Trouble with WMI Filtering with PowerShell and CIM Cmdlets

  • Question

  • I am trying to get a permanent event handler to work – so far I fail.

    I have two basic scripts – one that sets the handler and another one that is meant to run when the event occurs.

    Here is the core of the event handler:

    Powershell
    # Group to monitor
    $Group = 'UG-GAdmin'

    #region Create the Event Filter
    Write-Verbose -Message "*** Creating the Filter to Monitor Group $Group"
    $Q = "Select * FROM __InstanceModificationEvent `
    WITHIN 5 `
    WHERE TargetInstance ISA 'ds_group' AND TargetInstance.ds_name = '$Group'"
    # Set parameters for the call to New-CimInstance
    $param = @{
        QueryLanguage  = 'WQL'
        Query          = $Q
        Name           = "EventFilter1"
        EventNameSpace = "root/directory/LDAP"
    }
    # Now create the event filter instance
    $InstanceFilter = New-CimInstance -ClassName __EventFilter -Namespace root/subscription -Property $param -Verbose
    #endregion

    #region Create the Permanent Event Consumer details
    $param = @{
        Name                = "EventConsumer1"
        CommandLineTemplate = "PowerShell.exe -File C:\test.ps1 -Group $group"
    }
    $InstanceConsumer = New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $param -Verbose
    #endregion

    #region Create a binding between the filter and the consumer
    $param = @{
        Filter   = [ref]$InstanceFilter
        Consumer = [ref]$InstanceConsumer
    }
    $InstanceBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $param -Verbose
    #endregion

    The monitor.ps1 looks like this:

    Powershell
    PARAM([string]$Group)

    # Add header, details and trailer to the file
    Add-Content -Path C:\foo\cim\wmi.log -Value '**********'
    Add-Content -Path C:\foo\cim\wmi.log -Value "$(Get-Date) monitor.ps1 detected change in group: [$Group]"
    Add-Content -Path C:\foo\cim\wmi.log -Value '**********'

    If I then add a user to the group I get no updated wmi.log file.

    Clues?


    Thomas Lee <DoctorDNS@Gmail.Com>

    Thursday, October 29, 2015 6:39 PM
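Added example, not code from the question or from anyone in this thread: a script to confirm that the three objects the posted script creates (filter, consumer, binding) really exist in root/subscription, to list every permanent subscription on the host, and to remove the one from the question by name. The names EventFilter1 and EventConsumer1 are the ones the question uses; everything else (function names, the Get-CimInstance -InputObject lookup of the reference properties) is this example's own choice. Whether the LDAP provider ever delivers the event is what the rest of the thread argues about; this script only shows whether the subscription is registered and what it would run.

```powershell
# Added example (not from the original thread). Verifies, inventories and
# removes permanent WMI event subscriptions. Names below are the question's;
# root/subscription is where permanent subscriptions live.

$Namespace    = 'root/subscription'
$FilterName   = 'EventFilter1'
$ConsumerName = 'EventConsumer1'

function Get-WmiSubscriptionReport {
    # Walk every filter-to-consumer binding and resolve the two objects it joins.
    # Filter and Consumer are reference properties; Get-CimInstance -InputObject
    # fetches the full instance behind each reference (assumed approach).
    Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding |
        ForEach-Object {
            $filter   = Get-CimInstance -InputObject $_.Filter
            $consumer = Get-CimInstance -InputObject $_.Consumer
            [pscustomobject]@{
                Filter         = $filter.Name
                EventNamespace = $filter.EventNamespace
                Query          = $filter.Query
                ConsumerClass  = $consumer.CimClass.CimClassName
                Consumer       = $consumer.Name
                # Only CommandLineEventConsumer has this property; others show $null
                CommandLine    = $consumer.CommandLineTemplate
            }
        }
}

function Test-WmiSubscriptionPresent {
    param([string]$Filter, [string]$Consumer)
    # $true only when a binding ties the named filter to the named consumer
    $hit = Get-WmiSubscriptionReport |
        Where-Object { $_.Filter -eq $Filter -and $_.Consumer -eq $Consumer }
    [bool]$hit
}

function Remove-WmiSubscription {
    param([string]$Filter, [string]$Consumer)
    # Binding first: deleting it is what actually stops the consumer from firing.
    Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding |
        Where-Object { $_.Filter.Name -eq $Filter -and $_.Consumer.Name -eq $Consumer } |
        Remove-CimInstance -Verbose
    Get-CimInstance -Namespace $Namespace -ClassName __EventFilter -Filter "Name='$Filter'" |
        Remove-CimInstance -Verbose
    Get-CimInstance -Namespace $Namespace -ClassName CommandLineEventConsumer -Filter "Name='$Consumer'" |
        Remove-CimInstance -Verbose
}

# 1. Did the posted script register all three pieces?
if (Test-WmiSubscriptionPresent -Filter $FilterName -Consumer $ConsumerName) {
    "Subscription $FilterName -> $ConsumerName is registered"
} else {
    "No binding found for $FilterName -> $ConsumerName; check the New-CimInstance output for errors"
}

# 2. Full inventory. Permanent subscriptions survive reboots and run as SYSTEM,
#    so any CommandLineEventConsumer or ActiveScriptEventConsumer listed here
#    that your team did not create deserves a closer look.
Get-WmiSubscriptionReport | Format-List

# 3. Clean up after testing (uncomment):
# Remove-WmiSubscription -Filter $FilterName -Consumer $ConsumerName
```

Run it elevated on the same machine where the question's script was run. The inventory step doubles as a routine check: the filter/consumer/binding triplet in root/subscription is exactly what a defender reviews when looking for unexpected permanent subscriptions, and the report shows the query and command line for each one without having to open three classes by hand.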

All replies

  • Be sure AD auditing is enabled.

    #1 Find the event in the log. Right-click, select "Create a task", and assign your script.
    #2 Alternately, define the task in Task Scheduler.
    #3 Dump the event XML and import it into all target systems.


    \_(ツ)_/


    • Edited by jrv Thursday, October 29, 2015 6:54 PM
    Thursday, October 29, 2015 6:52 PM
  • You should set up a manual event monitor in PS to see if the events are actually being sent. I suspect they are not.


    \_(ツ)_/

    Thursday, October 29, 2015 6:55 PM
  • Not sure Auditing has anything to do with WMI Eventing.

    Re #1 - The script does not write to the event log; it's a permanent WMI handler, a command line event handler.

    Re #2 - I am trying to get WMI to work, so Task Scheduler is not relevant.

    Re #3 - I am trying to detect when a group is being changed from the DC. Also, there is no XML involved with WMI eventing.


    Thomas Lee <DoctorDNS@Gmail.Com>

    Thursday, October 29, 2015 8:42 PM
  • What changes to the PowerShell script(s) I posted would ensure the events are being triggered?

    Thomas Lee <DoctorDNS@Gmail.Com>

    Thursday, October 29, 2015 8:43 PM
  • Without auditing I do not see how WMI will trap. Did you verify that there is an event provider for LDAP and that it also works with ADSI? AD uses ADSI. I believe the LDAP provider is just a protocol monitor.

    Auditing causes events to be posted to the event log, which leaves a permanent record of changes. The events can trigger a task. It is the modern way to detect and alert on AD changes.


    \_(ツ)_/

    Thursday, October 29, 2015 9:07 PM
  • I think I see your problem. The reference class is not in the referenced namespace. The filter namespace has to be set to the namespace of the monitored instances, which is 'root/directory/ldap'.

    The other two bindings reference the subscription namespace.


    \_(ツ)_/

    Thursday, October 29, 2015 9:24 PM
  • The namespace is being set in the hash table.

    Thomas Lee <DoctorDNS@Gmail.Com>

    Thursday, October 29, 2015 9:28 PM
  • Sorry - looked again and found you were set to the correct namespace.


    \_(ツ)_/

    Thursday, October 29, 2015 9:32 PM
  • Suggestion.  Look in WMI logs to see if there is an error in execution.  The logs are in SYSTEM32\WBEM.

    \_(ツ)_/

    Thursday, October 29, 2015 9:33 PM
  • The c:\windows\system32\wbem folder is empty, and no logs in the parent folder either.

    Thomas Lee <DoctorDNS@Gmail.Com>

    Thursday, October 29, 2015 9:39 PM
  • I just ran a temporary event and got no events. The event is set correctly.

    # Temporary (in-process) subscription in the same namespace as the question's filter
    $scope = New-Object System.Management.ManagementScope("\\.\root\directory\ldap")
    # Poll every second for modifications to ds_group instances
    $query = New-Object System.Management.WQLEventQuery(
        '__InstanceModificationEvent',
        [timespan]'0:0:0:1',
        "TargetInstance ISA 'ds_group'"
    )
    $watcher = New-Object System.Management.ManagementEventWatcher($scope, $query)
    while (1) {
        $b = $watcher.WaitForNextEvent()
        # ds_group exposes DS_name, not Name (same property the question's WQL filters on)
        $b.TargetInstance.DS_name
    }
    
    This is how I have always tested for events.  It is from the MS documentation here:  https://technet.microsoft.com/en-us/library/ff730927.aspx

    \_(ツ)_/

    Thursday, October 29, 2015 9:47 PM
  • You seem to be saying that Windows does not support the desired WMI filter properly. 

    Thomas Lee <DoctorDNS@Gmail.Com>

    Friday, October 30, 2015 4:15 PM
  • I am saying that the LDAP provider does not support eventing. There is another namespace called "MicrosoftDirectoryServices" that supports eventing but it is sealed.

    AD supports auditing and writes audit records to the event log. We use event log tasks to event on the audit records. It is more efficient and easier to implement. It is also more secure.


    \_(ツ)_/

    Friday, October 30, 2015 4:22 PM
  • This post: http://www.dexterposh.com/2014/01/powershell-monitor-ad-group-membership.html suggests otherwise.

    As to your second comment - we do not want an auditing solution - we want a WMI eventing solution - one that can be easily added and removed via script. 


    Thomas Lee <DoctorDNS@Gmail.Com>

    Friday, October 30, 2015 4:34 PM
  • Tasks can easily be added and removed by script.

    \_(ツ)_/

    Friday, October 30, 2015 4:37 PM
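Added example, not code from anyone in this thread: the alternative jrv describes, carried through in script so it can be compared with the WMI version in the question. AD auditing writes the group change to the Security log, an event-triggered scheduled task runs the question's monitor.ps1 when that record appears, and one cmdlet removes the task again. Assumptions: the "Audit Security Group Management" subcategory is enabled on the DC (jrv's "be sure AD auditing is enabled"); the task name and script path are placeholders; the event IDs 4728/4732/4756 ("A member was added to a security-enabled global/local/universal group") are not named in the thread and are supplied here, as is the TargetUserName field that carries the group name in those records.

```powershell
# Added example (not from the original thread). Event-log-triggered scheduled
# task as the counterpart of the question's WMI subscription.

$TaskName   = 'Monitor-GroupChange'       # placeholder
$ScriptPath = 'C:\foo\cim\monitor.ps1'    # placeholder for the question's monitor.ps1
$Group      = 'UG-GAdmin'

function New-GroupChangeSubscriptionXml {
    param([string]$GroupName)
    # Security audit records for "A member was added to a security-enabled
    # global (4728) / local (4732) / universal (4756) group" (assumed IDs).
    # TargetUserName in these records is the group that changed, so this
    # mirrors the WQL clause TargetInstance.ds_name = '$Group' in the question.
    $ids = (4728, 4732, 4756 | ForEach-Object { "EventID=$_" }) -join ' or '
@"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[($ids)]] and *[EventData[Data[@Name='TargetUserName']='$GroupName']]
    </Select>
  </Query>
</QueryList>
"@
}

function Test-GroupChangeAudited {
    # Same query against the existing log. Nothing back after a test membership
    # change means the audit subcategory is off and the task would never fire.
    $xml = [xml](New-GroupChangeSubscriptionXml -GroupName $Group)
    Get-WinEvent -FilterXml $xml -MaxEvents 5 -ErrorAction SilentlyContinue
}

function Register-GroupChangeTask {
    # New-ScheduledTaskTrigger has no event trigger, so build MSFT_TaskEventTrigger
    # through CIM (the same class the Task Scheduler UI writes).
    $class   = Get-CimClass -Namespace Root/Microsoft/Windows/TaskScheduler -ClassName MSFT_TaskEventTrigger
    $trigger = New-CimInstance -CimClass $class -ClientOnly
    $trigger.Enabled      = $true
    $trigger.Subscription = New-GroupChangeSubscriptionXml -GroupName $Group

    $action = New-ScheduledTaskAction -Execute 'PowerShell.exe' `
        -Argument "-NoProfile -File `"$ScriptPath`" -Group $Group"
    # SYSTEM can read the Security log and write the log file the script appends to
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

    Register-ScheduledTask -TaskName $TaskName -Trigger $trigger -Action $action -Principal $principal
}

function Unregister-GroupChangeTask {
    # Removal is a single call, which is the "easily added and removed by script" point
    Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
}

# Check the prerequisite first, then register and show the task state
if (-not (Test-GroupChangeAudited)) {
    'No matching audit records yet: enable Audit Security Group Management, then add a test member'
}
Register-GroupChangeTask | Out-Null
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State
# Unregister-GroupChangeTask
```

Run it elevated on the domain controller that records the change. The task's filter XML is the same shape Task Scheduler produces when a task is created from the Event Viewer's "Attach Task To This Event", so the task shows up in the ordinary scheduled-task inventory rather than in root/subscription, which is the operational difference between the two approaches.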