PowerShell's eventing commands give you access to events from the .NET Framework, as well as events surfaced by Windows Management Instrumentation (WMI). Table I.1, “Selected .NET Events,” lists a selection of .NET events. Table I.2, “Selected WMI Events,” lists a selection of WMI events.
Table I.1. Selected .NET Events
| Type | Event | Description |
|---|---|---|
| | | Occurs when an assembly is loaded. |
| | | Occurs when the resolution of a type fails. |
| | | Occurs when the resolution of a resource fails because the resource is not a valid linked or embedded resource in the assembly. |
| | | Occurs when the resolution of an assembly fails. |
| | | Occurs when the resolution of an assembly fails in the reflection-only context. |
| | | Occurs when an exception is not caught. |
| | | Occurs when the Control modifier key (CTRL) and C console key (C) are pressed simultaneously (CTRL+C). |
| | | Occurs when the display settings are changing. |
| | | Occurs when the user changes the display settings. |
| | | Occurs when the user adds fonts to or removes fonts from the system. |
| | | Occurs when the system is running out of available RAM. |
| | | Occurs when the user switches to an application that uses a different palette. |
| | | Occurs when the user suspends or resumes the system. |
| | | Occurs when the user is logging off or shutting down the system. |
| | | Occurs when the user is trying to log off or shut down the system. |
| | | Occurs when the currently logged-in user has changed. |
| | | Occurs when the user changes the time on the system clock. |
| | | Occurs when a user preference has changed. |
| | | Occurs when a user preference is changing. |
| | | Occurs when an asynchronous operation to open a stream containing a resource completes. |
| | | Occurs when an asynchronous operation to open a stream to write data to a resource completes. |
| | | Occurs when an asynchronous resource-download operation completes. |
| | | Occurs when an asynchronous data download operation completes. |
| | | Occurs when an asynchronous file download operation completes. |
| | | Occurs when an asynchronous string-upload operation completes. |
| | | Occurs when an asynchronous data-upload operation completes. |
| | | Occurs when an asynchronous file-upload operation completes. |
| | | Occurs when an asynchronous upload of a name/value collection completes. |
| | | Occurs when an asynchronous download operation successfully transfers some or all of the data. |
| | | Occurs when an asynchronous upload operation successfully transfers some or all of the data. |
| | | The event used to complete an asynchronous operation. |
| | | Occurs when the availability of the network changes. |
| | | Occurs when the IP address of a network interface changes. |
| | | Occurs when a file or directory in the specified Path is changed. |
| | | Occurs when a file or directory in the specified Path is created. |
| | | Occurs when a file or directory in the specified Path is deleted. |
| | | Occurs when a file or directory in the specified Path is renamed. |
| | | Occurs when the interval elapses. |
| | | Occurs when an entry is written to an event log on the local computer. |
| | | Occurs when an application writes to its redirected StandardOutput stream. |
| | | Occurs when an application writes to its redirected StandardError stream. |
| | | Occurs when a process exits. |
| | | Represents the method that handles the error event of a SerialPort object. |
| | | Represents the method that will handle the serial pin changed event of a SerialPort object. |
| | | Represents the method that will handle the data received event of a SerialPort object. |
| | | Event fired when the status of the job changes, such as when the job has completed in all runspaces or failed in any one runspace. This event is introduced in Windows PowerShell 2.0. |
| | | Event raised when Windows PowerShell stops execution of the script and enters the debugger as the result of encountering a breakpoint or executing a step command. This event is introduced in Windows PowerShell 2.0. |
| | | Event raised when the breakpoint is updated, such as when it is enabled or disabled. This event is introduced in Windows PowerShell 2.0. |
| | | Event that is raised when the state of the runspace changes. |
| | | Event that is raised when the availability of the runspace changes, such as when the runspace becomes available and when it is busy. This event is introduced in Windows PowerShell 2.0. |
| | | Event raised when the state of the pipeline changes. |
| | | Event raised when state of the pipeline of the PowerShell object changes. This event is introduced in Windows PowerShell 2.0. |
| | | Event that is fired after data is added to the collection. This event is introduced in Windows PowerShell 2.0. |
| | | Event that is fired when the Complete method is called to indicate that no more data is to be added to the collection. This event is introduced in Windows PowerShell 2.0. |
| | | Event raised when the state of the runspace pool changes. This event is introduced in Windows PowerShell 2.0. |
| | | Event fired when data is added to the buffer. |
| | | Allows setting a delegate (event handler method) that gets called every time an event is published that matches the criteria specified in the event query for this object. |
| | | Occurs when the state of the event changes. |
| | | Occurs every time that the number of rows specified by the NotifyAfter property have been processed. |
| | | Occurs when the execution of a Transact-SQL statement completes. |
