ptrex, posted March 12, 2007 (edited)

File Monitoring Example - using ExecNotificationQuery

Someone in the Help Forum wanted to have a script to monitor files in a certain directory.

You could write a basic script in AU3 to do that, but it would not be as efficient as using the native WMI functions for this.

```autoit
; Connect to the WMI service on the local computer (".")
$strComputer = "."
$objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\cimv2")

; Poll every 5 seconds for files added to or removed from C:\1
$colMonitoredEvents = $objWMIService.ExecNotificationQuery _
        ("SELECT * FROM __InstanceOperationEvent WITHIN 5 WHERE " _
         & "Targetinstance ISA 'CIM_DirectoryContainsFile' and " _
         & "TargetInstance.GroupComponent= " _
         & "'Win32_Directory.Name=""c:\\\\1""'")

While 1
    ; Blocks until the next matching event arrives
    $objEventObject = $colMonitoredEvents.NextEvent()
    Select
        Case $objEventObject.Path_.Class() = "__InstanceCreationEvent"
            ConsoleWrite("A new file was just created: " & $objEventObject.TargetInstance.PartComponent() & @CR)
        Case $objEventObject.Path_.Class() = "__InstanceDeletionEvent"
            ConsoleWrite("A file was just deleted: " & $objEventObject.TargetInstance.PartComponent() & @CR)
    EndSelect
WEnd
```

Create a folder C:\1 and add or delete a file in there. See what happens.

Enjoy !!

ptrex

Edited September 14, 2012 by ptrex

arcker, posted March 12, 2007

iop,

i've made a lot of scripts using wmi events (to manage our servers)

the best way is to have the execnotificationasyncquery

the advantage is that you can have multiple queries, and only one sink (event receiver)

i like to see that i'm not alone in my ActiveX & Com addiction XD

ptrex, posted March 12, 2007

@arcker

I am a COM fan too !!

An example of your script using : execnotificationasyncquery would help me investigate that route as well.

Thanks

ptrex

arcker, posted March 12, 2007 (edited)

no problem, i make an example and i send you this :

this current script illustrates the full possibilities of event creation

i've added the owner information

this script reports all new processes for computers declared in the arrays

edit : updated

```autoit
;WMI monitoring
#include <Array.au3>
#include <Date.au3>

Dim $strQuery, $SINK, $objContext, $objWMIService, $objAsyncContextItem, $return, $account
; Computers to monitor
Dim $arrComputers[2] = ["ncd004501003", "ncd004501004"]
$strQuery = "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'"

; One sink receives the events of every query; its events map to the SINK_* functions
$SINK = ObjCreate("WbemScripting.SWbemSink")
ObjEvent($SINK, "SINK_")

For $strComputer In $arrComputers
    ; The context travels with each event, so the handler knows which host it came from
    $objContext = ObjCreate("WbemScripting.SWbemNamedValueSet")
    $objContext.Add ("hostname", $strComputer)
    $objContext.Add ("SinkName", "sinktest")
    $objWMIService = ObjGet("winmgmts:" _
             & "!\\" & $strComputer & "\root\cimv2")
    If Not @error Then
        $objWMIService.ExecNotificationQueryAsync ($SINK, $strQuery, Default, Default, Default, $objContext)
        ConsoleWrite("Waiting for processes to start on " & $strComputer & " ..." & @CRLF)
    EndIf
Next

ConsoleWrite("In monitoring mode. Press Ctrl+C to exit." & @CRLF)

; Keep the script alive; events are delivered to the sink functions below
While 1
    Sleep(10000)
WEnd

;******************************************************************************
Func SINK_OnObjectReady($objLatestEvent, $objAsyncContext)
    ;Trap asynchronous events.
    Local $essai1, $essai2
    $objAsyncContextItem = $objAsyncContext.Item ("hostname")
    ConsoleWrite(@CRLF & "Computer Name: " & $objAsyncContextItem.Value & @CRLF)
    ConsoleWrite("Sink Name: " & $objAsyncContext.Item ("sinkname").Value & @CRLF)
    $objLatestEvent.TargetInstance.getowner($essai1, $essai2)
    ConsoleWrite(" Owner : " & $essai1 & "\" & $essai2 & @CRLF)
    ConsoleWrite(" Time: " & _NowDate() & @CRLF)
EndFunc   ;==>SINK_OnObjectReady

Func sink_onprogress($iUpperBound, $iCurrent, $strMessage, $objWbemAsyncContext)
    ConsoleWrite("progress ... " & @CRLF)
    ConsoleWrite($iUpperBound & @CRLF & $iCurrent & @CRLF & $strMessage & @CRLF & $objWbemAsyncContext & @CRLF)
EndFunc
```

Edited March 13, 2007 by arcker

ptrex, posted March 12, 2007

@arcker

Thanks for the nice example.

I have to update my knowledge to see what the benefit is of using the "ExecNotificationQueryAsync" method.

regards,

ptrex

arcker, posted March 12, 2007

i "sink" (lol) that the most complicated method is the execnotificationqueryasync

i've just learned this in 2 days

it's really powerful, so if you doubt, just think about it

wmi rocks, and proves M$ competence

seandisanti, posted March 12, 2007

nice, thanks for the examples guys. COM i like a lot, but haven't played much with WMI. i've got a book on it, just haven't bothered cracking it open yet; maybe i should do that...

arcker, posted March 13, 2007

books are not free, google is...

try with some vbs and some research on the MSDN

that's how i did

ptrex, posted March 13, 2007

@arcker

Just to let you know, when I ran your example it failed with an error when opening a new application.

Failed to get the Object?

Did you run it and test it?

regards

ptrex

arcker, posted March 13, 2007

yep i tested it,

Sometimes WMI can be crashed so i often used :

```
net stop winmgmt
net start winmgmt
```

and things go well

edit : ohhh sorry, i've used a wrong valueset (used for monitoring ntlog)

post updated

ptrex, posted March 13, 2007

@arcker

Now it is working OK.

Thanks

ptrex

i542, posted March 14, 2007

Wow, that is great! I was thinking about that too but i didn't know how...

i542

Andrew Peacock, posted April 24, 2007 (edited)

Hi all,

Does anyone know how to get the filename/path? I've done some reading around, and it seems to be something to do with the PartComponent property of the latestevent object, but I've tried:

```autoit
$filename = $targetinstance.PartComponent.value
$filename = $targetinstance.item("PartComponent").value
$filename = $targetinstance.item("PartComponent")
$filename = $targetinstance.PartComponent
```

EDIT: Also tried:

```autoit
$objEventObject.TargetInstance.PartComponent()
```

(based on the synchronous example above - still get error)

And they all generate errors.

Anyone got any ideas?

Thanks in advance,

Andy

Edited April 24, 2007 by Andrew Peacock

ldub, posted April 28, 2007 (edited)

Hello Ptrex !

I have made a big mistake : I have run your script on my computer (single user, windows XPP) and, when I reboot (usually on c:\), my system now tries to boot on my diskette drive !

What could I do ?

Thanks a lot for your help or for the help of anybody else !

Loïc

Edited April 28, 2007 by ldub

arcker, posted April 29, 2007

> I have run your script on my computer

no it's not possible with this script

try to configure well your bios before targeting scripts

try to reconfigure your boot.ini if needed

ldub, posted May 2, 2007

Thanks for your help.

I beg your pardon... I'm a beginner.

What can we do to protect our computer when running scripts which may not be perfect ?

nitekram, posted May 2, 2007

> no problem, i make an example and i send you this :
> this current script illustrates the full possibilities of event creation
> i've added the owner information
> this script reports all new processes for computers declared in the arrays
> edit : updated

I have gotten this to somewhat work - is the sinktest supposed to be a value of the process started or just the name "sinktest"? If the latter - is there any way to show the started process?

arcker, posted May 2, 2007

i really don't understand what you mean

if you need the processID, try :

```autoit
$objLatestEvent.TargetInstance.ProcessId
```

Andrew Peacock, posted May 2, 2007

Hi all,

Can anyone help with this question I raised earlier?

Thanks in advance,

Andy

> Hi all,
> Does anyone know how to get the filename/path? I've done some reading around, and it seems to be something to do with the PartComponent property of the latestevent object, but I've tried:
> $filename = $targetinstance.PartComponent.value
> $filename = $targetinstance.item("PartComponent").value
> $filename = $targetinstance.item("PartComponent")
> $filename = $targetinstance.PartComponent
> EDIT: Also tried:
> $objEventObject.TargetInstance.PartComponent() (based on the synchronous example above - still get error)
> And they all generate errors.
> Anyone got any ideas?
> Thanks in advance,
> Andy

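Added example, not part of the thread and not code from any poster: the PartComponent value asked about above is a WMI object-path string, so one way to get a plain file name and path is to parse that string. The function names and the sample strings (host WORKSTATION1 and the file names) are constructed for illustration.

```autoit
; Parse a WMI object-path reference such as the PartComponent or GroupComponent
; value of CIM_DirectoryContainsFile.
; Returns a 4-element array: [0] host, [1] namespace, [2] class, [3] unescaped Name key.
; Sets @error = 1 when the string does not end in <Class>.Name="<value>".
Func _WmiRefParse($sRef)
    Local $aResult[4] = ["", "", "", ""]
    ; Key part: the quoted value may contain backslash-escaped characters.
    Local $aKey = StringRegExp($sRef, '(?i)(\w+)\.Name="((?:\\.|[^"\\])*)"$', 1)
    If @error Then Return SetError(1, 0, $aResult)
    $aResult[2] = $aKey[0]
    ; Inside the quoted key, \\ stands for \ and \" stands for ".
    $aResult[3] = StringRegExpReplace($aKey[1], '\\(.)', '$1')
    ; Optional absolute prefix: \\HOST\namespace:
    Local $aPrefix = StringRegExp($sRef, '^\\\\([^\\]+)\\([^:]+):', 1)
    If Not @error Then
        $aResult[0] = $aPrefix[0]
        $aResult[1] = $aPrefix[1]
    EndIf
    Return $aResult
EndFunc   ;==>_WmiRefParse

; Turn an event class name plus a PartComponent string into one log line.
Func _DescribeFileEvent($sEventClass, $sPartComponent)
    Local $aRef = _WmiRefParse($sPartComponent)
    If @error Then Return "unparsed reference: " & $sPartComponent
    Local $sVerb
    Switch $sEventClass
        Case "__InstanceCreationEvent"
            $sVerb = "created"
        Case "__InstanceDeletionEvent"
            $sVerb = "deleted"
        Case Else
            $sVerb = "changed"
    EndSwitch
    Return $sVerb & ": " & $aRef[3] & " (host " & $aRef[0] & ", class " & $aRef[2] & ")"
EndFunc   ;==>_DescribeFileEvent

; Constructed sample values in the shape WMI uses for PartComponent.
Global $aSamples[3][2] = [ _
        ["__InstanceCreationEvent", '\\WORKSTATION1\root\cimv2:CIM_DataFile.Name="c:\\1\\report.txt"'], _
        ["__InstanceDeletionEvent", '\\WORKSTATION1\root\cimv2:CIM_DataFile.Name="c:\\1\\old data.log"'], _
        ["__InstanceCreationEvent", "not a reference"]]

For $i = 0 To UBound($aSamples) - 1
    ConsoleWrite(_DescribeFileEvent($aSamples[$i][0], $aSamples[$i][1]) & @CRLF)
Next
```

In the synchronous loop from the first post, the two arguments would be `$objEventObject.Path_.Class()` and `$objEventObject.TargetInstance.PartComponent()`.
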
nitekram, posted May 2, 2007

> i really don't understand what you mean
> if you need the processID, try :
> $objLatestEvent.TargetInstance.ProcessId

```autoit
ConsoleWrite("Sink Name: " & $objAsyncContext.Item ("sinkname").Value & @CRLF)
```

I get the ID but I am looking to get the name of the process - any ideas