Using WMI in AutoIt: Master Index
<blockquote dir="ltr" style="margin-right: 0px"><p><strong>9. WMI Events</strong></p><p>A WMI event is a notification issued when the properties of a particular object change; there are three types: creation, modification, and deletion.</p><p>First, look at the following example:</p>
<blockquote dir="ltr" style="margin-right: 0px"><p><span class="re0">$strComputer</span> = <span class="st0">"."</span><br /><br /><span class="re0">$objWMIService</span> = <span class="kw3">ObjGet</span><span class="br0">(</span><span class="st0">"winmgmts://"</span> & <span class="re0">$strComputer</span> & <span class="st0">"/root/cimv2"</span><span class="br0">)</span><br /><br /><span class="re0">$strWQL</span> = <span class="st0">"SELECT * "</span> & _<br /><span class="st0">"FROM __InstanceCreationEvent "</span> & _ <br /><span class="st0">"WITHin 2 "</span> & _<br /><span class="st0">"WHERE TargetInstance ISA 'Win32_Process' "</span> & _<br /><span class="st0">"AND TargetInstance.Name = 'notepad.exe'"</span><br /><br /><span class="kw3">ConsoleWrite</span><span class="br0">(</span> <span class="st0">"Waiting for a new instance of Notepad to start..."</span> & <span class="re0">@CrLf</span> <span class="br0">)</span><br /><span class="re0">$objEventSource</span> = <span class="re0">$objWMIService</span>.<span class="me1">ExecNotificationQuery</span><span class="br0">(</span><span class="re0">$strWQL</span><span class="br0">)</span><br /><span class="re0">$objEventObject</span> = <span class="re0">$objEventSource</span>.<span class="me1">NextEvent</span><span class="br0">(</span><span class="br0">)</span><br /><span class="kw3">ConsoleWrite</span><span class="br0">(</span> <span class="st0">"A new instance of Notepad was just started."</span> & <span class="re0">@CrLf</span> <span class="br0">)</span></p></blockquote>
<p>When you start Notepad, the program prints a message. Here is an explanation of the code:</p>
<blockquote dir="ltr" style="margin-right: 0px"><p><span class="re0">$strComputer</span> = <span class="st0">"."</span><br /><br /><span class="re0">$objWMIService</span> = <span class="kw3">ObjGet</span><span class="br0">(</span><span class="st0">"winmgmts://"</span> & <span class="re0">$strComputer</span> & <span class="st0">"/root/cimv2"</span><span class="br0">)</span></p></blockquote>
<p>Connect to the namespace.</p>
<blockquote dir="ltr" style="margin-right: 0px"><p><span class="re0">$strWQL</span> = <span class="st0">"SELECT * "</span> & _<br /><span class="st0">"FROM __InstanceCreationEvent "</span> & _ <br /><span class="st0">"WITHin 2 "</span> & _<br /><span class="st0">"WHERE TargetInstance ISA 'Win32_Process' "</span> & _<br /><span class="st0">"AND TargetInstance.Name = 'notepad.exe'"</span></p></blockquote>
<p>This is a WQL query. __InstanceCreationEvent means watching for the creation of new instances, which here means new processes being created. Similar classes are __InstanceModificationEvent, __InstanceDeletionEvent and __InstanceOperationEvent, which represent modification, deletion, and all operations (that is, the combination of the three above) respectively. WITHin 2 means the query is run once every two seconds. TargetInstance ISA 'Win32_Process' means monitoring the Win32_Process class. TargetInstance.Name = 'notepad.exe' means monitoring instances whose Name property is notepad.exe.</p>
<blockquote dir="ltr" style="margin-right: 0px"><p>$objEventSource = $objWMIService.ExecNotificationQuery($strWQL)<br />$objEventObject = $objEventSource.NextEvent()</p></blockquote>
<p>ExecNotificationQuery means much the same as ExecQuery, except that the former is used specifically to receive WMI events. $objEventSource.NextEvent() keeps running the WQL query until a notification is produced; the script is paused during this time.</p>
<p>In addition, you can use $objEventObject.Path_.Class to get the type of the notification, for example __InstanceCreationEvent. You can also use $objEventObject.TargetInstance. followed by a property name to get the properties of the instance that produced the notification.</p>
<p>That is all for the theory; I believe the rest will become clear once you have looked at the examples below.</p>
<p>Here is an example that monitors processes:</p>
<blockquote dir="ltr" style="margin-right: 0px"><p><span class="re0">$strComputer</span> = <span class="st0">"."</span><br /><br /><span class="re0">$objWMIService</span> = <span class="kw3">ObjGet</span><span class="br0">(</span><span class="st0">"winmgmts://"</span> & <span class="re0">$strComputer</span> & <span class="st0">"/root/cimv2"</span><span class="br0">)</span><br /><br /><span class="re0">$strQuery</span> = <span class="st0">"SELECT * "</span> & _<br /><span class="st0">"FROM __InstanceOperationEvent "</span> & _ <br /><span class="st0">"WITHin 2 "</span> & _<br /><span class="st0">"WHERE TargetInstance ISA 'Win32_Process' "</span> <br /><br /><span class="re0">$objEventSource</span> = <span class="re0">$objWMIService</span>.<span class="me1">ExecNotificationQuery</span><span class="br0">(</span><span class="re0">$strQuery</span><span class="br0">)</span><br /><br /><span class="kw3">ConsoleWrite</span><span class="br0">(</span> <span class="st0">"进程监控开始..."</span> & <span class="re0">@CRLF</span> <span class="br0">)</span><br /><br /><span class="kw1">While</span> <span class="nu0">1</span><br /><span class="re0">$objEventObject</span> = <span class="re0">$objEventSource</span>.<span class="me1">NextEvent</span><span class="br0">(</span><span class="br0">)</span><br /><span class="kw1">Switch</span> <span class="re0">$objEventObject</span>.<span class="me1">Path_</span>.<span class="me1">Class</span><br /><span class="kw1">Case</span> <span class="st0">"__InstanceCreationEvent"</span> <br /><span class="kw3">ConsoleWrite</span><span class="br0">(</span><span class="st0">"新进程建立:"</span> & <span class="re0">$objEventObject</span>.<span class="me1">TargetInstance</span>.<span class="me1">Name</span> & <span class="re0">@CrLf</span> <span class="br0">)</span><br /><span class="kw1">Case</span> <span class="st0">"__InstanceDeletionEvent"</span><br /><span class="kw3">ConsoleWrite</span><span class="br0">(</span><span class="st0">"进程被关闭:"</span> & <span class="re0">$objEventObject</span>.<span class="me1">TargetInstance</span>.<span class="me1">Name</span> & <span class="re0">@CrLf</span> <span class="br0">)</span><br /><span class="kw1">EndSwitch</span><br /><span class="kw1">WEnd</span></p></blockquote>
<p>Here is an example of file monitoring:</p>
<blockquote dir="ltr" style="margin-right: 0px"><p><span class="re0">$strComputer</span> = <span class="st0">"."</span><br /><span class="re0">$objWMIService</span> = <span class="kw3">ObjGet</span><span class="br0">(</span><span class="st0">"winmgmts:\\"</span> & <span class="re0">$strComputer</span> & <span class="st0">"\root\cimv2"</span><span class="br0">)</span><br /><br /><span class="re0">$colMonitoredEvents</span> = <span class="re0">$objWMIService</span>.<span class="me1">ExecNotificationQuery</span> _<br /><span class="br0">(</span><span class="st0">"SELECT * FROM __InstanceOperationEvent WITHIN 5 WHERE "</span> _<br />& <span class="st0">"Targetinstance ISA 'CIM_DirectoryContainsFile' and "</span> _<br />& <span class="st0">"TargetInstance.GroupComponent= "</span> _<br />& <span class="st0">"'Win32_Directory.Name="</span><span class="st0">"c:\\\\1"</span><span class="st0">"'"</span><span class="br0">)</span><br /><br /><span class="kw1">While</span> <span class="nu0">1</span><br /><span class="re0">$objEventObject</span> = <span class="re0">$colMonitoredEvents</span>.<span class="me1">NextEvent</span><span class="br0">(</span><span class="br0">)</span><br /><br /><span class="kw1">Select</span> <br /><span class="kw1">Case</span> <span class="re0">$objEventObject</span>.<span class="me1">Path_</span>.<span class="me1">Class</span><span class="br0">(</span><span class="br0">)</span>=<span class="st0">"__InstanceCreationEvent"</span><br /><span class="kw3">ConsoleWrite</span> <span class="br0">(</span><span class="st0">"A new file was just created: "</span> & <span class="re0">$objEventObject</span>.<span class="me1">TargetInstance</span>.<span class="me1">PartComponent</span><span class="br0">(</span><span class="br0">)</span> & <span class="re0">@CR</span><span class="br0">)</span><br /><span class="kw1">Case</span> <span class="re0">$objEventObject</span>.<span class="me1">Path_</span>.<span class="me1">Class</span><span class="br0">(</span><span class="br0">)</span>=<span class="st0">"__InstanceDeletionEvent"</span><br /><span class="kw3">ConsoleWrite</span> <span class="br0">(</span><span class="st0">"A file was just deleted: "</span> & <span class="re0">$objEventObject</span>.<span class="me1">TargetInstance</span>.<span class="me1">PartComponent</span><span class="br0">(</span><span class="br0">)</span> & <span class="re0">@CR</span><span class="br0">)</span><br /><span class="kw1">EndSelect</span><br /><span class="kw1">WEnd</span></p></blockquote>
<p>Here is an example that monitors USB devices:</p>
<blockquote dir="ltr" style="margin-right: 0px"><p><span class="re0">$strComputer</span> = <span class="st0">"."</span><br /><span class="re0">$objWMIService</span> = <span class="kw3">ObjGet</span><span class="br0">(</span><span class="st0">"winmgmts:\\"</span> & <span class="re0">$strComputer</span> & <span class="st0">"\root\cimv2"</span><span class="br0">)</span><br /><br /><span class="re0">$colEvents</span> = <span class="re0">$objWMIService</span>.<span class="me1">ExecNotificationQuery</span> _<br /><span class="br0">(</span><span class="st0">"Select * From __InstanceOperationEvent Within 5 Where "</span> _<br />& <span class="st0">"TargetInstance isa 'Win32_LogicalDisk'"</span><span class="br0">)</span><br /><br /><span class="kw1">While</span> <span class="nu0">1</span><br /><span class="re0">$objEvent</span> = <span class="re0">$colEvents</span>.<span class="me1">NextEvent</span><br /><span class="kw1">If</span> <span class="re0">$objEvent</span>.<span class="me1">TargetInstance</span>.<span class="me1">DriveType</span> = <span class="nu0">2</span> <span class="kw1">Then</span> <br /><span class="kw1">Select</span> <br /><span class="kw1">Case</span> <span class="re0">$objEvent</span>.<span class="me1">Path_</span>.<span class="me1">Class</span><span class="br0">(</span><span class="br0">)</span>=<span class="st0">"__InstanceCreationEvent"</span><br /><span class="kw3">Consolewrite</span><span class="br0">(</span><span class="st0">"Drive "</span> & <span class="re0">$objEvent</span>.<span class="me1">TargetInstance</span>.<span class="me1">DeviceId</span> & <span class="st0">" has been added."</span> & <span class="re0">@CR</span><span class="br0">)</span><br /><span class="kw1">Case</span> <span class="re0">$objEvent</span>.<span class="me1">Path_</span>.<span class="me1">Class</span><span class="br0">(</span><span class="br0">)</span>=<span class="st0">"__InstanceDeletionEvent"</span><br /><span class="kw3">Consolewrite</span><span class="br0">(</span><span class="st0">"Drive "</span> & <span class="re0">$objEvent</span>.<span class="me1">TargetInstance</span>.<span class="me1">DeviceId</span> & <span class="st0">" has been removed."</span> & <span class="re0">@CR</span><span class="br0">)</span><br /><span class="kw1">EndSelect</span><br /><span class="kw1">EndIf</span><br /><span class="kw1">WEnd</span></p></blockquote></blockquote>
Is this supposed to be the master index? That's misleading; you post without even checking. Very nice. Thanks to the OP for sharing.
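An added example, not part of the original post: the process-monitoring loop from the tutorial, extended to log the PID, parent PID and command line of each new process and to use a timeout on NextEvent so the script does not block forever. It assumes AutoIt 3.3.10 or later for the COM error handler signature; the 5000 ms timeout and the helper names `_Stamp` and `_OnComError` are illustrative choices.

```autoit
; Added example (not from the original post): log process creation events.
Global $g_sComErr = ""   ; last COM error number as 8 hex digits, "" if none
Global $g_oErrHandler = ObjEvent("AutoIt.Error", "_OnComError")

Global $objWMIService = ObjGet("winmgmts:\\.\root\cimv2")
If Not IsObj($objWMIService) Then Exit 1

Global $strWQL = "SELECT * FROM __InstanceCreationEvent WITHIN 2 " & _
        "WHERE TargetInstance ISA 'Win32_Process'"
Global $objEventSource = $objWMIService.ExecNotificationQuery($strWQL)
If Not IsObj($objEventSource) Then Exit 2

Global $objEvent, $objProc
ConsoleWrite(_Stamp() & " monitoring started" & @CRLF)

While 1
    $g_sComErr = ""
    ; Wait at most 5000 ms for the next event instead of blocking indefinitely.
    $objEvent = $objEventSource.NextEvent(5000)

    ; 80043001 is wbemErrTimedOut: no event arrived in time, so keep waiting.
    If $g_sComErr = "80043001" Then ContinueLoop
    If $g_sComErr <> "" Or Not IsObj($objEvent) Then
        ConsoleWrite(_Stamp() & " WMI error 0x" & $g_sComErr & ", stopping" & @CRLF)
        ExitLoop
    EndIf

    ; TargetInstance is the Win32_Process instance that triggered the event.
    $objProc = $objEvent.TargetInstance
    ConsoleWrite(_Stamp() & " start" & _
            " pid=" & $objProc.ProcessId & _
            " ppid=" & $objProc.ParentProcessId & _
            " name=" & $objProc.Name & _
            " cmd=" & $objProc.CommandLine & @CRLF)
WEnd

; Timestamp for each log line, built from AutoIt's date and time macros.
Func _Stamp()
    Return @YEAR & "-" & @MON & "-" & @MDAY & " " & @HOUR & ":" & @MIN & ":" & @SEC
EndFunc

; COM error handler: remember the error number so the loop can inspect it.
Func _OnComError($oError)
    $g_sComErr = Hex($oError.number, 8)
EndFunc
```

Because WITHIN 2 polls every two seconds, a process that starts and exits between two polls produces no event, so a log built this way is not a complete record of process creation. CommandLine can be empty for processes the current account is not allowed to inspect.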