为什么 WMI 不会返回 ManagementObjectCollection 中的完整结果集？

发布于 2024-11-16 20:37:27 字数 1656 浏览 2 评论 0原文

使用 C# .net 运行 WMI 查询

对于为什么在多次运行查询时并不总是返回时间范围内的所有相同事件并且这样做时也不会引发异常，有什么想法吗？

ConnectionOptions opts = new ConnectionOptions();

if (EncryptConnections)
{
    opts.Authentication = AuthenticationLevel.PacketPrivacy;
}

opts.Username = eventSource.user;
opts.SecurePassword = eventSource.password;
opts.Impersonation = ImpersonationLevel.Impersonate;

string location = string.Format("\\\\{0}\\root\\cimv2", eventSource.machine);
ManagementScope scope = new ManagementScope(location, opts);
scope.Connect();

EnumerationOptions enumOptions = new EnumerationOptions();
enumOptions.DirectRead = false;
enumOptions.EnumerateDeep = false;
enumOptions.ReturnImmediately = true;
enumOptions.Rewindable = false; 
enumOptions.Timeout = TimeSpan.MaxValue;
enumOptions.BlockSize = 10;

WqlObjectQuery query = new WqlObjectQuery("Select * from Win32_NTLogEvent Where Logfile = 'Security' AND TimeWritten >= '20110614025212.000000+000' AND TimeWritten <= '20110614030712.000000+000'");

ManagementObjectSearcher searcher = new ManagementObjectSearcher(scope, query, enumOptions);

foreach (ManagementBaseObject mbo in searcher.Get() ) {
   // do Stuff
}

在实际代码中，查询每次都会更改以获得不同的时间范围，但如果没有，则会显示不完整的结果。

每次运行此命令时，从 searcher.Get() 返回的 ManagementObjectCollection 都会成功枚举列表 - 不会引发异常，但集合并不总是相同。

该集合每次的排序可能会有所不同，这是预期的。该集合并不总是包含相同时间范围内相同数量的事件，这是意外的。

该集合似乎无法每几百个查询获取一次完整的 WMI 结果。它默默地这样做，我还没有发现任何异常或错误消息。

我们发现，对于某些日志文件类型（至少值得注意的是安全性），针对时间的“逻辑”运算符 <= 和 < 的行为也不符合预期，因此我们已经必须在每一端使用包含 <= 来处理重叠的结束时间点。

上述丢失结果的问题并不是由于逻辑运算符未能包含 == 的时间造成的。

原文

Running a WMI query using C# .net

Any ideas on why this would not always return all the same events in the time range when the query is run multiple times and also not raise an exception when doing so?

ConnectionOptions opts = new ConnectionOptions();

if (EncryptConnections)
{
    opts.Authentication = AuthenticationLevel.PacketPrivacy;
}

opts.Username = eventSource.user;
opts.SecurePassword = eventSource.password;
opts.Impersonation = ImpersonationLevel.Impersonate;

string location = string.Format("\\\\{0}\\root\\cimv2", eventSource.machine);
ManagementScope scope = new ManagementScope(location, opts);
scope.Connect();

EnumerationOptions enumOptions = new EnumerationOptions();
enumOptions.DirectRead = false;
enumOptions.EnumerateDeep = false;
enumOptions.ReturnImmediately = true;
enumOptions.Rewindable = false; 
enumOptions.Timeout = TimeSpan.MaxValue;
enumOptions.BlockSize = 10;

WqlObjectQuery query = new WqlObjectQuery("Select * from Win32_NTLogEvent Where Logfile = 'Security' AND TimeWritten >= '20110614025212.000000+000' AND TimeWritten <= '20110614030712.000000+000'");

ManagementObjectSearcher searcher = new ManagementObjectSearcher(scope, query, enumOptions);

foreach (ManagementBaseObject mbo in searcher.Get() ) {
   // do Stuff
}

In actual code the query would change each time to get a different time range, but the incomplete results are shown without that.

Each time you run this the ManagementObjectCollection returned from searcher.Get() enumerates the list succesfully - no exceptions raised, however the collection is not always the same.

The collection may be ordered differently each time, this is expected.
The collection doesn't always contain the same count of events for the same time range, this is unexepected.

The collection appears to fail in getting complete WMI results once every couple of hundred queries. It does so silently, no exception or error messages that I've found yet.

We identified that the 'logic' operators <= and < against time don't behave as expected either for some log files types (notable at least was Security) so we already have to deal with overlapping end time points using inclusive <= at each end.

The issue of lost results above is not due to the logic operator failing to include times that are ==.

分享到QQ

分享到微博