WMI permanent event

Time: 2015-07-08 12:14:49

Tags: powershell events wmi

I am trying to set up a WMI permanent event based on specific events from the network card on Windows 7 SP1.

I use this code:

    #Creating a new event filter
    $instanceFilter = ([wmiclass]"\\.\root\subscription:__EventFilter").CreateInstance()
    $instanceFilter.QueryLanguage = "WQL"
    $instanceFilter.Query = "Select * From __InstanceCreationEvent Where TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.LogFile='System' AND TargetInstance.SourceName LIKE '%e1_express%' AND (TargetInstance.EventCode=27 OR TargetInstance.EventCode=32 OR TargetInstance.EventCode=33 OR TargetInstance.EventCode=36)"
    $instanceFilter.Name = "LAN_Watcher_Filter"
    $instanceFilter.EventNamespace = 'root\cimv2'
    $result = $instanceFilter.Put()
    $newFilter = $result.Path


    #Creating a new event consumer

    $instanceConsumer = ([wmiclass]"\\.\root\subscription:CommandLineEventConsumer").CreateInstance()
    $instanceConsumer.Name ='LAN_Watcher_Consumer'
    $instanceConsumer.ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    $instanceConsumer.CommandLineTemplate="-file C:\Windows\System32\Switch_LAN_TEST.ps1"
    $result = $instanceConsumer.Put()
    $newConsumer = $result.Path


    #Bind filter and consumer
    $instanceBinding = ([wmiclass]"\\.\root\subscription:__FilterToConsumerBinding").CreateInstance()
    $instanceBinding.Filter = $newFilter
    $instanceBinding.Consumer = $newConsumer
    $result = $instanceBinding.Put()
    $newBinding = $result.Path


    ##Removing WMI Subscriptions using [wmi] and Delete() Method
    #([wmi]$newFilter).Delete()
    #([wmi]$newConsumer).Delete()
    #([wmi]$newBinding).Delete()

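I can close the PowerShell session and the script will still start, but if I restart the computer, the permanent event exists again but the script does not work.

Any ideas? Thanks.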

0 answers:

No answers
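
A read-only way to see what is actually registered in `root\subscription` after a reboot, added here as an example and not part of the original post or any answer: it joins each `__FilterToConsumerBinding` to its filter and consumer so the stored query and command line can be reviewed, and flags bindings whose filter or consumer no longer exists. The function name `Get-WmiPermanentSubscription` is hypothetical, and the example assumes it is run from an elevated session.

```powershell
# Added example: audit permanent WMI event subscriptions (read-only).
# Get-WmiPermanentSubscription is a hypothetical name, not a built-in cmdlet.
function Get-WmiPermanentSubscription {
    param([string]$Namespace = 'root\subscription')

    # Index filters and consumers by relative path, e.g. __EventFilter.Name="X".
    # PowerShell hashtables are case-insensitive, which matches WMI path rules.
    $index = @{}
    Get-WmiObject -Namespace $Namespace -Class __EventFilter |
        ForEach-Object { $index[$_.__RELPATH] = $_ }

    # Querying the abstract base class also returns CommandLineEventConsumer,
    # ActiveScriptEventConsumer and the other consumer types.
    Get-WmiObject -Namespace $Namespace -Class __EventConsumer |
        ForEach-Object { $index[$_.__RELPATH] = $_ }

    $bindings = Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding
    foreach ($binding in $bindings) {
        # References may be stored as full paths (\\HOST\namespace:Class.Name="X");
        # drop everything up to the first ':' to get the relative path.
        $filterKey   = $binding.Filter   -replace '^\\\\[^:]+:', ''
        $consumerKey = $binding.Consumer -replace '^\\\\[^:]+:', ''
        $filter   = $index[$filterKey]
        $consumer = $index[$consumerKey]

        New-Object PSObject -Property @{
            Filter              = $filterKey
            Consumer            = $consumerKey
            # False means the binding points at an object that no longer exists.
            Resolved            = ($filter -ne $null -and $consumer -ne $null)
            EventNamespace      = $filter.EventNamespace
            Query               = $filter.Query
            # These two are empty for consumer types other than CommandLineEventConsumer.
            ExecutablePath      = $consumer.ExecutablePath
            CommandLineTemplate = $consumer.CommandLineTemplate
        }
    }
}

# List every subscription with the fields most useful for review.
Get-WmiPermanentSubscription |
    Select-Object Filter, Consumer, Resolved, EventNamespace, Query,
                  ExecutablePath, CommandLineTemplate |
    Format-List
```

Because a `CommandLineEventConsumer` launches its process whenever the bound filter matches, the same listing is a useful periodic review of which command lines are registered to run from WMI on a host.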