如何訂閱Windows文件修改事件

Question

我想訂閱特定文件的情況下使用WQL與此查詢被修改：

SELECT * FROM __InstanceModificationEvent WITHIN 1 WHERE TargetInstance ISA "CIM_DataFile" AND TargetInstance.Drive="C:" AND TargetInstace.Path="\\test\\filewatching\\"

我可以將事件成功寄存器（見輸出在底部），並且可以看到它與我註冊的腳本（消費者）綁定。

但是，當我修改C:\test\filewatching\中的文件時，腳本無法運行。

---

下面是在同一文件夾，註冊爲文件創建事件代碼，這個工程：

#WQL 

$query = @" 
SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA "Cim_DirectoryContainsFile" AND TargetInstance.GroupComponent="Win32_Directory.Name='C:\\test\\filewatching'" 
"@ 
$instanceFilter = ([WMICLASS]"\\$Computername\root\subscription:__EventFilter").CreateInstance() 
$instanceFilter.QueryLanguage = 'WQL' 
$instanceFilter.Query = $query 
$instanceFilter.Name = 'EventFilterNameHere' 
$instanceFilter.EventNameSpace = 'root/CIMV2' 
$result = $instanceFilter.Put() 

# Consumer 

$script = 
@" 
Set objFSO = CreateObject("Scripting.FileSystemObject") 
Set objFile = objFSO.OpenTextFile("c:\test\filewatching\Log.log", 8, True) 
objFile.WriteLine "New File Created" 
objFile.Close 
"@ 
$instanceConsumer = ([wmiclass]"\\$Computername\root\subscription:ActiveScriptEventConsumer").CreateInstance() 
$instanceConsumer.Name = 'ConsumerNameHere' 
$instanceConsumer.ScriptingEngine = 'VBScript' 
$instanceConsumer.ScriptFilename = '' 
$instanceConsumer.ScriptText = $script 
$instanceConsumer.Put() 

# Binding 

[object]$Filter = (Get-WMIObject -Computername $Computername -Namespace root\Subscription -Class __EventFilter | Sort Name) 
[object]$Consumer = (Get-WMIObject -Computername $Computername -Namespace root\Subscription -Class __EventConsumer | Sort Name) 

$instanceBinding = ([wmiclass]"\\$Computername\root\subscription:__FilterToConsumerBinding").CreateInstance() 
$instanceBinding.Filter = $Filter 
$instanceBinding.Consumer = $Consumer 
$instanceBinding.Put() 

所以我知道有什麼錯我的PowerShell。這讓我覺得我的查詢一定是錯的。

我已經嘗試了一下上面的InstanceModificationEvent查詢的一些調整，但沒有成功。 （這些調整包括諸如將C:改爲C或從TargetInstace.Path移除\s的東西）。

---

我需要此訂閱纔是永久性的，並且如果PC已打開或關閉，則無法重置 - 這就是我使用WQL的原因。如果任何人都可以提出另一種實現方法，或者我可以如何解決我的問題，我將永遠感激！

Path   : \\WIN7-IT3\root\subscription:ActiveScriptEventConsumer.Name="Co 
       nsumerNameHere" 
RelativePath : ActiveScriptEventConsumer.Name="ConsumerNameHere" 
Server  : WIN7-IT3 
NamespacePath : root\subscription 
ClassName  : ActiveScriptEventConsumer 
IsClass  : False 
IsInstance : True 
IsSingleton : False 

Path   : \\WIN7-IT3\root\subscription:__FilterToConsumerBinding.Consumer 
       ="\\\\WIN7-IT3\\ROOT\\Subscription:ActiveScriptEventConsumer.Na 
       me=\"ConsumerNameHere\"",Filter="\\\\WIN7-IT3\\ROOT\\Subscripti 
       on:__EventFilter.Name=\"EventFilterNameHere\"" 
RelativePath : __FilterToConsumerBinding.Consumer="\\\\WIN7-IT3\\ROOT\\Subscri 
       ption:ActiveScriptEventConsumer.Name=\"ConsumerNameHere\"",Filt 
       er="\\\\WIN7-IT3\\ROOT\\Subscription:__EventFilter.Name=\"Event 
       FilterNameHere\"" 
Server  : WIN7-IT3 
NamespacePath : root\subscription 
ClassName  : __FilterToConsumerBinding 
IsClass  : False 
IsInstance : True 
IsSingleton : False 

