I'm pretty unfamiliar with WMI so I made some test MOFs for a permanent extrinsic event.
My filter to consumer binding isn't working correctly. Here are the MOFs pulled directly from wbemtest.
Filter:
instance of __EventFilter
{
    CreatorSID = { [ Removed ] };
    EventNamespace = "ROOT\\CIMV2";
    Name = "TestFilter";
    Query = "SELECT * FROM RegistryValueChangeEvent WHERE Hive='HKEY_USERS' AND KeyPath='.DEFAULT\\\\SOFTWARE\\\\TestKey' AND ValueName = 'Test'";
    QueryLanguage = "WQL";
};
When I execute this query in Wbemtest using the Notification Query option, it correctly lists the events when I change the value of 'Test'. So it wouldn't appear that the issue is the filter.
Here's the consumer:
instance of CommandLineEventConsumer
{
    CommandLineTemplate = "calc.exe";
    CreatorSID = { [ Removed ] };
    Name = "TestConsumer";
    RunInteractively = TRUE;
};
And the Filter to Consumer binding:
instance of __FilterToConsumerBinding
{
    Consumer = "TestConsumer";
    CreatorSID = { [ Removed ] };
    Filter = "TestFilter";
};
And they all show up correctly in the Wbemtest interface; I pulled the MOFs directly from Wbemtest. But the actual consumer is never triggering.
I feel like I must be missing something obvious. I have tried every debugging possibility under the sun including changing the number of escapes, specifying an exact directory path for calc.exe, etc.
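
One way to check what WMI actually has registered, as an added example that is not part of the original post: the script lists every `__FilterToConsumerBinding` in a namespace, resolves its Filter and Consumer references against the stored instances, and prints each filter's `EventNamespace` and query next to the consumer's command line. The function name `Get-WmiSubscriptionAudit` is hypothetical, and the default namespace `root\subscription` is an assumption about where the instances were created.

```powershell
# Added example: audit permanent WMI event subscriptions in one namespace.
# Assumption: the instances were created in root\subscription; pass another
# namespace if not. Reading it normally needs an elevated session.
function Get-WmiSubscriptionAudit {
    param([string]$Namespace = 'root\subscription')

    $filters   = @(Get-CimInstance -Namespace $Namespace -ClassName __EventFilter)
    $consumers = @(Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer)
    $bindings  = @(Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        # Filter and Consumer are reference properties; the CIM cmdlets return
        # them as key-only instances, so match on class name plus Name.
        $class = $b.Consumer.CimSystemProperties.ClassName
        $f = $filters | Where-Object { $_.Name -eq $b.Filter.Name } |
            Select-Object -First 1
        $c = $consumers | Where-Object {
            $_.Name -eq $b.Consumer.Name -and
            $_.CimSystemProperties.ClassName -eq $class
        } | Select-Object -First 1

        [pscustomobject]@{
            Filter           = $b.Filter.Name
            FilterResolved   = [bool]$f
            EventNamespace   = $f.EventNamespace
            Query            = $f.Query
            ConsumerClass    = $class
            Consumer         = $b.Consumer.Name
            ConsumerResolved = [bool]$c
            CommandLine      = $c.CommandLineTemplate
        }
    }

    # A filter or consumer that no binding references is never connected.
    $boundF = $bindings | ForEach-Object { $_.Filter.Name }
    $boundC = $bindings | ForEach-Object { $_.Consumer.Name }
    $filters   | Where-Object { $_.Name -notin $boundF } |
        ForEach-Object { Write-Warning "Unbound filter: $($_.Name)" }
    $consumers | Where-Object { $_.Name -notin $boundC } |
        ForEach-Object { Write-Warning "Unbound consumer: $($_.Name)" }
}

Get-WmiSubscriptionAudit | Format-List
```

The `EventNamespace` column is the namespace in which WMI evaluates the filter's query, so it can be compared with the namespace Wbemtest was connected to when the same query was tested as a notification query.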