Note the TYPOS... so keep your tablet/e-reader screen clean and make sure you use the double underscore characters (as in __this and __event)... or cut and paste from the main blog.
I rejigged the script to get all event classes, not just the Win32 class type... anyhoo, it's a huge screen dump and it looks like I need to get messy with text files!!!
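Ran this (the redirect saves the formatted table, so long class names and property lists are cut off with "..." in the output below, and the query only covers the ROOT\cimv2 namespace shown in the header):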
gwmi -query "select * from meta_class where (__this isa '__event')" > c:\EventClasses.txt
NameSpace: ROOT\cimv2
Name Methods Properties
---- ------- ----------
__Event {} {SECURITY_DESCRIPTOR, TIME_CREATED}
__ExtrinsicEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED}
Win32_DeviceChangeEvent {} {EventType, SECURITY_DESCRIPTOR, TIME_CREATED}
Win32_SystemConfigurationChangeE... {} {EventType, SECURITY_DESCRIPTOR, TIME_CREATED}
Win32_VolumeChangeEvent {} {DriveName, EventType, SECURITY_DESCRIPTOR, TIME_CREATED}
MSFT_WMI_GenericNonCOMEvent {} {ProcessId, PropertyNames, PropertyValues, ProviderName...}
MSFT_NCProvEvent {} {Namespace, ProviderName, Result, SECURITY_DESCRIPTOR...}
MSFT_NCProvCancelQuery {} {ID, Namespace, ProviderName, Result...}
MSFT_NCProvClientConnected {} {Inproc, Namespace, ProviderName, Result...}
MSFT_NCProvNewQuery {} {ID, Namespace, ProviderName, Query...}
MSFT_NCProvAccessCheck {} {Namespace, ProviderName, Query, QueryLanguage...}
Win32_SystemTrace {} {SECURITY_DESCRIPTOR, TIME_CREATED}
Win32_ProcessTrace {} {ParentProcessID, ProcessID, ProcessName, SECURITY_DESCRIPTOR...}
Win32_ProcessStartTrace {} {ParentProcessID, ProcessID, ProcessName, SECURITY_DESCRIPTOR...}
Win32_ProcessStopTrace {} {ExitStatus, ParentProcessID, ProcessID, ProcessName...}
Win32_ThreadTrace {} {ProcessID, SECURITY_DESCRIPTOR, ThreadID, TIME_CREATED}
Win32_ThreadStartTrace {} {ProcessID, SECURITY_DESCRIPTOR, StackBase, StackLimit...}
Win32_ThreadStopTrace {} {ProcessID, SECURITY_DESCRIPTOR, ThreadID, TIME_CREATED}
Win32_ModuleTrace {} {SECURITY_DESCRIPTOR, TIME_CREATED}
Win32_ModuleLoadTrace {} {DefaultBase, FileName, ImageBase, ImageChecksum...}
Win32_PowerManagementEvent {} {EventType, OEMEventCode, SECURITY_DESCRIPTOR, TIME_CREATED}
Win32_ComputerSystemEvent {} {MachineName, SECURITY_DESCRIPTOR, TIME_CREATED}
Win32_ComputerShutdownEvent {} {MachineName, SECURITY_DESCRIPTOR, TIME_CREATED, Type}
MSFT_SCMEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED}
MSFT_SCMEventLogEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED}
MSFT_NetSevereServiceFailed {} {SECURITY_DESCRIPTOR, Service, TIME_CREATED}
MSFT_NetTransactInvalid {} {SECURITY_DESCRIPTOR, TIME_CREATED}
MSFT_NetServiceNotInteractive {} {SECURITY_DESCRIPTOR, Service, TIME_CREATED}
MSFT_NetTakeOwnership {} {RegistryKey, SECURITY_DESCRIPTOR, TIME_CREATED}
MSFT_NetServiceConfigBackoutFailed {} {ConfigField, SECURITY_DESCRIPTOR, Service, TIME_CREATED}
MSFT_NetServiceShutdownFailed {} {SECURITY_DESCRIPTOR, Service, TIME_CREATED}
MSFT_NetServiceStartHung {} {SECURITY_DESCRIPTOR, Service, TIME_CREATED}
MSFT_NetServiceStopControlSuccess {} {Comment, Control, Reason, ReasonText...}
MSFT_NetServiceSlowStartup {} {SECURITY_DESCRIPTOR, Service, StartupTime, TIME_CREATED}
MSFT_NetCallToFunctionFailed {} {Error, FunctionName, SECURITY_DESCRIPTOR, TIME_CREATED}
MSFT_NetBadAccount {} {SECURITY_DESCRIPTOR, TIME_CREATED}
MSFT_NetBadServiceState {} {SECURITY_DESCRIPTOR, Service, State, TIME_CREATED}
MSFT_NetConnectionTimeout {} {Milliseconds, SECURITY_DESCRIPTOR, Service, TIME_CREATED}
MSFT_NetCircularDependencyAuto {} {SECURITY_DESCRIPTOR, TIME_CREATED}
MSFT_NetServiceStartTypeChanged {} {NewStartType, OldStartType, SECURITY_DESCRIPTOR, Service...}
MSFT_NetServiceLogonTypeNotGranted {} {Account, Error, SECURITY_DESCRIPTOR, Service...}
MSFT_NetServiceStartFailedGroup {} {Group, SECURITY_DESCRIPTOR, Service, TIME_CREATED}
MSFT_NetDependOnLaterService {} {SECURITY_DESCRIPTOR, Service, TIME_CREATED}
MSFT_NetFirstLogonFailedII {} {Account, Error, SECURITY_DESCRIPTOR, Service...}
MSFT_NetServiceDifferentPIDConne... {} {ActualPID, ExpectedPID, SECURITY_DESCRIPTOR, Service...}
MSFT_NetServiceCrashNoAction {} {SECURITY_DESCRIPTOR, Service, TIME_CREATED, TimesFailed}
MSFT_NetCircularDependencyDemand {} {SECURITY_DESCRIPTOR, Service, TIME_CREATED}
MSFT_NetServiceExitFailed {} {Error, SECURITY_DESCRIPTOR, Service, TIME_CREATED}
MSFT_NetServiceStartFailedII {} {DependedOnService, Error, SECURITY_DESCRIPTOR, Service...}
MSFT_NetServiceExitFailedSpecific {} {Error, SECURITY_DESCRIPTOR, Service, TIME_CREATED}
MSFT_NetBootSystemDriversFailed {} {DriverList, SECURITY_DESCRIPTOR, TIME_CREATED}
MSFT_NetServiceCrash {} {Action, ActionDelay, ActionType, SECURITY_DESCRIPTOR...}
MSFT_NetServiceRecoveryFailed {} {Action, ActionType, Error, SECURITY_DESCRIPTOR...}
MSFT_NetServiceStatusSuccess {} {Control, SECURITY_DESCRIPTOR, Service, TIME_CREATED}
MSFT_NetTransactTimeout {} {Milliseconds, SECURITY_DESCRIPTOR, Service, TIME_CREATED}
MSFT_NetFirstLogonFailed {} {Error, SECURITY_DESCRIPTOR, TIME_CREATED}
MSFT_NetServiceControlSuccess {} {Control, SECURITY_DESCRIPTOR, Service, sid...}
MSFT_NetServiceStartFailed {} {Error, SECURITY_DESCRIPTOR, Service, TIME_CREATED}
MSFT_NetServiceStartFailedNone {} {NonExistingService, SECURITY_DESCRIPTOR, Service, TIME_CREATED}
MSFT_NetReadfileTimeout {} {Milliseconds, SECURITY_DESCRIPTOR, TIME_CREATED}
MSFT_NetRevertedToLastKnownGood {} {SECURITY_DESCRIPTOR, TIME_CREATED}
MSFT_NetCallToFunctionFailedII {} {Argument, Error, FunctionName, SECURITY_DESCRIPTOR...}
MSFT_NetDependOnLaterGroup {} {SECURITY_DESCRIPTOR, Service, TIME_CREATED}
MSFT_WmiSelfEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED}
MSFT_WmiEssEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED}
MSFT_WmiThreadPoolEvent {} {SECURITY_DESCRIPTOR, ThreadId, TIME_CREATED}
MSFT_WmiThreadPoolThreadCreated {} {SECURITY_DESCRIPTOR, ThreadId, TIME_CREATED}
MSFT_WmiThreadPoolThreadDeleted {} {SECURITY_DESCRIPTOR, ThreadId, TIME_CREATED}
MSFT_WmiRegisterNotificationSink {} {Namespace, Query, QueryLanguage, SECURITY_DESCRIPTOR...}
MSFT_WmiFilterEvent {} {Name, Namespace, Query, QueryLanguage...}
MSFT_WmiFilterDeactivated {} {Name, Namespace, Query, QueryLanguage...}
MSFT_WmiFilterActivated {} {Name, Namespace, Query, QueryLanguage...}
MSFT_WmiCancelNotificationSink {} {Namespace, Query, QueryLanguage, SECURITY_DESCRIPTOR...}
MSFT_WmiProviderEvent {} {Namespace, ProviderName, SECURITY_DESCRIPTOR, TIME_CREATED}
MSFT_WmiConsumerProviderEvent {} {Machine, Namespace, ProviderName, SECURITY_DESCRIPTOR...}
MSFT_WmiConsumerProviderSinkLoaded {} {Consumer, Machine, Namespace, ProviderName...}
MSFT_WmiConsumerProviderSinkUnlo... {} {Consumer, Machine, Namespace, ProviderName...}
MSFT_WmiConsumerProviderUnloaded {} {Machine, Namespace, ProviderName, SECURITY_DESCRIPTOR...}
MSFT_WmiConsumerProviderLoaded {} {Machine, Namespace, ProviderName, SECURITY_DESCRIPTOR...}
Msft_WmiProvider_OperationEvent {} {HostingGroup, HostingSpecification, Locale, Namespace...}
Msft_WmiProvider_ComServerLoadOp... {} {Clsid, HostingGroup, HostingSpecification, InProcServer...}
Msft_WmiProvider_OperationEvent_... {} {HostingGroup, HostingSpecification, Locale, Namespace...}
Msft_WmiProvider_PutInstanceAsyn... {} {Flags, HostingGroup, HostingSpecification, InstanceObject...}
Msft_WmiProvider_CreateInstanceE... {} {ClassName, Flags, HostingGroup, HostingSpecification...}
Msft_WmiProvider_DeleteInstanceA... {} {Flags, HostingGroup, HostingSpecification, Locale...}
Msft_WmiProvider_CancelQuery_Post {} {HostingGroup, HostingSpecification, Locale, Namespace...}
Msft_WmiProvider_NewQuery_Post {} {HostingGroup, HostingSpecification, Locale, Namespace...}
Msft_WmiProvider_ProvideEvents_Post {} {Flags, HostingGroup, HostingSpecification, Locale...}
Msft_WmiProvider_ExecQueryAsyncE... {} {Flags, HostingGroup, HostingSpecification, Locale...}
Msft_WmiProvider_AccessCheck_Post {} {HostingGroup, HostingSpecification, Locale, Namespace...}
Msft_WmiProvider_CreateClassEnum... {} {Flags, HostingGroup, HostingSpecification, Locale...}
Msft_WmiProvider_DeleteClassAsyn... {} {ClassName, Flags, HostingGroup, HostingSpecification...}
Msft_WmiProvider_ExecMethodAsync... {} {Flags, HostingGroup, HostingSpecification, InputParameters...}
Msft_WmiProvider_GetObjectAsyncE... {} {Flags, HostingGroup, HostingSpecification, Locale...}
Msft_WmiProvider_PutClassAsyncEv... {} {ClassObject, Flags, HostingGroup, HostingSpecification...}
Msft_WmiProvider_InitializationO... {} {HostingGroup, HostingSpecification, Locale, Namespace...}
Msft_WmiProvider_InitializationO... {} {HostingGroup, HostingSpecification, Locale, Namespace...}
Msft_WmiProvider_LoadOperationFa... {} {Clsid, HostingGroup, HostingSpecification, InProcServer...}
Msft_WmiProvider_ComServerLoadOp... {} {Clsid, HostingGroup, HostingSpecification, InProcServer...}
Msft_WmiProvider_UnLoadOperation... {} {HostingGroup, HostingSpecification, Locale, Namespace...}
Msft_WmiProvider_LoadOperationEvent {} {Clsid, HostingGroup, HostingSpecification, InProcServer...}
Msft_WmiProvider_OperationEvent_Pre {} {HostingGroup, HostingSpecification, Locale, Namespace...}
Msft_WmiProvider_DeleteInstanceA... {} {Flags, HostingGroup, HostingSpecification, Locale...}
Msft_WmiProvider_AccessCheck_Pre {} {HostingGroup, HostingSpecification, Locale, Namespace...}
Msft_WmiProvider_ExecQueryAsyncE... {} {Flags, HostingGroup, HostingSpecification, Locale...}
Msft_WmiProvider_DeleteClassAsyn... {} {ClassName, Flags, HostingGroup, HostingSpecification...}
Msft_WmiProvider_NewQuery_Pre {} {HostingGroup, HostingSpecification, Locale, Namespace...}
Msft_WmiProvider_PutInstanceAsyn... {} {Flags, HostingGroup, HostingSpecification, InstanceObject...}
Msft_WmiProvider_CreateClassEnum... {} {Flags, HostingGroup, HostingSpecification, Locale...}
Msft_WmiProvider_ExecMethodAsync... {} {Flags, HostingGroup, HostingSpecification, InputParameters...}
Msft_WmiProvider_ProvideEvents_Pre {} {Flags, HostingGroup, HostingSpecification, Locale...}
Msft_WmiProvider_CancelQuery_Pre {} {HostingGroup, HostingSpecification, Locale, Namespace...}
Msft_WmiProvider_PutClassAsyncEv... {} {ClassObject, Flags, HostingGroup, HostingSpecification...}
Msft_WmiProvider_GetObjectAsyncE... {} {Flags, HostingGroup, HostingSpecification, Locale...}
Msft_WmiProvider_CreateInstanceE... {} {ClassName, Flags, HostingGroup, HostingSpecification...}
Win32_IP4RouteTableEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED}
RegistryEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED}
RegistryKeyChangeEvent {} {Hive, KeyPath, SECURITY_DESCRIPTOR, TIME_CREATED}
RegistryTreeChangeEvent {} {Hive, RootPath, SECURITY_DESCRIPTOR, TIME_CREATED}
RegistryValueChangeEvent {} {Hive, KeyPath, SECURITY_DESCRIPTOR, TIME_CREATED...}
__SystemEvent {} {SECURITY_DESCRIPTOR, TIME_CREATED}
__EventDroppedEvent {} {Event, IntendedConsumer, SECURITY_DESCRIPTOR, TIME_CREATED}
__EventQueueOverflowEvent {} {CurrentQueueSize, Event, IntendedConsumer, SECURITY_DESCRIPTOR...}
__QOSFailureEvent {} {ErrorCode, ErrorDescription, Event, IntendedConsumer...}
__ConsumerFailureEvent {} {ErrorCode, ErrorDescription, ErrorObject, Event...}
__InstanceOperationEvent {} {SECURITY_DESCRIPTOR, TargetInstance, TIME_CREATED}
__InstanceModificationEvent {} {PreviousInstance, SECURITY_DESCRIPTOR, TargetInstance, TIME_CREATED}
__InstanceCreationEvent {} {SECURITY_DESCRIPTOR, TargetInstance, TIME_CREATED}
__MethodInvocationEvent {} {Method, Parameters, PreCall, SECURITY_DESCRIPTOR...}
__InstanceDeletionEvent {} {SECURITY_DESCRIPTOR, TargetInstance, TIME_CREATED}
__ClassOperationEvent {} {SECURITY_DESCRIPTOR, TargetClass, TIME_CREATED}
__ClassDeletionEvent {} {SECURITY_DESCRIPTOR, TargetClass, TIME_CREATED}
__ClassModificationEvent {} {PreviousClass, SECURITY_DESCRIPTOR, TargetClass, TIME_CREATED}
__ClassCreationEvent {} {SECURITY_DESCRIPTOR, TargetClass, TIME_CREATED}
__NamespaceOperationEvent {} {SECURITY_DESCRIPTOR, TargetNamespace, TIME_CREATED}
__NamespaceModificationEvent {} {PreviousNamespace, SECURITY_DESCRIPTOR, TargetNamespace, TIME_CREATED}
__NamespaceDeletionEvent {} {SECURITY_DESCRIPTOR, TargetNamespace, TIME_CREATED}
__NamespaceCreationEvent {} {SECURITY_DESCRIPTOR, TargetNamespace, TIME_CREATED}
__TimerEvent {} {NumFirings, SECURITY_DESCRIPTOR, TIME_CREATED, TimerId}