A plea for help using PowerEvents…I am almost there!

Dec 9, 2011 at 8:07 AM

I am working through the  lectures and documentation and I have been able to implement 3 of the 4  ConsumerTypes that I am interested in.

SMTP was the first and worked first try…then I got stuck on CommandLine so I moved on to LogFile, EventLog with no issues.  I remain stuck after several attempts to make CommandLine work with either .bat or .vbs but it not running the command.

.I have looked in WMI and see the instances and everything seems to be OK but the sample programs won’t run.

This is all CommandLine_Helper.bat is doing nothing more than

ECHO Hello %1 > D:\Admin\event.log

This is the setup…the only think I can think of is that I am not using proper quoting/backticks in my CommandLineTemplate syntax but I can’t get it going after much trial and error.

Example 1

$query = "Select * from __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'CIM_DataFile' AND TargetInstance.Drive='D:' AND TargetInstance.Path='\\Program Files (x86)\\Platform Computing\\Platform Process Manager\\work\\storage\\error\\'"

$taskFilter = New-WmiEventFilter -Name "LSF_Flow_Monitor" -Query $query

$CLConsumer = New-WmiEventConsumer -Name CL_Test -ConsumerType CommandLine -CommandLineTemplate "cscript.exe /b D:\Admin\CommandLine_Helper.vbs %TargetInstance.Name%"

New-WmiFilterToConsumerBinding -Filter $taskFilter -Consumer $CLConsumer -Verbos

 

Example 2

$query = "Select * from __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'CIM_DataFile' AND TargetInstance.Drive='D:' AND TargetInstance.Path='\\Program Files (x86)\\Platform Computing\\Platform Process Manager\\work\\storage\\error\\'"

$taskFilter = New-WmiEventFilter -Name "LSF_Flow_Monitor" -Query $query

$cmdConsumer = New-WmiEventConsumer -Verbose -Name "LSF_Flow_Monitor_Consumer" -ConsumerType CommandLine -CommandLineTemplate "cmd.exe /c `"D:\Admin\CommandLine_Helper.bat`" %TargetInstance.Name%"

New-WmiFilterToConsumerBinding -Filter $taskFilter -Consumer $cmdConsumer -Verbos

Would gratefully appreciate any guidance.  Thanks again for all your good work.

Coordinator
Dec 13, 2011 at 10:25 PM

FYI, I've been working with Antonio on this issue over e-mail. As far as I can tell, the CommandLineTemplate is correct, however the %TargetInstance.Name% property being passed to the batch file does not have quotes around it. If the file name being created has spaces in its name, then I can see how the script might misinterpret the arguments.

My recommendation would be to test a batch file that does not take any parameters at first. Once that works, then adding the parameters back in can be done.

I tested out a similar setup, which simply runs this in a batch file:

ipconfig > c:\test.log

...and it works great on a Windows 7 Enterprise x64 client.

Cheers,
Trevor Sullivan
http://trevorsullivan.net
http://twitter.com/pcgeek86

Dec 16, 2011 at 11:57 PM
Edited Dec 17, 2011 at 12:00 AM

Per recommndation I took the parameter out of the equation but that was not the issue.

(I have sent Trevor a message offline) but it seem to have something to do with

The code that calls WmiEventConsumer Cmdlet...this function is defined in New-WmiEventConsumer.ps1

## Line 178

  ${ComputerName} = 'localhost'

## Line 622

    # Create a new instance of CommandLineEventConsumer
    ${NewConsumer} = ([wmiclass]"\\${ComputerName}\root\subscription:CommandLineEventConsumer").CreateInstance()
    ${NewConsumer}.{MachineName} = ${ComputerName}

When I compared a CommandLineEventConsumer compiled using MOF rather than PowerEvents I noticed that this property was <empty> rather than 'localhost'. 

Digging deeper at the other standard event consumer classes "CommandLineEventConsumer" is the only one setting machine name...the others are not and they have been working all along for me....

When I changed this property in WMI from "localhost" to <empty> the event started working.

So I am and drawing the conclusion there is something wrong with setting this property to localhost (at least on my domain)

boy did I learn a few things debugging this...

Keep up the good work...this is good stuff

Details and bickering with other folks... 

http://social.technet.microsoft.com/Forums/en/winserverManagement/thread/a2f2c922-10f7-4879-b935-d94ed88062ec

http://social.technet.microsoft.com/Forums/en/ITCG/thread/72622438-226e-4a0a-8e81-f52446d6b3b6

Repeat mostly

http://social.technet.microsoft.com/Forums/en/winserverpowershell/thread/18c5bd58-9405-42e1-9c00-d42ffcb9ff4b

 

 

 

 

 

 

Dec 17, 2011 at 12:10 AM

WOW...I just realize that 99440d1d4431
has the fix...I downloaded Alpha 2.0 :(

Since that is a major fix I would have made it the latest Allpha....

Well at least I learned a bit....

Coordinator
Dec 23, 2011 at 2:52 PM

I'll be updating the official release to reflect the change. Thanks for your efforts in finding this problem.

Cheers,
Trevor Sullivan
http://trevorsullivan.net
http://twitter.com/pcgeek86