Get-WmiADEvent.ps1


Description

Purpose

Retrieves WMI events based on the specified query.

Detailed Description

The Get-WmiADEvent function retrieves WMI events based on the specified query. It uses the System.Management namespace to create a WMI event watcher and waits for events to occur. When an event is received, it outputs the event details.


Usage

Example 1

$query = "Select * from __InstanceCreationEvent Within 10 where TargetInstance ISA 'DS_USER'"

Get-WmiADEvent -query $query

This example watches for instance creation events for Active Directory user objects. The Within 10 clause sets a 10-second polling interval.

Example 2

$query = "Select * from __InstanceModificationEvent Within 10 where TargetInstance ISA 'DS_COMPUTER'"

Get-WmiADEvent -query $query

This example watches for instance modification events for Active Directory computer objects. The Within 10 clause sets a 10-second polling interval.


Notes

No additional notes.



Script

<#
.SYNOPSIS
    Retrieves WMI events based on the specified query.

.DESCRIPTION
    The Get-WmiADEvent function retrieves WMI events based on the specified query. It uses the System.Management namespace to create a WMI event watcher and waits for events to occur. When an event is received, it outputs the event details.

.PARAMETER query
    The WMI query string used to filter the events.

.EXAMPLE
    $query = "Select * from __InstanceCreationEvent Within 10 where TargetInstance ISA 'DS_USER'"
    Get-WmiADEvent -query $query

    This example watches for instance creation events for Active Directory user objects. The Within 10 clause sets a 10-second polling interval.

.EXAMPLE
    $query = "Select * from __InstanceModificationEvent Within 10 where TargetInstance ISA 'DS_COMPUTER'"
    Get-WmiADEvent -query $query

    This example watches for instance modification events for Active Directory computer objects. The Within 10 clause sets a 10-second polling interval.
#>

Function Get-WmiADEvent {
    Param([string]$query)

    # WMI namespace of the Active Directory (LDAP) provider
    $Path = "root\directory\ldap"
    $EventQuery = New-Object System.Management.WQLEventQuery $query
    $Scope = New-Object System.Management.ManagementScope $Path
    $Watcher = New-Object System.Management.ManagementEventWatcher $Scope, $EventQuery
    $Options = New-Object System.Management.EventWatcherOptions
    # Wait at most one second per WaitForNextEvent() call
    $Options.TimeOut = [timespan]"0.0:0:1"
    $Watcher.Options = $Options
    Write-Output ("Waiting for events in response to: {0}" -f $EventQuery.QueryString)
    $Watcher.Start()
    # Runs until interrupted (Ctrl+C)
    while ($true) {
        # A wait that times out raises a ManagementException; resume and wait again
        trap [System.Management.ManagementException] { continue }

        $Evt = $Watcher.WaitForNextEvent()
        if ($Evt) {
            # TargetInstance is the directory object that was created or modified
            $Evt.TargetInstance | Select-Object *
            Clear-Variable evt
        }
    }
}
  
# Sample usage

# $query="Select * from __InstanceCreationEvent Within 10 where TargetInstance ISA 'DS_USER'"
# $query="Select * from __InstanceCreationEvent Within 10 where TargetInstance ISA 'DS_GROUP'"
# $query="Select * from __InstanceModificationEvent Within 10 where TargetInstance ISA 'DS_USER'"
# $query="Select * from __InstanceModificationEvent Within 10 where TargetInstance ISA 'DS_COMPUTER'"
# Get-WmiADEvent $query
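
The following is an added example, not part of Get-WmiADEvent.ps1: a time-bounded variant for change auditing that reports which attributes differ between PreviousInstance and TargetInstance on each modification event, and rethrows any ManagementException other than the wait timeout. The name Watch-ADObjectChange is hypothetical, and the code assumes the provider populates PreviousInstance and exposes ADSIPath as the object's key property.

```powershell
# Added example; Watch-ADObjectChange is a hypothetical name.
function Watch-ADObjectChange {
    param(
        [ValidateSet('DS_USER', 'DS_GROUP', 'DS_COMPUTER')]
        [string]$Class = 'DS_USER',
        [ValidateRange(1, 3600)][int]$PollSeconds = 10,
        [ValidateRange(1, 1440)][int]$RunMinutes = 5
    )
    # ValidateSet/ValidateRange keep free-form caller input out of the WQL string.
    $query = "Select * from __InstanceModificationEvent Within $PollSeconds " +
             "where TargetInstance ISA '$Class'"
    $scope   = New-Object System.Management.ManagementScope 'root\directory\ldap'
    $wql     = New-Object System.Management.WqlEventQuery $query
    $watcher = New-Object System.Management.ManagementEventWatcher $scope, $wql
    $options = New-Object System.Management.EventWatcherOptions
    $options.Timeout = [timespan]::FromSeconds(1)
    $watcher.Options = $options
    $deadline = (Get-Date).AddMinutes($RunMinutes)
    try {
        $watcher.Start()
        while ((Get-Date) -lt $deadline) {
            try { $evt = $watcher.WaitForNextEvent() }
            catch [System.Management.ManagementException] {
                # Only the 1-second wait timeout is expected; rethrow anything else.
                $status = $_.Exception.GetBaseException().ErrorCode
                if ($status -eq [System.Management.ManagementStatus]::Timedout) { continue }
                throw
            }
            $old = $evt.PreviousInstance
            $new = $evt.TargetInstance
            if (-not $old -or -not $new) { continue }   # nothing to compare
            # Multi-valued attributes are joined so they compare as one string.
            $changed = foreach ($p in $new.psbase.Properties) {
                $before = @($old.psbase.Properties[$p.Name].Value) -join ';'
                $after  = @($p.Value) -join ';'
                if ($before -ne $after) { $p.Name }
            }
            [pscustomobject]@{
                SeenAt   = (Get-Date).ToUniversalTime().ToString('o')
                Class    = $Class
                ADSIPath = $new.ADSIPath            # assumed key property
                Changed  = @($changed) -join ','
            }
        }
    }
    finally { $watcher.Stop(); $watcher.Dispose() }
}
```

Attributes whose values are embedded objects stringify to their type name and so are not reported as changed by this comparison.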
