Note<\/b> For more information about WMI event driven scripts, see An Insider’s Guide to Using WMI Events and PowerShell<\/a>.<\/p>\n Today I am going to develop a WMI event query to detect newly created files in a particular folder. Then I will use this WQL event query tomorrow to create a permanent WMI event consumer. In fact, whenever I am creating a permanent WMI event consumer, I always test it out as a temporary event consumer first. Creating a temporary event consumer with Windows PowerShell 2.0 is really easy, so it only makes sense to take this first step.<\/p>\n The hardest part of creating a WMI WQL event query is, well…just about everything. This stuff does not make much sense. Luckily, if you have WQL event query from VBScript or some other language, it is not too difficult to migrate the query to Windows PowerShell.<\/p>\n When you start trying to do this, however, you run into weird quoting rules that only make a confusing situation more confusing. Luckily, Windows PowerShell can bring some sanity to this part of the process. The secret is to use a here-string. Here-strings are really finicky (they make Morris the Cat<\/a> seem like an omnivore). The basic syntax is to use a variable to hold the resulting here-string. The here-string begins with an ampersand and an opening quotation mark: @”<\/b>. Everything inside the here-string is interpreted literally so you do not need to worry with escaping special characters or quotation marks or any of that stuff. The here-string closes with a closing quotation mark ampersand: “@<\/b>.<\/p>\n There are two rules that you must follow:<\/p>\n I referred to an old Hey Scripting Guy! Blog, How Can I Automatically Run a Script Any Time a File is Added to a Folder<\/a>, which was written nearly eight years ago in VBScript. Guess what? The query was just the thing I needed to refresh my memory for creating my new query. Here is the VBScript query from that blog.<\/p>\n (“SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE ” _<\/p>\n & “Targetinstance ISA ‘CIM_DirectoryContainsFile’ and ” _<\/p>\n & “TargetInstance.GroupComponent= ” _<\/p>\n & “‘Win32_Directory.Name=””c:\\\\\\\\scripts””‘”)<\/p>\n You can see where the use of a here-string vastly simplifies things by allowing me to forget about line continuation and having to escape quotation marks and other things. But also you can see how having a nice reference query, even from an eight-year old VBScript script, is also beneficial.<\/p>\n Note<\/b> This is ONE of the major reasons I insisted on migrating all of the old Hey Scripting Guy! Blogs to the new Hey, Scripting Guy! Blog format four years ago when I became the Scripting Guy. I knew that a lot of that old code was easily adaptable to Windows PowerShell and would be useful for years to come. <\/p>\n The WQL query itself is not too horribly bad. It begins by selecting everything from the __InstanceCreationEvent<\/b> WMI class. This class is a generic event class, and it will monitor for new instances of “stuff.” It can be anything from a new entry in an event log to a new file. The problem with monitoring for a newly created file is that a file must reside somewhere—for example, inside a directory. To find a file in a directory by using WMI means that we need to use an association WMI class.<\/p>\n The Cim_DirectoryContainsFile<\/b> WMI class associates files and directories. When working with association classes, there is always a property that relates one to the other. Here we are looking for the GroupComponent <\/b>portion of the association. GroupComponent <\/b>is an instance of the Win32_Directory<\/b> WMI class. Because we are interested in a particular directory, we need to use the Key<\/b> property for GroupComponent<\/b>. Here, the key is the name of the folder. The name of the folder uses POSIX notation; therefore, it requires \\\\\\\\ (four back slashes). The query is shown here.<\/p>\n $query = @”<\/p>\n Select * from __InstanceCreationEvent within 10<\/p>\n where targetInstance isa ‘Cim_DirectoryContainsFile’<\/p>\n and targetInstance.GroupComponent = ‘Win32_Directory.Name=”c:\\\\\\\\test”‘<\/p>\n “@<\/p>\n Now I need register the WMI event. In Windows PowerShell 2.0 and Windows PowerShell 3.0, this is really easy. I use the Register-WmiEvent<\/b> cmdlet and specify the WQL query. I also need to create a value for the SourceIdentifier<\/b> <\/i>property so I can monitor the job. Here, I register the WMI event by using the query contained in the $query<\/b> variable, and I specify a SourceIdentifier<\/b> <\/i>of MonitorFiles<\/b>.<\/p>\n Register-WmiEvent -Query $query -SourceIdentifier “MonitorFiles”<\/p>\n Upon registering the event, I can do any number of things. The easiest thing to do is to wait for the event to occur. The Wait-Event<\/b> cmdlet will wait for the event that is identified by the SourceIdentifier<\/b> <\/i>to trigger. After it does, I store the generated event in the $fileEvent<\/b> variable as shown here.