如何从 wmi 永久事件使用者终止进程

发布于 2024-10-31 12:57:27 字数 2224 浏览 1 评论 0原文

我正在尝试创建一个永久的 wmi 事件使用者，它将等待使用特定命令行参数创建进程，然后终止它。

到目前为止，我可以让我的事件处理程序在预期时触发并写入测试日志文件。我什至可以使用 TargetEvent.TargetInstance 访问 WMI 事件中的参数。但是，当我尝试对其调用终止时，它失败了。

我在创建 wscript.shell 或 wscript.network 等对象的实例时也遇到问题，这些对象无法创建实例。我相信这可能是因为该脚本实际上并未在 Windows 脚本主机中运行。

所以我的问题是如何让终止方法在我的 Win32_Process 实例上工作，或者有没有办法调用外部命令（假设我不能使用 wscript.shell 对象）。

我从这里获得了有关如何创建 mof 文件的大部分详细信息： http://www.codeproject.com/KB/system/PermEvtSubscriptionMOF.aspx ?display=Print

我的安装 Mof 文件如下：

#pragma namespace("\\\\.\\root\\subscription")

instance of __EventFilter as $EventFilter
{
    Name  = "My Test Filter";
    EventNamespace = "Root\\Cimv2";
    Query = "Select * From __InstanceCreationEvent Within 2 " 
            "Where TargetInstance Isa \"Win32_Process\" "
            "And Targetinstance.Name = \"notepad.exe\" "
            "And Targetinstance.CommandLine LIKE \"%test.txt%\"";
    QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "MyTestConsumer";
    ScriptingEngine = "VBScript";
    ScriptText = 
    "On Error Resume Next\n"
    "'Set WshShell = WScript.CreateObject(\"WScript.Shell\")\n"
    "Set objFSO = CreateObject(\"Scripting.FileSystemObject\")\n"
    "Set objFile = objFSO.OpenTextFile(\"c:\\log.txt\", 8, True)\n"
    "objFile.WriteLine Time & \" \" & \" notepad started \" & TargetEvent.TargetInstance.Handle \n"    
    "objFile.Close\n"
    "TargetEvent.TargetInstance.Terminate()\n";

};

instance of __FilterToConsumerBinding
{
    Filter = $EventFilter;
    Consumer   = $Consumer;
};

我的删除 mof 文件是：

#pragma namespace("\\\\.\\root\\subscription")
#Pragma deleteInstance("__EventFilter.Name=\"My Test Filter\"",FAIL)
#Pragma deleteInstance("ActiveScriptEventConsumer.Name=\"MyTestConsumer\"",FAIL)

#pragma deleteinstance ("__FilterToConsumerBinding.Consumer="
    "\"\\\\\\\\.\\\\root\\\\subscription:ActiveScriptEventConsumer.Name=\\\"MyTestConsumer\\\"\","
    "Filter=\"\\\\\\\\.\\\\root\\\\subscription:__EventFilter.Name=\\\"My Test Filter\\\"\"", FAIL)

原文

I am trying to create a permanent wmi event consumer that will wait for a process to be created with a specific commandline parameter then terminate it.

So far I can get my event handler to fire when expected and write to a test log file.
I can even access parameters from the WMI event by using the TargetEvent.TargetInstance. However when i try to call terminate on it, it fails.

I am also having trouble creating instances of objects like wscript.shell or wscript.network which fail to create an instance. I believe this might be because this script is not actually running in the windows script host.

So my question is how can I get the terminate method to work on my instance of Win32_Process or is there a way to call an external command (given I can't use wscript.shell object).

I got most of the details on how to create my mof file from here:
http://www.codeproject.com/KB/system/PermEvtSubscriptionMOF.aspx?display=Print

My Setup Mof File is the following:

#pragma namespace("\\\\.\\root\\subscription")

instance of __EventFilter as $EventFilter
{
    Name  = "My Test Filter";
    EventNamespace = "Root\\Cimv2";
    Query = "Select * From __InstanceCreationEvent Within 2 " 
            "Where TargetInstance Isa \"Win32_Process\" "
            "And Targetinstance.Name = \"notepad.exe\" "
            "And Targetinstance.CommandLine LIKE \"%test.txt%\"";
    QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "MyTestConsumer";
    ScriptingEngine = "VBScript";
    ScriptText = 
    "On Error Resume Next\n"
    "'Set WshShell = WScript.CreateObject(\"WScript.Shell\")\n"
    "Set objFSO = CreateObject(\"Scripting.FileSystemObject\")\n"
    "Set objFile = objFSO.OpenTextFile(\"c:\\log.txt\", 8, True)\n"
    "objFile.WriteLine Time & \" \" & \" notepad started \" & TargetEvent.TargetInstance.Handle \n"    
    "objFile.Close\n"
    "TargetEvent.TargetInstance.Terminate()\n";

