Appendix I. Selected Events and Their Uses

PowerShell’s eventing commands give you access to events from the .NET Framework, as well as events surfaced by Windows Management Instrumentation (WMI). Table I-1 lists a selection of .NET events. Table I-2 lists a selection of WMI events.

Table I-1. Selected .NET events

Type

Event

Description

System.AppDomain

AssemblyLoad

Occurs when an assembly is loaded.

System.AppDomain

TypeResolve

Occurs when the resolution of a type fails.

System.AppDomain

ResourceResolve

Occurs when the resolution of a resource fails because the resource is not a valid linked or embedded resource in the assembly.

System.AppDomain

AssemblyResolve

Occurs when the resolution of an assembly fails.

System.AppDomain

ReflectionOnlyAssemblyResolve

Occurs when the resolution of an assembly fails in the reflection-only context.

System.AppDomain

UnhandledException

Occurs when an exception is not caught.

System.Console

CancelKeyPress

Occurs when the Control modifier key (CTRL) and C console key (C) are pressed simultaneously (CTRL-C).

Microsoft.Win32.SystemEvents

DisplaySettingsChanging

Occurs when the display settings are changing.

Microsoft.Win32.SystemEvents

DisplaySettingsChanged

Occurs when the user changes the display settings.

Microsoft.Win32.SystemEvents

InstalledFontsChanged

Occurs when the user adds fonts to or removes fonts from the system.

Microsoft.Win32.SystemEvents

LowMemory

Occurs when the system is running out of available RAM.

Microsoft.Win32.SystemEvents

PaletteChanged

Occurs when the user switches to an application that uses a different palette.

Microsoft.Win32.SystemEvents

PowerModeChanged

Occurs when the user suspends or resumes the system.

Microsoft.Win32.SystemEvents

SessionEnded

Occurs when the user is logging off or shutting down the system.

Microsoft.Win32.SystemEvents

SessionEnding

Occurs when the user is trying to log off or shut down the system.

Microsoft.Win32.SystemEvents

SessionSwitch

Occurs when the currently logged-in user has changed.

Microsoft.Win32.SystemEvents

TimeChanged

Occurs when the user changes the time on the system clock.

Microsoft.Win32.SystemEvents

UserPreferenceChanged

Occurs when a user preference has changed.

Microsoft.Win32.SystemEvents

UserPreferenceChanging

Occurs when a user preference is changing.

System.Net.WebClient

OpenReadCompleted

Occurs when an asynchronous operation to open a stream containing a resource completes.

System.Net.WebClient

OpenWriteCompleted

Occurs when an asynchronous operation to open a stream to write data to a resource completes.

System.Net.WebClient

DownloadStringCompleted

Occurs when an asynchronous resource-download operation completes.

System.Net.WebClient

DownloadDataCompleted

Occurs when an asynchronous data download operation completes.

System.Net.WebClient

DownloadFileCompleted

Occurs when an asynchronous file download operation completes.

System.Net.WebClient

UploadStringCompleted

Occurs when an asynchronous string-upload operation completes.

System.Net.WebClient

UploadDataCompleted

Occurs when an asynchronous data-upload operation completes.

System.Net.WebClient

UploadFileCompleted

Occurs when an asynchronous file-upload operation completes.

System.Net.WebClient

UploadValuesCompleted

Occurs when an asynchronous upload of a name/value collection completes.

System.Net.WebClient

DownloadProgressChanged

Occurs when an asynchronous download operation successfully transfers some or all of the data.

System.Net.WebClient

UploadProgressChanged

Occurs when an asynchronous upload operation successfully transfers some or all of the data.

System.Net.Sockets.SocketAsyncEventArgs

Completed

The event used to complete an asynchronous operation.

System.Net.NetworkInformation.NetworkChange

NetworkAvailabilityChanged

Occurs when the availability of the network changes.

System.Net.NetworkInformation.NetworkChange

NetworkAddressChanged

Occurs when the IP address of a network interface changes.

System.IO.FileSystemWatcher

Changed

Occurs when a file or directory in the specified path is changed.

System.IO.FileSystemWatcher

Created

Occurs when a file or directory in the specified path is created.

System.IO.FileSystemWatcher

Deleted

Occurs when a file or directory in the specified path is deleted.

System.IO.FileSystemWatcher

Renamed

Occurs when a file or directory in the specified path is renamed.

