如何订阅Windows文件修改事件

Question

我想订阅特定文件的情况下使用WQL与此查询被修改：

SELECT * FROM __InstanceModificationEvent WITHIN 1 WHERE TargetInstance ISA "CIM_DataFile" AND TargetInstance.Drive="C:" AND TargetInstace.Path="\\test\\filewatching\\"

我可以将事件成功寄存器（见输出在底部），并且可以看到它与我注册的脚本（消费者）绑定。

但是，当我修改C:\test\filewatching\中的文件时，脚本无法运行。

---

下面是在同一文件夹，注册为文件创建事件代码，这个工程：

#WQL 

$query = @" 
SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA "Cim_DirectoryContainsFile" AND TargetInstance.GroupComponent="Win32_Directory.Name='C:\\test\\filewatching'" 
"@ 
$instanceFilter = ([WMICLASS]"\\$Computername\root\subscription:__EventFilter").CreateInstance() 
$instanceFilter.QueryLanguage = 'WQL' 
$instanceFilter.Query = $query 
$instanceFilter.Name = 'EventFilterNameHere' 
$instanceFilter.EventNameSpace = 'root/CIMV2' 
$result = $instanceFilter.Put() 

# Consumer 

$script = 
@" 
Set objFSO = CreateObject("Scripting.FileSystemObject") 
Set objFile = objFSO.OpenTextFile("c:\test\filewatching\Log.log", 8, True) 
objFile.WriteLine "New File Created" 
objFile.Close 
"@ 
$instanceConsumer = ([wmiclass]"\\$Computername\root\subscription:ActiveScriptEventConsumer").CreateInstance() 
$instanceConsumer.Name = 'ConsumerNameHere' 
$instanceConsumer.ScriptingEngine = 'VBScript' 
$instanceConsumer.ScriptFilename = '' 
$instanceConsumer.ScriptText = $script 
$instanceConsumer.Put() 

# Binding 

[object]$Filter = (Get-WMIObject -Computername $Computername -Namespace root\Subscription -Class __EventFilter | Sort Name) 
[object]$Consumer = (Get-WMIObject -Computername $Computername -Namespace root\Subscription -Class __EventConsumer | Sort Name) 

$instanceBinding = ([wmiclass]"\\$Computername\root\subscription:__FilterToConsumerBinding").CreateInstance() 
$instanceBinding.Filter = $Filter 
$instanceBinding.Consumer = $Consumer 
$instanceBinding.Put() 

所以我知道有什么错我的PowerShell。这让我觉得我的查询一定是错的。

我已经尝试了一下上面的InstanceModificationEvent查询的一些调整，但没有成功。 （这些调整包括诸如将C:改为C或从TargetInstace.Path移除\s的东西）。

---

我需要此订阅才是永久性的，并且如果PC已打开或关闭，则无法重置 - 这就是我使用WQL的原因。如果任何人都可以提出另一种实现方法，或者我可以如何解决我的问题，我将永远感激！

Path   : \\WIN7-IT3\root\subscription:ActiveScriptEventConsumer.Name="Co 
       nsumerNameHere" 
RelativePath : ActiveScriptEventConsumer.Name="ConsumerNameHere" 
Server  : WIN7-IT3 
NamespacePath : root\subscription 
ClassName  : ActiveScriptEventConsumer 
IsClass  : False 
IsInstance : True 
IsSingleton : False 

Path   : \\WIN7-IT3\root\subscription:__FilterToConsumerBinding.Consumer 
       ="\\\\WIN7-IT3\\ROOT\\Subscription:ActiveScriptEventConsumer.Na 
       me=\"ConsumerNameHere\"",Filter="\\\\WIN7-IT3\\ROOT\\Subscripti 
       on:__EventFilter.Name=\"EventFilterNameHere\"" 
RelativePath : __FilterToConsumerBinding.Consumer="\\\\WIN7-IT3\\ROOT\\Subscri 
       ption:ActiveScriptEventConsumer.Name=\"ConsumerNameHere\"",Filt 
       er="\\\\WIN7-IT3\\ROOT\\Subscription:__EventFilter.Name=\"Event 
       FilterNameHere\"" 
Server  : WIN7-IT3 
NamespacePath : root\subscription 
ClassName  : __FilterToConsumerBinding 
IsClass  : False 
IsInstance : True 
IsSingleton : False 

