There are some events exposed via WMI, but I can't seem to find any examples for subscribing and being alerted of those events. Particularly, I am wanting to implement WmiMonitorBrightnessEvent to push a notification to Growl/Snarl.
The log files created by WMI and various providers record: events, trace or diagnostic data, errors, and various activities. Only administrators have read access to the WMI log folder found at %windir%\system32\wbem\logs.
Open a command prompt. Type WMIC to invoke the program, and hit Enter. This will give you the WMIC command prompt, wmic:root\cli>. From here, you can run WMI queries.
In short, a WMI event consumer is a method of subscribing to certain system events, then enabling an action of some sort. Common adversary use cases may include persistence, privilege escalation, or use as a collection trigger.
This is sample code for receiving the WmiMonitorBrightnessEvent WMI event.
    using System;
    using System.Collections.Generic;
    using System.Management;
    using System.Text;

    namespace GetWMI_Info
    {
        public class EventWatcherAsync
        {
            // Invoked each time a WmiMonitorBrightnessEvent is delivered.
            private void WmiEventHandler(object sender, EventArrivedEventArgs e)
            {
                Console.WriteLine("Active : " + e.NewEvent.Properties["Active"].Value.ToString());
                Console.WriteLine("Brightness : " + e.NewEvent.Properties["Brightness"].Value.ToString());
                Console.WriteLine("InstanceName : " + e.NewEvent.Properties["InstanceName"].Value.ToString());
            }

            public EventWatcherAsync()
            {
                try
                {
                    string ComputerName = "localhost";
                    string WmiQuery;
                    ManagementEventWatcher Watcher;
                    ManagementScope Scope;

                    if (!ComputerName.Equals("localhost", StringComparison.OrdinalIgnoreCase))
                    {
                        // Remote machine: fill in the credentials and domain before use.
                        ConnectionOptions Conn = new ConnectionOptions();
                        Conn.Username = "";
                        Conn.Password = "";
                        Conn.Authority = "ntlmdomain:DOMAIN";
                        Scope = new ManagementScope(String.Format("\\\\{0}\\root\\WMI", ComputerName), Conn);
                    }
                    else
                    {
                        // Local machine: connect as the current user.
                        Scope = new ManagementScope(String.Format("\\\\{0}\\root\\WMI", ComputerName), null);
                    }
                    Scope.Connect();

                    // The event class is queried in the root\WMI namespace.
                    WmiQuery = "Select * From WmiMonitorBrightnessEvent";
                    Watcher = new ManagementEventWatcher(Scope, new EventQuery(WmiQuery));
                    Watcher.EventArrived += new EventArrivedEventHandler(this.WmiEventHandler);

                    Watcher.Start();   // start asynchronous delivery to the handler
                    Console.Read();    // keep listening until input is received
                    Watcher.Stop();    // cancel the subscription
                }
                catch (Exception e)
                {
                    Console.WriteLine("Exception {0} Trace {1}", e.Message, e.StackTrace);
                }
            }

            public static void Main(string[] args)
            {
                Console.WriteLine("Listening {0}", "WmiMonitorBrightnessEvent");
                Console.WriteLine("Press Enter to exit");
                EventWatcherAsync eventWatcher = new EventWatcherAsync();
                Console.Read();
            }
        }
    }
If you are new to WMI, try using a tool like the WMI Delphi Code Creator and reading the documentation related to this topic, Receiving a WMI Event.
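The watcher in the answer is a temporary subscription that ends with the process, whereas the event consumers described earlier as a persistence mechanism are permanent subscriptions stored in the WMI repository. The following added example (not part of the original answer) lists them for review; it assumes the default root\subscription namespace and an elevated prompt, and the class name ListPermanentSubscriptions is hypothetical.

```csharp
using System;
using System.Management;

// Added example: lists permanent WMI event subscriptions (filter -> consumer bindings).
class ListPermanentSubscriptions
{
    // Consumer properties that describe the action; only those present are printed.
    static readonly string[] ActionProps =
        { "CommandLineTemplate", "ExecutablePath", "ScriptFileName", "ScriptText" };

    static void Main()
    {
        // Assumption: subscriptions live in root\subscription (the usual location).
        var scope = new ManagementScope(@"\\.\root\subscription");
        scope.Connect();
        var query = new ObjectQuery("SELECT * FROM __FilterToConsumerBinding");
        using (var searcher = new ManagementObjectSearcher(scope, query))
        {
            foreach (ManagementObject binding in searcher.Get())
            {
                // Filter and Consumer are WMI reference paths to the bound instances.
                string filterRef = (string)binding["Filter"];
                string consumerRef = (string)binding["Consumer"];
                Console.WriteLine("Binding");
                Console.WriteLine("  Filter   : " + filterRef);
                Console.WriteLine("  Consumer : " + consumerRef);
                try
                {
                    using (var filter = new ManagementObject(scope, new ManagementPath(filterRef), null))
                    using (var consumer = new ManagementObject(scope, new ManagementPath(consumerRef), null))
                    {
                        filter.Get();
                        consumer.Get();
                        Console.WriteLine("  Query    : " + filter["Query"]);
                        Console.WriteLine("  Type     : " + consumer.ClassPath.ClassName);
                        foreach (PropertyData p in consumer.Properties)
                            if (Array.IndexOf(ActionProps, p.Name) >= 0 && p.Value != null)
                                Console.WriteLine("  " + p.Name + " : " + p.Value);
                    }
                }
                catch (ManagementException ex)
                {
                    // A binding can outlive the filter or consumer it points to.
                    Console.WriteLine("  (unresolved: " + ex.Message + ")");
                }
            }
        }
    }
}
```

A binding whose consumer type is CommandLineEventConsumer or ActiveScriptEventConsumer, and which no installed product accounts for, is the entry to investigate first.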