Recently I have been learning about WMI and WQL. I found out the list of Win32 classes (from MSDN) that I can query for but I am not able to find out the list of event classes (should be the subset of the list of Win32 classes isn't it ?) Does any one have a list or some kind of cheat sheet for this? I am jsut asking this out of curiosity.
Example for an event class - Win32_ProcessStartTrace
Here's how to list WMI event classes in the root\cimv2 namespace with C# and System.Management:
using System;
using System.Management;
class Program
{
static void Main()
{
string query =
@"Select * From Meta_Class Where __This Isa '__Event'";
ManagementObjectSearcher searcher =
new ManagementObjectSearcher(query);
foreach (ManagementBaseObject cimv2Class in searcher.Get())
{
Console.WriteLine(cimv2Class.ClassPath.ClassName);
}
}
}
root\cimv2 is the default WMI namespace so you don't have to use a ManagementScope instance. The WQL query passed to ManagementObjectSearcher is a WMI metadata query. It uses:
Meta_Class to designate the query as a schema query, and__This property to recursively list __Event subclassesWMI class is an event class if its provider implemented as an event WMI provider and must be a subclass of __Event. This doesn't mean that you can't use 'ordinary' WMI classes like Win32_Process and Win32_Service in WQL event queries. You just have to use one of the __InstanceOperationEvent derived helper classes like __InstanceCreationEvent or __InstanceDeletionEvent, and WMI will use its own event subsystem to deliver events.
Here is a sample WQL query that subscribes to Win32_Process creation events:
Select * From __InstanceCreationEvent Within 5 Where TargetInstance Isa 'Win32_Process'
In this case you have to use the Within clause.