PowerShell Logo Small

Register-WmiEvent



This is the built-in help made by Microsoft for the command 'Register-WmiEvent', in PowerShell version 3 - as retrieved from Windows version 'Microsoft Windows Server 2012 Standard' PowerShell help files on 2016-06-23.

For PowerShell version 3 and up, where you have Update-Help, this command was run just before creating the web pages from the help files.

SYNOPSIS

Subscribes to a Windows Management Instrumentation (WMI) event.

SYNTAX


Register-WmiEvent [-Class] <String> [[-SourceIdentifier] <String>] [[-Action] <ScriptBlock>] [-ComputerName <String>] [-Credential
<PSCredential>] [-Forward] [-MaxTriggerCount <Int32>] [-MessageData <PSObject>] [-Namespace <String>] [-SupportEvent] [-Timeout <Int64>]
[<CommonParameters>]
Register-WmiEvent [-Query] <String> [[-SourceIdentifier] <String>] [[-Action] <ScriptBlock>] [-ComputerName <String>] [-Credential
<PSCredential>] [-Forward] [-MaxTriggerCount <Int32>] [-MessageData <PSObject>] [-Namespace <String>] [-SupportEvent] [-Timeout <Int64>]
[<CommonParameters>]



Search powershellhelp.space

DESCRIPTION


The Register-WmiEvent cmdlet subscribes to WMI events on the local computer or on a remote computer.


When the subscribed WMI event is raised, it is added to the event queue in your local session even if the event occurs on a remote computer.
To get events in the event queue, use the Get-Event cmdlet.


You can use the parameters of Register-WmiEvent to subscribe to events on remote computers and to specify the property values of the events
that can help you to identify the event in the queue. You can also use the Action parameter to specify actions to take when a subscribed event
is raised.


When you subscribe to an event, an event subscriber is added to your session. To get the event subscribers in the session, use the
Get-EventSubscriber cmdlet. To cancel the subscription, use the Unregister-Event cmdlet, which deletes the event subscriber from the session.


New CIM cmdlets, introduced Windows PowerShell 3.0, perform the same tasks as the WMI cmdlets. The CIM cmdlets comply with WS-Management
(WSMan) standards and with the Common Information Model (CIM) standard, which enables the cmdlets to use the same techniques to manage Windows
computers and those running other operating systems. Instead of using Register-WmiEvent, consider using the Register-CimIndicationEvent cmdlet.



<

RELATED LINKS

Online Version: http://go.microsoft.com/fwlink/?LinkID=135245
Get-Event
New-Event
Register-EngineEvent
Register-ObjectEvent
Remove-Event
Unregister-Event
Wait-Event

REMARKS

<

Examples


-------------------------- EXAMPLE 1 --------------------------

PS C:\>register-wmiEvent -class 'Win32_ProcessStartTrace' -sourceIdentifier "ProcessStarted"



This command subscribes to the events generated by the Win32_ProcessStartTrace class. This class raises an event whenever a process starts.








-------------------------- EXAMPLE 2 --------------------------

PS C:\>register-wmiEvent -query "select * from __instancecreationevent within 5 where targetinstance isa 'win32_process'" -sourceIdentifier
"WMIProcess" -messageData "Test 01" -timeout 500



This command uses a query to subscribe to Win32_process instance creation events.








-------------------------- EXAMPLE 3 --------------------------

PS C:\>$action = { get-history | where { $_.commandline -like "*start-process*" } | export-cliXml "commandHistory.clixml" }
PS C:\>register-wmiEvent -class 'Win32_ProcessStartTrace' -sourceIdentifier "ProcessStarted" -action $action
Id Name State HasMoreData Location Command
-- ---- ----- ----------- -------- -------
1 ProcessStarted NotStarted False get-history | where {...



This example shows how to use an action to respond to an event. In this case, when a process starts, any Start-Process commands in the current
session are written to an XML file.

When you use the Action parameter, Register-WmiEvent returns a background job that represents the event action. You can use the Job cmdlets,
such as Get-Job and Receive-Job, to manage the event job.

For more information, see about_Jobs.








-------------------------- EXAMPLE 4 --------------------------

PS C:\>register-wmiEvent -class 'Win32_ProcessStartTrace' -sourceIdentifier "Start" -computername Server01
PS C:\>get-event -sourceIdentifier "Start"



This example registers for events on the Server01 remote computer.

WMI returns the events to the local computer and stores them in the event queue in the current session. To retrieve the events, run a local
Get-Event command.