\/i> service will be stopped; if the <i>browser<\/i> service is currently stopped and an event is received it will be started. 
<\/span><\/p>\n<p class=\"CodeBlockHead\" style=\"padding-left: 30px\"><strong>CreatePermenantEventConsumer.ps1<\/strong><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">$computer = \"mred1\"<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">$filterNS = \"root\\cimv2\"<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">$wmiNS = \"root\\subscription\"<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">$query = \"Select * from __InstanceModificationEvent within 10 where <\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\"><span>&nbsp; <\/span>targetInstance isa 'Win32_Service' and targetInstance.Name = 'Bits'\"<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">$filterName = \"Win32ServiceModification\"<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">$scriptFileName = \"C:\\fso\\ToggleBrowserService.vbs\"<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">$filterPath = Set-WmiInstance -Class __EventFilter `<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans 
Typewriter\"><span>&nbsp;<\/span>-ComputerName $computer -Namespace $filterNS -Arguments `<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\"><span>&nbsp; <\/span>@{name=$filterName; EventNameSpace=$filterNS; QueryLanguage=\"WQL\";<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\"><span>&nbsp;&nbsp;&nbsp; <\/span>Query=$query}<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">$consumerPath = Set-WmiInstance -Class ActiveScriptEventConsumer `<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\"><span>&nbsp;<\/span>-ComputerName $computer -Namespace $wmiNS `<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\"><span>&nbsp;<\/span>-Arguments @{name=\"ToggleBits\"; ScriptFileName=$scriptFileName;<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\"><span>&nbsp; <\/span>ScriptingEngine=\"VBScript\"}<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">Set-WmiInstance -Class __FilterToConsumerBinding -ComputerName $computer `<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\"><span>&nbsp; <\/span>-Namespace $wmiNS -arguments @{Filter=$filterPath; Consumer=$consumerPath} |<\/span><\/span><\/p>\n<p 
 class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\"><span>&nbsp; <\/span>out-null<\/span><\/span><\/p>\n<p><span style=\"font-size: 10pt\"><\/span><\/p>\n<p><span style=\"font-size: 10pt\">The <b>CreatePermenantEventConsumer.ps1<\/b> script must be run with administrator rights, so before running the script, I right-click the Windows PowerShell ISE icon and select <b>Run as administrator<\/b>. When the <b>CreatePermenantEventConsumer.ps1<\/b> script runs, no output is generated. The script and the use of the <b>Get-Service<\/b> cmdlet to check the status of the bits and the browser services are seen in the following figure.<\/span><\/p>\n<p class=\"Num-Caption\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/3201.HSG-12-07-10-01.jpg\" border=\"0\" \/><\/p>\n<p><span style=\"font-size: 10pt\"><\/span><\/p>\n<p><span style=\"font-size: 10pt\">The command I used to check the status of both services is seen here.<\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">Get-Service -Name browser, bits<\/span><\/span><\/p>\n<p><span style=\"font-size: 10pt\">&nbsp;<\/span><\/p>\n<p><span style=\"font-size: 10pt\">When checking the status of the services, as well as toggling the <i>bits<\/i> service, I use the bottom execution pane. This is seen in the following figure.<\/span><\/p>\n<p class=\"Num-Caption\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/1462.HSG-12-07-10-02.jpg\" border=\"0\" \/><\/p>\n<p><span style=\"font-size: 10pt\"><\/span><\/p>\n<p><span style=\"font-size: 10pt\">To create an instance of the <b>__EventFilter<\/b>, I use the <b>Set-WmiInstance<\/b> cmdlet. 
The VBScript code that was discussed yesterday is seen here.<\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">'Create the event filter<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">set objfilterclass=objActiveScriptConsumer.get(\"__EventFilter\")<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">set objfilter=objfilterclass.spawninstance_()<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">objfilter.name=\"win32ServiceModification\"<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">objFilter.EventNamespace=\"\\root\\cimv2\" 'NOTE:IS NOT IN THE BOOK! 
