PowerShell Logo Small


This is the built-in help made by Microsoft for the command 'Register-WmiEvent', in PowerShell version 5 - as retrieved from Windows version 'Microsoft Windows Server 2012 R2 Standard' PowerShell help files on 2016-06-23.

For PowerShell version 3 and up, where you have Update-Help, this command was run just before creating the web pages from the help files.


Subscribes to a Windows Management Instrumentation (WMI) event.


Register-WmiEvent [-Class] <String> [[-SourceIdentifier] [<String>]] [[-Action] [<ScriptBlock>]] [-ComputerName [<String>]] [-Credential [<PSCredential>]] [-Forward]
[-InformationAction {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend}] [-InformationVariable [<System.String>]] [-MaxTriggerCount [<System.Int32>]]
[-MessageData [<PSObject>]] [-Namespace [<String>]] [-SupportEvent] [-Timeout [<Int64>]] [<CommonParameters>]
Register-WmiEvent [-Query] <String> [[-SourceIdentifier] [<String>]] [[-Action] [<ScriptBlock>]] [-ComputerName [<String>]] [-Credential [<PSCredential>]] [-Forward]
[-InformationAction {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend}] [-InformationVariable [<System.String>]] [-MaxTriggerCount [<System.Int32>]]
[-MessageData [<PSObject>]] [-Namespace [<String>]] [-SupportEvent] [-Timeout [<Int64>]] [<CommonParameters>]

Search powershellhelp.space


The Register-WmiEvent cmdlet subscribes to WMI events on the local computer or on a remote computer.

When the subscribed WMI event is raised, it is added to the event queue in your local session even if the event occurs on a remote computer. To get events in the event
queue, use the Get-Event cmdlet.

You can use the parameters of Register-WmiEvent to subscribe to events on remote computers and to specify the property values of the events that can help you to identify the
event in the queue. You can also use the Action parameter to specify actions to take when a subscribed event is raised.

When you subscribe to an event, an event subscriber is added to your session. To get the event subscribers in the session, use the Get-EventSubscriber cmdlet. To cancel the
subscription, use the Unregister-Event cmdlet, which deletes the event subscriber from the session.

New CIM cmdlets, introduced Windows PowerShell 3.0, perform the same tasks as the WMI cmdlets. The CIM cmdlets comply with WS-Management (WSMan) standards and with the
Common Information Model (CIM) standard, which enables the cmdlets to use the same techniques to manage Windows computers and those running other operating systems. Instead
of using Register-WmiEvent, consider using the Register-CimIndicationEvent cmdlet.



Online Version: http://go.microsoft.com/fwlink/p/?linkid=293893




-------------------------- EXAMPLE 1 --------------------------

PS C:\>register-wmiEvent -class 'Win32_ProcessStartTrace' -sourceIdentifier "ProcessStarted"

This command subscribes to the events generated by the Win32_ProcessStartTrace class. This class raises an event whenever a process starts.

-------------------------- EXAMPLE 2 --------------------------

PS C:\>register-wmiEvent -query "select * from __instancecreationevent within 5 where targetinstance isa 'win32_process'" -sourceIdentifier "WMIProcess" -messageData "Test
01" -timeout 500

This command uses a query to subscribe to Win32_process instance creation events.

-------------------------- EXAMPLE 3 --------------------------

PS C:\>$action = { get-history | where { $_.commandline -like "*start-process*" } | export-cliXml "commandHistory.clixml" }
PS C:\>register-wmiEvent -class 'Win32_ProcessStartTrace' -sourceIdentifier "ProcessStarted" -action $action

Id Name State HasMoreData Location Command
-- ---- ----- ----------- -------- -------
1 ProcessStarted NotStarted False get-history | where {...

This example shows how to use an action to respond to an event. In this case, when a process starts, any Start-Process commands in the current session are written to an XML

When you use the Action parameter, Register-WmiEvent returns a background job that represents the event action. You can use the Job cmdlets, such as Get-Job and Receive-Job,
to manage the event job.

For more information, see about_Jobs.

-------------------------- EXAMPLE 4 --------------------------

PS C:\>register-wmiEvent -class 'Win32_ProcessStartTrace' -sourceIdentifier "Start" -computername Server01
PS C:\>get-event -sourceIdentifier "Start"

This example registers for events on the Server01 remote computer.

WMI returns the events to the local computer and stores them in the event queue in the current session. To retrieve the events, run a local Get-Event command.