查询WMI订阅：查询后

Get-WmiObject -Namespace root\Subscription -Class __Eventfilter 
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer 
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding 
Get-WMIObject -Namespace root\Subscription -Class ActiveScriptEventConsumer 

输出：

运行脚本后

---

输出

__GENUS : 2 __CLASS : __EventFilter __SUPERCLASS : __IndicationRelated __DYNASTY : __SystemClass __RELPATH : __EventFilter.Name="EventFilterNameHere" __PROPERTY_COUNT : 6 __DERIVATION : {__IndicationRelated, __SystemClass} __SERVER : WIN7-IT3 __NAMESPACE : ROOT\Subscription __PATH : \\WIN7-IT3\ROOT\Subscription:__EventFilter.Name="EventFilterNameHere" CreatorSID : {1, 5, 0, 0...} EventAccess : EventNamespace : root/CIMV2 Name : EventFilterNameHere Query : SELECT * FROM __InstanceModificationEvent WITHIN 5 WHERE TargetInstance ISA "CIM_DataFile" AND TargetInstance.Drive="C:" AND TargetInstace.Path="\\test\\filewatching\\" QueryLanguage : WQL PSComputerName : WIN7-IT3 __GENUS : 2 __CLASS : ActiveScriptEventConsumer __SUPERCLASS : __EventConsumer __DYNASTY : __SystemClass __RELPATH : ActiveScriptEventConsumer.Name="ConsumerNameHere" __PROPERTY_COUNT : 8 __DERIVATION : {__EventConsumer, __IndicationRelated, __SystemClass} __SERVER : WIN7-IT3 __NAMESPACE : ROOT\Subscription __PATH : \\WIN7-IT3\ROOT\Subscription:ActiveScriptEventConsumer.Name="ConsumerNameHere" CreatorSID : {1, 5, 0, 0...} KillTimeout : 0 MachineName : MaximumQueueSize : Name : ConsumerNameHere ScriptFilename : ScriptingEngine : VBScript ScriptText : Set objFSO = CreateObject("Scripting.FileSystemObject") Set objFile = objFSO.OpenTextFile("c:\test\filewatching\Log.log", 8, True) objFile.WriteLine "New File Created" objFile.Close PSComputerName : WIN7-IT3 __GENUS : 2 __CLASS : __FilterToConsumerBinding __SUPERCLASS : __IndicationRelated __DYNASTY : __SystemClass __RELPATH : __FilterToConsumerBinding.Consumer="\\\\WIN7-IT3\\ROOT\\Subscription:ActiveS criptEventConsumer.Name=\"ConsumerNameHere\"",Filter="\\\\WIN7-IT3\\ROOT\\Su bscription:__EventFilter.Name=\"EventFilterNameHere\"" __PROPERTY_COUNT : 7 __DERIVATION : {__IndicationRelated, __SystemClass} __SERVER : WIN7-IT3 __NAMESPACE : ROOT\Subscription __PATH : \\WIN7-IT3\ROOT\Subscription:__FilterToConsumerBinding.Consumer="\\\\WIN7-IT 3\\ROOT\\Subscription:ActiveScriptEventConsumer.Name=\"ConsumerNameHere\"",F ilter="\\\\WIN7-IT3\\ROOT\\Subscription:__EventFilter.Name=\"EventFilterName Here\"" Consumer : \\WIN7-IT3\ROOT\Subscription:ActiveScriptEventConsumer.Name="ConsumerNameHer e" CreatorSID : {1, 5, 0, 0...} DeliverSynchronously : False DeliveryQoS : Filter : \\WIN7-IT3\ROOT\Subscription:__EventFilter.Name="EventFilterNameHere" MaintainSecurityContext : False SlowDownProviders : False PSComputerName : WIN7-IT3 __GENUS : 2 __CLASS : ActiveScriptEventConsumer __SUPERCLASS : __EventConsumer __DYNASTY : __SystemClass __RELPATH : ActiveScriptEventConsumer.Name="ConsumerNameHere" __PROPERTY_COUNT : 8 __DERIVATION : {__EventConsumer, __IndicationRelated, __SystemClass} __SERVER : WIN7-IT3 __NAMESPACE : ROOT\Subscription __PATH : \\WIN7-IT3\ROOT\Subscription:ActiveScriptEventConsumer.Name="ConsumerNameHere" CreatorSID : {1, 5, 0, 0...} KillTimeout : 0 MachineName : MaximumQueueSize : Name : ConsumerNameHere ScriptFilename : ScriptingEngine : VBScript ScriptText : Set objFSO = CreateObject("Scripting.FileSystemObject") Set objFile = objFSO.OpenTextFile("c:\test\filewatching\Log.log", 8, True) objFile.WriteLine "New File Created" objFile.Close PSComputerName : WIN7-IT3 