<\/p>\n $fileEvent = Wait-Event -SourceIdentifier “MonitorFiles”<\/p>\n Once again, I could do anything I want to do upon notification that an event triggers. Here, I simply display the complete path to the newly created file. I will use this information tomorrow in my follow-up to today’s blog. Notice that the $fileEvent<\/b> variable contains a rich object. You might want to play around with Get-Member<\/b> to explore this object.<\/p>\n $fileEvent.SourceEventArgs.NewEvent.TargetInstance.PartComponent<\/p>\n When the script runs, it waits for an event to trigger. This behavior is shown in the image that follows.<\/p>\n When I create a file in the c:\\test folder, within 10 seconds the temporary event consumer detects the presence of the newly created file, and Wait-Event<\/b> returns the event to the $fileEvent<\/b> variable. The script then displays the path to the newly created file. The image that follows illustrates the Windows PowerShell ISE following the generation of the new event.<\/p>\n If you attempt to run the script a second time, you will more than likely receive errors. The error is because the event SourceIdentifier<\/b> <\/i>“MonitorFiles” already exists. The way to correct this is to unregister the event. You can do this by name, by specifying the SourceIdentifier<\/b> <\/i>property of the Unregister-Event<\/b> cmdlet. But the easier way to do this is to use the Get-EventSubscriber<\/b> cmdlet, and pipe the event subscriber to the Unregister-Event<\/b> cmdlet as shown here.<\/p>\n Get-EventSubscriber | Unregister-Event<\/p>\n The unpredictable results portion of the scenario is that one WMI event already exists—the one that generated during testing. It is certainly possible to work with multiple events, but it is also easier to just clean up. The easiest way to do this is to find all of the WMI events by using the Get-Event<\/b> cmdlet, and then pipe all the found WMI events to the Remove-Event<\/b> cmdlet. This command is shown here.<\/p>\n Get-Event | Remove-Event<\/p>\n If you are writing a temporary WMI event consumer script, it makes sense to place the two previous commands into a function called something like Remove-WMIEventAndSubscriber<\/b>. Such a function is shown here.<\/p>\n Function Remove-WMIEventAndSubscriber<\/p>\n {<\/p>\n Get-EventSubscriber | Unregister-Event<\/p>\n Get-Event | Remove-Event<\/p>\n } #end function Remove-WmiEventAndSubscriber<\/p>\n A function such as Remove-WMIEventAndSubscriber<\/b> makes testing your script inside the Windows PowerShell ISE much easier, and it saves a lot of typing because you reset the environment each time you decide to run an additional test.<\/p>\n The complete TemporaryWMIEventToMonitorFolderForNewFiles.ps1 script<\/a> is uploaded to the Scripting Guys Script Repository. You can download the entire script from there.<\/p>\n That is all there is to using a temporary WMI event to monitor a folder for the creation of a new file. Join me tomorrow for more Windows PowerShell cool stuff.<\/p>\n I invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n Ed Wilson, Microsoft Scripting Guy<\/b> <\/p>\n","protected":false},"excerpt":{"rendered":" Summary: Microsoft Scripting Guy, Ed Wilson, shows how to use Windows PowerShell to monitor for the creation of new files. Microsoft Scripting Guy, Ed Wilson, is here. Yesterday’s email from KS about his problems with files that contain leading spaces in them got me thinking. Although running a script on demand to find and rename […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[42,3,45,6],"class_list":["post-8691","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-events-and-monitoring","tag-scripting-guy","tag-windows-powershell","tag-wmi"],"acf":[],"blog_post_summary":" Summary: Microsoft Scripting Guy, Ed Wilson, shows how to use Windows PowerShell to monitor for the creation of new files. Microsoft Scripting Guy, Ed Wilson, is here. Yesterday’s email from KS about his problems with files that contain leading spaces in them got me thinking. Although running a script on demand to find and rename […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/8691","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=8691"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/8691\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=8691"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=8691"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=8691"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Creating a WMI WQL event query<\/h2>\n
\n
Register the WMI event<\/h2>\n
![\"Image](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/6102.HSG-7-17-12-01.png\" "\\"Image")
<\/a><\/p>\n![\"Image](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/6746.HSG-7-17-12-02.png\" "\\"Image")
<\/a><\/p>\nClean up after creating a temporary event subscriber<\/h2>\n