};

instance of __FilterToConsumerBinding
{
    Filter = $EventFilter;
    Consumer   = $Consumer;
};

My removal mof file is:

#pragma namespace("\\\\.\\root\\subscription")
#Pragma deleteInstance("__EventFilter.Name=\"My Test Filter\"",FAIL)
#Pragma deleteInstance("ActiveScriptEventConsumer.Name=\"MyTestConsumer\"",FAIL)

#pragma deleteinstance ("__FilterToConsumerBinding.Consumer="
    "\"\\\\\\\\.\\\\root\\\\subscription:ActiveScriptEventConsumer.Name=\\\"MyTestConsumer\\\"\","
    "Filter=\"\\\\\\\\.\\\\root\\\\subscription:__EventFilter.Name=\\\"My Test Filter\\\"\"", FAIL)

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

薆情海 2024-11-07 12:57:27

我不知道这是什么原因，但我也从未设法让它发挥作用。乍一看应该是 - TargetEvent.TargetInstance.Name 返回进程名称等。但是在调用方法时，会向 wbemess.log 写入错误：

脚本引擎说： Microsoft VBScript 运行时错误：对象不支持此属性或方法：'TargetEvent.TargetInstance.Terminate'
(Wed Apr 13 19:44:54 2011.15735734) ：在命名空间 //./root/subscription 中删除发往事件使用者 ActiveScriptEventConsumer="TestConsumer" 的事件

这是我的解决方法：

instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name  = "New Process Instance Filter";
    Query = "Select * From __InstanceCreationEvent Within 2" 
            "Where TargetInstance Isa \"Win32_Process\" "
            "And Targetinstance.Name = \"notepad.exe\" ";
    QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "TargetEventConsumer";
    ScriptingEngine = "VBScript";
    ScriptText = 
    "Set objWmi = GetObject(\"winmgmts:\")\n"
    "\n"
    "Set objProcess = objWmi.Get(\"Win32_Process.Handle='\" _\n"
    "    & TargetEvent.TargetInstance.Handle & \"'\")\n"
    "\n"
    "objProcess.Terminate\n";
};

instance of __FilterToConsumerBinding
{
    Consumer   = $Consumer;
    Filter = $EventFilter;
};

在脚本中，我使用 SWbemServices.Get() 来获取创建流程实例，然后终止工作。只需将 TargetEvent.TargetInstance.Handle 传递给 SWbemServices.Get() 即可。

您无法使用 WshShell 对象，因为您尝试使用 WScript.CreateObject 创建它，但 ActiveScriptConsumer VBScript 引擎无法使用 WScript。如果您改用 VBScript CreateObject() 函数，它应该可以工作。与 WshNetwork 相同。

I have no idea what is the reason for this, but I have never managed to make it work either. At first glance it should - TargetEvent.TargetInstance.Name returns the process name, etc. But when calling a method, an error is written to wbemess.log:

Scripting engine says: Microsoft VBScript runtime error: Object doesn't support this property or method: 'TargetEvent.TargetInstance.Terminate'
(Wed Apr 13 19:44:54 2011.15735734) : Dropping event destined for event consumer ActiveScriptEventConsumer="TestConsumer" in namespace //./root/subscription

Here is my workaround:

instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name  = "New Process Instance Filter";
    Query = "Select * From __InstanceCreationEvent Within 2" 
            "Where TargetInstance Isa \"Win32_Process\" "
            "And Targetinstance.Name = \"notepad.exe\" ";
    QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "TargetEventConsumer";
    ScriptingEngine = "VBScript";
    ScriptText = 
    "Set objWmi = GetObject(\"winmgmts:\")\n"
    "\n"
    "Set objProcess = objWmi.Get(\"Win32_Process.Handle='\" _\n"
    "    & TargetEvent.TargetInstance.Handle & \"'\")\n"
    "\n"
    "objProcess.Terminate\n";
};

instance of __FilterToConsumerBinding
{
    Consumer   = $Consumer;
    Filter = $EventFilter;
};

In the script I use SWbemServices.Get() to get the created process instance and then Terminate works. Just pass TargetEvent.TargetInstance.Handle to SWbemServices.Get().

You failed to use WshShell object because you attempted to create it with WScript.CreateObject and WScript is not available to the ActiveScriptConsumer VBScript engine. It should work if you use the VBScript CreateObject() function instead. Same with WshNetwork.

回复收藏 0 原文

~没有更多了~