{"id":50643,"date":"2010-04-15T00:01:00","date_gmt":"2010-04-15T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2010\/04\/15\/hey-scripting-guy-can-i-use-wmi-to-determine-when-someone-logs-off-a-user-or-shuts-down-a-server\/"},"modified":"2010-04-15T00:01:00","modified_gmt":"2010-04-15T00:01:00","slug":"hey-scripting-guy-can-i-use-wmi-to-determine-when-someone-logs-off-a-user-or-shuts-down-a-server","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/hey-scripting-guy-can-i-use-wmi-to-determine-when-someone-logs-off-a-user-or-shuts-down-a-server\/","title":{"rendered":"Hey, Scripting Guy! Can I Use WMI to Determine When Someone Logs Off a User or Shuts Down a Server?"},"content":{"rendered":"

\"Bookmark <\/p>\n

 <\/p>\n

\"Hey,Hey, Scripting Guy! I have a Windows Server 2003 computer that I need to monitor for reboots. This may sound rather strange, but this server is more of a workstation, and we have a user mode application that runs under an actual user account. Therefore, we log on using the ID we have set up, launch the application, lock the console of the server, and that is the way the program is supposed to run. Once a day, a user goes to the server, unlocks the console, maximizes the application, and runs a report on the locally attached printer. The user is then supposed to minimize the application, lock the workstation, and collect the report. Unfortunately, if someone new runs the report about half the time, that person will shutdown the server, or log off the user account instead of locking the console. When this happens the application misses data, and it hoses<\/font><\/a> our accounting for the month. Is there a way to use WMI to let me know when someone either logs the user off, or shuts down the server? I know I can use ping to let me know if the server is shutdown, but this does nothing for logoffs. <\/p>\n<\/p>\n

— SM<\/p>\n

\n

 <\/p>\n<\/p>\n

\"Hey,Hello SM, <\/p>\n

Microsoft Scripting Guy Ed Wilson here. It has been a lovely day in Charlotte, North Carolina, in the United States of America. The sky has been a deep clear blue that occurs after an onslaught of rain cleanses the sky. It reminds me of the sky I saw in Alaska while I was up there teaching a Windows PowerShell workshop. As you can see in the following photo, it is not the color that was the reminder, but maybe the absence of clouds in the sky. We do not have stark mountains or moose in Charlotte, but we do have trees and a few creek beds. So maybe there is not as strong a parallel as I was originally planning. Maybe I just miss Alaska. <\/p>\n

\"Photo<\/p>\n

\n

 <\/p>\n<\/p>\n

SM, you know your current situation is not ideal, and I hope your application is not running as a member of the Domain Admins, although I would not be surprised. The best solution would be to create a custom profile that does not include the logoff or shutdown buttons on the menu. Or better yet, you could remove the shutdown privilege from the user account that is logged onto the machine. However, you know your own business rules and environment much better than I do. <\/p>\n

To monitor for shutdown or logoff events, you can use the WMI class Win32_ComputerShutdownEvent<\/font><\/a>. The Win32_ComputerShutdownEvent<\/b> WMI class first appeared in Windows XP. It is therefore available on your Windows Server 2003 machine. To use this event class, you do not need to write a generic event query. Use the Register-WmiEvent<\/b> cmdlet, and specify the class name of Win32_ComputerShutdownEvent<\/b>. Target your remote computer by name or by IP address. If you need to supply alternate credentials for the command to work, you can use the –credentials<\/b> parameter and you will be prompted for the password. This command is seen here:<\/p>\n

Register-WmiEvent -Class win32_computerShutdownEvent -ComputerName win2003<\/p>\n

<\/font><\/span><\/p>\n

After you have an event subscription, by using the Get-Event<\/b> cmdlet you can retrieve any events that may have been generated. If you did not specify a source identifier when you used the Register-WmiEvent<\/b> cmdlet, the Get-Event<\/b> cmdlet will return all events that have been received. This command is seen here as it returns two events:<\/p>\n

PS C:> Get-Event<\/p>\n

ComputerName     <\/span>:
RunspaceId       <\/span>: 7bbb485c-6303-4d1e-9084-bc46851990d5
EventIdentifier  <\/span>: 1
Sender           <\/span>: System.Management.ManagementEventWatcher
SourceEventArgs  <\/span>: System.Management.EventArrivedEventArgs
SourceArgs       <\/span>: {System.Management.ManagementEventWatcher, System.Management.EventArrivedEventArgs}
SourceIdentifier : 5ff0a4c6-cb25-45c3-8efc-2c48b722ff34
TimeGenerated    <\/span>: 4\/12\/2010 2:13:06 PM
MessageData      <\/span>:<\/p>\n

