Which method called the IWbemObjectSink::Indicate method

Time: 2015-02-26 12:03:23

Tags: c++ events process wql

I am developing an application in C++ using VS2010. In my code, I have two WQL queries, as shown below:

    hres = pSvc->ExecNotificationQueryAsync(
        _bstr_t("WQL"),
        _bstr_t("SELECT * "
            "FROM __InstanceDeletionEvent WITHIN 1 "
            "WHERE TargetInstance ISA 'Win32_Process' "),
        WBEM_FLAG_SEND_STATUS,
        NULL,
        pStubSink);

    hres1 = pSvc->ExecNotificationQueryAsync(
        _bstr_t("WQL"),
        _bstr_t("SELECT * "
            "FROM __InstanceCreationEvent WITHIN 1 "
            "WHERE TargetInstance ISA 'Win32_Process'"),
        WBEM_FLAG_SEND_STATUS,
        NULL,
        pStubSink);

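When a process is created or deleted, I print its name to the console from the IWbemObjectSink::Indicate method. When printing the process name, I need to know whether it was created or deleted. How can I know this? Is there a way to know which asynchronous method called the Indicate method?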

三江源

1 answer:

Answer 0: (score: 1)

__InstanceDeletionEvent and __InstanceCreationEvent are subclasses of __InstanceOperationEvent. So you should query for instances of __InstanceOperationEvent. Then you get the class from the object in your Sink class (e.g., pStubSink) to know which instance is being created. Have a look at this sample to see how to handle a similar situation: http://blogs.technet.com/b/heyscriptingguy/archive/2005/04/04/how-can-i-monitor-for-different-types-of-events-with-just-one-script.aspx

UPDATE1:

__InstanceOperationEvent is the superclass of the following classes: __InstanceDeletionEvent, __InstanceCreationEvent and __InstanceModificationEvent.

pSvc->ExecNotificationQueryAsync(
        _bstr_t("WQL"), 
        _bstr_t("SELECT * FROM __InstanceOperationEvent WITHIN 1 WHERE Targetinstance ISA 'Win32_Process'"), 
        WBEM_FLAG_SEND_STATUS, 
        NULL, 
        pStubSink);

In your Indicate function:

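// Member of your IWbemObjectSink implementation (the class behind pStubSink).
HRESULT STDMETHODCALLTYPE Indicate(long lObjectCount,
    IWbemClassObject **apObjArray)
{
    HRESULT hr = S_OK;
    for (int i = 0; i < lObjectCount; i++)
    {
        _variant_t myVariant;

        // __Class is the system property holding the class name of the event object.
        hr = apObjArray[i]->Get(_bstr_t(L"__Class"), 0, &myVariant, 0, 0);

        if (SUCCEEDED(hr) && myVariant.vt == VT_BSTR)
        {
            std::wstring classOrigin(myVariant.bstrVal);

            if (0 == classOrigin.compare(L"__InstanceDeletionEvent"))
            {
                // The event came from the deletion of an instance.
                std::wcout << L"DELETION" << std::endl;
            }
            else if (0 == classOrigin.compare(L"__InstanceCreationEvent"))
            {
                // The event came from the creation of an instance.
                std::wcout << L"CREATION" << std::endl;
            }
        }
    }
    return WBEM_S_NO_ERROR;
}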

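myVariant will tell which class generated the event (read the comments).

Note: this will result in constant calls to pStubSink, because processes are constantly being modified (__InstanceModificationEvent, e.g., changes in memory/CPU).

UPDATE2: You can also have two different queries (and corresponding Sink objects), one for creation and one for deletion (e.g., pStubSinkCreation, pStubSinkDeletion). This way, you will (1) know exactly when it comes from Creation and when it comes from Deletion; (2) avoid constantly receiving __InstanceModificationEvent.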
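An added example, not part of the original question or answer: it goes one step beyond the `__Class` check above and also reads the embedded `TargetInstance` (the `Win32_Process` object), so each line pairs the process name and PID with whether it was created or deleted. `EventLabel` and `ReportProcessEvent` are hypothetical names; the helper is meant to be called from `Indicate` for each `apObjArray[i]`, and the Windows part assumes the project already links `wbemuuid.lib`.

```cpp
#include <cwctype>
#include <iostream>
#include <string>

// Map an event's __Class value to a label. nullptr means "not a lifecycle event"
// (e.g. __InstanceModificationEvent). WMI class names are case-insensitive.
const wchar_t *EventLabel(const std::wstring &cls)
{
    std::wstring lower(cls);
    for (size_t i = 0; i < lower.size(); ++i)
        lower[i] = static_cast<wchar_t>(std::towlower(lower[i]));
    if (lower == L"__instancecreationevent") return L"CREATED";
    if (lower == L"__instancedeletionevent") return L"DELETED";
    return nullptr;
}

#ifdef _WIN32
#include <comdef.h>
#include <wbemidl.h>
// Hypothetical helper: call it from Indicate() for each apObjArray[i].
void ReportProcessEvent(IWbemClassObject *evt)
{
    _variant_t cls, target, name, pid;
    if (FAILED(evt->Get(L"__Class", 0, &cls, 0, 0)) || cls.vt != VT_BSTR)
        return;
    const wchar_t *label = EventLabel(cls.bstrVal);
    if (label == nullptr)
        return;  // skip modification events (CPU/memory churn)
    // TargetInstance is the embedded Win32_Process object, delivered as IUnknown.
    if (FAILED(evt->Get(L"TargetInstance", 0, &target, 0, 0)) ||
        target.vt != VT_UNKNOWN || target.punkVal == nullptr)
        return;
    IWbemClassObject *proc = nullptr;
    if (FAILED(target.punkVal->QueryInterface(
            IID_IWbemClassObject, reinterpret_cast<void **>(&proc))))
        return;
    if (SUCCEEDED(proc->Get(L"Name", 0, &name, 0, 0)) && name.vt == VT_BSTR &&
        SUCCEEDED(proc->Get(L"ProcessId", 0, &pid, 0, 0)) && pid.vt == VT_I4)
        std::wcout << label << L" " << name.bstrVal << L" pid=" << pid.lVal << std::endl;
    proc->Release();
}
#endif

int main()
{
    // Constructed __Class value, as Indicate() would read it from an event object.
    std::wcout << EventLabel(L"__InstanceDeletionEvent") << std::endl;
    return 0;
}
```

Returning early for anything other than creation and deletion keeps the console output (or a detection log built on it) free of the constant modification events described in the note above.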