In Part 9 of this series we looked at using WMI event queries to monitor services. Those techniques work in both PowerShell 2.0 and 3.0. But one drawback, especially when monitoring remote systems, is that you are using WMI which is not necessary very firewall friendly. If you have PowerShell 3.0, then you can take advantage of the new CIM cmdlets which use the same single port we use for PowerShell remoting.

Registering a CIM Indication

In PowerShell 3.0 we can still create a WMI query to monitor changes but we’ll use slightly different classes.

  • CIM_InstIndication
  • CIM_InstCreation
  • CIM_InstModification
  • CIM_InstDeletion

We can still target a specific class with TargetInstance. Here’s my query to watch the BITS service to see if it stops.

$query = "Select * from CIM_InstModification within 10 where TargetInstance ISA 'Win32_Service' AND TargetInstance.Name='BITS' AND TargetInstance.State='Stopped'"

I’ll register this on my computer, but watching the service on a remote computer that is running PowerShell 3.0

PS C:\> Register-CimIndicationEvent -Query $query -SourceIdentifier "BITSMonitor" 
  -MessageData "BITS has stopped" -ComputerName NOVO8

PS C:\> Get-EventSubscriber

SubscriptionId   : 5
SourceObject     : Microsoft.Management.Infrastructure.CimCmdlets.CimIndicationWatch…
EventName        : CimIndicationArrived
SourceIdentifier : BITSMonitor
Action           : 
HandlerDelegate  : 
SupportEvent     : False
ForwardEvent     : False

Now when I stop the service on NOVO8, I’ll get an event in my local queue.

PS C:\> get-event

ComputerName     : 
RunspaceId       : e6e0457d-1a5b-474b-a2d6-d9944a3f8811
EventIdentifier  : 3
Sender           : Microsoft.Management.Infrastructure.CimCmdlets.CimIndicationWatch…
SourceEventArgs  : Microsoft.Management.Infrastructure.CimCmdlets.CimIndicationEvent…
SourceArgs       : {Microsoft.Management.Infrastructure.CimCmdlets.CimIndicationWat…
SourceIdentifier : BITSMonitor
TimeGenerated    : 2/15/2013 12:56:17 PM
MessageData      : BITS has stopped

I can compare the previous and source instance. In the WMI query, this is the TargetInstance property.

PS C:\> (get-event)[0].SourceEventArgs.NewEvent.PreviousInstance,(get-

ProcessId Name StartMode State   Status ExitCode
--------- ---- --------- -----   ------ --------
0         BITS Manual    Stopped OK     0       
788       BITS Manual    Running OK     0

Taking action

We can also take action with a scriptblock just as we did with the WMI. I’ll revise my query to watch for any change to BITS.

$query = "Select * from CIM_InstModification within 10 where TargetInstance ISA 'Win32_Service' AND TargetInstance.Name='BITS'"

When the event fires I’ll display the previous and source instances using Out-Gridview

$action = {
SourceInstance | out-gridview

Finally, I’ll register this event subscription.

Register-CimIndicationEvent -Query $query -SourceIdentifier "BITSMonitor" -Action $action -ComputerName NOVO8

The event subscription is watching the service on NOVO8 but the action will execute on my computer.

CIM Service Events

CIM Service Events

You can’t specify multiple computers and when you specify a remote computername, PowerShell will setup a temporary CIMSession. If you have one already created you can use it instead. In fact you could setup multiple event subscriptions using the same CIM session.

Clean up

When the time comes to clean up, it is the same as using the WMI event subscriptions. Unregister the subscription.

PS C:\> Get-EventSubscriber -SourceIdentifier bitsmonitor | Unregister-Event

And optionally, clear out the event queue.

PS C:\> get-event -SourceIdentifier bitsmonitor | Remove-Event

Or remove everything:

PS C:\> get-event -SourceIdentifier | Remove-Event


And this concludes our (long) look at managing services with Windows PowerShell. Certainly if you only need to deal with a single service there’s nothing wrong with the graphical Services management console. But for quick management, or management that needs to span your enterprise, I encourage you to take the time to learn how to do it with PowerShell.


Leave a reply

Please enclose code in pre tags

Your email address will not be published.


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account