{"id":52113,"date":"2009-11-02T00:01:00","date_gmt":"2009-11-02T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2009\/11\/02\/hey-scripting-guy-how-can-i-write-an-event-driven-script\/"},"modified":"2009-11-02T00:01:00","modified_gmt":"2009-11-02T00:01:00","slug":"hey-scripting-guy-how-can-i-write-an-event-driven-script","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/hey-scripting-guy-how-can-i-write-an-event-driven-script\/","title":{"rendered":"Hey, Scripting Guy! How Can I Write an Event-Driven Script?"},"content":{"rendered":"

\"Bookmark<\/a><\/p>\n

 <\/p>\n

<\/p>\n

\"Hey,<\/p>\n

\n

<\/span><\/p>\n

Hey, Scripting Guy! I have a problem at work. It is not with the pointy-headed<\/font><\/a> boss, but I believe the problem is probably related to him anyway. There is this application that runs on a workstation in our computer room. It is not a client server application, and of course the workstation is not really a server—it is running Windows XP. <\/p>\n

Anyway, here is the problem. When the workstation reboots, the application starts automatically (the shortcut to it is placed in the Startup folder). After the application has started, a reporting application needs to start. If the reporting application starts before the main application is completely initialized, the reporting application will hang forever. The only way to recover is to reboot the workstation. Unfortunately, the stupid main application does not shut down cleanly if it did not finish loading. At those times, the indexes have a tendency to become corrupt, and then we have to run this utility to clean up the index and that takes nearly 4 hours to complete. We do not shut down the workstation, but unfortunately with your security patches coming out the first Tuesday of every month, we have to reboot this machine at least once a month. It then becomes a crap shoot to see if we can get the computer up before everyone goes for lunch. I know you cannot fix the stupid application or fire the pointy headed boss who purchased this application, but is there anything I can do with a script to make it easier to get the application up and running?<\/p>\n

— SC<\/p>\n

\"Hey,Hello SC, <\/p>\n

Microsoft Scripting Guy Ed Wilson here. I am sipping a cup of gunpowder green tea<\/font><\/a> with a cinnamon stick and a little lemon grass, listening to Mozart on my Zune, and nibbling on a Tim Tam<\/font><\/a> that my friend Brent sent me from Australia. The gunpowder green tea and the Mozart were planned. The Tim Tam was an accident. When I headed to the kitchen for my snack, I spotted the Scripting Wife with a freshly opened bag of Tim Tams and I prevailed upon her to share one with me. (You may recall that the Tim Tams belong to the Scripting Wife, and the Anzac biscuits are mine.) <\/p>\n

Tim Tams are very sweet, and one does not need to eat more than one or two in a single sitting. They are perfect with coffee (which I seldom drink) or with the slightly sweet smoky taste of the gunpowder green tea. <\/p>\n

SC, what you need to do is to write an event-driven script. In VBScript the technique to respond to an event from within a script was rather esoteric. In my VBScript book, or in my WMI book<\/font><\/a>, the event-driven scripts were the most popular scripts. <\/p>\n

A VBScript that will detect when a new process starts is discussed in the How Can I Monitor for the Creation of Different Processes?<\/font><\/a> Hey, Scripting Guy! article. The MonitorForProcessCreation.vbs script is seen here. <\/p>\n

MonitorForProcessCreation.vbs<\/strong><\/p>\n

arrProcesses = Array(“freecell.exe”,”sol.exe”,”spider.exe”,”winmine.exe”)<\/p>\n

strComputer = “.”<\/p>\n

Set objWMIService = GetObject(“winmgmts:\\” & strComputer & “rootcimv2”)<\/p>\n

i = 0<\/p>\n

Set colMonitoredProcesses = objWMIService. ExecNotificationQuery _       
    (“Select * From __InstanceCreationEvent Within 5 Where TargetInstance ISA ‘Win32_Process'”)<\/p>\n

