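I am trying to create a permanent WMI event consumer that waits for a process to be created with specific command-line arguments and then terminates it.
So far I can get my event handler to fire when expected and write to a test log file. I can even access the parameters from the WMI event using TargetEvent.TargetInstance. However, when I try to call Terminate on it, it fails.
I am also unable to create instances of objects such as wscript.shell or wscript.network. I believe this may be because the script is not actually running in Windows Script Host.
So my question is how to get the Terminate method to work on my Win32_Process instance, or whether there is a way to call an external command (given that I cannot use the wscript.shell object).
I got most of the details on how to create the MOF file from here: http://www.codeproject.com/KB/system/PermEvtSubscriptionMOF.aspx?display=Print
My setup MOF file is as follows: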
#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
Name = "My Test Filter";
EventNamespace = "Root\\Cimv2";
Query = "Select * From __InstanceCreationEvent Within 2 "
"Where TargetInstance Isa \"Win32_Process\" "
"And Targetinstance.Name = \"notepad.exe\" "
"And Targetinstance.CommandLine LIKE \"%test.txt%\"";
QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
Name = "MyTestConsumer";
ScriptingEngine = "VBScript";
ScriptText =
"On Error Resume Next\n"
"'Set WshShell = WScript.CreateObject(\"WScript.Shell\")\n"
"Set objFSO = CreateObject(\"Scripting.FileSystemObject\")\n"
"Set objFile = objFSO.OpenTextFile(\"c:\\log.txt\", 8, True)\n"
"objFile.WriteLine Time & \" \" & \" notepad started \" & TargetEvent.TargetInstance.Handle \n"
"objFile.Close\n"
"TargetEvent.TargetInstance.Terminate()\n";
};
instance of __FilterToConsumerBinding
{
Filter = $EventFilter;
Consumer = $Consumer;
};
My removal MOF file is:
#pragma namespace("\\\\.\\root\\subscription")
#Pragma deleteInstance("__EventFilter.Name=\"My Test Filter\"",FAIL)
#Pragma deleteInstance("ActiveScriptEventConsumer.Name=\"MyTestConsumer\"",FAIL)
#pragma deleteinstance ("__FilterToConsumerBinding.Consumer="
"\"\\\\\\\\.\\\\root\\\\subscription:ActiveScriptEventConsumer.Name=\\\"MyTestConsumer\\\"\","
"Filter=\"\\\\\\\\.\\\\root\\\\subscription:__EventFilter.Name=\\\"My Test Filter\\\"\"", FAIL)
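Answer 0 (score: 1)
I don't know what the reason is, but I never managed to get it to work either. At first glance it should: TargetEvent.TargetInstance.Name returns the process name, and so on. But when the method is called, an error is written to wbemess.log:
Scripting Engine says: Microsoft VBScript runtime error: Object doesn't support this property or method: 'TargetEvent.TargetInstance.Terminate' (Wed Apr 13 19:44:54 2011.15735734) : Dropping event destined for event consumer ActiveScriptEventConsumer="TestConsumer" in namespace //./root/subscription
Here is my workaround: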
instance of __EventFilter as $EventFilter
{
EventNamespace = "Root\\Cimv2";
Name = "New Process Instance Filter";
Query = "Select * From __InstanceCreationEvent Within 2 "
"Where TargetInstance Isa \"Win32_Process\" "
"And Targetinstance.Name = \"notepad.exe\" ";
QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
Name = "TargetEventConsumer";
ScriptingEngine = "VBScript";
ScriptText =
"Set objWmi = GetObject(\"winmgmts:\")\n"
"\n"
"Set objProcess = objWmi.Get(\"Win32_Process.Handle='\" _\n"
" & TargetEvent.TargetInstance.Handle & \"'\")\n"
"\n"
"objProcess.Terminate\n";
};
instance of __FilterToConsumerBinding
{
Consumer = $Consumer;
Filter = $EventFilter;
};
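In the script, I use SWbemServices.Get() to get the created process instance, and then Terminate works. Just pass TargetEvent.TargetInstance.Handle to SWbemServices.Get().
You failed to use the WshShell object because you tried to create it with WScript.CreateObject, and WScript is not available to the ActiveScriptConsumer VBScript engine. If you use the VBScript CreateObject() function, it should work. The same goes for WshNetwork.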
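
To confirm that the filter, consumer and binding from the MOF files above were registered (or fully removed by the delete MOF), the subscriptions in root\subscription can be listed with their query and script text. This is an added example, not part of the original question or answer; the function name Get-WmiSubscriptionReport is hypothetical, and it assumes an elevated PowerShell session with the CIM cmdlets available.

```powershell
# Added example: list permanent WMI event subscriptions in root\subscription.
# Run from an elevated prompt; the function name is hypothetical.
function Get-WmiSubscriptionReport {
    param([string]$Namespace = 'root/subscription')

    # Index filters by Name (the key property of __EventFilter).
    $filters = @{}
    Get-CimInstance -Namespace $Namespace -ClassName __EventFilter |
        ForEach-Object { $filters[$_.Name] = $_ }

    # Index consumers of every subclass by "Class|Name".
    $consumers = @{}
    Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer |
        ForEach-Object {
            $key = '{0}|{1}' -f $_.CimSystemProperties.ClassName, $_.Name
            $consumers[$key] = $_
        }

    # A binding is what makes a filter/consumer pair active.
    Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding |
        ForEach-Object {
            $class = $_.Consumer.CimSystemProperties.ClassName
            $f = $filters[$_.Filter.Name]
            $c = $consumers['{0}|{1}' -f $class, $_.Consumer.Name]
            # What the consumer runs: inline script, script file, or command line.
            $payload = @($c.ScriptText, $c.ScriptFileName, $c.CommandLineTemplate) |
                Where-Object { $_ } | Select-Object -First 1
            [pscustomobject]@{
                Filter         = $_.Filter.Name
                EventNamespace = $f.EventNamespace
                Query          = $f.Query
                ConsumerClass  = $class
                Consumer       = $_.Consumer.Name
                Payload        = $payload
            }
        }
}

Get-WmiSubscriptionReport | Format-List
```

After the delete MOF has been compiled, no row should remain for "My Test Filter" or "MyTestConsumer"; a row with an empty Query or Payload indicates a binding whose filter or consumer instance is missing.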