Answer 1

跨越this page迷迷糊糊张贴这个问题，我从中摸索出我需要的查询后不久：

注意，相反，其他几个帖子在网上，什么工作对我来说竟是省略TargetInstance的Path和Drive部分，并且只包含我要观看的文件的完整路径和名称。

这适用于我，因为我只会看1个特定的文件。如果您需要使用此方法观看多个文件，则需要注册多个订阅。

登记文件修改观察者的完整代码：

#WQL 

$query = @" 
SELECT * FROM __InstanceModificationEvent WITHIN 1 WHERE TargetInstance ISA 'CIM_DataFile' AND TargetInstance.Name='c:\\test\\filewatching\\tester.txt' 
"@ 
$instanceFilter = ([WMICLASS]"\\$Computername\root\subscription:__EventFilter").CreateInstance() 
$instanceFilter.QueryLanguage = 'WQL' 
$instanceFilter.Query = $query 
$instanceFilter.Name = 'EventFilterNameHere' 
$instanceFilter.EventNameSpace = 'root/CIMV2' 
$result = $instanceFilter.Put() 

# Consumer 

$script = 
@" 
Set objFSO = CreateObject("Scripting.FileSystemObject") 
Set objFile = objFSO.OpenTextFile("c:\test\filewatching\Log.log", 8, True) 
objFile.WriteLine "New File Created" 
objFile.Close 
"@ 
$instanceConsumer = ([wmiclass]"\\$Computername\root\subscription:ActiveScriptEventConsumer").CreateInstance() 
$instanceConsumer.Name = 'ConsumerNameHere' 
$instanceConsumer.ScriptingEngine = 'VBScript' 
$instanceConsumer.ScriptFilename = '' 
$instanceConsumer.ScriptText = $script 
$instanceConsumer.Put() 

# Binding 

[object]$Filter = (Get-WMIObject -Computername $Computername -Namespace root\Subscription -Class __EventFilter | Sort Name) 
[object]$Consumer = (Get-WMIObject -Computername $Computername -Namespace root\Subscription -Class __EventConsumer | Sort Name) 

$instanceBinding = ([wmiclass]"\\$Computername\root\subscription:__FilterToConsumerBinding").CreateInstance() 
$instanceBinding.Filter = $Filter 
$instanceBinding.Consumer = $Consumer 
$instanceBinding.Put() 

Answer 2

需要消费者和过滤器的路径连接到粘合剂 ，而不是系统中的每个过滤器\消费者

$result = $instanceFilter.Put() 
$filterPath = $result.Path 
$result = $instanceConsumer.Put() 
$consumerPath = $result.Path 

$bind.Filter = $filterPath 
$bind.Consumer = $consumerPath