System.Timers.Timer

Elapsed

Occurs when the interval elapses.

System.Diagnostics.EventLog

EntryWritten

Occurs when an entry is written to an event log on the local computer.

System.Diagnostics.Process

OutputDataReceived

Occurs when an application writes to its redirected StandardOutput stream.

System.Diagnostics.Process

ErrorDataReceived

Occurs when an application writes to its redirected StandardError stream.

System.Diagnostics.Process

Exited

Occurs when a process exits.

System.IO.Ports.SerialPort

ErrorReceived

Represents the method that handles the error event of a SerialPort object.

System.IO.Ports.SerialPort

PinChanged

Represents the method that will handle the serial pin changed event of a SerialPort object.

System.IO.Ports.SerialPort

DataReceived

Represents the method that will handle the data received event of a SerialPort object.

System.Management.Automation.Job

StateChanged

Event fired when the status of the job changes, such as when the job has completed in all runspaces or failed in any one runspace. This event is introduced in Windows PowerShell 2.0.

System.Management.Automation.Debugger

DebuggerStop

Event raised when Windows PowerShell stops execution of the script and enters the debugger as the result of encountering a breakpoint or executing a step command. This event is introduced in Windows PowerShell 2.0.

System.Management.Automation.Debugger

BreakpointUpdated

Event raised when the breakpoint is updated, such as when it is enabled or disabled. This event is introduced in Windows PowerShell 2.0.

System.Management.Automation.Runspaces.Runspace

StateChanged

Event that is raised when the state of the runspace changes.

System.Management.Automation.Runspaces.Runspace

AvailabilityChanged

Event that is raised when the availability of the runspace changes, such as when the runspace becomes available and when it is busy. This event is introduced in Windows PowerShell 2.0.

System.Management.Automation.Runspaces.Pipeline

StateChanged

Event raised when the state of the pipeline changes.

System.Management.Automation.PowerShell

InvocationStateChanged

Event raised when the state of the pipeline of the PowerShell object changes. This event is introduced in Windows PowerShell 2.0.

System.Management.Automation.PSDataCollection[T]

DataAdded

Event that is fired after data is added to the collection. This event is introduced in Windows PowerShell 2.0.

System.Management.Automation.PSDataCollection[T]

Completed

Event that is fired when the Complete method is called to indicate that no more data is to be added to the collection. This event is introduced in Windows PowerShell 2.0.

System.Management.Automation.Runspaces.RunspacePool

StateChanged

Event raised when the state of the runspace pool changes. This event is introduced in Windows PowerShell 2.0.

System.Management.Automation.Runspaces.PipelineReader[T]

DataReady

Event fired when data is added to the buffer.

System.Diagnostics.Eventing.Reader.EventLogWatcher

EventRecordWritten

Allows setting a delegate (event handler method) that gets called every time an event is published that matches the criteria specified in the event query for this object.

System.Data.Common.DbConnection

StateChange

Occurs when the state of the event changes.

System.Data.SqlClient.SqlBulkCopy

SqlRowsCopied

Occurs every time that the number of rows specified by the NotifyAfter property have been processed.

System.Data.SqlClient.SqlCommand

StatementCompleted

Occurs when the execution of a Transact-SQL statement completes.

System.Data.SqlClient.SqlConnection

InfoMessage

Occurs when SQL Server returns a warning or informational message.

System.Data.SqlClient.SqlConnection

StateChange

Occurs when the state of the event changes.

System.Data.SqlClient.SqlDataAdapter

RowUpdated

Occurs during Update after a command is executed against the data source. The attempt to update is made, so the event fires.

System.Data.SqlClient.SqlDataAdapter

RowUpdating

Occurs during Update before a command is executed against the data source. The attempt to update is made, so the event fires.

System.Data.SqlClient.SqlDataAdapter

FillError

Returned when an error occurs during a fill operation.

System.Data.SqlClient.SqlDependency

OnChange

Occurs when a notification is received for any of the commands associated with this SqlDependency object.

Table I-2. Selected WMI Events

Event

Description

__InstanceCreationEvent

This event class generically represents the creation of instances in WMI providers, such as Processes, Services, Files, and more.

