
Would you please review the WMI-QL, or share the correct MSDN section or WMI man page to look at, for the following WMI Event class QL definitions?

Setup: a Win7 laptop with WMI enabled and working for many WMI-QL queries for system info.

| WMI | EVENT-ID | COMMAND | EXPECTED RESPONSE |
|-----|----------|---------|-------------------|
| N/A | 4778 | SESSION_RECONNECTED | ?? |
| N/A | 4779 | SESSION_DISCONNECTED | ?? |
| N/A | 4800 | WORKSTATION_LOCKED | ?? |
| *   | 4801 | WORKSTATION_UNLOCKED | ?? |
| N/A | 4802 | SCREENSAVER_INVOKED | ?? |
| N/A | 4803 | SCREENSAVER_DISMISSED | ?? |

==

I have already explored the WMI Reference, but I am unable to zero in on the correct class category.

==

I am still not getting any response from the WMIC command for the following commands, while the remaining commands give a positive response.

The following seven WMI-QL commands give an empty response, each of them returning immediately:

```
1. $ wmic -U Domain/username%password //nt-ip-addr "select * from Win32_NTLogEvent where EventCode = '4778'"
   $

2. $ wmic -U Domain/username%password //nt-ip-addr "select * from Win32_NTLogEvent where EventCode = '4779'"
   $

3. $ wmic -U Domain/username%password //nt-ip-addr "select * from Win32_NTLogEvent where EventCode = '4780'"
   $

4. $ wmic -U Domain/username%password //nt-ip-addr "select * from Win32_NTLogEvent where EventCode = '4800'"
   $

5. $ wmic -U Domain/username%password //nt-ip-addr "select * from Win32_NTLogEvent where EventCode = '4801'"
   $

6. $ wmic -U Domain/username%password //nt-ip-addr "select * from Win32_NTLogEvent where EventCode = '4802'"
   $

7. $ wmic -U Domain/username%password //nt-ip-addr "select * from Win32_NTLogEvent where EventCode = '4803'"
   $
```

The question comes down to this: do we need to explicitly subscribe/register to some WMI Event class only for these seven events, or are other configuration settings missing for these events? Any tips/hints would be highly appreciated.

==

Thanks in advance.

sam

1 Answer

Please refer to the MSDN link: [Win32_NTLogEvent class](http://msdn.microsoft.com/en-us/library/aa394226(v=vs.85).aspx#properties).

For example, to get the "512 / 4608 STARTUP" query, you may run the WMIC command: `select * from Win32_StartupCommand`

```
CLASS: Win32_StartupCommand

Caption|Command|Description|Location|Name|SettingID|User|UserSID

Sidebar|%ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun|Sidebar|HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Sidebar|(null)|NT AUTHORITY\LOCAL SERVICE|S-1-5-19

...
```

Similarly, to get the event code 4800, you may also run the exact WMIC command:

```
wmic -U Domain/username%password //nt-ip-addr "select * from Win32_NTLogEvent where EventCode = '4800'"
```

WMI/WMIC experts out there, please review/correct if anything needs to be modified.

mav_2k
  • Hey Mav, are you absolutely sure this EventCode 4800 directly maps to the WORKSTATION_LOCKED event under the Win32_NTLogEvent class? While testing I was unable to get any response from the wmic command line for events 4778 to 4803 as above, using the WMI-QL provided above. Not confirmed whether the WMI-QL query was incorrect or the response does not exist!! – sam Apr 11 '14 at 14:52
  • `Win32_StartupCommand` represents a command run at Windows startup (e.g. application autorun), not the Windows startup event itself. You need to query `Win32_NTLogEvent where EventCode = '4608'` instead. – Helen Apr 14 '14 at 07:20
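The two things the question and the answer are circling, checked from the Windows side, as an added example that is not code from the original post or its authors. It uses PowerShell (2.0, as shipped with Windows 7) instead of the Linux `wmic` client shown in the question, but the WQL is the same. The host name `nt-ip-addr` and the account `Domain\username` are the placeholders from the question; the function names, `$Computer`, `$Credential` and `$EventIds` are chosen here. One fact worth knowing before blaming the query: 4778, 4779 and 4800 to 4803 are all written by the "Other Logon/Logoff Events" audit subcategory, which is not enabled by default, so a Security log on a machine that never had it turned on contains no such records and every query for them returns nothing, exactly as described above. The last part shows what "subscribing" means in WMI terms: a temporary consumer for `__InstanceCreationEvent` on `Win32_NTLogEvent`, which needs no polling loop of your own.

```powershell
# Added example, not from the original post. Assumes an account allowed to read the
# remote Security log (needs SeSecurityPrivilege) and remote WMI/DCOM access.
# 'nt-ip-addr' and 'Domain\username' are the placeholders used in the question.

$Computer   = 'nt-ip-addr'
$Credential = Get-Credential -Credential 'Domain\username'   # prompts; never hard-code passwords
$EventIds   = 4778, 4779, 4800, 4801, 4802, 4803             # the IDs from the question

# --- 1. Is the Security log even recording these IDs? --------------------------
# All six IDs belong to the "Other Logon/Logoff Events" audit subcategory. If the
# target reports "No Auditing" for it, the log holds no such records and every WQL
# query below is empty, which looks exactly like a wrong query. Run on the target:
#   auditpol /get /subcategory:"Other Logon/Logoff Events"

# --- 2. One-off query of records that already exist -----------------------------
function Get-LockUnlockEvents {
    param([string]$ComputerName, [System.Management.Automation.PSCredential]$Cred, [int[]]$Ids)

    # EventCode is a uint16 on Win32_NTLogEvent, so compare with numbers, and pin
    # Logfile so WMI does not walk every event log on the machine.
    $idClause = ($Ids | ForEach-Object { "EventCode = $_" }) -join ' OR '
    $filter   = "Logfile = 'Security' AND ($idClause)"

    Get-WmiObject -Class Win32_NTLogEvent -Filter $filter `
                  -ComputerName $ComputerName -Credential $Cred -EnableAllPrivileges |
        Select-Object @{n='Time';    e={ $_.ConvertToDateTime($_.TimeGenerated) }},
                      EventCode,
                      @{n='Summary'; e={ ($_.Message -split "`n")[0].Trim() }} |
        Sort-Object Time -Descending
}

Get-LockUnlockEvents -ComputerName $Computer -Cred $Credential -Ids $EventIds

# --- 3. Live subscription: the WMI meaning of "register for these events" -------
# New records do not require re-running the query: subscribe to the intrinsic
# __InstanceCreationEvent and WMI calls back whenever a matching record lands in
# the Security log. WITHIN 5 is WMI's own polling interval, in seconds.
function Register-LockUnlockWatch {
    param([string]$ComputerName, [System.Management.Automation.PSCredential]$Cred, [int[]]$Ids)

    $idClause = ($Ids | ForEach-Object { "TargetInstance.EventCode = $_" }) -join ' OR '
    $query    = "SELECT * FROM __InstanceCreationEvent WITHIN 5 " +
                "WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
                "AND TargetInstance.Logfile = 'Security' AND ($idClause)"

    Register-WmiEvent -Query $query -SourceIdentifier 'LockUnlockWatch' `
                      -ComputerName $ComputerName -Credential $Cred -Action {
        $e = $Event.SourceEventArgs.NewEvent.TargetInstance
        Write-Host ("{0:u}  EventCode={1}  {2}" -f (Get-Date), $e.EventCode,
                    ($e.Message -split "`n")[0].Trim())
    }
}

Register-LockUnlockWatch -ComputerName $Computer -Cred $Credential -Ids $EventIds
# Lock and unlock the remote console: one line per 4800/4801 appears in this session.
# Unregister-Event -SourceIdentifier 'LockUnlockWatch'   # stop watching
```

Two caveats when running this against a remote host: reading the Security log through `Win32_NTLogEvent` fails silently (empty result) rather than with an access-denied error if the account lacks the privilege, so `-EnableAllPrivileges` and an administrative account are the first things to check after the audit policy; and a remote temporary event consumer requires the target to open a DCOM connection back to the subscribing machine, so a host firewall between the two blocks the subscription even when the one-off query works.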