wql

问题 I have created an agent to read windows event using WMI. I ma using the agent from last 3 years to collect events. It is used in a SEIM product. The query looks like SELECT * FROM Win32_NTLogEvent where LogFile = 'System' or logFile='Active Directory Web Services' I am able to get the events properly. But Now I want to read apploacker events 'Microsoft-Windows-AppLocker/EXE and DLL' (Application and Security Logs -> Microsoft -> Windows -> AppLocker -> Exe And DLL). I tried the below query

问题 I have created an agent to read windows event using WMI. I ma using the agent from last 3 years to collect events. It is used in a SEIM product. The query looks like SELECT * FROM Win32_NTLogEvent where LogFile = 'System' or logFile='Active Directory Web Services' I am able to get the events properly. But Now I want to read apploacker events 'Microsoft-Windows-AppLocker/EXE and DLL' (Application and Security Logs -> Microsoft -> Windows -> AppLocker -> Exe And DLL). I tried the below query

问题 I've got Microsoft.Management.Infrastructure working in my application, at least as far as the very first sample code: CimSession.Create(null) .QueryInstances(@"root\cimv2", "WQL", "SELECT * FROM Win32_OperatingSystem") .FirstOrDefault().CimInstanceProperties["Version"].Value.ToString(); What I need is to use MMI to determine whether any applications on the local machine have a lock on a specific file (see this question to see why approaches besides MMI aren't working) I've been reading page

问题 I am trying to access specific information about Bluetooth serial ports. I was able to find this window in my Bluetooth settings that showed me the port, direction, and name of a Bluetooth device if it was related to a COM Port. Currently to try and get this information, I have been using WQL to query some of the Windows Management Classes. # I don't really mind if it is run in a Powershell environment gwmi -query "SELECT * FROM Win32_PnPEntity WHERE Name LIKE '%COM%' AND PNPDeviceID LIKE '

问题 def getPnpDeviceInfo(): c = wmi.WMI() wql = "SELECT * FROM Win32_PnPEntity WHERE Manufacturer != 'Microsoft' AND NOT PNPDeviceID LIKE 'ROOT\\%'" print ("All physical PNP devices") for J in c.query(wql): print(J) This function (the query) typically returns all physical PNP devices, here is an output sample : instance of Win32_PnPEntity { Caption = "ACPI Lid"; ClassGuid = "{4d36e97d-e325-11ce-bfc1-08002be10318}"; ConfigManagerErrorCode = 0; ConfigManagerUserConfig = FALSE; CreationClassName =

问题 I have to list all users (both local system and domain). I tried using WQL but it takes a lot of time for the program to run. Is there any other way to get it from registry? Any help would be appreciated. 回答1: using System; using System.Collections.Generic; using System.DirectoryServices; namespace ListADUsers.ConsoleApp { class Program { static void Main(string[] args) { Console.Clear(); IList<String> userList = new List<String>(); int badEntries = 0; string domainName = String.Empty; if

问题 (PS Version 1) PS C:\> $query = 'Select * From Exchange_PublicFolder WHERE Path LIKE "/Foo%"' PS C:\> $query Select * From Exchange_PublicFolder WHERE Path LIKE "/Foo%" PS C:\> gwmi -namespace ROOT\MicrosoftExchangev2 -query $query Get-WmiObject : Provider is not capable of the attempted operation At line:1 char:5 + gwmi <<<< -namespace ROOT\MicrosoftExchangev2 -query $query It makes no difference if I try to assign the query to a variable first or not. Is there might be a problem with the

问题 Trying to trawl through the WMI/WQL MS Reference Data and the WMI Code Creator Event Classes, but can't find anything to indicate: A) If this is possible B) How to do it Ideally i'd like to be able to subscribe to WMI Events that are of the nature of the End User changing (UI) window (any Windows application). 回答1: You are using the wrong tool, there is not WMI classes or WMI events related to the UI of a windows application. instead you must use the Windows messages and the WinAPI. 来源： https

问题 When acquiring the value of the property SerialNumber from the WMI class Win32_CDROMDrive like this SELECT SerialNumber FROM Win32_CDROMDrive it throughs a NullReferenceException unless i change the query to SELECT * FROM Win32_CDROMDrive . Then loop arround all the properties including the SerialNumber in-which in that case is not null. And since the first method is faster than the second (not quite sure) I prefer to use it. So what is happening? Am I missing something? Note that it works

问题 I am trying to register this file ( mytest3.mof ) : #PRAGMA AUTORECOVER #pragma namespace("\\\\.\\root\\subscription") instance of __EventFilter as $EventFilter { Name = "Event Filter Instance Name"; EventNamespace = "Root\\Cimv2"; Query = "Select * From __InstanceCreationEvent Within 1 " "Where TargetInstance Isa \"Cim_DirectoryContainsFile\" " "and TargetInstance.GroupComponent=\"Win32_Directory.Name=\'C:\\\\test\'\""; QueryLanguage = "WQL"; }; instance of ActiveScriptEventConsumer as