
Couldn't register WMI __EventConsumer in Powershell


My PC environment is Windows 10 Enterprise Evaluation, Build 17763.rs5_release.180914-1434

When I entered the command $consumer = ([wmiclass]"\\.\root\subscription:CommandLineEventConsumer").CreateInstance() in PowerShell (Run as Administrator), I got an exception like the one below.

 Cannot convert value "\\.\root\subscription:CommandLineEventConsumer" to type "System.Management.ManagementClass". Error: "Not found
 "
 At line:1 char:1
 + $consumer = ([wmiclass]"\\.\root\subscription:CommandLineEventConsume ...
 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     + CategoryInfo          : InvalidArgument: (:) [], RuntimeException
     + FullyQualifiedErrorId : InvalidCastToWMIClass

I tried to dig for more detailed information and got the messages below:

 System.Management.Automation.RuntimeException: Cannot convert value "\\.\root\subscription:CommandLineEventConsumer" to type "System.Management.ManagementClass". Error: "Not found " ---> System.Management.Automation.PSInvalidCastException: Cannot convert value "\\.\root\subscription:CommandLineEventConsumer" to type "System.Management.ManagementClass". Error: "Not found " ---> System.Management.ManagementException: Not found 
    at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
    at System.Management.ManagementObject.Initialize(Boolean getObject)
    at System.Management.ManagementBaseObject.get_wbemObject()
    at System.Management.PropertyData.RefreshPropertyInfo()
    at System.Management.PropertyDataCollection.get_Item(String propertyName)
    at System.Management.Automation.LanguagePrimitives.ConvertToWMIClass(Object valueToConvert, Type resultType, Boolean recursion, PSObject originalValueToConvert, IFormatProvider formatProvider, TypeTable backupTable)
    --- End of inner exception stack trace ---
    at System.Management.Automation.LanguagePrimitives.ConvertToWMIClass(Object valueToConvert, Type resultType, Boolean recursion, PSObject originalValueToConvert, IFormatProvider formatProvider, TypeTable backupTable)
    at System.Management.Automation.Interpreter.DynamicInstruction`2.Run(InterpretedFrame frame)
    at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
    --- End of inner exception stack trace ---
    at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception exception)
    at System.Management.Automation.Interpreter.ActionCallInstruction`2.Run(InterpretedFrame frame)
    at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
    at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)

Actually, I could register __EventFilter, __EventConsumer and __FilterToConsumerBinding at first. However, after trying some commands related to registering and unregistering WMI (sorry, I don't remember which commands I tried...), I couldn't register __EventConsumer anymore. Even though I tried rebooting the PC and unregistering all of them, I still get the exception above.


Solution

  • You can try something like this instead to create a new instance of the CommandLineEventConsumer class. The same goes for filters and consumer bindings.

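    # Name is the key property; CommandLineTemplate is the command the consumer runs
    $Properties = @{
        "Name"="Test"
        "CommandLineTemplate"="C:\Windows\Notepad.exe"
    }
    
    # -Arguments is an alias of New-CimInstance's -Property parameter
    New-CimInstance -Namespace 'ROOT\subscription' -ClassName 'CommandLineEventConsumer' -Arguments $Properties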
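
To see what is actually registered in `root\subscription` after experiments like the ones in the question, the following audit script is an added example, not part of the original answer. It assumes an elevated PowerShell session; the report column names are made up for illustration, and the consumer name `Test` is the one used in the answer.

```powershell
# Added example: read-only audit of permanent WMI event subscriptions.
$ns = 'root\subscription'

# 1. Check that the consumer class definition exists in the namespace.
#    A missing class here corresponds to the "Not found" error in the question.
$class = Get-CimClass -Namespace $ns -ClassName 'CommandLineEventConsumer' -ErrorAction SilentlyContinue
if (-not $class) {
    Write-Warning "CommandLineEventConsumer is not defined in $ns"
}

# 2. Enumerate all filters, consumers (every subclass of __EventConsumer) and bindings.
$filters   = @(Get-CimInstance -Namespace $ns -ClassName '__EventFilter')
$consumers = @(Get-CimInstance -Namespace $ns -ClassName '__EventConsumer')
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName '__FilterToConsumerBinding')

# 3. Join each binding to its filter query and consumer details for review.
$report = foreach ($b in $bindings) {
    $f = $filters   | Where-Object Name -eq $b.Filter.Name
    $c = $consumers | Where-Object Name -eq $b.Consumer.Name
    [pscustomobject]@{
        Filter        = $b.Filter.Name
        Query         = $f.Query
        Consumer      = $b.Consumer.Name
        ConsumerClass = $c.CimSystemProperties.ClassName
        Command       = $c.CommandLineTemplate   # empty for other consumer types
    }
}
$report | Format-List

# 4. Consumers with no binding, such as a leftover test instance.
$boundNames = @($bindings | ForEach-Object { $_.Consumer.Name })
$consumers |
    Where-Object { $_.Name -notin $boundNames } |
    Select-Object Name, @{ n = 'Class'; e = { $_.CimSystemProperties.ClassName } }

# 5. Cleanup of the answer's test consumer (uncomment to run):
# Get-CimInstance -Namespace $ns -ClassName 'CommandLineEventConsumer' -Filter "Name='Test'" |
#     Remove-CimInstance
```

Step 1 separates a missing class definition from a missing instance: enumeration through `__EventConsumer` in step 2 still works when only the `CommandLineEventConsumer` class cannot be found.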