0

I am trying to create a WMI Event query that notify me when a new file is created on the device whit this query "SELECT * From __InstanceCreationEvent WITHIN 5 Where TargetInstance ISA \"CIM_DATAFile\" And TargetInstance.Drive=\"" + driveUnit.Name.Replace("\\", "") + "\" And TargetInstance.CreationDate > \"" + ManagementDateTimeConverter.ToDmtfDateTime(markfInstallation) + "\"");, but i have two problems:

  1. when I plug the device, this query notify me for all files created previously in the device (the same when I remove the device but with __InstanceDeletionEvent)
  2. For try to solve this i trying to filter this query using the TargetInstance.CreationDate, but there is the second problem, when read CreationDate for a file on the removable device the format is like 20220207123159.630000+***, I think that the problems is about "+***" but this only happend on removable device, and i dont know how to convert it ot something for use in a query (if make this for c: unit for example, the date get correctly de offset time, and works

I would like how to make the query for using CreatedDate in remable devices and compare it with other values

andrés matínez rodríguez
  • 243
  • 2
  • 9
  • In PowerShell: `[datetime]::ParseExact('20220207123159.630000+***', 'yyyyMMddHHmmss.ffffff\+\*\*\*', [cultureinfo]::InvariantCulture)`. In C# (I think) `DateTime.ParseExact("20220207123159.630000+***", "yyyyMMddHHmmss.ffffff\+\*\*\*", CultureInfo.InvariantCulture);` – Theo Feb 09 '22 at 15:46
  • the problem is that i am programming in c# using a WqlEventQuery, and here i must make the query like string and i cant parse nothing i think, the query is: "SELECT * From __InstanceCreationEvent WITHIN 5 Where TargetInstance ISA \"CIM_DATAFile\" And TargetInstance.Drive=\"" + driveUnit.Name.Replace("\\", "") + "\" And TargetInstance.CreationDate > \"" + ManagementDateTimeConverter.ToDmtfDateTime(markfInstallation) + "\""); – andrés matínez rodríguez Feb 09 '22 at 15:51

0 Answers0