- Using PowerShell with $PSStyle - Mon, Jan 24 2022
- Clean up user profiles with PowerShell - Mon, Jun 9 2014
- Track user logons with a PowerShell script - Fri, Jun 6 2014
Registering a CIM Indication ^
In PowerShell 3.0 we can still create a WMI query to monitor changes but we’ll use slightly different classes.
- CIM_InstIndication
- CIM_InstCreation
- CIM_InstModification
- CIM_InstDeletion
We can still target a specific class with TargetInstance. Here’s my query to watch the BITS service to see if it stops.
$query = "Select * from CIM_InstModification within 10 where TargetInstance ISA 'Win32_Service' AND TargetInstance.Name='BITS' AND TargetInstance.State='Stopped'"
I’ll register this on my computer, but watching the service on a remote computer that is running PowerShell 3.0
PS C:\> Register-CimIndicationEvent -Query $query -SourceIdentifier "BITSMonitor" -MessageData "BITS has stopped" -ComputerName NOVO8 PS C:\> Get-EventSubscriber SubscriptionId : 5 SourceObject : Microsoft.Management.Infrastructure.CimCmdlets.CimIndicationWatch… EventName : CimIndicationArrived SourceIdentifier : BITSMonitor Action : HandlerDelegate : SupportEvent : False ForwardEvent : False
Now when I stop the service on NOVO8, I’ll get an event in my local queue.
PS C:\> get-event
ComputerName :
RunspaceId : e6e0457d-1a5b-474b-a2d6-d9944a3f8811
EventIdentifier : 3
Sender : Microsoft.Management.Infrastructure.CimCmdlets.CimIndicationWatch…
SourceEventArgs : Microsoft.Management.Infrastructure.CimCmdlets.CimIndicationEvent…
SourceArgs : {Microsoft.Management.Infrastructure.CimCmdlets.CimIndicationWat…
SourceIdentifier : BITSMonitor
TimeGenerated : 2/15/2013 12:56:17 PM
MessageData : BITS has stoppedI can compare the previous and source instance. In the WMI query, this is the TargetInstance property.
PS C:\> (get-event)[0].SourceEventArgs.NewEvent.PreviousInstance,(get- event)[0].SourceEventArgs.NewEvent.SourceInstance ProcessId Name StartMode State Status ExitCode --------- ---- --------- ----- ------ -------- 0 BITS Manual Stopped OK 0 788 BITS Manual Running OK 0
Taking action ^
We can also take action with a scriptblock just as we did with the WMI. I’ll revise my query to watch for any change to BITS.
$query = "Select * from CIM_InstModification within 10 where TargetInstance ISA 'Win32_Service' AND TargetInstance.Name='BITS'"
When the event fires I’ll display the previous and source instances using Out-Gridview
$action = {
$Event.SourceEventArgs.NewEvent.PreviousInstance,$Event.SourceEventArgs.NewEvent.
SourceInstance | out-gridview
}Finally, I’ll register this event subscription.
Register-CimIndicationEvent -Query $query -SourceIdentifier "BITSMonitor" -Action $action -ComputerName NOVO8
The event subscription is watching the service on NOVO8 but the action will execute on my computer.
CIM Service Events
You can’t specify multiple computers and when you specify a remote computername, PowerShell will setup a temporary CIMSession. If you have one already created you can use it instead. In fact you could setup multiple event subscriptions using the same CIM session.
Clean up ^
When the time comes to clean up, it is the same as using the WMI event subscriptions. Unregister the subscription.
PS C:\> Get-EventSubscriber -SourceIdentifier bitsmonitor | Unregister-Event
And optionally, clear out the event queue.
PS C:\> get-event -SourceIdentifier bitsmonitor | Remove-Event
Or remove everything:
PS C:\> get-event -SourceIdentifier | Remove-Event
Summary ^
And this concludes our (long) look at managing services with Windows PowerShell. Certainly if you only need to deal with a single service there’s nothing wrong with the graphical Services management console. But for quick management, or management that needs to span your enterprise, I encourage you to take the time to learn how to do it with PowerShell.