查詢WMI訂閱：查詢後

Get-WmiObject -Namespace root\Subscription -Class __Eventfilter 
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer 
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding 
Get-WMIObject -Namespace root\Subscription -Class ActiveScriptEventConsumer 

輸出：

運行腳本後

---

輸出

__GENUS : 2 __CLASS : __EventFilter __SUPERCLASS : __IndicationRelated __DYNASTY : __SystemClass __RELPATH : __EventFilter.Name="EventFilterNameHere" __PROPERTY_COUNT : 6 __DERIVATION : {__IndicationRelated, __SystemClass} __SERVER : WIN7-IT3 __NAMESPACE : ROOT\Subscription __PATH : \\WIN7-IT3\ROOT\Subscription:__EventFilter.Name="EventFilterNameHere" CreatorSID : {1, 5, 0, 0...} EventAccess : EventNamespace : root/CIMV2 Name : EventFilterNameHere Query : SELECT * FROM __InstanceModificationEvent WITHIN 5 WHERE TargetInstance ISA "CIM_DataFile" AND TargetInstance.Drive="C:" AND TargetInstace.Path="\\test\\filewatching\\" QueryLanguage : WQL PSComputerName : WIN7-IT3 __GENUS : 2 __CLASS : ActiveScriptEventConsumer __SUPERCLASS : __EventConsumer __DYNASTY : __SystemClass __RELPATH : ActiveScriptEventConsumer.Name="ConsumerNameHere" __PROPERTY_COUNT : 8 __DERIVATION : {__EventConsumer, __IndicationRelated, __SystemClass} __SERVER : WIN7-IT3 __NAMESPACE : ROOT\Subscription __PATH : \\WIN7-IT3\ROOT\Subscription:ActiveScriptEventConsumer.Name="ConsumerNameHere" CreatorSID : {1, 5, 0, 0...} KillTimeout : 0 MachineName : MaximumQueueSize : Name : ConsumerNameHere ScriptFilename : ScriptingEngine : VBScript ScriptText : Set objFSO = CreateObject("Scripting.FileSystemObject") Set objFile = objFSO.OpenTextFile("c:\test\filewatching\Log.log", 8, True) objFile.WriteLine "New File Created" objFile.Close PSComputerName : WIN7-IT3 __GENUS : 2 __CLASS : __FilterToConsumerBinding __SUPERCLASS : __IndicationRelated __DYNASTY : __SystemClass __RELPATH : __FilterToConsumerBinding.Consumer="\\\\WIN7-IT3\\ROOT\\Subscription:ActiveS criptEventConsumer.Name=\"ConsumerNameHere\"",Filter="\\\\WIN7-IT3\\ROOT\\Su bscription:__EventFilter.Name=\"EventFilterNameHere\"" __PROPERTY_COUNT : 7 __DERIVATION : {__IndicationRelated, __SystemClass} __SERVER : WIN7-IT3 __NAMESPACE : ROOT\Subscription __PATH : \\WIN7-IT3\ROOT\Subscription:__FilterToConsumerBinding.Consumer="\\\\WIN7-IT 3\\ROOT\\Subscription:ActiveScriptEventConsumer.Name=\"ConsumerNameHere\"",F ilter="\\\\WIN7-IT3\\ROOT\\Subscription:__EventFilter.Name=\"EventFilterName Here\"" Consumer : \\WIN7-IT3\ROOT\Subscription:ActiveScriptEventConsumer.Name="ConsumerNameHer e" CreatorSID : {1, 5, 0, 0...} DeliverSynchronously : False DeliveryQoS : Filter : \\WIN7-IT3\ROOT\Subscription:__EventFilter.Name="EventFilterNameHere" MaintainSecurityContext : False SlowDownProviders : False PSComputerName : WIN7-IT3 __GENUS : 2 __CLASS : ActiveScriptEventConsumer __SUPERCLASS : __EventConsumer __DYNASTY : __SystemClass __RELPATH : ActiveScriptEventConsumer.Name="ConsumerNameHere" __PROPERTY_COUNT : 8 __DERIVATION : {__EventConsumer, __IndicationRelated, __SystemClass} __SERVER : WIN7-IT3 __NAMESPACE : ROOT\Subscription __PATH : \\WIN7-IT3\ROOT\Subscription:ActiveScriptEventConsumer.Name="ConsumerNameHere" CreatorSID : {1, 5, 0, 0...} KillTimeout : 0 MachineName : MaximumQueueSize : Name : ConsumerNameHere ScriptFilename : ScriptingEngine : VBScript ScriptText : Set objFSO = CreateObject("Scripting.FileSystemObject") Set objFile = objFSO.OpenTextFile("c:\test\filewatching\Log.log", 8, True) objFile.WriteLine "New File Created" objFile.Close PSComputerName : WIN7-IT3 

