Recently I have been learning about WMI and WQL. I found out the list of Win32 classes (from MSDN) that I can query for but I am not able to find out the list of event classes (should be the subset of the list of Win32 classes isn't it ?) Does any one have a list or some kind of cheat sheet for this? I am jsut asking this out of curiosity.
Example for an event class - Win32_ProcessStartTrace
Here's how to list WMI event classes in the root\cimv2 namespace with C# and System.Management:
using System;
using System.Management;
class Program
{
static void Main()
{
string query =
@"Select * From Meta_Class Where __This Isa '__Event'";
ManagementObjectSearcher searcher =
new ManagementObjectSearcher(query);
foreach (ManagementBaseObject cimv2Class in searcher.Get())
{
Console.WriteLine(cimv2Class.ClassPath.ClassName);
}
}
}
root\cimv2 is the default WMI namespace so you don't have to use a ManagementScope instance. The WQL query passed to ManagementObjectSearcher is a WMI metadata query. It uses:
Meta_Class to designate the query as a schema query, and__This property to recursively list __Event subclasses(see here and here).
WMI class is an event class if its provider implemented as an event WMI provider and must be a subclass of __Event. This doesn't mean that you can't use 'ordinary' WMI classes like Win32_Process and Win32_Service in WQL event queries. You just have to use one of the __InstanceOperationEvent derived helper classes like __InstanceCreationEvent or __InstanceDeletionEvent, and WMI will use its own event subsystem to deliver events.
Here is a sample WQL query that subscribes to Win32_Process creation events:
Select * From __InstanceCreationEvent Within 5 Where TargetInstance Isa 'Win32_Process'
In this case you have to use the Within clause.
WMI Code Creator is a great tool for learning WMI that, among other things, lets you explore WMI event classes on the local or remote computer and generate code for receiving event notifications.
Edit: Since you tagged your question as C#, you might be interested in the code for getting the list of event classes derived from a particular class programmatically:
using System.Management;
...
string ancestor = "WMIEvent"; // the ancestor class
string scope = "root\\wmi"; // the WMI namespace to search within
try
{
EnumerationOptions options = new EnumerationOptions();
options.ReturnImmediately = true;
options.Rewindable = false;
ManagementObjectSearcher searcher =
new ManagementObjectSearcher(scope, "SELECT * FROM meta_class", options);
foreach (ManagementClass cls in searcher.Get())
{
if (cls.Derivation.Contains(ancestor))
{
Console.WriteLine(cls["__CLASS"].ToString());
}
}
}
catch (ManagementException exception)
{
Console.WriteLine(exception.Message);
}
Doesn't MSDN have a list of all the MSMCA classes here
UPDATE:
I don't do tons of work with WMI, but I just found this WMI tool that would have been helpful. It gives you a GUI for viewing the WMI hierarchy of objects, and even allows you to register and consume events. This should give you the information you need.
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 做个烂人 的文章《List of WMIEvent classes》','https://www.manongdao.com/article-682842.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}