Write at BTM pg.110<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">objfilter.querylanguage=\"wql\"<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">objfilter.query=(qQuery)<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">set filterpath = objfilter.put_<\/span><\/span><\/p>\n<p style=\"padding-left: 30px\"><span style=\"font-size: 10pt\">&nbsp;<\/span><\/p>\n<p><span style=\"font-size: 10pt\">When you use the <b>Set-WmiInstance<\/b> Windows PowerShell cmdlet, each of the <b>__EventFilter<\/b> WMI class properties is assigned its value via a <b>HashTable<\/b>. This means the Windows PowerShell command to create the new instance of the <b>__EventFilter<\/b> WMI class can be written as one logical line of code. 
The code is seen here.<\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">$filterPath = Set-WmiInstance -Class __EventFilter `<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\"><span>&nbsp;<\/span>-ComputerName $computer -Namespace $filterNS -Arguments `<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\"><span>&nbsp; <\/span>@{name=$filterName; EventNameSpace=$filterNS; QueryLanguage=\"WQL\";<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\"><span>&nbsp;&nbsp;&nbsp; <\/span>Query=$query}<\/span><\/span><\/p>\n<p style=\"padding-left: 30px\"><span style=\"font-size: 10pt\">&nbsp;<\/span><\/p>\n<p><span style=\"font-size: 10pt\">The new instance of the <b>__EventFilter <\/b>class is stored in the <i>$FilterPath<\/i> variable. The returned instance of the class is used in the command to bind the filter to the consumer. <\/span><\/p>\n<p><span style=\"font-size: 10pt\">The next step is to create the consumer. 
The VBScript code from yesterday is seen here.<\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">'Create the active script consumer<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">set<span>&nbsp; <\/span>objConsumerClass=objActiveScriptConsumer.get(\"ActiveScriptEventConsumer\")<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">set objconsumer=objconsumerclass.spawninstance_()<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">objconsumer.name=\"ToggleBits\"<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">objconsumer.scriptfilename=\"C:\\FSO\\ToggleBrowserService.vbs\"<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">objconsumer.scriptingengine=\"vbscript\"<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">set consumerpath = objconsumer.put_<\/span><\/span><\/p>\n<p style=\"padding-left: 30px\"><span style=\"font-size: 10pt\">&nbsp;<\/span><\/p>\n<p><span style=\"font-size: 10pt\">Again, the <b>Set-WmiInstance <\/b>Windows PowerShell cmdlet is used to create a new instance of the <b>ActiveScriptEventConsumer<\/b> WMI class. As before, each property receives its value via the hash table. The Windows PowerShell command is seen here. 
(As before, this is one logical line of Windows PowerShell code. I had to break it down into four lines to display it correctly on the blog platform. If you want to convert it to a single line, copy the following code and pull each line back up onto the end of the previous line, taking care to remove the backtick, grave, reverse quote, backward apostrophe, or whatever you want to call the ` symbol).<\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">$consumerPath = Set-WmiInstance -Class ActiveScriptEventConsumer `<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\"><span>&nbsp;<\/span>-ComputerName $computer -Namespace $wmiNS `<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\"><span>&nbsp;<\/span>-Arguments @{name=\"ToggleBits\"; ScriptFileName=$scriptFileName;<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\"><span>&nbsp; <\/span>ScriptingEngine=\"VBScript\"}<\/span><\/span><\/p>\n<p style=\"padding-left: 30px\"><span style=\"font-size: 10pt\">&nbsp;<\/span><\/p>\n<p><span style=\"font-size: 10pt\">Finally, I have to bind the consumer to the event. To do this, I have to create an instance of the <b>__FilterToConsumerBinding<\/b> WMI class. 
The VBScript code to do this (from yesterday) is seen here.<\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">'Do the binding<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">FTCB = \"__filterToConsumerBinding\"<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">set objbindingclass=objActiveScriptConsumer.get(FTCB)<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">set objbinding=objbindingclass.spawninstance_()<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">objbinding.filter=filterpath<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">objbinding.consumer=consumerpath<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">objbinding.put_<\/span><\/span><\/p>\n<p style=\"padding-left: 30px\"><span style=\"font-size: 10pt\">&nbsp;<\/span><\/p>\n<p><span style=\"font-size: 10pt\">In Windows PowerShell, I use the <b>Set-WmiInstance<\/b> cmdlet to create and to configure a new instance of the class. 
