WMI Event Subscriptions

Invoke-IR edited this page Oct 18, 2014 · 1 revision

Table of Contents

Windows Management Instrumentation

WMI Permanent Event Subscriptions

Namespace

Classes

  • __EventFilter
  • CommandLineEventConsumer
  • __FilterToConsumerBinding
  • __InstanceCreationEvent
  • __InstanceModificationEvent
  • __InstanceDeletionEvent

Other Important Concepts

  • %TargetInstance%
  • %PreviousInstance%

Windows Management Instrumentation

WMI Permanent Event Subscriptions


Namespace

  • root/subscription namespace

Important Classes

class __EventFilter : __IndicationRelated
{
  // Default CreatorSID is the binary form of S-1-5-18 (LocalSystem).
  uint8  CreatorSID[] = {1,1,0,0,0,0,0,5,18,0,0,0};
  string EventAccess;
  string EventNamespace;
  string Name;
  string Query;
  string QueryLanguage;
};

class CommandLineEventConsumer : __EventConsumer
{
  string  CommandLineTemplate;
  boolean CreateNewConsole = False;
  boolean CreateNewProcessGroup = True;
  boolean CreateSeparateWowVdm = False;
  boolean CreateSharedWowVdm = False;
  string  DesktopName;
  string  ExecutablePath;
  uint32  FillAttributes;
  boolean ForceOffFeedback = False;
  boolean ForceOnFeedback = False;
  uint32  KillTimeout = 0;
  string  Name;
  sint32  Priority = 0x20;
  boolean RunInteractively = False;
  uint32  ShowWindowCommand;
  boolean UseDefaultErrorMode = False;
  string  WindowTitle;
  string  WorkingDirectory;
  uint32  XCoordinate;
  uint32  XNumCharacters;
  uint32  XSize;
  uint32  YCoordinate;
  uint32  YNumCharacters;
  uint32  YSize;
};

class __FilterToConsumerBinding : __IndicationRelated
{
  __EventConsumer REF Consumer;
  uint8           CreatorSID[];
  boolean         DeliverSynchronously = False;
  uint32          DeliveryQoS;
  __EventFilter   REF Filter;
  boolean         MaintainSecurityContext = False;
  boolean         SlowDownProviders = False;
};

class __InstanceCreationEvent : __InstanceOperationEvent
{
  uint8  SECURITY_DESCRIPTOR[];
  object TargetInstance;
  uint64 TIME_CREATED;
};

class __InstanceModificationEvent : __InstanceOperationEvent
{
  object PreviousInstance;
  uint8  SECURITY_DESCRIPTOR[];
  object TargetInstance;
  uint64 TIME_CREATED;
};

class __InstanceDeletionEvent : __InstanceOperationEvent
{
  uint8  SECURITY_DESCRIPTOR[];
  object TargetInstance;
  uint64 TIME_CREATED;
};

Other Important Concepts

  • %TargetInstance%. Instance affected by the event. For creation events, this is the newly created instance. For modification events, this is the new version of the changed instance. For deletion events, this is the deleted instance.

  • %PreviousInstance%. Copy of the instance prior to modification.
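The three subscription classes listed under Important Classes only form a working subscription when a __FilterToConsumerBinding references both an __EventFilter and a consumer. The following audit script is an added example, not part of the original page: it resolves each binding in root/subscription to its trigger query and command line. It assumes PowerShell 3.0 or later (the CIM cmdlets) and a session with rights to read the namespace.

```powershell
# Added example: list every permanent WMI event subscription in
# root/subscription together with its trigger query and command line.
$ns = 'root/subscription'

# Index filters and command-line consumers by their key property (Name).
$filters = @{}
Get-CimInstance -Namespace $ns -ClassName __EventFilter |
    ForEach-Object { $filters[$_.Name] = $_ }

$cmdConsumers = @{}
Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer |
    ForEach-Object { $cmdConsumers[$_.Name] = $_ }

# Each binding holds a reference (key only) to one filter and one consumer.
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
    ForEach-Object {
        $filter = $filters[$_.Filter.Name]
        $class  = $_.Consumer.CimSystemProperties.ClassName

        # Only CommandLineEventConsumer is resolved here; other consumer
        # classes are still reported by class and name.
        $consumer = if ($class -eq 'CommandLineEventConsumer') {
            $cmdConsumers[$_.Consumer.Name]
        }

        # CreatorSID is a binary SID; convert it to the S-1-... string form.
        $sid = New-Object System.Security.Principal.SecurityIdentifier ([byte[]]$_.CreatorSID, 0)

        [pscustomobject]@{
            Filter         = $_.Filter.Name
            EventNamespace = $filter.EventNamespace
            Query          = $filter.Query            # empty if the filter no longer exists
            ConsumerClass  = $class
            Consumer       = $_.Consumer.Name
            CommandLine    = $consumer.CommandLineTemplate
            ExecutablePath = $consumer.ExecutablePath
            CreatorSID     = $sid.Value
        }
    } | Format-List
```

A binding whose Query or CommandLine comes back empty points at a filter or consumer that is missing from the namespace (or at a consumer class other than CommandLineEventConsumer), which is worth noting during triage.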