A registration for this generic event looks like:

$query = "SELECT * FROM __InstanceCreationEvent " +
            "WITHIN 5 " +
            "WHERE targetinstance isa 'Win32_UserAccount'
Register-WmiEvent -Query $query

__InstanceDeletionEvent

This event class generically represents the removal of instances in WMI providers, such as Processes, Services, Files, and more.

A registration for this generic event looks like:

$query = "SELECT * FROM __InstanceDeletionEvent " +
            "WITHIN 5 " +
            "WHERE targetinstance isa 'Win32_UserAccount'
Register-WmiEvent -Query $query

__InstanceModificationEvent

This event class generically represents the modification of instances in WMI providers, such as Processes, Services, Files, and more.

A registration for this generic event looks like:

$query = "SELECT * FROM __InstanceModificationEvent " +
            "WITHIN 5 " +
            "WHERE targetinstance isa 'Win32_UserAccount'
Register-WmiEvent -Query $query

Msft_WmiProvider_OperationEvent

The Msft_WmiProvider_OperationEvent event class is the root definition of all WMI provider events. A provider operation is defined as some execution on behalf of a client via WMI that results in one or more calls to a provider executable. The properties of this class define the identity of the provider associated with the operation being executed and is uniquely associated with instances of the class Msft_Providers. Internally, WMI can contain any number of objects that refer to a particular instance of __Win32Provider since it differentiates each object based on whether the provider supports per user or per locale instantiation and also depending on where the provider is being hosted. Currently TransactionIdentifier is always an empty string.

Win32_ComputerSystemEvent

This event class represents events related to a computer system.

Win32_ComputerShutdownEvent

This event class represents events when a computer has begun the process of shutting down.

Win32_IP4RouteTableEvent

The Win32_IP4RouteTableEvent class represents IP route change events resulting from the addition, removal, or modification of IP routes on the computer system.

RegistryEvent

The registry event classes allow you to subscribe to events that involve changes in hive subtrees, keys, and specific values.

RegistryKeyChangeEvent

The RegistryKeyChangeEvent class represents changes to a specific key. The changes apply only to the key, not its subkeys.

RegistryTreeChangeEvent

The RegistryTreeChangeEvent class represents changes to a key and its subkeys.

RegistryValueChangeEvent

The RegistryValueChangeEvent class represents changes to a single value of a specific key.

Win32_SystemTrace

The SystemTrace class is the base class for all system trace events. System trace events are fired by the kernel logger via the event tracing API.

Win32_ProcessTrace

This event is the base event for process events.

Win32_ProcessStartTrace

The ProcessStartTrace event class indicates a new process has started.

Win32_ProcessStopTrace

The ProcessStopTrace event class indicates a process has terminated.

Win32_ModuleTrace

The ModuleTrace event class is the base event for module events.

Win32_ModuleLoadTrace

The ModuleLoadTrace event class indicates a process has loaded a new module.

Win32_ThreadTrace

The ThreadTrace event class is the base event for thread events.

Win32_ThreadStartTrace

The ThreadStartTrace event class indicates a new thread has started.

Win32_ThreadStopTrace

The ThreadStopTrace event class indicates a thread has terminated.

Win32_PowerManagementEvent

The Win32_PowerManagementEvent class represents power management events resulting from power state changes. These state changes are associated with either the Advanced Power Management (APM) or the Advanced Configuration and Power Interface (ACPI) system management protocols.

Win32_DeviceChangeEvent

The Win32_DeviceChangeEvent class represents device change events resulting from the addition, removal, or modification of devices on the computer system. This includes changes in the hardware configuration (docking and undocking), the hardware state, or newly mapped devices (mapping of a network drive). For example, a device has changed when a WM_DEVICECHANGE message is sent.

Win32_SystemConfigurationChangeEvent

The Win32_SystemConfigurationChangeEvent is an event class that indicates the device list on the system has been refreshed, meaning a device has been added or removed or the configuration changed. This event is fired when the Windows message ‘DevMgrRefreshOn<ComputerName>' is sent. The exact change to the device list is not contained in the message, and therefore a device refresh is required in order to obtain the current system settings. Examples of configuration changes affected are IRQ settings, COM ports, and BIOS version, to name a few.

Win32_VolumeChangeEvent

The Win32_VolumeChangeEvent class represents a local drive event resulting from the addition of a drive letter or mounted drive on the computer system (e.g., CD-ROM). Network drives are not currently supported.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.188.98.148