In this script, I do not have to save the object that is returned (like I did in each of the two previous commands) and therefore I <a href=\"http:\/\/www.microsoft.com\/technet\/scriptcenter\/topics\/winpsh\/manual\/pipe.mspx\"><span style=\"color: #0000ff\">pipeline<\/span><\/a> the results to the <b>Out-Null<\/b> Windows PowerShell cmdlet. One thing that I did not mention yesterday is that if a suitable event filter (<b>__EventFilter<\/b>) already exists, or if a suitable event consumer class already exists, you do not have to create a new instance. All that must occur is for the event and the consumer to be bound together via the <b>__FilterToConsumerBinding<\/b> class. Although it is unlikely that both a suitable consumer and a suitable filter would already exist, it is definitely possible that one or the other might exist. Here is the Windows PowerShell code to do the binding.<\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">Set-WmiInstance -Class __FilterToConsumerBinding -ComputerName $computer `<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\"><span>&nbsp; <\/span>-Namespace $wmiNS -arguments @{Filter=$filterPath; Consumer=$consumerPath} |<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\"><span>&nbsp; <\/span>out-null<\/span><\/span><\/p>\n<p><span style=\"font-size: 10pt\">&nbsp;<\/span><\/p>\n<p><span style=\"font-size: 10pt\">One thing I like to do when I am finished creating everything for the new permanent event consumer is to check whether everything looks like it is created correctly. 
To do this, I use Windows PowerShell&rsquo;s <b><a href=\"http:\/\/blogs.technet.com\/b\/heyscriptingguy\/archive\/2009\/03\/02\/how-can-i-use-wmi-with-windows-powershell.aspx\"><span style=\"color: #0000ff\">Get-WmiObject<\/span><\/a><\/b> cmdlet. With the <b>gwmi<\/b> alias, this is short work, although I have to create a simple script to do this. As this is a quick script, I incorporated the <b>gwmi<\/b> alias instead of typing <b>Get-WmiObject<\/b>. <\/span><\/p>\n<p class=\"CodeBlockHead\" style=\"padding-left: 30px\"><strong>ReportPermenantEventConsumer.ps1<\/strong><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">gwmi __EventFilter <\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">gwmi ActiveScriptEventConsumer -Namespace root\\subscription<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">gwmi __FilterToConsumerBinding -Namespace root\\subscription<\/span><\/span><\/p>\n<p style=\"padding-left: 30px\"><span style=\"font-size: 10pt\">&nbsp;<\/span><\/p>\n<p><span style=\"font-size: 10pt\">The report from these three commands is seen here.<\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">PS C:\\Windows\\system32&gt; C:\\data\\ScriptingGuys\\2010\\HSG_12_6_10\\ReportPermenantEventConsumer.ps1<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">&nbsp;<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans 
Typewriter\">__GENUS<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: 2<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">__CLASS<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: __EventFilter<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">__SUPERCLASS<span>&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: __IndicationRelated<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">__DYNASTY<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: __SystemClass<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">__RELPATH<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: __EventFilter.Name=&#8221;Win32ServiceModification&#8221;<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">__PROPERTY_COUNT : 6<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">__DERIVATION<span>&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: {__IndicationRelated, __SystemClass}<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">__SERVER<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: MRED1<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">__NAMESPACE<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: 
ROOT\\cimv2<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">__PATH<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: \\\\MRED1\\ROOT\\cimv2:__EventFilter.Name=&#8221;Win32ServiceModification&#8221;<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">CreatorSID<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: {1, 5, 0, 0&#8230;}<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">EventAccess<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: <\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">EventNamespace<span>&nbsp;&nbsp; <\/span>: root\\cimv2<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">Name<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: Win32ServiceModification<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">Query<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: Select * from __InstanceModificationEvent within 10 where <\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\"><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>targetInstance isa &#8216;Win32_Service&#8217; and targetInstance.Name = &#8216;Bits&#8217;<\/span><\/span><\/p>\n<p 
class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">QueryLanguage<span>&nbsp;&nbsp;&nbsp; <\/span>: WQL<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">&nbsp;<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">__GENUS<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: 2<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">__CLASS<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: ActiveScriptEventConsumer<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">__SUPERCLASS<span>&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: __EventConsumer<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">__DYNASTY<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: __SystemClass<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">__RELPATH<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: ActiveScriptEventConsumer.Name=&#8221;ToggleBits&#8221;<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">__PROPERTY_COUNT : 8<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">__DERIVATION<span>&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: 