Do While i = 0
    Set objLatestProcess = colMonitoredProcesses.NextEvent
    strProcess = LCase(objLatestProcess.TargetInstance.Name)<\/p>\n

    For Each strName in arrProcesses
        If strName = strProcess Then
            Wscript.Echo strName & ” has started.”
        End If
    Next
Loop<\/p>\n

<\/font><\/font><\/span><\/p>\n

The MonitorForNotePadOrCalcGenerateEvent.ps1 script is very similar to the MonitorForProcessCreation.vbs script in functionality. Both scripts use WMI eventing, but the Windows PowerShell script uses a new cmdlet that was introduced in Windows PowerShell 2.0 (which officially was released on Thursday, October 22, with Windows 7). The advantage of using the Register-WmiEvent<\/b> cmdlet is that the script is much easier to write and read. The MonitorForNotePadOrCalcGenerateEvent.ps1 script is seen here.  <\/span><\/p>\n

MonitorForNotepadOrCalcGenerateEvent.ps1<\/strong><\/p>\n

#requires -version 2.0<\/p>\n

<\/font><\/font><\/span><\/p>\n

$progs = “calc.exe, notepad.exe”<\/p>\n

<\/font><\/font><\/span><\/p>\n

Register-WmiEvent -Class win32_ProcessStartTrace -SourceIdentifier processStarted<\/p>\n

<\/font><\/font><\/span><\/p>\n

$newEvent = Wait-Event -SourceIdentifier processStarted<\/p>\n

<\/font><\/font><\/span><\/p>\n

If ($progs -match $newEvent.SourceEventArgs.NewEvent.ProcessName) <\/p>\n

<\/font><\/font><\/span><\/p>\n

   <\/span>{ write-host $newEvent.SourceEventArgs.NewEvent.ProcessName “detected” }<\/p>\n

<\/font><\/font><\/span><\/p>\n

The first thing that is done in the MonitorForNotepadOrCalcGenerateEvent.ps1 script is the use of the #requires<\/b> tag. I recommend using the #requires<\/b> tag anytime that you write a Windows PowerShell script that you know uses a feature from Windows PowerShell 2.0 that is not available in Windows PowerShell 1.0. By specifying the #requires<\/b> tag, you prevent the script from running on Windows PowerShell 1.0. The tag is shown here:<\/p>\n

#requires -version 2.0<\/p>\n

<\/font><\/span><\/p>\n

The program names, which are stored in a single string, are not an array of program names, but a single string. This is because later, a regular expression pattern will be used to determine if the program is listed in the allow list. The variable $progs<\/b> holds the string assignment as seen here:<\/p>\n

$progs = “calc.exe, notepad.exe”<\/p>\n

<\/font><\/span><\/p>\n

The Register-WmiEvent<\/b> cmdlet is used to register the event with WMI. The WMI class, Win32_ProcessStartTrace<\/font><\/a> is an intrinsic event class, which means it automatically knows how to do events. When a new process starts, the Win32_ProcessStartTrace<\/b> WMI class will trigger an event. The SourceIdentifier<\/b> parameter is used to specify a name for the WMI event subscription. It must be unique for the Windows PowerShell session, or an error will be generated. This is seen here:<\/p>\n

PS C:Usersadministrator.NWTRADERS> C:Usersadministrator.NWTRADERSDocumentsMonitorForNotepadOrCalcGenerateEvent.ps1<\/p>\n

<\/font><\/span><\/p>\n

Register-WmiEvent : Cannot subscribe to event. A subscriber with source identifier ‘processStarted’ already exists.<\/p>\n

<\/font><\/span><\/p>\n

At C:Usersadministrator.NWTRADERSDocumentsMonitorForNotepadOrCalcGenerateEvent.ps1:10 char:18<\/p>\n

<\/font><\/span><\/p>\n

+ Register-WmiEvent <<<<  <\/span>-Class win32_ProcessStartTrace -SourceIdentifier processStarted<\/p>\n

