如果有一个为命名进程创建进程观察器的函数,就像这样
function New-Watcher {
param ([string] $processname)
$alarm = New-Object System.Management.EventQuery
$alarm.QueryString = "Select * from __InstanceCreationEvent WITHIN 1 WHERE targetinstance ISA 'Win32_Process' AND targetinstance.name = '$processname'"
New-Object System.Management.ManagementEventWatcher $alarm
}
我创造了像这样的多个观察者
$mywatcher1 = New-Watcher "notepad.exe"
$mywatcher2 = New-Watcher "cmd.exe"
# all the way down to...
$mywatcherxxx = New-Watcher "powershell.exe"
是否有一个cmdlet,列出了所有已创建的实例?
适用于Register-WmiEvent的Get-EventSubscriber。
答案 0 :(得分:1)
如果要将每个变量分配给变量,则可以始终执行以下操作:
Get-Variable|Where{$_.Value -is [System.Management.ManagementEventWatcher]}
那会输出:
Name Value
---- -----
mywatcher1 System.Management.ManagementEventWatcher
mywatcher2 System.Management.ManagementEventWatcher
或者如果你想让它变得更好,你可以通过ForEach运行数据并使自定义对象解析出每个人正在观看的内容:
Get-Variable mywatch*|
Where{$_.Value -is [System.Management.ManagementEventWatcher]}|
ForEach{
$QString = $_.value.query.querystring
[pscustomobject][ordered]@{
Variable=$_.Name
Watching=$Qstring.substring(($QString.lastindexof("= "))+2).trim("'")
}
}
反过来会反击:
Variable Watching
-------- --------
mywatcher1 notepad.exe
mywatcher2 cmd.exe