{__EventConsumer, __IndicationRelated, __SystemClass}<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">__SERVER<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: MRED1<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">__NAMESPACE<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: ROOT\\subscription<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">__PATH<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: \\\\MRED1\\ROOT\\subscription:ActiveScriptEventConsumer.Name=&#8221;ToggleBits&#8221;<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">CreatorSID<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: {1, 5, 0, 0&#8230;}<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">KillTimeout<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: 0<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">MachineName<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: <\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">MaximumQueueSize : <\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">Name<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: ToggleBits<\/span><\/span><\/p>\n<p 
class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">ScriptFilename<span>&nbsp;&nbsp; <\/span>: C:\\fso\\ToggleBrowserService.vbs<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">ScriptingEngine<span>&nbsp; <\/span>: VBScript<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">ScriptText<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: <\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">&nbsp;<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">__GENUS<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: 2<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">__CLASS<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: __FilterToConsumerBinding<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">__SUPERCLASS<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: __IndicationRelated<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">__DYNASTY<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: __SystemClass<\/span><\/span><\/p>\n<p class=\"CodeBlock\" 
style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">__RELPATH<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: __FilterToConsumerBinding.Consumer=&#8221;ActiveScriptEventConsumer.Name=\\&#8221;ToggleBits\\&#8221;&#8221;,Filter=&#8221;__EventFilter.Name=\\&#8221;Win32ServiceModification\\&#8221;&#8221;<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">__PROPERTY_COUNT<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: 7<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">__DERIVATION<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: {__IndicationRelated, __SystemClass}<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">__SERVER<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: MRED1<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">__NAMESPACE<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: ROOT\\subscription<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">__PATH<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: 
\\\\MRED1\\ROOT\\subscription:__FilterToConsumerBinding.Consumer=&#8221;ActiveScriptEventConsumer.Name=\\&#8221;ToggleBits\\&#8221;&#8221;,Filter=&#8221;__EventFilter.Name=\\&#8221;Win32ServiceModification\\&#8221;&#8221;<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">Consumer<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: ActiveScriptEventConsumer.Name=&#8221;ToggleBits&#8221;<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">CreatorSID<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: {1, 5, 0, 0&#8230;}<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">DeliverSynchronously<span>&nbsp;&nbsp;&nbsp; <\/span>: False<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">DeliveryQoS<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: <\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">Filter<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: __EventFilter.Name=&#8221;Win32ServiceModification&#8221;<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">MaintainSecurityContext : False<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans 
Typewriter\">SlowDownProviders<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: False<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">&nbsp;<\/span><\/span><\/p>\n<p><span style=\"font-size: 10pt\">Cleanup involves deleting each of the three new instances. In Windows PowerShell it is easy to delete these instances. I use the <b>Remove-WmiObject<\/b> cmdlet. I have to be very careful doing this to make sure that I delete only the instances I previously created. It turns out that my machine already has an instance of one of the classes installed. I use the <b>Where-Object<\/b> cmdlet to select the one I created. Proper WMI methodology would be to connect to the specific instance of the <b>__FilterToConsumerBinding<\/b> class. But because this is an association class, it has two keys in its path to the instance. The path to this instance is seen here. <\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">__PATH<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span>: \\\\MRED1\\ROOT\\subscription:__FilterToConsumerBinding.Consumer=&#8221;ActiveScriptEventConsumer.Name=\\&#8221;ToggleBits\\&#8221;&#8221;,Filter=&#8221;__EventFilter.Name=\\&#8221;Win32ServiceModification\\&#8221;&#8221;<\/span><\/span><\/p>\n<p style=\"padding-left: 30px\"><span style=\"font-size: 10pt\">&nbsp;<\/span><\/p>\n<p><span style=\"font-size: 10pt\">Using Windows PowerShell and the <b>Where-Object<\/b> cmdlet, I filter on the name of the <b>__EventFilter<\/b> and pipe the object to the <b>Remove-WmiObject<\/b> cmdlet, and I am done; no fussing with embedded quotation marks, no worrying about line wrapping or any of the typical problems confronting composite keys in WMI. 