<\/font><\/span><\/p>\n

    <\/span>+ CategoryInfo          <\/span>: InvalidArgument: (System.Management.ManagementEventWatcher:ManagementEventWatcher) [Register-WmiEvent],  <\/span><\/p>\n

<\/font><\/span><\/p>\n

   <\/span>ArgumentException<\/p>\n

<\/font><\/span><\/p>\n

    <\/span>+ FullyQualifiedErrorId : SUBSCRIBER_EXISTS,Microsoft.PowerShell.Commands.RegisterWmiEventCommand<\/p>\n

<\/font><\/span><\/p>\n

An easy way to avoid errors when attempting to create a new event subscription is to collect the events and remove the events, and then do the same thing for the registered event subscriptions. The code to do this is seen here:<\/p>\n

Get-Event | Remove-Event                                                                                                          <\/span><\/p>\n

<\/font><\/span><\/p>\n

Get-EventSubscriber | Unregister-Event   <\/span><\/p>\n

<\/font><\/span><\/p>\n

The code to register a WMI event is seen here:<\/p>\n

Register-WmiEvent -Class win32_ProcessStartTrace -SourceIdentifier processStarted<\/p>\n

<\/font><\/span><\/p>\n

The Wait-Event<\/b> cmdlet is used to cause the script to halt execution while it waits for an event to occur. When the event is raised, the resulting object is stored in the $newEvent<\/b> variable. By default the Wait-Event<\/b> cmdlet will wait for any event, but by using the SourceIdentifier<\/b> parameter, the Wait-Event<\/b> cmdlet will respond to events from the specific source. You can also specify a timeout value that would cause the Wait-Event<\/b> cmdlet to pause for a specific amount of time before returning control back to the script. This section of the script is seen here:<\/p>\n

$newEvent = Wait-Event -SourceIdentifier processStarted<\/p>\n

<\/font><\/span><\/p>\n

The if<\/b> statement is used to determine if the processName<\/b> that triggered the event matches one of the program names in the $progs<\/b> variable. If the program name matches, the Write-Host<\/b> cmdlet is used to display the name of the process that was detected. The code that does this is shown here:<\/p>\n

If ($progs -match $newEvent.SourceEventArgs.NewEvent.ProcessName) <\/p>\n

<\/font><\/span><\/p>\n

   <\/span>{ write-host $newEvent.SourceEventArgs.NewEvent.ProcessName “detected” }<\/p>\n

<\/font><\/span><\/p>\n

Once an event has been triggered, the script will exit. When the script is run with the Windows PowerShell ISE, this output is seen:<\/p>\n

\"Image<\/p>\n


Well, SC, as you can see, using events in Windows PowerShell scripts is considerably easier that it was when using VBScript. Join us tomorrow as WMI Event Week continues. <\/p>\n

If you want to know exactly what we will be looking at tomorrow, follow us on Twitter<\/font><\/a> or Facebook<\/font><\/a>. If you have any questions, send e-mail to us at scripter@microsoft.com<\/font><\/a> or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n

 <\/p>\n

Ed Wilson and Craig Liebendorfer, Scripting Guys<\/p>\n

<\/span><\/b><\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

  Hey, Scripting Guy! I have a problem at work. It is not with the pointy-headed boss, but I believe the problem is probably related to him anyway. There is this application that runs on a workstation in our computer room. It is not a client server application, and of course the workstation is not […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[42,3,4,45],"class_list":["post-52113","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-events-and-monitoring","tag-scripting-guy","tag-scripting-techniques","tag-windows-powershell"],"acf":[],"blog_post_summary":"

  Hey, Scripting Guy! I have a problem at work. It is not with the pointy-headed boss, but I believe the problem is probably related to him anyway. There is this application that runs on a workstation in our computer room. It is not a client server application, and of course the workstation is not […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/52113","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=52113"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/52113\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=52113"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=52113"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=52113"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}