Answer 1

跨越this page迷迷糊糊張貼這個問題，我從中摸索出我需要的查詢後不久：

注意，相反，其他幾個帖子在網上，什麼工作對我來說竟是省略TargetInstance的Path和Drive部分，並且只包含我要觀看的文件的完整路徑和名稱。

這適用於我，因爲我只會看1個特定的文件。如果您需要使用此方法觀看多個文件，則需要註冊多個訂閱。

登記文件修改觀察者的完整代碼：

#WQL 

$query = @" 
SELECT * FROM __InstanceModificationEvent WITHIN 1 WHERE TargetInstance ISA 'CIM_DataFile' AND TargetInstance.Name='c:\\test\\filewatching\\tester.txt' 
"@ 
$instanceFilter = ([WMICLASS]"\\$Computername\root\subscription:__EventFilter").CreateInstance() 
$instanceFilter.QueryLanguage = 'WQL' 
$instanceFilter.Query = $query 
$instanceFilter.Name = 'EventFilterNameHere' 
$instanceFilter.EventNameSpace = 'root/CIMV2' 
$result = $instanceFilter.Put() 

# Consumer 

$script = 
@" 
Set objFSO = CreateObject("Scripting.FileSystemObject") 
Set objFile = objFSO.OpenTextFile("c:\test\filewatching\Log.log", 8, True) 
objFile.WriteLine "New File Created" 
objFile.Close 
"@ 
$instanceConsumer = ([wmiclass]"\\$Computername\root\subscription:ActiveScriptEventConsumer").CreateInstance() 
$instanceConsumer.Name = 'ConsumerNameHere' 
$instanceConsumer.ScriptingEngine = 'VBScript' 
$instanceConsumer.ScriptFilename = '' 
$instanceConsumer.ScriptText = $script 
$instanceConsumer.Put() 

# Binding 

[object]$Filter = (Get-WMIObject -Computername $Computername -Namespace root\Subscription -Class __EventFilter | Sort Name) 
[object]$Consumer = (Get-WMIObject -Computername $Computername -Namespace root\Subscription -Class __EventConsumer | Sort Name) 

$instanceBinding = ([wmiclass]"\\$Computername\root\subscription:__FilterToConsumerBinding").CreateInstance() 
$instanceBinding.Filter = $Filter 
$instanceBinding.Consumer = $Consumer 
$instanceBinding.Put() 

Answer 2

需要消費者和過濾器的路徑連接到粘合劑 ，而不是系統中的每個過濾器\消費者

$result = $instanceFilter.Put() 
$filterPath = $result.Path 
$result = $instanceConsumer.Put() 
$consumerPath = $result.Path 

$bind.Filter = $filterPath 
$bind.Consumer = $consumerPath