| | | Occurs when SQL Server returns a warning or informational message. |
| | | Occurs when SQL Server returns a warning or informational message. |
| | | Occurs during DataSet) after a command is executed against the data source. The attempt to update is made, so the event fires. |
| | | Occurs during DataSet) before a command is executed against the data source. The attempt to update is made, so the event fires. |
| | | Occurs during DataSet) before a command is executed against the data source. The attempt to update is made, so the event fires. |
| | | Occurs when a notification is received for any of the commands associated with this SqlDependency object. |
Table I.2. Selected WMI Events
| Event | Description |
|---|---|
| | This event class generically represents the creation of instances in WMI providers, such as Processes, Services, Files, and more. A registration for this generic event looks like: `$query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE targetinstance isa 'Win32_UserAccount'"; Register-WmiEvent -Query $query` |
| | This event class generically represents the removal of instances in WMI providers, such as Processes, Services, Files, and more. A registration for this generic event looks like: `$query = "SELECT * FROM __InstanceDeletionEvent WITHIN 5 WHERE targetinstance isa 'Win32_UserAccount'"; Register-WmiEvent -Query $query` |
| | This event class generically represents the modification of instances in WMI providers, such as Processes, Services, Files, and more. A registration for this generic event looks like: `$query = "SELECT * FROM __InstanceModificationEvent WITHIN 5 WHERE targetinstance isa 'Win32_UserAccount'"; Register-WmiEvent -Query $query` |
| | The Msft_WmiProvider_OperationEvent event class is the root definition of all WMI provider events. A provider operation is defined as some execution on behalf of a client via WMI that results in one or more calls to a provider executable. The properties of this class define the identity of the provider associated with the operation being executed and are uniquely associated with instances of the class Msft_Providers. Each instance of __Win32Provider can have an associated operation and be identified using the properties below. Internally, WMI can contain any number of objects that refer to a particular instance of __Win32Provider, since it differentiates each object based on whether the provider supports per-user or per-locale instantiation and also depending on where the provider is being hosted. Currently TransactionIdentifier is always an empty string. |
| | This event class represents events related to a computer system. |
| | This event class represents events when a computer has begun the process of shutting down. |
| | The Win32_IP4RouteTableEvent class represents IP route change events resulting from the addition, removal or modification of IP routes on the computer system. |
| | The registry event classes allow you to subscribe to events that involve changes in hive subtrees, keys, and specific values. |
| | The RegistryKeyChangeEvent class represents changes to a specific key. The changes apply only to the key, not its subkeys. |
| | The RegistryTreeChangeEvent class represents changes to a key and its subkeys. |
| | The RegistryValueChangeEvent class represents changes to a single value of a specific key. |
| | The SystemTrace class is the base class for all system trace events. System trace events are fired by the kernel logger via the event tracing API. |
| | This event is the base event for process events. |
| | The ProcessStartTrace event class indicates a new process has started. |
| | The ProcessStopTrace event class indicates a process has terminated. |
| | The ModuleTrace event class is the base event for module events. |
| | The ModuleLoadTrace event class indicates a process has loaded a new module. |
| | The ThreadTrace event class is the base event for thread events. |
| | The ThreadStartTrace event class indicates a new thread has started. |
| | The ThreadStopTrace event class indicates a thread has terminated. |
| | The Win32_PowerManagementEvent class represents power management events resulting from power state changes. These state changes are associated with either the Advanced Power Management (APM) or the Advanced Configuration and Power Interface (ACPI) system management protocols. |
| | The Win32_DeviceChangeEvent class represents device change events resulting from the addition, removal or modification of devices on the computer system. This includes changes in the hardware configuration (docking and undocking), the hardware state, or newly mapped devices (mapping of a network drive). For example, a device has changed when a WM_DEVICECHANGE message is sent. |
| | The Win32_SystemConfigurationChangeEvent is an event class which indicates that the device list on the system has been refreshed. Refreshed meaning: a device has been added, removed, or the configuration changed. This event is fired when the Windows message 'DevMgrRefreshOn<ComputerName>' is sent. The exact change to the device list is not contained in the message and therefore a device refresh is required in order to obtain the current system settings. Examples of configuration changes affected are IRQ settings, COM ports and BIOS version, to name a few. |
| | The Win32_VolumeChangeEvent class represents a local drive event resulting from the addition of a drive letter or mounted drive on the computer system (e.g. CDROM). Network drives are not currently supported. |