Here is my cleanup code.<\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">gwmi __EventFilter -Filter &quot;Name=&#39;Win32ServiceModification&#39;&quot; | Remove-WmiObject<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">gwmi ActiveScriptEventConsumer -Namespace root\\subscription -Filter &quot;Name=&#39;ToggleBits&#39;&quot; | Remove-WmiObject<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">gwmi __FilterToConsumerBinding -Namespace root\\subscription | <\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">Where-Object { $_.filter -match &#39;Win32ServiceModification&#39;} | Remove-WmiObject<\/span><\/span><\/p>\n<p class=\"CodeBlock\" style=\"padding-left: 30px\"><span style=\"font-size: 10pt\"><span style=\"font-family: Lucida Sans Typewriter\">&nbsp;<\/span><\/span><\/p>\n<p><span style=\"font-size: 10pt\">CD, that is all there is to working with permanent WMI event consumers. Permanent event consumer week will continue tomorrow when guest blogger Trevor Sullivan will discuss a Windows PowerShell permanent event consumer <a href=\"http:\/\/blogs.technet.com\/heyscriptingguy\/archive\/tags\/getting+started\/modules\/default.aspx\"><span style=\"color: #0000ff\">module<\/span><\/a>. <\/span><\/p>\n<p><span style=\"font-size: 10pt\">I invite you to follow me on <a target=\"_blank\" href=\"http:\/\/bit.ly\/scriptingguystwitter\"><span style=\"color: #0000ff\">Twitter<\/span><\/a> or <a href=\"http:\/\/bit.ly\/scriptingguysfacebook\"><span style=\"color: #0000ff\">Facebook<\/span><\/a>. 
If you have any questions, send email to me at <a target=\"_blank\" href=\"mailto:scripter@microsoft.com\"><span style=\"color: #0000ff\">scripter@microsoft.com<\/span><\/a> or post them on the <a href=\"http:\/\/social.technet.microsoft.com\/Forums\/en\/ITCG\/threads\/\"><span style=\"color: #0000ff\">Official Scripting Guys Forum<\/span><\/a>. See you tomorrow. Until then, peace.<\/span><\/p>\n<p><span style=\"font-size: 10pt\">&nbsp;<\/span><\/p>\n<p><b><span style=\"font-size: 10pt\">Ed Wilson, Microsoft Scripting Guy<\/span><\/b><span style=\"font-size: 10pt\">&nbsp;<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary: Learn how to use Windows PowerShell to monitor and to respond to events on your computer or server without the need to run a script. &nbsp; Hey, Scripting Guy! I am interested in learning how to use Windows PowerShell to create a Windows Management Instrumentation (WMI) permanent event consumer. Basically, what I need is [&hellip;]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[42,3,4,45,6],"class_list":["post-16291","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-events-and-monitoring","tag-scripting-guy","tag-scripting-techniques","tag-windows-powershell","tag-wmi"],"acf":[],"blog_post_summary":"<p>Summary: Learn how to use Windows PowerShell to monitor and to respond to events on your computer or server without the need to run a script. &nbsp; Hey, Scripting Guy! I am interested in learning how to use Windows PowerShell to create a Windows Management Instrumentation (WMI) permanent event consumer. 
Basically, what I need is [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/16291","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=16291"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/16291\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=16291"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=16291"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=16291"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}