ComputerName     <\/span>:
RunspaceId       <\/span>: 7bbb485c-6303-4d1e-9084-bc46851990d5
EventIdentifier  <\/span>: 2
Sender           <\/span>: System.Management.ManagementEventWatcher
SourceEventArgs  <\/span>: System.Management.EventArrivedEventArgs
SourceArgs       <\/span>: {System.Management.ManagementEventWatcher, System.Management.EventArrivedEventArgs}
SourceIdentifier : 5ff0a4c6-cb25-45c3-8efc-2c48b722ff34
TimeGenerated    <\/span>: 4\/12\/2010 2:13:29 PM
MessageData      <\/span>:<\/p>\n

<\/font><\/span><\/p>\n

The data we are interested in comes from the NewEvent<\/b> property. It returns the machine name and the type of event that was generated. A type of 1 is a shutdown or a reboot. A type of 0 means that the event was triggered by a logoff:<\/p>\n

PS C:> $a[1].sourceEventArgs.NewEvent<\/p>\n

__GENUS             <\/span>: 2
__CLASS             <\/span>: Win32_ComputerShutdownEvent
__SUPERCLASS        <\/span>: Win32_ComputerSystemEvent
__DYNASTY           <\/span>: __SystemClass
__RELPATH           <\/span>:
__PROPERTY_COUNT    <\/span>: 4
__DERIVATION    <\/span>    <\/span>: {Win32_ComputerSystemEvent, __ExtrinsicEvent, __Event, __IndicationRelated…}
__SERVER            <\/span>:
__NAMESPACE         <\/span>:
__PATH              <\/span>:
MachineName         <\/span>: WIN2003
SECURITY_DESCRIPTOR :
TIME_CREATED        <\/span>: 129155696093028224
Type        <\/span>        <\/span>: 1<\/p>\n

<\/font><\/span><\/p>\n

Because you already know the computer name, all you are interested in is the time the event was generated and the type of event. You can obtain this information by piping the results to the Foreach-Object<\/b> cmdlet as seen here:<\/p>\n

PS C:> Get-Event | Foreach-Object { Write-Host $_.timeGenerated $_.sourceEventArgs.NewEvent.type }<\/p>\n

<\/font><\/span><\/p>\n

4\/12\/2010 2:13:06 PM 0<\/p>\n

<\/font><\/span><\/p>\n

4\/12\/2010 2:13:29 PM 1<\/p>\n

<\/font><\/span><\/p>\n

PS C:><\/p>\n

<\/font><\/span><\/p>\n

These commands and the associated results are seen in the following image.<\/p>\n

\"Image<\/p>\n

\n

 <\/p>\n<\/p>\n

SM, that is all there is to using WMI eventing. This also concludes our WMI Week articles. Join us tomorrow when we open our virtual mailbag and examine questions that only require a short answer—that is right, it is time once again for Quick-Hits Friday. We will talk about…wait a minute. <\/p>\n

If you want to know exactly what we will be looking at tomorrow, follow us on Twitter<\/font><\/a> or Facebook<\/a>. If you have any questions, send e-mail to us at scripter@microsoft.com<\/font><\/a> or post your questions on the Official Scripting Guys Forum<\/font><\/a>. See you tomorrow. Until then, peace.<\/p>\n

<\/p>\n

 <\/p>\n

<\/span><\/p>\n

Ed Wilson and Craig Liebendorfer, Scripting Guys<\/p>\n

<\/span><\/b><\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

    Hey, Scripting Guy! I have a Windows Server 2003 computer that I need to monitor for reboots. This may sound rather strange, but this server is more of a workstation, and we have a user mode application that runs under an actual user account. Therefore, we log on using the ID we have […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[42,3,4,45,6],"class_list":["post-50643","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-events-and-monitoring","tag-scripting-guy","tag-scripting-techniques","tag-windows-powershell","tag-wmi"],"acf":[],"blog_post_summary":"

    Hey, Scripting Guy! I have a Windows Server 2003 computer that I need to monitor for reboots. This may sound rather strange, but this server is more of a workstation, and we have a user mode application that runs under an actual user account. Therefore, we log on using the ID we have […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/50643","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=50643"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/50643\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=50643"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=50643"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=50643"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}